1 / 27

Remote Applications & IIS

Remote Applications & IIS. Terminal Services MW2K3 Chpt. 16. Benefits Centralized Deployment of Applications Supporting PC-Unfriendly Environments: Unclean, excessive heat, exposure to elements and theft. Less Processing Power Required on the Client Easier management of user interface.

chambray
Download Presentation

Remote Applications & IIS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Remote Applications & IIS

  2. Terminal Services MW2K3 Chpt. 16 • Benefits • Centralized Deployment of Applications • Supporting PC-Unfriendly Environments: • Unclean, excessive heat, exposure to elements and theft. • Less Processing Power Required on the Client • Easier management of user interface. • Remote Server Administration

  3. Is this the Future of Networking • Not likely for two reasons: • Not all applications behave well in Terminal Server environment • Legacy applications • Some applications and users are just too demanding. • Computer-Assisted Drawing • Intensive Database applications

  4. Windows NT 4.0 TSE v. W2K3 • Windows Server now supports: • Client side now supports richer screen color • Client side now supports sound • Publish applications to Web page • Mapping client side printers and hard drives • Support for cut and paste between local and remote session via clipboard • Load balancing with Advanced Server • New Remote Desktop Protocol, supporting multiple channels, which means more communication between client and server. • Clustering solutions • Group policy enhancement

  5. Citrix Metaframe in a Nutshell • Multi protocol support • Application publishing • Seamless Windows • Load Balancing

  6. What’s Missing in W2K3 TS • Supports only Windows 32 Operating systems • Does not support DOS, Unix/Linux, or MacIntosh clients • Citrix Metaframe is required for those clients. • Multi Protocol Support • ICA supports IPX/SPX and Netbeui • Seamless Client session • Support more than 256 colors • Server Farming • Load Balancing

  7. Server and Client Requirements • Server Hardware • Load up on RAM, Processors and NIC’s • 1 CPU should be able to support up to 20 users depending on usage. • 2GB-4GB minimum RAM

  8. Server and Client Requirements • Client Hardware • PC w/ a Win32 operating system loaded • Windows Terminal Thin Client • WYSE • HP • Handheld PC running Windows CE/PocketPC

  9. IIS Review • World Wide Web Server • Supports security and encryption • Host site for 1 to many domains • Pass through to access HTML documents on other machines. (virtual directories) • Supports Front Page Server Extensions for easy management and web publishing. • Default install only support static content

  10. IIS Continued The following technologies are supported in IIS 6 but are disabled after installation of IIS. • ASP: Active Server Pages • SSI: Server Side Includes • CGI: Common Gateway Interface • ISAPI: Internet Server Application Programming Interface

  11. IIS Continued • Read-Allows user to read files from your Web Server. In most instances, you will want this option set for the root of a new site. The primary reason for disabling this option is for directories that contain CGI or ISAPI apps, which will usually be set on a subdirectory level • Run Script-if you need to allow the execution of ASP’s on your site, enable this option • Execute-if you need to allow the execution of ISAPI or CGI apps on your site, enable this option. When you enable this option, it is inclusive of the Run Scripts option as well. • Write-If the client browsers either will need to upload files on your Web server or will be writing data to a file, you will need to have write permissions enabled. • Browse-if a user does not send a request for a specific file on the Web server and there is no default document defined on the system, IIS will return an HTML representation of the files and subdirectories in the root of the site.

  12. Security Considerations • Design and implement your Web app with security as top priority. • All it takes is one “legitimate” anonymous or authorized user. • At the application level all it takes is one bad assumption in the logic of your site design • Don’t hesitate to bring in outside expertise to the development team as well as have an unbiased third party audit your solution. • ASSUME ALL INPUT IS MALICIOUS, AND VALIDATE IT!!!

  13. Basic Http • HTTP is essentially a basic file transfer protocol using the HTTP GET command • Ie. http://www.victim.com/files/index.html • This command requests the file index.html from the /files virtual directory for example, c:\inetpub\wwwroot\files • The server interprets the request as such: • GET /files/index.html HTTP/1.0

  14. CGI • Common Gateway Interface • An executable variation of HTTP • Ie. http://www.victim.com/scripts/cgi.exe?variable1+variable2

  15. ASP and ISAPI • Active Server Pages • Internet Server Application Programming Interface • Spawns inetinfo.exe process • Ie. http://www.victim.com/scripts/script.asp?variable1=x&variable2=Y • Ie. http://www.victim.com/isapi.dll?variable1&variable2

  16. HTTP Issues • What do hackers do???? • Try to trick server into revealing data it otherwise shouldn’t • Ie. File system traversal using ../ • http://www.victim.com/../../../winnt/secret.txt

  17. How do we prevent? • Do NOT do a default install, which does install IIS and turns everything on in Server 2000 • Default install in Server 2003 does not turn anything on • After installation, install only necessary items for IIS • Once installed apply ALL necessary hotfixes http://windowsupdate.microsoft.com/ and keep up to date on a WEEKLY basis • Move the default location of IIS install off system drive • Shutdown unnecessary sites, ie. FTP

  18. Additional Prevention • Apply network level access control at routers, firewalls, or other devices that make up the perimeter around Web Servers. Block all non-essential communications in both directions. • Make sure to block outbound communications originating from web server to confound attackers who may compromise the web server in an attempt to tftp or ftp files from a remote system or shovel a shell to a remote listener

  19. Additional • Block all non-essential communications to and from the web server at the host level to provide “defense ind depth”. Host-level network access control on Server 200x can be configured using TCP/IP Security or IPSec filters.

  20. Secure IIS Checklist • Read your corporate security policy • How do we react to a break-in? • Where are the backups stored? • Who is allowed access to the server? • http://www.sans.org • http://www.baselinesoft.com

  21. Secure IIS Checklist • Review, Update and deploy the provided hisecweb.inf template • Configure IPSec Policy • Consider setting an IPSec packet-filtering policy on every server. This provides an extra level of security if your firewalls are breached. • In general, you should block all tcp/ip protocols other than those you explicitly want to support and the ports you want to open. You can use the IPSec administration tool or the IPSecPol command line to deploy IPSec Policy

  22. Secure IIS Checklist • Set Appropriate IIS log file ACLs • Administrators (Full Control) • System (Full Control) • Secure Telnet server…or, better yet disable it in the services.(it is disabled by default) • Set Appropriate ACLS on virtual directories

  23. Secure IIS Checklist • Enable Logging • Load IIS tool • Right click site in question and choose properties • Click web site tab • Check the enable logging check box • Choose w3c extended log file format from the active log format drop down list • Click properties • Click the extended properties and set the following properties • Client ip address • Username • Method • URI stem • Http status • Win32 status • Useragent • Server ip address • Server port

  24. IIS Basic Log File Sample #Software: Microsoft Internet Information Services 5.1 #Version: 1.0 #Date: 2005-03-11 12:50:34 #Fields: time c-ip cs-method cs-uri-stem sc-status 12:50:34 10.0.0.11 GET /non_existant_web_link123511.htm 404 12:50:38 10.0.0.11 HEAD /cgi-bin/ 404 12:50:38 10.0.0.11 HEAD /cgi-bin/a1stats/ 404 12:50:38 10.0.0.11 HEAD /cgi-bin/adcycle/ 404 12:50:38 10.0.0.11 HEAD /error/ 404 12:50:38 10.0.0.11 HEAD /doc/ 404 12:50:42 10.0.0.11 HEAD /~nobody/ 404 12:50:42 10.0.0.11 HEAD /site/eg/ 404 12:50:42 10.0.0.11 HEAD /cfdocs/ 404 12:50:42 10.0.0.11 HEAD /cfide/ 404 12:50:42 10.0.0.11 HEAD /cowsconf/ 404 12:50:42 10.0.0.11 HEAD /cgi-bin/cowsconf/ 404 12:50:42 10.0.0.11 HEAD /scripts/ 403 12:50:42 10.0.0.11 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500

  25. Secure IIS Checklist • Set IP address/dns address restrictions • Not a common option to set, but if you want to restrict your website to certain users this one option is available to you. • Update Root CA certificates at the IIS Server

  26. Secure IIS Checklist • Remove the IISADMPWD virtual directory • Directory allows you to reset NT and 2000 passwords. Used primarily for intranets • Remove unused script mappings • Disable Parent Paths • Disable IP Address in content-location • q218180

  27. Windows Security Resources • www.ntsecurity.com • www.ntsecurity.net • www.isaserver.org • www.winguides.com/security • www.microsoft.com/security • http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001191 • http://nsa2.www.conxion.com/win2k/download.htm

More Related