ASP + database (4)

Source: Internet
Author: User
Document directory
  • 6.7 IIS server security technical solution
  • 6.7.1 Unicode Vulnerability
  • 6.7.2 IIS CGI Interpretation Error Vulnerability
  • 6.7.3 .printer Buffer Vulnerability
  • 6.7.4 IIS Server Security Configuration
6.7 IIS server security technical solution

Because ASP is easy to use, more and more website back-end programs are written in the ASP scripting language. However, security vulnerabilities in ASP can give hackers an opening. Security is not only the network administrator's concern: program developers must also pay attention to security details and develop good security habits, or they will expose their websites to serious risk. Currently, ASP programs on most websites have one or more security vulnerabilities, yet these can be avoided when the program is written. This section analyzes IIS server vulnerabilities and their solutions in detail.

6.7.1 Unicode Vulnerability

The Unicode vulnerability is one of the most widely known vulnerabilities today and is often exploited by hackers. Knowing the intrusion methods hackers use lets you defend against these attacks effectively. The following describes how hackers use this vulnerability to intrude into a system and, from that analysis, derives a defense.

1. Solution Analysis

IIS 5.0/6.0 has a security vulnerability in Unicode character decoding that allows arbitrary commands to be executed remotely through IIS. When IIS opens a file whose name contains Unicode characters, it decodes the name. If a specially crafted encoding is supplied, IIS mistakenly opens or executes files outside the web root directory. An unauthorized user can then access any known file in the context of the IUSR_machinename account. This account is a member of the Everyone and Users groups by default, so any file on the same logical drive as the web root directory that these groups can access may be deleted, modified, or executed. Through this vulnerability, a user can view file contents, create folders, delete, copy and rename files, display the current environment variables of the target host, copy all files in a folder to another folder at once, move a folder to a specified directory, and display the contents of files of the same type in a specific path.

The Unicode vulnerability affects not only Chinese Windows IIS 6.0 + SP6, but also Chinese Windows 2000 + IIS 5.0 and Chinese Windows 2000 + IIS 5.0 + SP1.

2. Implementation Process

If hackers use the Unicode vulnerability to access the target host and execute FTP commands, such as downloading files from an FTP site, the commands are recorded; an intruder cannot hide the intrusion by deleting or renaming the file. The FTP log is in the WINNT/system32/logfiles/msftpsvc1 directory of the target host. If the hacker has executed FTP commands, the log file contains records similar to the following (126.0.0.1 is the intruder's IP address as recorded in the log):

    11:49:19 126.0.0.1 [2] USER WR 331
    11:49:19 126.0.0.1 [2] PASS - 230
    11:49:19 126.0.0.1 [2] sent /aa.txt 226
    11:49:19 126.0.0.1 [2] QUIT - 226
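
The following added example (not part of the original article) parses FTP log records laid out as time, client IP, [session], command, argument and status, and lists every session that completed a file transfer together with its client IP and login name. The sample lines are constructed, and treating "sent" and "created" as the transfer commands is an assumption about the log.

```python
import re
from collections import defaultdict

# Constructed sample: time, client IP, [session], command, argument, status.
SAMPLE_LOG = """\
11:49:19 126.0.0.1 [2] USER WR 331
11:49:19 126.0.0.1 [2] PASS - 230
11:49:19 126.0.0.1 [2] sent /aa.txt 226
11:49:19 126.0.0.1 [2] QUIT - 226
11:52:03 10.0.0.7 [3] USER backup 331
11:52:04 10.0.0.7 [3] PASS - 530
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+\[(?P<sid>\d+)\]\s*"
    r"(?P<verb>\S+)\s+(?P<arg>\S+)\s+(?P<status>\d{3})\s*$"
)
# Assumption: "sent" marks a download and "created" an upload in this log.
TRANSFER_VERBS = {"sent", "created"}


def parse_sessions(text):
    """Group log records by (client IP, session id)."""
    sessions = defaultdict(
        lambda: {"user": None, "logged_in": False, "transfers": []}
    )
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or malformed line
        session = sessions[(m["ip"], m["sid"])]
        verb, status = m["verb"].lower(), int(m["status"])
        if verb == "user":
            session["user"] = m["arg"]
        elif verb == "pass":
            session["logged_in"] = status == 230  # 230 = login accepted
        elif verb in TRANSFER_VERBS and status == 226:  # 226 = transfer done
            session["transfers"].append((m["time"], verb, m["arg"]))
    return dict(sessions)


def sessions_with_transfers(text):
    """Return only the sessions in which a file was actually transferred."""
    return {k: v for k, v in parse_sessions(text).items() if v["transfers"]}


if __name__ == "__main__":
    for (ip, sid), info in sessions_with_transfers(SAMPLE_LOG).items():
        print(ip, sid, info["user"], info["transfers"])
```
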

If the Unicode vulnerability exists in the network, you can use the following four solutions.

(1) Restrict the permissions of network users to access and call cmd commands.

(2) Delete or rename the scripts and MSADC directories if they are not necessary.

(3) Do not use the default winnt path when installing Windows NT. You can change the name to another folder, for example c:\mywindowsnt.

(4) Download the patches provided by Microsoft from the following addresses:

IIS 6.0 patch address:

http://www.microsoft.com/ntserve...q269862/default.asp

IIS 5.0 patch address:

http://www.microsoft.com/windows...q269862/default.asp

3. Additional instructions

You can use scanning software such as red.exe, superscan, rangescan scanner, the Unicode scanner uni2.pl, fluxay 6.7, and SSS to detect the Unicode vulnerability across an IP range in the network.

6.7.2 IIS CGI Interpretation Error Vulnerability

The IIS CGI interpretation error is also one of the vulnerabilities that hackers often exploit. If it is not fixed on the server in time, intruders may exploit it, increasing the server's exposure to attack.

1. Solution Analysis

When IIS loads an executable CGI program, it performs two decoding passes. The first pass decodes the CGI file name. After the file name check has passed, IIS performs the second decoding. Under normal circumstances, only the CGI parameters should be decoded in this second pass. However, because of the vulnerability, IIS mistakenly decodes the already decoded CGI file name again along with the CGI parameters, so the CGI file name is decoded twice. By carefully constructing CGI file names, attackers can bypass the security checks IIS applies to file names. Under some conditions, attackers can execute arbitrary system commands.
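
The ordering problem described above, as an added example that is not from the original article and is not IIS code: a resolver that checks the name after the first decode and then decodes again, next to one that refuses names still encoded after one pass and checks the final path. WEB_ROOT, the function names and the sample inputs are hypothetical and constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/webroot/scripts"  # hypothetical root directory for this demo


def _join(name):
    """Resolve a request name under WEB_ROOT, collapsing any '..' segments."""
    name = name.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, name))


def _inside_root(path):
    return path == WEB_ROOT or path.startswith(WEB_ROOT + "/")


def flawed_resolve(raw_name):
    """Order described above: decode, check, then decode again before use."""
    once = unquote(raw_name)
    if not _inside_root(_join(once)):
        return None                  # the check sees the once-decoded name
    return _join(unquote(once))      # second decode changes what was checked


def hardened_resolve(raw_name):
    """Decode once, refuse names still encoded, then check the final path."""
    name = unquote(raw_name)
    if unquote(name) != name:
        return None                  # multiply-encoded name: reject outright
    resolved = _join(name)
    return resolved if _inside_root(resolved) else None


# Constructed inputs: a plain name, then a singly and a doubly encoded
# parent-directory reference.
SAMPLES = ["default.asp", "%2e%2e/other.txt", "%252e%252e/other.txt"]


def compare():
    """Return (input, flawed result, hardened result) for each sample."""
    return [(s, flawed_resolve(s), hardened_resolve(s)) for s in SAMPLES]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Only the doubly encoded name gets past the flawed resolver, because the path it is checked against is not the path that is finally used.
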

2. Implementation Process

To avoid the IIS CGI interpretation error vulnerability and its adverse effect on system security, install the vulnerability patch. You can download it from Microsoft at the following address:

http://www.microsoft.com/Downloads/Release.asp?Releaseid=29787

3. Additional instructions

This vulnerability affects IIS 6.0/5.0 (without SP6/SP6a installed) and can be tested for with the SSS scanning software.

6.7.3 .printer Buffer Vulnerability

The .printer buffer vulnerability is often exploited by hackers. The following describes the hazards of this vulnerability and its solutions.

1. Solution Analysis

This vulnerability exists only on Windows 2000 servers running IIS 5.0. By default, the Internet Server Application Programming Interface (ISAPI) extension settings of IIS 5.0 map the .printer extension to msw3prt.dll. When a .printer URL request arrives, IIS 5.0 calls msw3prt.dll to interpret the request. Because msw3prt.dll does not check buffer boundaries adequately, a remote user can submit a specially crafted .printer URL request whose "Host:" field contains approximately B of data. A typical buffer overflow then occurs in the DLL, which may allow arbitrary code execution. After the overflow occurs, the web service stops responding to users, and Windows 2000 restarts it automatically, which makes it difficult for the system administrator to notice the attack.

2. Implementation Process

To avoid the .printer buffer vulnerability and its adverse impact on system security, install the Microsoft vulnerability patch from http://www.microsoft.com/downloads/...releaseid=29321.

3. Additional instructions

Many tools can detect the .printer vulnerability, such as easyscan (http://www.netguard.com.cn), x-scaner (http://www.xfocus.org) and the SSS scanning software.

6.7.4 IIS Server Security Configuration

For an ASP site to run securely and stably, it relies on an efficient and stable environment for compiling and executing ASP files. The IIS server is the carrier for compiling and executing ASP scripts, so its security directly determines the security of the entire ASP site. The following describes how to implement the security configuration of the IIS server.

1. Solution Analysis

The security configuration of the IIS server can be approached from the following aspects. The IIS server can execute several kinds of server-side scripts; to improve the security of the site, filter the scripts it is allowed to execute, that is, retain only the ASP-related mappings. The server should also enable authentication, and it is better to create a new directory for the site than to use the default site directory on the IIS server. These are only the basic measures for IIS server security configuration. In real deployments, analyze the specific situation to ensure the security of the site effectively.

2. Implementation Process

IIS security configuration can enhance the security of IIS sites. The following uses the Windows 2003 Server operating system as an example to describe how to configure IIS security.

(1) Select "Administrative Tools"> "Internet Information Service (IIS) manager" to open the "Internet Information Service (IIS) manager" window.

(2) Right-click the "default website" option and choose "properties" from the shortcut menu to open the "default website properties" dialog box, as shown in Figure 6.50.

Figure 6.50 "default website attributes" dialog box

(3) To record visits to the website so that you can analyze problems when they occur, select the "Enable Logging" check box and then choose the log format in the "active log format" drop-down list box. The differences between the log formats are small; common formats include Microsoft IIS Log File Format and W3C Extended Log File Format. Click "properties" to open the logging properties dialog box, where you can set the log properties in detail, as shown in Figure 6.51.

Figure 6.51 "logging properties" dialog box

(4) Select the "home directory" tab in the "default website properties" dialog box to configure the home directory and content permissions, as shown in Figure 6.52. There are three ways to assign a home directory. The "directory on this computer" option is selected by default; in the "local path" text box, type the path of the local home directory or click the "Browse" button to choose it. Select the "share location on another computer" option to specify a remote home directory in the form \\Server\ShareName. Select the "redirect to URL" option to point the site to a directory under another domain name, for example http://www.mingrisoft/bbs/, and use that as the home directory of the current website. Here, the author selects the "directory on this computer" option with the local path e:\chatsystem, as shown in Figure 6.52.

Figure 6.52 "main directory" tab

On the "home directory" tab, you can set site file permissions. If the file has read and write permissions, select the "read" and "write" check boxes. If the website file contains a script file, check the "script Resource Access" check box.

The execution permissions of an application are divided into "Pure script" and "script and Executable File". The difference between the two is that executable programs are executed on the server, with suffixes such as .exe, .dll and .bin, whereas script programs are first downloaded to the client and then interpreted and executed. Script programs are written in VBScript, JScript, Perl, PHP, and other scripting languages.

(5) Click "Configure" on the right of the "application settings" area to set the IIS extension mappings, as shown in Figure 6.53. You can delete unnecessary application mappings. If no other mappings are used, retain only the .asa and .asp file extensions.

Figure 6.53 "application configuration" dialog box

(6) Select the "ISAPI filter" tab in the "default website properties" dialog box to manage the ISAPI filters of the site, as shown in Figure 6.54. ISAPI filters are most commonly used in security-related applications, such as customer authentication. Click the "Add" button to add an ISAPI filter.

Figure 6.54 "ISAPI filter" tab

An "ISAPI filter" is one way of implementing a server-side application, also known as an ISAPI application: a program developed with ISAPI technology. Like the earlier CGI technology, ISAPI can implement interactive applications on a simple browser/server architecture. Because ISAPI uses little server memory and can run in its own memory space, it is very flexible and is gradually replacing CGI.

An ISAPI application is implemented as a dynamic link library, that is, a .dll file. Every request from a user accessing the website must pass through the .dll file for the application to run. Because it works like a sieve, this kind of application is called an ISAPI filter.

(7) Select the "Directory Security" tab in the "Default web site properties" dialog box to define the Windows User Account for accessing the site, as shown in Figure 6.55.

Figure 6.55 "Directory Security" tab

Click "edit" in the "authentication and Access Control" area to open the "authentication method" dialog box for accessing the main directory, as shown in Figure 6.56.

Figure 6.56 "authentication method" dialog box

Anonymous access uses the default user. To specify a different user for accessing the main directory, click "Browse" to open the "Select User" dialog box, as shown in Figure 6.57.

Figure 6.57 "Select User" dialog box

Note: The user account is the user on the operating system.

Click the name of the user that should have access and click OK to select it. Back in the "authentication method" dialog box, enter the user's password in the "password" text box and enter it again for confirmation, as shown in Figure 6.58.

Figure 6.58 Set User Password

Note: The password is the one set when the user was created in the operating system.

(8) Delete the inetpub directory installed by default. On the system disk (in this example, disk F), right-click the "inetpub" directory and select the "delete" command to delete it, as shown in Figure 6.59.

Figure 6.59 Delete the inetpub directory

Note: Deleting the inetpub directory installed by default prevents hackers from compromising the website by guessing its home directory.

(9) Delete useless virtual directories. Click the "default website" directory in the "Internet Information Service" window, as shown in Figure 6.60.

Figure 6.60 default website directory

(10) To prevent hackers from abusing IIS permissions and functions to cause damage, delete the following virtual directories: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, and MSADC. Right-click the directory to be deleted and select the "delete" command in the pop-up menu, as shown in Figure 6.61.

Figure 6.61 delete a virtual directory

3. Additional instructions

To create a secure and reliable web server, you must secure both Windows and IIS: IIS users are also Windows users, and the permissions on IIS directories depend on the permission control of the Windows NTFS file system. Protecting IIS therefore requires securing the Windows operating system first. The following measures help secure the Windows operating system:

(1) Use the NTFS file system, which makes it easy to manage the permissions of files and directories.

(2) Disable default sharing. Open the Registry Editor, expand "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", and add the value AutoShareServer with type REG_DWORD and value 0. This completely disables the "default share".

(3) Modify the sharing permissions. Immediately after creating a new share, change the default permissions of Everyone, so that visitors to the web server do not obtain unnecessary access permissions.

(4) Rename the system administrator account to guard against attacks by unauthorized users.
