Search results matching tag 'security risks'

Risks of unmanaged IIS7

giis2 — Mon, 27 Apr 2009 12:56:04 GMT

Hi,

I've got myself a hard question:

I'm devloping a process control system that consists of a Windows Vista PC combined with a Windows XP machine (connected through windows network, separate adapter). On the Vista PC, IIS 7 is running with an ASP.NET application with form based authentication. The Vista PC is also used for the local UI (WinForms) and data storage.
To use the application we should attach the Vista PC to the internet and opening port 80 on the firewall.
We don't use Windows Update; we want a very stable system for our customer(s) without reboots. Therefore, patches can't be installed quickly if a vulnerability arises. The system is at least updated once a year.

So the question is: What are the risks of attaching a machine, containing an IIS/ASP.NET application that is not maintained at a daily basis, to the internet? For instance, what is the chance of being hacked into, so that others can control the machine?

Regards,

Jeff Hundam

IIS 6.0 with out Anti-virus and no firewall

jenefa — Wed, 15 Apr 2009 14:34:51 GMT

Hello All,

Due to performance reasons, can i run IIS 6.0 on a public ip without Anti-virus and firwall.

I am actively patching the server 2003.

Any thoughts about it, i really appreciate.

Jenefa

Guest account

dwheeler — Tue, 18 Nov 2008 20:28:57 GMT

to add to the security of our web server it has been recommended that the guest account be removed from the guest group, since annonymous is not allowed. Does anyone see any issues in IIS 6.0 if this is done?

UrlScan not blocking URL segments

RedCrystal — Tue, 30 Sep 2008 18:45:06 GMT

I'm using UrlScan 3.0 on IIS 6.0 (IIS 7.0 is not an option).

I need to block all requests for URLs which contain "NR" as a path segment:

http://localhost/NR/....

Here's my UrlScan.ini file (most settings are the defaults, changes are in italics, things I think are significant are in bold):

[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
UseFastPathReject=0
LogLongUrls=0
UnescapeQueryString=1
RejectResponseUrl=/FilterRejectUrl
LoggingDirectory=E:\UrlScan
AlternateServerName=
RuleList=BlockCmsNrRule

[BlockCmsNrRule]
DenyDataSection=BlockCmsNrRuleSegments
ScanURL=1

[BlockCmsNrRuleSegments]
/NR/

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
.exe
.bat
.cmd
.com

.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer

.ini
.log
.pol
.dat
.config

[AlwaysAllowedUrls]

[DenyUrlSequences]
..
./
\
:
%
&

[AlwaysAllowedQueryStrings]

[DenyQueryStringSequences]
<
>

The "Common UrlScan Scenarios" page (http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/) says of the rule data section (which I've named [BlockCmsNrRuleSegments]) "This list is case insensitive and allows entering encoded values of the format %XX, where XX are hexadecimal digits."

This is not quite what I'm encountering. If I use Fiddler to request http://localhost/%6ER/... (which is a valid escaped URL for /NR/ (case sensitive)), the request is indeed blocked (shows up in the log file and everything). But if I request http://localhost/%4Er/... (a valid escaped URL for /nr/ (case-sensitive)), that goes through and I get the resource I'm trying to block.

Is there a better way to write the rule to make sure clever URL escaping is still blocked? Or just to make sure I can totally block all requests for anything with that path segment? What am I missing?

Thanks,

Security considerations w/Front Page 2002 Server Extensions?

Lizard King 49 — Thu, 18 Sep 2008 16:12:14 GMT

Good morning, all. New to the forum. I have been looking, but can't find much data, and need info quickly.

Would there be any deal-breaking security implications with installing FPSE 2002 on an INTRANET server? Better yet, does anyone know of a usable page hit counter that would not require FSPE 2002 (which is about the only reason the user is requesting this)?

Thanks in advance for any help you may provide,

URLScan Recycle

jeremyn11 — Fri, 05 Sep 2008 18:24:12 GMT

In our URLScan logs we get the following quite a bit

- - - - - - - - - - - - - - - - - - - - - - - -

#Software: Microsoft UrlScan 3.0

#Version: 1.0

#Date: 2008-09-04 01:01:20

- - - - - - - - - - - - - - - - - - - - - - - -

Does anyone know if this means that UrlScan is recycling and we have a period of time where something like an SQL injection (if you setup the filters of course) can get through?

Respectfully,

-Jeremy

Re: Anyone know about www.nihaorr1.com/1.js?

ejhay — Thu, 22 May 2008 02:11:46 GMT

Hi, Im a System Administrator of a Hosting Company, and one of our website has been hacked with SQL injection, At first the hacker inserted nihaorr1.com/1.js most of the website table are being affected with this attacked, after that incident I developed a SQL validation that is similar on the asp script that you posted in this forum unfortunately the hacker inserted again a malicious URL on the MS SQL database what I did is I include the validation for all database driven pages to make the website secured but at this time the hacker can insert the script again and again. I think the hacker is using a problem that you executing this kind of hacking activity. please advise what else can I do with this problem. thanks

Re: Anyone know about www.nihaorr1.com/1.js?

ejhay — Thu, 22 May 2008 02:08:52 GMT

Hi, Im a System Administrator of a Hosting Company and one of our website has been hack with SQL injection, At first the hacker inserted nihaorr1.com/1.js most of the website table are being affected with this attacked, after I created that a created a SQL validation like one that you have posted in this forum unfortunately the hacker inserted again a malicious URL on the MS SQL database what I did is I include the validation for all database driven pages to make the website secured but at this time the hacker can insert the script again and again. I think the hacker is using a problem that you executing this kind of hacking activity. please advise what else can I do with this problem. thanks

Re: White-Paper on Secure Scalability of IIS 6.0 web apps (Windows Server 2003 R2)

species5618 — Fri, 18 Apr 2008 18:44:25 GMT

This is excatly what I have been doing for a few years,

A collegue and I are in the middle of writing it up as a high level design, hopefully if we can remove the corporate references we will publish this as a paper

but a few thing to note so far are

We use CIFS (windows shares on sep file server for content) while this has a performance hit, separating web server from content opens up a whole new world of possibilities for scale out and DR situations

Each web site should have its owns app pool (this is now standard on IIS7)
Then restrictions are applied via ASP.NET trusts which enforce these restrictions on each application (each application will run under medium trust which prevents OS access and file system access outside the applications folder). This means you cannot use the ADO.NET managed OLE DB data provider to access databases. However, you can use the managed SQL Server provider to access SQL Server databases.
EventLogPermission is not available. ReflectionPermission is not available. This means you cannot use reflection.
RegistryPermission is not available. This means you cannot access the registry.
WebPermission is restricted. This means your application can only communicate with an address or range of addresses that you define in the <trust> element.
FileIOPermission is restricted. This means you can only access files in your application's virtual directory hierarchy. Your application is granted Read, Write, Append, and PathDiscovery permissions for your application's virtual directory hierarchy.

Each application pool runs under its own Active Directory identity. This is granted minimum server access and read-only access to its own code area. Each application is run inside a dedicated application pool in web server memory, again under the same identity

using unique ID for each sites uses a LOT of desktop heap
see http://support.microsoft.com/kb/831135
and http://blogs.msdn.com/ntdebugging/archive/2007/01/04/desktop-heap-overview.aspx

SQL Database access / authentication will be achieved using a ‘trusted’ connection with the Worker process identity. As every application container has a dedicated domain account, this can be locked down to just code within the container. Using this method no extra UserId or password is required to connect to the database. Eliminating the use and need for any application accounts which can be used in an anonymous manner by the Application Support Groups or inadvertently displayed to end users during an error condition.
The application access to the SQL DB will only have Data_Reader and Data_writer
Where Possible the Application support staff only have DDL_admin , Data_Reader and Data_writer to the database as standard, while this may seem restrictive, it prevents them change various database parameters someone with DBO can, such as logging mode

ASP.NET caches pre-compiled ASPX code for speed. The default location of this cache is moved to the local data drive (typically H:) and minimal NTFS permissions set to ensure access is only available to appropriate worker processes. , ( i believe this is iis_wpg : create and create_owner:full control) this allows each app pool to create its cache and managed it, but it cannot be acess by any other application

To ensure the web as a service infrastructure is fully scalable, the touch points between the application and the infrastructure must be kept to a minimum and fully defined and controlled by the infrastructure. All touch points must be defined in virtual or alias terms.

File Path : uses DFS
Database connections : FQDN DNS Name
Downstream service connectivity (web services) : FQDN DNS Name
SMTP : All routed by Localhost

IUSR_SERVER Write permissions unacceptable?

rlang — Tue, 20 Nov 2007 20:06:17 GMT

I've read in a number of articles that giving IUSR_SERVER write permissions creates a huge security risk.

I'm working with a databaseless CMS using ASP/VBScript that needs IUSR set to read/write in order to function. Is there a way to allow the CMS to modify files without creating a security hole? I'm running IIS 6.0

Thanks in advance.