Understanding Microsoft Web Application Security
Rajya Bhaiya, Gradient Vision (Info@GradientVision.com, (415) 599-0220, www.gradientvision.com)
Presented to the (ISC)² San Francisco Chapter (Info@ISC2-SF-Chapter.org, (415) 602-3751, www.isc2-sf-chapter.org)
Agenda
- Network Security: network topology
- Windows Security: operating system configuration
- Web Server Security: services configuration
- Code Security: best practices for data and custom code
Common practice: NAT'd ports
(Diagram: external users reach four web servers in the DMZ through the firewall; behind them, on the corporate network, sit Outlook Web Access, Exchange, Lync, DFS, SQL 2012 and an ERP system.)
- Traditional layout: a DMZ in front of the corporate network
- External users are let in by NAT rules that forward ports 80/443 straight to the web servers
- No inspection of the traffic on those ports; only source and destination IP are logged
- The Exchange 2010 Client Access role is not supported in a DMZ, so it has to live on the internal network
- Risk: this allows a frontal assault on the published servers; every request, valid or malicious, is forwarded unexamined
Next step: Layer 7 firewalls
(Same topology; the port-forwarding firewall is upgraded to a Layer 7, application-aware firewall.)
- The firewall checks that each inbound request is valid HTTP: if valid it is forwarded, otherwise the packet is dropped
- HTTPS can be used to secure the traffic between client and server
- Caveat: most application firewalls cannot inspect HTTPS, so encrypted requests pass through with no more checking than the NAT design gave them
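To make the "valid HTTP request, else drop" decision concrete, here is a minimal model of that check written for this page (example code, not part of the original deck and not Microsoft TMG logic). It models a generic Layer 7 device; the permitted method list and the published host names are assumptions. It also illustrates the caveat above: everything it inspects is plaintext, so an HTTPS stream would have to be terminated first, which is what the TMG/UAG design on the next slide does.

```powershell
# Added example, not from the original deck: a minimal model of the "is this a valid
# HTTP request?" check a Layer 7 firewall applies before forwarding to the DMZ web
# servers. It models a generic device, not Microsoft TMG; the method list and the
# published host names are assumptions.

$AllowedMethods = @('GET', 'HEAD', 'POST')                     # what the published apps need
$PublishedHosts = @('mail.example.com', 'portal.example.com')  # assumed published names

function Test-HttpRequest {
    # Takes the raw request head (CRLF line endings) and returns Allowed + Reason.
    param([Parameter(Mandatory)][string]$Raw)

    $verdict = { param($ok, $why) [pscustomobject]@{ Allowed = $ok; Reason = $why } }
    $lines   = $Raw -split "`r`n"

    # Request line must be exactly: METHOD SP origin-form-target SP HTTP/1.x
    if ($lines[0] -notmatch '^([A-Z]+) (/\S*) HTTP/1\.[01]$') {
        return & $verdict $false 'malformed request line (not HTTP)'
    }
    $method = $Matches[1]; $target = $Matches[2]
    if ($AllowedMethods -notcontains $method) {
        return & $verdict $false "method $method not permitted"
    }

    # Decode twice so %252e%252e (double-encoded "..") is caught as well, then refuse
    # traversal sequences and control characters in the path.
    $decoded = [Uri]::UnescapeDataString([Uri]::UnescapeDataString($target))
    if ($decoded -match '\.\.[\\/]|[\x00-\x1f]') {
        return & $verdict $false 'traversal or control characters in request target'
    }

    # Header block: "Name: value" lines until the empty line; Host is mandatory and
    # must be a name this gateway actually publishes.
    $headers = @{}
    for ($i = 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -eq '') { break }
        if ($lines[$i] -notmatch '^([A-Za-z0-9\-]+):\s*(.*)$') {
            return & $verdict $false "malformed header '$($lines[$i])'"
        }
        $headers[$Matches[1].ToLower()] = $Matches[2]
    }
    if (-not $headers.ContainsKey('host')) {
        return & $verdict $false 'Host header missing'
    }
    $hostName = ($headers['host'] -split ':')[0].ToLower()
    if ($PublishedHosts -notcontains $hostName) {
        return & $verdict $false "host '$hostName' is not published"
    }
    return & $verdict $true 'valid HTTP request'
}

# Constructed sample traffic: a legitimate OWA request, a double-encoded traversal
# probe, a request addressed to the raw IP, and a non-HTTP banner.
$samples = @(
    "GET /owa/ HTTP/1.1`r`nHost: mail.example.com`r`nUser-Agent: test`r`n`r`n",
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe HTTP/1.0`r`nHost: mail.example.com`r`n`r`n",
    "GET /owa/ HTTP/1.1`r`nHost: 203.0.113.10`r`n`r`n",
    "SSH-2.0-OpenSSH_8.9`r`n"
)
foreach ($s in $samples) {
    $r = Test-HttpRequest -Raw $s
    '{0} {1}' -f ($(if ($r.Allowed) { 'FORWARD' } else { 'DROP   ' }), $r.Reason)
}
```

Only the first sample is forwarded. The point of the Host check is that a reverse proxy should publish names, not addresses: a request for the bare IP is a scanner, not a user, and the NAT design on the previous slide would have passed it through.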
Microsoft TMG/UAG implementation
(Same topology; Forefront Threat Management Gateway (TMG) / Unified Access Gateway (UAG) servers in the DMZ carry the same certificate as the web servers behind them.)
- TMG/UAG supports a server farm behind it
- Install the same certificate as the web servers on the TMG servers: TMG terminates the TLS session, so it can open and inspect all traffic, including HTTPS, before re-encrypting it to the farm
- A smarter proxy system: malicious traffic is dropped at the TMG/UAG tier, so there is no need to install every security update on the web servers the day it is released (the gateway is a compensating control that buys time to test patches, not a replacement for applying them)
- Both products have since been discontinued by Microsoft; the pattern, a TLS-terminating reverse proxy with a web application firewall in the DMZ, still applies
UAG internal architecture
- Windows Server 2012 support
- Multi-domain support (complex)
- Multiple entry points with automatic failover
- Monitoring and troubleshooting: problematic
- DirectAccess: always-connected clients, no VPN client application to install
UAG solution architecture (diagram slide)
UAG vs TMG
Feature comparison, TMG 2010 vs UAG 2010 (UAG offers all of the following; "basic" marks the features TMG offers only in basic form):
- Wizards and predefined settings (TMG: basic)
- Information leakage prevention (session clean-up)
- Endpoint health-based authorization
- Web farm load balancing (WFLB)
- Advanced authentication schemes (e.g. AD FS)
- Rich client authentication
- Single sign-on
- Unified portal
- Application protection (web application firewall) (TMG: basic)
- Policy-based access (granular policies)
- Array support
- AAM support (SharePoint alternate access mappings)
- Customization and manipulation of the UI and applications (TMG: basic)

Forefront Threat Management Gateway (TMG) is an outbound Internet proxy for internal corporate users. It includes anti-virus, anti-malware and intrusion-detection features, can impersonate the external site's SSL certificate (outbound HTTPS inspection, using a certificate issued by a CA the clients trust) and performs application-level inspection of the traffic.
Forefront Unified Access Gateway (UAG) is the recommended choice for inbound access to internal corporate resources. It acts as a reverse proxy for applications such as OWA and MOSS (SharePoint) and has robust DirectAccess support. UAG also includes the TMG engine.
Windows Security: operating system configuration
First dilemma: which Windows installation option
- Server Core: none of the GUI server features is enabled
- Minimal Server Interface (MinShell): Graphical Management Tools and Infrastructure only
- Full Installation: both features are enabled, Graphical Management Tools and Infrastructure plus Server Graphical Shell
- Full Installation with Desktop Experience: adds Windows Runtime and the Windows Store, i.e. the ability to buy, download and run apps from the Start screen
The less that is installed, the smaller the patch surface and attack surface of the web server.
Easy to switch between the installation levels: on Windows Server 2012 the GUI components are ordinary features that can be added or removed after installation, so a server can be built Full for convenient setup and reduced to Server Core once it is configured.
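The switch itself is just feature management. The following script was written for this page as an added example (it is not from the original deck); it uses the built-in ServerManager cmdlets of Windows Server 2012 / 2012 R2. The feature names are the real ones; the install.wim path and image index in the comments are assumptions you must check against your own media. Windows Server 2016 and later removed the ability to convert between Core and Desktop Experience, so this applies to 2012 only.

```powershell
# Added example, not from the original deck. On Windows Server 2012 / 2012 R2 the
# installation levels on the previous slide are three features being present or
# absent, so a server can be moved between them after installation. Cmdlets are
# from the built-in ServerManager module; this does not work on Server 2016+.
Import-Module ServerManager

$GuiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell', 'Desktop-Experience'

function Get-InstallLevel {
    # Maps the installed GUI features to the slide's installation levels.
    $f = Get-WindowsFeature -Name $GuiFeatures
    $installed = @($f | Where-Object { $_.Installed } | ForEach-Object Name)
    if ($installed -notcontains 'Server-Gui-Mgmt-Infra') { return 'ServerCore' }
    if ($installed -notcontains 'Server-Gui-Shell')      { return 'MinimalServerInterface' }
    if ($installed -notcontains 'Desktop-Experience')    { return 'Full' }
    return 'FullWithDesktopExperience'
}

function Set-InstallLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ServerCore', 'MinimalServerInterface', 'Full')]
        [string]$Level,
        # Only needed to go *up* a level after the payload was purged with -Remove,
        # e.g. 'wim:D:\sources\install.wim:4' (assumed path; check the index with
        # Get-WindowsImage -ImagePath D:\sources\install.wim).
        [string]$Source,
        # Also purge the binaries of removed features from the component store so
        # they cannot be re-enabled without install media.
        [switch]$Remove
    )
    $wanted = switch ($Level) {
        'ServerCore'             { @() }
        'MinimalServerInterface' { @('Server-Gui-Mgmt-Infra') }
        'Full'                   { @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell') }
    }
    $current   = @(Get-WindowsFeature -Name $GuiFeatures | Where-Object { $_.Installed } | ForEach-Object Name)
    $toRemove  = @($current | Where-Object { $wanted  -notcontains $_ })
    $toInstall = @($wanted  | Where-Object { $current -notcontains $_ })

    if ($toRemove.Count -gt 0) {
        # Server-Gui-Shell and Desktop-Experience depend on Server-Gui-Mgmt-Infra;
        # listing every feature to drop avoids relying on dependency handling.
        Uninstall-WindowsFeature -Name $toRemove -Remove:$Remove
    }
    if ($toInstall.Count -gt 0) {
        if ($Source) { Install-WindowsFeature -Name $toInstall -Source $Source }
        else         { Install-WindowsFeature -Name $toInstall }
    }
    Write-Warning "Installation level set to $Level; restart the server to complete the change."
}

"Current level: $(Get-InstallLevel)"
# Typical sequence for a web server built from the Full installation:
# Set-InstallLevel -Level MinimalServerInterface     # keep the MMC tooling, drop the shell
# Set-InstallLevel -Level ServerCore -Remove         # final state, GUI payload purged
```

Purging with -Remove is the security-relevant choice: without it the GUI binaries stay in the component store and can be re-enabled by anyone with local administrator rights and no media.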
Windows System
System
- Place the server in a physically secure location
- Do not share accounts among administrators
- Secure physical media (floppy drive, CD-ROM drive and so on)
- Do not connect an IIS server to the Internet until it is fully hardened
- Install service packs, patches and hotfixes
- Secure the Extensible Firmware Interface (EFI/UEFI) settings
- Secure the SAM: set HKLM\System\CurrentControlSet\Control\LSA\NoLMHash so that the weak LM hash of passwords is no longer stored
- Do not install IIS on a domain controller
- Do not install a printer
Accounts
- Remove unused accounts from the server
- Rename the Administrator account
- Require approval for account delegation
- Enforce strong password policies
- Do not create more than two accounts in the Administrators group
- Disable the Windows Guest account
- Disable the IUSR_MACHINE account if the application does not use it (IIS 7 and later use the built-in IUSR account instead)
- Create a custom least-privileged anonymous account
- With multiple web applications, configure a separate anonymous user account for each
- Do not give the anonymous account write or execute access
Windows System (continued)
Network
- Restrict Internet-facing interfaces to ports 80/443
- Use two network interfaces in the server: one for administration, one for the public network
- Disable NetBIOS and SMB on the public interface (closing ports 137, 138, 139 and 445)
Content storage
- Put web site content on a non-system NTFS volume
- Put log files on a volume that holds neither the system nor the web site content
- Reconfigure the Recycle Bin and page file data policies
Auditing and logging
- Audit failed logon attempts
- Relocate and secure the IIS log files, and analyze them
- Audit access to the Metabase.bin file (IIS 6; on IIS 7 and later, applicationHost.config)
- Configure IIS for W3C Extended log file format
- Use SQL Server to analyze web logs
Remote administration / other services
- Restrict remote registry access
- Restrict remote logons
- Secure remote administration: configure encryption and short session time-outs
- Disable the Telnet, FTP, SMTP, MS Index Server and NNTP services if they are not required
Shares
- Remove all unnecessary shares
- Restrict access to required shares
- Remove the administrative shares (C$ and Admin$)
Remove unwanted content
- Remove resource kit tools, utilities and SDKs
- Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples)
- Restrict the Everyone group (no access to \WINNT\system32 or the web directories)
- Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin)
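Most of the items on the two "Windows System" slides can be verified from PowerShell. The script below was written for this page as an added example (not part of the original deck) and performs a read-only audit of the checkable items: the NoLMHash setting, the renamed Administrator and disabled Guest accounts (found by their well-known RIDs rather than by name), the Administrators group size, IUSR_* accounts, administrative shares, NetBIOS and SMB1, the listed services, and failed-logon auditing. It uses WMI, ADSI and the registry so it runs on Windows Server 2012 as well as later versions; run it elevated. Nothing is changed.

```powershell
# Added example, not from the original deck: a read-only audit of items from the two
# "Windows System" slides that can be checked from PowerShell. Run it elevated on the
# IIS host; it returns one object per check and changes nothing. WMI and the registry
# are used instead of the newer LocalAccounts cmdlets so it also runs on Server 2012.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WindowsHardeningFindings {
    $out = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Pass, $Detail)
        $out.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # SAM: NoLMHash=1 stops the weak LM hash being stored at the next password change.
    $noLm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash'
    & $add 'NoLMHash set' ($noLm -eq 1) "NoLMHash=$noLm"

    # Accounts: RIDs 500/501 identify Administrator and Guest even after a rename,
    # so they are located by SID suffix rather than by name.
    $local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
    $admin = $local | Where-Object { $_.SID -like '*-500' }
    $guest = $local | Where-Object { $_.SID -like '*-501' }
    & $add 'Administrator renamed' ($admin.Name -ne 'Administrator') "RID 500 is '$($admin.Name)'"
    & $add 'Guest disabled' (-not $guest -or $guest.Disabled) "Guest disabled=$($guest.Disabled)"
    $iusr = @($local | Where-Object { $_.Name -like 'IUSR_*' -and -not $_.Disabled })
    & $add 'No enabled IUSR_* accounts' ($iusr.Count -eq 0) ($iusr.Name -join ', ')

    # No more than two members in the local Administrators group.
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($grp.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    & $add 'Administrators group <= 2 members' ($members.Count -le 2) ($members -join ', ')

    # Shares: C$/ADMIN$ gone, and AutoShareServer=0 so they do not return on reboot.
    $adminShares = @(Get-WmiObject Win32_Share | Where-Object { 'C$', 'ADMIN$' -contains $_.Name })
    $autoShare = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareServer'
    & $add 'Administrative shares removed' ($adminShares.Count -eq 0 -and $autoShare -eq 0) `
        "present: $($adminShares.Name -join ', '); AutoShareServer=$autoShare"

    # NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked per IP-enabled adapter.
    $nbt = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    & $add 'NetBIOS over TCP/IP disabled' ($nbt.Count -eq 0) ($nbt.Description -join ', ')

    # SMB1 (ports 139/445): Server 2012+ can disable the protocol outright.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        & $add 'SMB1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"
    }

    # Services the slide says to disable when not required, plus Remote Registry.
    # cisvc is the Indexing Service (MS Index Server).
    foreach ($svc in 'RemoteRegistry', 'TlntSvr', 'MSFTPSVC', 'SMTPSVC', 'NNTPSVC', 'cisvc') {
        $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
        if ($s) { & $add "$svc disabled" ($s.StartMode -eq 'Disabled') "StartMode=$($s.StartMode)" }
    }

    # Failed logons audited: auditpol /r emits CSV, which parses reliably.
    $logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
    & $add 'Failed logons audited' ($logon.'Inclusion Setting' -match 'Failure') $logon.'Inclusion Setting'

    return $out
}

Get-WindowsHardeningFindings | Format-Table Check, Pass, Detail -AutoSize
```

Checks that the slide phrases as policy (physical security, not sharing accounts, two network interfaces) cannot be read off the machine and are left to the review checklist. Because findings are returned as objects, the same function can be run across a farm with Invoke-Command and the output filtered on Pass -eq $false.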
Web Server Security: services configuration
IIS architecture and components (diagram)
- Kernel-mode components: the HTTP.sys kernel driver (HTTP listener, request queues, kernel output cache, SSL) sitting on the TCP/IP protocol layer
- User-mode components: Svchost.exe hosts the WWW Service and the Windows Process Activation Service (WAS), which read applicationHost.config; Inetinfo.exe hosts the IIS Admin Service with the metabase, plus FTP and SMTP, over the WinSock API
- Worker processes: App Pool 1, App Pool 2 and App Pool 3 (a web garden), each loading ISAPI filters, ISAPI extensions and managed modules
IIS System
- Run IISLockdown on the server, and install and configure URLScan (IIS 5/6 tools; on IIS 7 and later the built-in Request Filtering module covers the same ground)
- Configure the ASP.NET process account for least privilege
- Disable the ASP.NET state service if your applications do not use it
- Disable WebDAV if the application does not use it, or secure it if it is required (see How To: Create a Secure WebDAV Publishing Directory at support.microsoft.com)
- Do not install the FrontPage Server Extensions unless required
Script mappings
- Map extensions the application does not use to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer)
- Map unnecessary ASP.NET file-type extensions to HttpForbiddenHandler in Machine.config
Sites and virtual directories
- Disable the Parent Paths setting
- Remove potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp and Scripts
- Remove or secure the MSADC virtual directory (RDS)
- Do not grant include directories the Read web permission
- Allow script source access only on folders that support content authoring
- Allow write access only on folders that support content authoring, and require authentication (and SSL, if needed) on those folders
- Remove the FrontPage Server Extensions (FPSE) if not used; if they are used, update them and restrict access to them
- Remove the IIS Internet Printing virtual directory
Server certificates
- Ensure certificate date ranges are valid
- Use certificates only for their intended purpose (for example, the server certificate is not used for e-mail)
- Ensure the certificate chain is valid all the way to a trusted root authority
- Confirm that the certificate has not been revoked
Machine.config
- Map protected resources to HttpForbiddenHandler
- Remove unused HttpModules
- Disable tracing: <trace enabled="false" />
- Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb" />
ISAPI filters
- Remove unnecessary or unused ISAPI filters from the server
IIS metabase
- Restrict access to the metabase with NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin)
- Restrict IIS banner information (disable the server's IP address in the Content-Location header)
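The IIS items from the "IIS System", "Machine.config" and "IIS metabase" slides translate to IIS 7.5 and later as follows. This script was written for this page as an added example (it is not from the original deck) and uses the WebAdministration module. Where the slides name IIS 5/6 mechanisms, the IIS 7+ equivalent is used: Request Filtering instead of URLScan and 404.dll mappings, applicationHost.config instead of the metabase. The site name, application pool, anonymous account name, log path and public host name are assumptions; run it elevated on a test server first.

```powershell
# Added example, not from the original deck: applies the IIS items from the
# "IIS System", "Machine.config" and "IIS metabase" slides to IIS 7.5 or later with
# the WebAdministration module. Site name, pool, anonymous account, log path and
# host name are assumptions. Run elevated.
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # assumed
$AppPool  = 'DefaultAppPool'            # assumed
$AnonUser = 'IUSR_WebApp1'              # assumed pre-created least-privilege account
$LogDir   = 'E:\IISLogs'                # assumed non-system, non-content volume
$HostName = 'www.example.com'           # assumed public name for Content-Location
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config (replaces the metabase)
$WebRoot  = 'MACHINE/WEBROOT'           # root web.config: the slide's Machine.config items

# Script mappings: the extensions the slide maps to 404.dll are denied by Request
# Filtering instead, which rejects them (HTTP 404.7) before any handler is loaded.
$rf = 'system.webServer/security/requestFiltering/fileExtensions'
$denied  = '.idq', '.htw', '.ida', '.shtml', '.shtm', '.stm', '.idc', '.htr', '.printer'
$already = @(Get-WebConfigurationProperty -PSPath $AppHost -Filter $rf -Name Collection |
    ForEach-Object fileExtension)
foreach ($ext in ($denied | Where-Object { $already -notcontains $_ })) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $rf -Name '.' -Value @{ fileExtension = $ext; allowed = 'False' }
}

# Sites and virtual directories: no parent paths (classic ASP), no WebDAV module.
Set-WebConfigurationProperty -PSPath $AppHost -Filter system.webServer/asp -Name enableParentPaths -Value $false -ErrorAction SilentlyContinue
if (Get-WebGlobalModule -Name WebDAVModule) { Remove-WebGlobalModule -Name WebDAVModule }

# Machine.config items, applied at the root web.config level: no tracing, no debug
# builds, and remote users never see the ASP.NET error page ("yellow screen of death").
Set-WebConfigurationProperty -PSPath $WebRoot -Filter system.web/trace        -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $WebRoot -Filter system.web/compilation  -Name debug   -Value $false
Set-WebConfigurationProperty -PSPath $WebRoot -Filter system.web/customErrors -Name mode    -Value RemoteOnly

# Least privilege: the worker process runs as its virtual ApplicationPoolIdentity, and
# this site gets its own anonymous account so applications cannot read each other's data.
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel.identityType -Value ApplicationPoolIdentity
$anonPw = Read-Host -Prompt "Password for $AnonUser"
$anon = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $anon -Name userName -Value $AnonUser
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $anon -Name password -Value $anonPw

# Logging: W3C Extended format, on a volume that holds neither Windows nor content.
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logFormat -Value W3C
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.directory -Value $LogDir

# Banner: IIS writes its own IP address into Content-Location/Location on courtesy
# redirects (e.g. adding a trailing slash) unless alternateHostName is set.
Set-WebConfigurationProperty -PSPath $AppHost -Filter system.webServer/serverRuntime -Name alternateHostName -Value $HostName

# ISAPI filters: list what is loaded so anything unused can be removed deliberately.
Get-WebConfigurationProperty -PSPath $AppHost -Filter system.webServer/isapiFilters -Name Collection |
    Select-Object name, path | Format-Table -AutoSize
```

The same Get-WebConfigurationProperty calls, run without the Set-, give a before/after view of each setting for a hardening report. Denying an extension in Request Filtering is only safe once you have confirmed from the site's own handler mappings and content that nothing serves it.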
Code Security: best practices for data and custom code
Recommended reading
- Buffer overruns
- Determining good access control
- Running with least privilege
- Cryptographic foibles
- Don't use the registry as a database
- Create and store temporary files securely
- Allow long passwords
- Cross-site scripting
- SQL injection
- Stack overflows
- Custom error pages (never show users the ASP.NET "yellow screen of death")
- Samples are typically templates, not production code: beware!
QUESTIONS
Windows 2012 hidden feature
Thank you for your attention!
Our core focus:
- Microsoft Dynamics CRM
- Microsoft SharePoint
- Cloud computing: Azure, Amazon, Office 365
- Database and business intelligence: databases, data integration (Integration Services), business intelligence (Reporting Services, Analysis Services)
References
- http://www.technet.com
- http://www.msdn.microsoft.com
- http://video.ch9.ms/teched/2012/na/wsv326.pptx