A long time ago I saw an article on the Internet titled <Major risks of ASP.NET virtual hosts>. At the time I did not pay attention to it. Anyone who has run ASP virtual hosts knows that giving each user a separate server account, with permissions limited to that user's own directory, basically solves the FSO problem in ASP.
Recently I came across an ASP.NET webshell called WebAdmin. When I tested it against my own server, I was surprised to find that it had read permission on the server's C: drive, and modify and delete permissions across the whole hard disk. In that case, the security of my server ......
To confirm this further, I tested several well-known virtual host providers in China; all of them had the same problem as my server.
First, the cause of the vulnerability needs to be introduced.
A commonly used standard component in ASP is FileSystemObject (FSO), which gives ASP powerful file system access: it can read, write, delete and rename any directory or file on the server's hard disk. The FSO object comes from the scripting runtime library scrrun.dll provided by Microsoft.
In ASP.NET we found that this problem still exists and is harder to solve. That is because .NET, and therefore ASP.NET, has a new feature: a component no longer needs to be registered with regsvr32 as in classic ASP; you just upload the DLL class library to the bin directory and use it directly. This feature brings a lot of convenience to ASP.NET development, but it makes the ASP-era fix of deleting or renaming the DLL useless, so preventing the problem becomes more complicated. For details see <Major risks of ASP.NET virtual hosts>. This article only discusses the security settings of the virtual host.
In response to this problem I tried using the Microsoft .NET Framework Configuration tool to restrict the directory read permission of System.IO. After a long period of testing it did not work. Perhaps the mechanism was changed in .NET Framework 1.1?
Enough talk; on to the solution. In IIS 6, a Web application's worker process runs under the process identity Network Service. In IIS 5, out-of-process Web applications run under the IWAM_<ServerName> account, which is an ordinary local user account.
Network Service is a built-in account in Windows Server 2003. It is important to understand the difference between the local user accounts on IIS 5 (IUSR and IWAM) and built-in accounts. In Windows every account is assigned a SID (security identifier). The server identifies accounts by SID, not by the name associated with the SID; the name is only used when interacting with the user interface. The vast majority of accounts created on a server are local accounts, with a unique SID that identifies a member of that server's user database. Because the SID is unique to the server, it is not valid on any other system. Therefore, if you assign NTFS permissions on a file or folder to a local account and then copy the file with its permissions to another computer, there is no user account on the target computer for that SID to map to, even if an account with the same name exists there. This makes replicating content together with its NTFS permissions problematic.
A built-in account is a special type of account or group created by the operating system, such as the System account, Network Service, and the Everyone group. An important feature of these objects is that they have the same well-known SID on every system. When a file whose NTFS permissions are granted to a built-in account is copied, the permissions remain valid between servers because the built-in account's SID is the same on all of them. The Network Service account in Windows Server 2003 is designed specifically to give applications sufficient network access. In IIS 6, Web applications run without needing elevated privileges. This is a big step forward for IIS security, because no buffer overflow, malicious application or attack against an application can get into the System user context. More importantly, it is no longer possible to create "backdoors" for the System account, for example by using the InProcessIsapiApps metabase property to load an application into inetinfo.
When the Network Service account was designed, more than just IIS 6 applications were considered. It also has most (not all) of the permissions that w3wp.exe needs. For example, to run an ASP.NET application, the ASPNET user must have access to certain locations on an IIS 5 server. The w3wp.exe process identity must also have access to similar locations; in addition, some built-in groups are not assigned permissions by default.
For ease of management, the IIS_WPG group (IIS Worker Process Group) is created when IIS 6 is installed. Its members include Local System, Local Service, Network Service and the IWAM account. IIS_WPG members have the appropriate NTFS permissions and the necessary user rights, and can act as the process identity of an IIS 6 worker process.
Therefore the Network Service account has permission to access the locations above, sufficient rights to act as the process identity of an IIS 6 worker process, and permission to access the network.
In Windows Server 2003 the user context is called Network Service. These user accounts are created when the .NET Framework is installed. They have a unique password that is not easy to crack and are granted only limited permissions. The ASPNET or Network Service user can only access specific folders required to run Web applications, such as the /bin directory in which a Web application stores its compiled files.
To set the process identity to a specific user name in place of the ASPNET or Network Service identity, the user name and password you provide must be stored in the machine.config file.
However, in practice, System.IO in ASP.NET can access any unprotected path on the server without limit. I do not know whether this counts as a major Microsoft vulnerability. Moreover, IIS cannot run the ASP.NET program as the user set in machine.config.
How can this problem be solved? The answer is: the application pool.
IIS 6.0 runs in one of two operating modes, called application isolation modes: worker process isolation mode and IIS 5.0 isolation mode. Both modes rely on HTTP.sys as the Hypertext Transfer Protocol (HTTP) listener, but their internal workings are completely different.
Worker process isolation mode takes advantage of the redesigned architecture of IIS 6.0 and uses the worker process as its core component. IIS 5.0 isolation mode is for applications that depend on specific features and behaviour of IIS 5.0. The isolation mode is specified by the IIs5IsolationModeEnabled metabase property.
The IIS application isolation mode you choose affects performance, reliability, security and feature availability. Worker process isolation mode is recommended for IIS 6.0 because it provides a more reliable platform for applications. It also provides a higher level of security, because applications running in a worker process run as NetworkService by default.
The default identity of an application running in IIS 5.0 isolation mode is LocalSystem, which can access, and is able to change, almost every resource on the computer.
| IIS function | IIS 5.0 isolation mode host/component | Worker process isolation mode host/component |
|---|---|---|
| Worker process management | N/A | Svchost.exe / WWW Service |
| Worker process | N/A | W3wp.exe / worker process |
| In-process ISAPI extensions | Inetinfo.exe | W3wp.exe |
| Out-of-process ISAPI extensions | Dllhost.exe | N/A (all ISAPI extensions run in process) |
| ISAPI filters | Inetinfo.exe | W3wp.exe |
| HTTP.sys configuration | Svchost.exe / WWW Service | Svchost.exe / WWW Service |
| HTTP support | Windows kernel / HTTP.sys | Windows kernel / HTTP.sys |
| IIS metabase | Inetinfo.exe | Inetinfo.exe |
It can be seen that only worker process isolation mode can be used to solve the .NET security problem.
By default IIS 6.0 runs in worker process isolation mode, as shown in Figure 5. In this mode IIS 6.0 uses a separate w3wp.exe instance for each Web application. W3wp.exe is also called the worker process or w3core.
Reliability and security are improved. Reliability improves because the failure of one Web application affects neither other Web applications nor HTTP.sys; W3SVC independently monitors the health of each Web application. Security improves because applications no longer run the way they did in IIS 5.0 and IIS 4.0: all w3wp.exe instances run under the Network Service account, which has limited permissions, as shown in Figure 6. If necessary you can also configure a worker process to run under another user account.
Right, this is the core of our solution.
Assign each website its own application pool with its own permissions. Can that solve the problem?
How to do it? I will demonstrate by creating a website:
First, create two users for the website (app_test_user with the password appuser, and iis_test_user with the password iisuser):
1. Open Computer Management.
2. In the console tree, choose Computer Management > System Tools > Local Users and Groups > Users.
3. On the Action menu click New User and enter the user name app_test_user and the password appuser.
4. Type the appropriate information in the dialog box.
5. Select the check boxes:
User cannot change password
Password never expires
6. Click Create, then click Close.
Follow the same steps to create the iis_test_user account.
Then add app_test_user to the IIS_WPG group and iis_test_user to the Guests group, and remove them from all other groups.
Then create an application pool.
Choose Internet Information Services > Local Computer > Application Pools > New > Application Pool.
Create an application pool named Test.
Edit the properties of the Test application pool → Identity → Configurable → User name → Browse → change the user name to the app_test_user we just created and enter the corresponding password.
Create a website.
Choose Internet Information Services > Local Computer > Web Sites > New > test, with the directory D:\test → edit the properties of the test website → Home Directory → Application pool → the pool running as app_test_user → Directory Security → Authentication and access control → Edit, select the iis_test_user we just created, enter the password iisuser → save and exit.
Finally, set the server security.
C:\ give only Administrators and SYSTEM full control; remove all other permissions, without replacing on subdirectories.
C:\Documents and Settings inherits from the parent and replaces on subdirectories.
C:\Program Files inherits from the parent and replaces on subdirectories; on C:\Program Files\Common Files\Microsoft Shared remove inheritance, copy the existing entries, add read permission for Users and replace on subdirectories (so that ASP and ASP.NET can use Access and other databases).
C:\Windows: remove inheritance and copy the existing entries; give only Administrators and SYSTEM full control and Users read, and replace on subdirectories.
All other drives: give only Administrators and SYSTEM full control, remove all other users and replace on subdirectories.
D:\test (the user's website directory) keeps its inherited entries; add full control for app_test_user and iis_test_user and replace on subdirectories.
And so on for every website added later.
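The D:\test and C:\Windows permission steps above, expressed in code as an added example that is not from the article: it uses System.Security.AccessControl (.NET 2.0) and assumes the two local accounts already exist and that it runs as an administrator on the host.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the article. Assumes the two local accounts from the procedure
// above exist and that this runs as an administrator on the host.
static class HostAcl
{
    // Inheritable allow entry: applies to the directory, its files and its subdirectories,
    // which is what "replace subdirectories" achieves for entries that are inherited.
    static FileSystemAccessRule Allow(string account, FileSystemRights rights)
    {
        return new FileSystemAccessRule(new NTAccount(account), rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow);
    }

    // D:\test: keep the inherited entries, add full control for the pool identity and the anonymous user.
    public static void SecureSiteDirectory(string path, string poolUser, string anonUser)
    {
        DirectorySecurity acl = Directory.GetAccessControl(path);
        acl.AddAccessRule(Allow(poolUser, FileSystemRights.FullControl));
        acl.AddAccessRule(Allow(anonUser, FileSystemRights.FullControl));
        Directory.SetAccessControl(path, acl);
    }

    // C:\Windows: stop inheriting (copying the existing entries), drop every identity except
    // Administrators, SYSTEM and Users, then cut Users down to read and execute.
    public static void LockDownSystemDirectory(string path)
    {
        DirectorySecurity acl = Directory.GetAccessControl(path);
        acl.SetAccessRuleProtection(true, true);   // "copy" rather than "remove" inherited entries
        Directory.SetAccessControl(path, acl);     // commit so the copies become explicit entries
        acl = Directory.GetAccessControl(path);
        string[] keep = { @"BUILTIN\Administrators", @"NT AUTHORITY\SYSTEM", @"BUILTIN\Users" };
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, false, typeof(NTAccount)))
            if (Array.IndexOf(keep, rule.IdentityReference.Value) < 0)
                acl.RemoveAccessRuleAll(rule);
        // SetAccessRule replaces every existing Allow entry for Users with this single one.
        acl.SetAccessRule(Allow(@"BUILTIN\Users", FileSystemRights.ReadAndExecute));
        Directory.SetAccessControl(path, acl);
    }
    static void Main()
    {
        SecureSiteDirectory(@"D:\test", "app_test_user", "iis_test_user");
        LockDownSystemDirectory(@"C:\Windows");
    }
}
```

Inheritable entries written this way propagate to children that still inherit; explicit entries already set on child objects are not reset, which is what the GUI's "replace permission entries on all child objects" additionally does.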
However, at this point System.IO still has read permission on C:\Windows (presumably because the Network Service user belongs to the Users group, and many services must run as members of Users, so the Users group's read permission on C:\Windows cannot simply be removed). An attacker must know the system path, though. There are two solutions.
1. Reinstall the system with an unattended installation and change the default installation path from C:\Windows to something else, for example C:\testtest (to comply with DOS naming rules it cannot exceed 8 characters). This is required.
2. Assign IIS_WPG the following permissions:
%WINDIR%\help\IISHelp\common - read
%WINDIR%\IIS Temporary Compressed Files - list, read and write
%WINDIR%\system32\inetsrv\ASP Compiled Templates - read
Inetpub\wwwroot (or the content directory) - read and execute
IIS_WPG also has the following user rights:
Bypass traverse checking (SeChangeNotifyPrivilege)
Log on as a batch job (SeBatchLogonRight)
Access this computer from the network (SeNetworkLogonRight)
Of course, combining the two methods is the safest. Generally the first method alone is safe; after all, guessing an 8-character directory name with a webshell takes time, and a firewall can easily detect and control it.
The second possibility is to add directory read permissions according to the installed software; the details depend on the software.
If there are many hosting users this is a considerable amount of work, so we recommend using a program for it. The following code, which is not commonly found online, operates on the IIS application pool and on the IIS virtual directory.
Operating the IIS application pool (only the declarations and two usage lines survived extraction; the method bodies are not on the page):

```csharp
using System.DirectoryServices;
using System.Reflection;

// Usage shown on the page:
CreateAppPool(appPoolName);
ConfigAppPool("stop", appPoolName);

// Create a new application pool.
static void CreateAppPool(string appPoolName) { /* body not on the page */ }

// method is the application pool operation: "start", "stop" or "recycle";
// appPoolName is the name of the application pool.
static void ConfigAppPool(string method, string appPoolName) { /* body not on the page */ }

// Create a virtual directory and assign it to an application pool.
static void AssignAppPool(DirectoryEntry newVDir, string appPoolName) { /* body not on the page */ }

// List the application pools.
private void VDirToAppPool() { /* body not on the page */ }
```
IIS 6 operation example (outline; the page keeps only the declarations, not the method bodies):

```csharp
namespace wuhy.toolbox
{
    public class IISAdminLib
    {
        public static string UserName;
        public static string Password;
        private static string HostName = "localhost";

        public static void RemoteConfig(string hostName, string userName, string password) { /* body not on the page */ }

        #region Build a DirectoryEntry from a metabase path
        public static DirectoryEntry GetDirectoryEntry(string entPath) { /* body not on the page */ }
        #endregion

        public static void CreateNewWebSite(NewWebSiteInfo siteInfo) { /* body not on the page */ }
        public static void DeleteWebSiteByName(string siteName) { /* body not on the page */ }
        public static void StartWebSite(string siteName) { /* body not on the page */ }
        public static void StopWebSite(string siteName) { /* body not on the page */ }
        public static bool EnsureNewSiteEnavaile(string bindStr) { /* body not on the page */ }
        public static string GetWebSiteNum(string siteName)
        {
            // On failure the page shows:
            // throw new NotFoundWebSiteException("the site we want is not found " + siteName);
            /* rest of body not on the page */
        }
        public static string GetNewWebSiteID() { /* body not on the page */ }

        #region New website information structure
        public struct NewWebSiteInfo { /* fields not on the page */ }
        #endregion
    }
}
```
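The application pool and website steps from the procedure above, and the kind of helper the outlined library provides, written out as an added example that is not the page's own code: it drives the IIS 6 ADSI metabase provider through System.DirectoryServices and assumes IIS 6 in worker process isolation mode, the two accounts created earlier, and administrator rights; the site id and binding are constructed values.

```csharp
using System.DirectoryServices;
// Added example, not the article's own library. Assumes IIS 6 in worker process isolation
// mode, that app_test_user / iis_test_user exist (see the steps above), and administrator rights.
static class IisSiteSetup
{
    const int AppPoolIdentitySpecificUser = 3; // AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user
    // Create an application pool whose worker process runs as the given local account.
    public static void CreateAppPool(string poolName, string user, string password)
    {
        using (DirectoryEntry pools = new DirectoryEntry("IIS://localhost/W3SVC/AppPools"))
        using (DirectoryEntry pool = pools.Children.Add(poolName, "IIsApplicationPool"))
        {
            pool.Properties["AppPoolIdentityType"].Value = AppPoolIdentitySpecificUser;
            pool.Properties["WAMUserName"].Value = user;
            pool.Properties["WAMUserPass"].Value = password;
            pool.CommitChanges();
        }
    }
    // Create a site, put its root application in that pool and give it a dedicated anonymous user.
    public static void CreateSite(int siteId, string comment, string binding, string path,
                                  string poolName, string anonUser, string anonPassword)
    {
        using (DirectoryEntry w3svc = new DirectoryEntry("IIS://localhost/W3SVC"))
        using (DirectoryEntry site = w3svc.Children.Add(siteId.ToString(), "IIsWebServer"))
        {
            site.Properties["ServerComment"].Value = comment;
            site.Properties["ServerBindings"].Value = binding;   // "ip:port:hostheader"
            site.CommitChanges();
            using (DirectoryEntry root = site.Children.Add("ROOT", "IIsWebVirtualDir"))
            {
                root.Properties["Path"].Value = path;
                root.Properties["AccessFlags"].Value = 1 | 512;   // AccessRead | AccessScript
                root.Properties["AuthFlags"].Value = 1;           // AuthAnonymous only
                root.Properties["AnonymousUserName"].Value = anonUser;
                root.Properties["AnonymousUserPass"].Value = anonPassword;
                root.CommitChanges();
                root.Invoke("AppCreate2", new object[] { 2 });    // 2 = pooled application
                root.Properties["AppPoolId"].Value = poolName;   // run it in our pool
                root.CommitChanges();
            }
            site.Invoke("Start", new object[] { });
        }
    }
    static void Main()
    {
        CreateAppPool("Test", "app_test_user", "appuser");
        CreateSite(100, "test", ":80:test.example", @"D:\test", "Test", "iis_test_user", "iisuser"); // constructed id/binding
    }
}
```

The anonymous user set on ROOT is what Directory Security → Authentication and access control → Edit sets in the GUI, so the site's requests run as iis_test_user while the worker process itself runs as app_test_user.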
At this point a relatively secure .NET host has been set up. With the release of .NET 2.0 approaching, we hope Microsoft can properly prevent this problem.
We have briefly introduced the prevention and control of file I/O vulnerabilities in ASP.NET. The method is cumbersome, but it can eliminate some vulnerabilities at the root. We have discussed only a few of them; more solutions remain to be explored and learned together.