Understanding Microsoft Web Application Security
Rajya Bhaiya
Gradient Vision
Info@GradientVision.com
(415) 599-0220
www.GradientVision.com
(ISC)2 San Francisco Chapter
Info@ISC2-SF-Chapter.org
(415) 602-3751
• Network Security – Network topology
• Windows Security – Operating system configuration
• Web Server Security – Services configuration
• Code Security – Best practices for data & custom code
Common practice - NAT ports
[Diagram: Internet-facing firewall with 80/443 NAT rules into a DMZ (web servers, Outlook Web Access) and into the Corporate Network (web servers, Exchange, Lync, DFS, SQL 2012, ERP)]
• Traditional network
  – DMZ
  – Corporate network
• Allow external users
  – NAT rules
  – Ports 80/443
• No inspection on the ports
• Only source and destination IP logged
• Exchange 2010 Client Access role does not support DMZ
• Risk: application-layer traffic reaches the servers uninspected
Substitute: Layer 7 firewalls
[Diagram: same DMZ (web servers, Outlook Web Access) and Corporate Network (web servers, Exchange, Lync, DFS, SQL 2012, ERP), with the perimeter firewall upgraded to a Layer 7 firewall]
• Upgraded to a Layer 7 firewall
  – Checks for a valid HTTP request
  – If valid then allowed
  – Else drop packet
• HTTPS can be used to secure traffic between client and server
  – Most application firewalls cannot inspect HTTPS
Microsoft TMG/UAG implementation
• Microsoft Threat Management Gateway (TMG) / Unified Access Gateway (UAG)
• TMG/UAG supports a server farm
• Install the same certificate as the web servers on the TMG servers
• TMG can open all traffic, incl. HTTPS traffic
• Smarter proxy system
• No need to install every security update on the web servers the day it is released
• The TMG/UAG servers take care of dropping malicious traffic
[Diagram: Layer 7 firewall in front of TMG/UAG servers carrying the same certificate as the web servers, then the DMZ (web servers, Outlook Web Access) and Corporate Network (web servers, Exchange, Lync, DFS, SQL 2012, ERP)]
UAG Internal Architecture
• Windows 2012 support
  – Multi-domain support is complex
  – Multiple entry points with automatic failover
  – Monitoring and troubleshooting are problematic
• DirectAccess
  – Always-connected clients
UAG vs TMG
Feature                                            | TMG 2010 | UAG 2010
Wizards and predefined settings                    | ✔ basic  | ✔
Information Leakage Prevention (session clean-up)  |          | ✔
Endpoint Health-based Authorization                |          | ✔
Web farm load balancing (WFLB)                     | ✔        | ✔
Advanced Authentication Schemes (e.g. AD FS)       |          | ✔
Rich Client Authentication                         | ✔        | ✔
Single Sign-On                                     | ✔        | ✔
Unified Portal                                     |          | ✔
Application Protection (Web Application Firewall)  | ✔ basic  | ✔
Policy-based access (granular policies)            |          | ✔
Array Support                                      | ✔        | ✔
AAM Support                                        | ✔        | ✔
Customization and Manipulation (UI, Applications)  | ✔ basic  | ✔
• Forefront Threat Management Gateway (TMG) is an outbound internet proxy for internal corporate users.
  – Includes advanced virus, anti-malware and intrusion detection features
  – TMG can impersonate the external site's SSL certificate
  – Performs application-level inspection of the traffic
• Forefront Unified Access Gateway (UAG) is recommended for inbound access to internal corporate resources.
  – Includes acting as a reverse proxy for applications such as OWA and MOSS, and robustly supports DirectAccess
• Windows Security – Operating system configuration
First dilemma - Windows install
• Server Core
  – None of the GUI server features are enabled
• Minimal Shell ("Min Shell")
  – Graphical Management Tools and Infrastructure only
• Full Installation
  – Both features are enabled:
    • Graphical Management Tools and Infrastructure
    • Server Graphical Shell
• Full Installation with Desktop Experience
  – Windows Runtime
  – Windows Store
  – Ability to buy, download and run apps from the Start Screen
Windows System
• System
  – Place the server in a physically secure location
  – Do not share accounts among administrators
  – Secure physical media (floppy drive, CD-ROM drive and so on)
  – Do not connect an IIS server to the Internet until it is fully hardened
  – Install service packs, patches and hotfixes
  – Secure Extensible Firmware Interface (EFI) / Unified EFI (UEFI) settings
  – Secure the SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash)
  – Do not install the IIS server on a domain controller
  – Do not install a printer
• Account
  – Remove unused accounts from the server
  – Rename the Administrator account
  – Require approval for account delegation
  – Enforce strong password policies
  – Do not create more than two accounts in the Administrators group
  – Disable the Windows Guest account
  – Disable the IUSR_MACHINE account if it is not used by the application
  – Create a custom least-privileged anonymous account
    • With multiple web apps, configure separate anonymous user accounts
  – Do not give the anonymous account write/execute access
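The System and Account items above (and the install-type question from the previous slide) can be checked rather than eyeballed. The following script is an added example, not part of the original deck: a read-only audit that reports PASS/FAIL per item. It assumes Windows Server 2012/2012 R2 (the Server-Gui-* feature names) with the ServerManager and Microsoft.PowerShell.LocalAccounts modules available, an elevated session, and a password-length threshold of 14 that is this example's choice, not the deck's.

```powershell
# Added example (not from the original deck): read-only audit of the Windows
# System and Account hardening items. Assumes Server 2012/2012 R2, ServerManager
# and LocalAccounts modules, elevated session. Reports only; changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $state = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add(('{0,-4} {1} ({2})' -f $state, $Check, $Detail))
}

# Install type: Server Core has neither GUI feature installed.
$gui = Get-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -ErrorAction SilentlyContinue
$guiInstalled = @($gui | Where-Object Installed).Count
Add-Finding 'Server Core (no GUI features)' ($guiInstalled -eq 0) "$guiInstalled GUI feature(s) installed"

# SAM: NoLMHash = 1 stops LM hashes from being stored in the SAM.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Finding 'NoLMHash enabled' ($lsa.NoLMHash -eq 1) "NoLMHash=$($lsa.NoLMHash)"

# Not a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
$cs = Get-CimInstance Win32_ComputerSystem
Add-Finding 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

# No printers installed.
$printers = @(Get-CimInstance Win32_Printer)
Add-Finding 'No printers installed' ($printers.Count -eq 0) "$($printers.Count) printer(s)"

# Built-in Administrator (RID 500) renamed; Guest (RID 501) disabled.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Add-Finding 'Administrator account renamed' ($builtinAdmin.Name -ne 'Administrator') "name=$($builtinAdmin.Name)"
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
Add-Finding 'Guest account disabled' (-not $guest.Enabled) "enabled=$($guest.Enabled)"

# At most two members in the local Administrators group.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
Add-Finding 'Administrators group has <= 2 members' ($admins.Count -le 2) ($admins.Name -join ', ')

# Candidate unused accounts: enabled local users that have never logged on.
$stale = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.LastLogon })
Add-Finding 'No enabled accounts that never logged on' ($stale.Count -eq 0) ($stale.Name -join ', ')

# Password policy, read from a secedit export (length threshold 14 is this example's choice).
$cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$pol = Get-Content $cfg
$minLen  = [int](($pol | Select-String 'MinimumPasswordLength').Line -replace '.*=\s*', '')
$complex = [int](($pol | Select-String 'PasswordComplexity').Line -replace '.*=\s*', '')
Add-Finding 'Password length >= 14 and complexity on' ($minLen -ge 14 -and $complex -eq 1) "len=$minLen complexity=$complex"
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings | ForEach-Object { Write-Output $_ }
```

Run it on a freshly built server before it is exposed, and again after patching; every FAIL line maps to one bullet on the slide.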
Windows System (Contd.)
• Network
  – Restrict Internet-facing interfaces to ports 80/443
  – Use two network interfaces in the server, one for administration and one for the network
  – Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445)
• Content storage
  – Put web site content on a non-system NTFS volume
  – Put log files on a volume that is neither the system volume nor the web content volume
  – Reconfigure Recycle Bin and page file data policies
• Auditing and Logging
  – Audit failed logon attempts
  – Relocate and secure the IIS log files, and analyze them
  – Audit access to the Metabase.bin file
  – Configure IIS for W3C Extended log file format auditing
  – Use SQL Server to analyze web logs
• Remote Administration / Other Services
  – Restrict remote registry access
  – Restrict remote log-ons
  – Secure remote administration: configure for encryption and low session time-outs
  – Disable Telnet, FTP, SMTP, MS Index Server and NNTP services if they are not required
  – Shares
    • Remove all unnecessary shares
    • Restrict access to required shares
    • Remove administrative shares (C$ and Admin$)
• Remove unwanted content
  – Remove resource kit tools, utilities and SDKs
  – Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples)
  – Restrict the Everyone group (no access to \WINNT\system32 or web directories)
  – Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin)
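The Auditing and Logging bullets above say to enable W3C Extended logging and then actually analyze the logs. As an added example (not from the original deck), the script below parses W3C Extended log lines from their `#Fields:` header and flags two things a defender would want to see: clients with repeated failed logons (status 401) and requests for the sample/admin virtual directories the deck says to remove, which on a hardened server should never be requested. The function names and the log lines are this example's own constructions.

```powershell
# Added example (not from the original deck): parse IIS W3C Extended log lines
# and report clients with repeated 401s or requests for removed sample dirs.
# The log lines below are constructed for this example.

$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-01 00:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 15
2013-05-01 00:00:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 12
2013-05-01 00:00:03 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 11
2013-05-01 00:00:04 10.0.0.5 GET /owa/ - 443 CORP\alice 198.51.100.2 Mozilla/5.0 200 0 0 40
2013-05-01 00:00:05 10.0.0.5 GET /iisadmin/ - 80 - 203.0.113.7 curl/7.29 404 0 2 3
2013-05-01 00:00:06 10.0.0.5 GET /scripts/ - 80 - 203.0.113.7 curl/7.29 404 0 2 2
2013-05-01 00:00:07 10.0.0.5 GET /msadc/ - 80 - 203.0.113.7 curl/7.29 404 0 2 2
'@

# Turn W3C Extended lines into objects whose property names are the #Fields names.
function ConvertFrom-W3CLog([string[]]$Lines) {
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($null -eq $fields -or $values.Count -ne $fields.Count) { continue }  # skip malformed lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Virtual directories the deck says to remove; any request for them deserves a look.
$removedDirs = '/iisadmin', '/iishelp', '/iissamples', '/scripts', '/msadc'

function Find-SuspiciousClients($Entries, [int]$FailedLogonThreshold = 3) {
    foreach ($g in ($Entries | Group-Object 'c-ip')) {
        $failed = @($g.Group | Where-Object { $_.'sc-status' -eq '401' }).Count
        $probes = @($g.Group | Where-Object {
            $stem = $_.'cs-uri-stem'.ToLower()
            $removedDirs | Where-Object { $stem.StartsWith($_) }
        }).Count
        if ($failed -ge $FailedLogonThreshold -or $probes -gt 0) {
            [pscustomobject]@{ ClientIP = $g.Name; FailedLogons = $failed; RemovedDirRequests = $probes }
        }
    }
}

$entries = ConvertFrom-W3CLog ($sampleLog -split "`r?`n")
Find-SuspiciousClients $entries | Format-Table -AutoSize
# Against real logs (path is the IIS default, adjust if logs were relocated per the slide):
# Find-SuspiciousClients (ConvertFrom-W3CLog (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log))
```

On the constructed lines this reports 203.0.113.7 with three failed logons and three requests for removed directories, and nothing for the authenticated client. The same parsed objects can be bulk-loaded into SQL Server for the longer-term analysis the slide suggests.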
• Web Server Security – Services configuration
IIS Architecture and Components
[Diagram, user-mode components: Inetinfo.exe process (SMTP, FTP, IIS Admin Service, Metabase) over the WinSock API; Svchost.exe (WWW Service, Windows Process Activation Service (WAS)) over the HTTP.sys API; App Pool 1, App Pool 2 and App Pool 3 (web garden), each hosting ISAPI filters, managed modules and ISAPI extensions. Kernel-mode components: HTTP.sys kernel driver (HTTP listener, request queues, kernel output cache, SSL) on top of the TCP/IP protocol layer; configuration in ApplicationHost.config]
IIS System
• System
  – Run IISLockdown on the server
  – Install and configure URLScan
  – Configure the ASP.NET process account for least privilege
  – Disable the ASP.NET state service if it is not used by your applications
  – Disable WebDAV if it is not used by the application, or secure it if it is required (see "How To: Create a Secure WebDAV Publishing Directory" at support.microsoft.com)
  – Do not install the MS FrontPage Server Extensions unless required
• Script Mappings
  – Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer)
  – Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config
• Sites and Virtual Directories
  – Disable the "Parent paths" setting
  – Remove potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp and Scripts
  – Remove or secure the MSADC virtual directory (RDS)
  – Do not grant Read web permission on include directories
  – Allow script source access only on folders that support content authoring
  – Allow write access only on folders that support content authoring, and configure those folders for authentication (and SSL encryption, if required)
  – Remove FrontPage Server Extensions (FPSE) if not used; if FPSE are used, update them and restrict access to them
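The Script Mappings and Sites and Virtual Directories bullets above, together with the anonymous-account rules from the Windows System slide, can be verified per site. The script below is an added example, not part of the original deck. It uses the WebAdministration module that ships with IIS 7.5 and later, so the deck's IIS 6 steps are expressed as their IIS 7+ equivalents: the 404.dll mappings become request-filtering denials in applicationHost.config, and the metabase-era virtual directory list is read from the site configuration. The check list, thresholds and function names are this example's own; run it elevated on the web server.

```powershell
# Added example (not from the original deck): read-only IIS hardening audit per
# site, using the WebAdministration module (IIS 7.5+). IIS 6 items from the
# deck are mapped to their IIS 7+ equivalents. Reports only; changes nothing.

Import-Module WebAdministration

# Extensions the deck says to map away (IIS 7+: deny them in request filtering).
$unusedExt = '.idq', '.htw', '.ida', '.shtml', '.shtm', '.stm', '.idc', '.htr', '.printer'
# Virtual directories the deck says to remove.
$dangerousVdirs = 'IISSamples', 'IISAdmin', 'IISHelp', 'Scripts', 'MSADC'

function Test-IisSiteHardening([string]$SiteName) {
    $psPath = "IIS:\Sites\$SiteName"
    # Small result constructor; $SiteName is visible to the script block when invoked here.
    $r = { param($Check, $Pass, $Detail)
           [pscustomobject]@{ Site = $SiteName; Check = $Check; Pass = [bool]$Pass; Detail = $Detail } }

    # 1. Every unused extension must have an explicit allowed="false" fileExtensions entry.
    $fe = (Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/fileExtensions' -PSPath $psPath).Collection
    $notDenied = @($unusedExt | Where-Object {
        $ext = $_
        -not ($fe | Where-Object { $_.fileExtension -eq $ext -and -not $_.allowed })
    })
    & $r 'Unused extensions denied' ($notDenied.Count -eq 0) ('not denied: ' + ($notDenied -join ', '))

    # 2. Classic ASP parent paths disabled.
    $asp = Get-WebConfiguration -Filter 'system.webServer/asp' -PSPath $psPath
    & $r 'Parent paths disabled' (-not $asp.enableParentPaths) "enableParentPaths=$($asp.enableParentPaths)"

    # 3. Sample/admin virtual directories absent from the site.
    $vdirs = @(Get-WebVirtualDirectory -Site $SiteName | ForEach-Object { $_.path.TrimStart('/') })
    $present = @($dangerousVdirs | Where-Object { $vdirs -contains $_ })
    & $r 'No sample/admin virtual directories' ($present.Count -eq 0) ('present: ' + ($present -join ', '))

    # 4. Anonymous identity is a custom account rather than the default IUSR.
    $anon = Get-WebConfiguration -Filter 'system.webServer/security/authentication/anonymousAuthentication' -PSPath $psPath
    $custom = $anon.enabled -and $anon.userName -and ($anon.userName -ne 'IUSR')
    & $r 'Custom least-privileged anonymous account' $custom "userName='$($anon.userName)' enabled=$($anon.enabled)"

    # 5. That account holds no Allow ACE with Write or ExecuteFile on the site's content folder.
    $root = (Get-Website -Name $SiteName).physicalPath -replace '%SystemDrive%', $env:SystemDrive
    $bad = @()
    if ($anon.userName) {
        $mask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::ExecuteFile
        $bad = @((Get-Acl -Path $root).Access | Where-Object {
            $_.IdentityReference.Value -like "*\$($anon.userName)" -and
            $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $mask)
        })
    }
    & $r 'Anonymous account lacks write/execute on content' ($bad.Count -eq 0) "$($bad.Count) Allow ACE(s) with write/execute"
}

# Server-wide: WebDAV is a Windows feature; flag it when installed.
Get-WindowsFeature -Name Web-DAV-Publishing | Where-Object Installed |
    ForEach-Object { Write-Warning 'WebDAV publishing is installed: remove it, or secure it as the slide describes.' }

Get-Website | ForEach-Object { Test-IisSiteHardening $_.Name } | Format-Table -AutoSize
```

Each row with Pass = False corresponds to one bullet on the slide; the Detail column names the extension, directory or ACE that needs attention so the fix can be made in IIS Manager or with Set-WebConfigurationProperty.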