ASP.NET Virtual Host Security Vulnerability Solution

Source: Internet
Author: User

A long time ago I saw an article on the Internet titled <Major risks of ASP.NET virtual hosts>, but at the time I paid no attention to it. Anyone who has run ASP virtual hosts knows the classic remedy: give each customer a dedicated server account and grant that account permissions only on its own directory. That basically solves the FileSystemObject (FSO) problem in ASP.

By chance I came across an ASP.NET webshell called webadmin on the Internet. When I tested it against my own server, I was shocked: it had read permission on the server's C drive, and modify and delete permissions across the entire hard disk. With that, the security of my server ......

To confirm this further, I ran the same test against several well-known virtual host providers in China, and all of them had the same problem as my server.

First, the cause of the vulnerability needs to be explained.

A commonly used standard component in ASP is FileSystemObject, which gives ASP powerful file system access: it can read, write, delete and rename any directory or file on the server's hard disk. The FSO object comes from the script runtime library scrrun.dll provided by Microsoft.
In ASP.NET the same problem still exists, and it becomes harder to solve. This is because ASP.NET has a new feature: a component no longer has to be registered with regsvr32 as in ASP; you simply upload the DLL class library to the bin directory and use it directly. This feature brings a lot of convenience to ASP.NET development, but it makes the ASP-era fix of deleting or renaming the DLL useless, so preventing the problem becomes more complicated. For details, see <Major risks of ASP.NET virtual hosts>. Note that this issue only concerns the security settings of virtual hosts.

In response to this problem, I used the Microsoft .NET Framework Configuration tool to restrict directory read permission for System.IO. After a long period of testing, it failed. Perhaps the mechanism was changed in .NET Framework 1.1?

Enough preamble; on to the solution. In IIS 6, a Web application's worker process is configured to run under the process identity Network Service. In IIS 5, an out-of-process Web application runs under the IWAM_<ServerName> account, which is an ordinary local user account.

Network Service is a built-in account in Windows Server 2003. It is important to understand the difference between the local user accounts used by IIS 5 (IUSR and IWAM) and built-in accounts. Every account in the Windows operating system is assigned a SID (Security ID). The server identifies accounts by their SID, not by the name associated with the SID; the name is only used when interacting with users through the user interface. The vast majority of accounts created on a server are local accounts, each with a unique SID that identifies a member of that server's user database. Because the SID is unique to the server, it is not valid on any other system. Therefore, if you assign NTFS permissions on a file or folder to a local account and then copy the file together with its permissions to another computer, there is no user account on the target computer that corresponds to the migrated SID, even if an account with the same name exists there. This is what makes replicating content together with its NTFS permissions problematic.

Built-in accounts are special accounts or groups created by the operating system, such as the System account, Network Service, and the Everyone group. An important property of these objects is that they have the same well-known SID on every system. When a file whose NTFS permissions reference a built-in account is copied, the permissions remain valid across servers, because the SID of the built-in account is the same on all of them. The Network Service account in Windows Server 2003 was designed specifically to give applications sufficient network access, and in IIS 6 it allows Web applications to run without elevated privileges. This is a big win for security: a buffer overflow or malicious application can no longer hijack the process identity, and an attack against the application cannot reach the System user context. More importantly, you can no longer create "backdoors" under the System account; for example, you can no longer use the InProcessIsapiApps metabase property to load applications into Inetinfo.
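As an added illustration (not part of the original article), the following PowerShell snippet prints the SIDs of the built-in accounts named above and contrasts them with a local IIS account, so the "same SID on every system" property can be checked directly. It assumes a Windows machine with the .NET Framework; the account name IUSR_<computer name> is the IIS 5/6 default and may not exist on your server, so that lookup is wrapped in a try/catch.

```powershell
# Added example (not from the original article): compare the SIDs of built-in
# accounts with the SID of a local account. Built-in SIDs are identical on every
# Windows system; a local account's SID embeds a machine-specific identifier.

$sidType = [System.Security.Principal.WellKnownSidType]

# Built-in accounts mentioned in the text, with their well-known SID types.
$builtIn = @{
    'NT AUTHORITY\SYSTEM'          = $sidType::LocalSystemSid
    'NT AUTHORITY\NETWORK SERVICE' = $sidType::NetworkServiceSid
    'NT AUTHORITY\LOCAL SERVICE'   = $sidType::LocalServiceSid
    'Everyone'                     = $sidType::WorldSid
}

function Get-SidScope([System.Security.Principal.SecurityIdentifier] $sid) {
    # AccountDomainSid is $null for well-known SIDs and holds the
    # S-1-5-21-... prefix for accounts that belong to one machine or domain.
    if ($sid.AccountDomainSid -eq $null) { 'well-known (same on every system)' }
    else { "tied to authority $($sid.AccountDomainSid.Value)" }
}

foreach ($name in $builtIn.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($builtIn[$name], $null)
    '{0,-32} {1,-12} {2}' -f $name, $sid.Value, (Get-SidScope $sid)
}

# Local account used by IIS 5 for out-of-process applications. IUSR_<ServerName>
# is the IIS default name; assumption: it exists on this server.
$localAccount = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, "IUSR_$env:COMPUTERNAME")
try {
    $sid = $localAccount.Translate([System.Security.Principal.SecurityIdentifier])
    '{0,-32} {1,-12} {2}' -f $localAccount.Value, $sid.Value, (Get-SidScope $sid)
} catch {
    "Account $($localAccount.Value) does not exist on this server."
}
```

The built-in accounts resolve to short, fixed SIDs (S-1-5-18 for System, S-1-5-20 for Network Service), while the IUSR account resolves to an S-1-5-21 SID whose middle part belongs to this one machine, which is exactly why an ACL entry for it means nothing after the content is copied elsewhere.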

The Network Service account was designed with more than IIS 6 applications in mind; it also has most (but not all) of the permissions W3WP.exe needs. For example, to run an ASP.NET application on an IIS 5 server, the ASPNET user must have access to certain locations. The process identity of W3WP.exe must have access to similar locations, and in addition some built-in groups are not assigned permissions by default.

For ease of management, the IIS_WPG group (the IIS Worker Process Group) is created when IIS 6 is installed; its members include Local System, Local Service, Network Service and the IWAM account. Members of IIS_WPG have the appropriate NTFS permissions and the necessary user rights, and can serve as the process identity of a worker process in IIS 6.

Therefore, the Network Service account has permission to access the locations above, sufficient rights to serve as the process identity of an IIS 6 worker process, and permission to access the network.

In Windows Server 2003 this user context is called Network Service. These user accounts are created during .NET Framework installation; they have a unique password that is hard to crack and are granted only limited permissions. The ASPNET or Network Service user can only access the specific folders required to run Web applications, such as the bin directory where a Web application stores its compiled files.

To run the process under a specific user account instead of the ASPNET or Network Service identity, the user name and password you provide must be stored in the machine.config file.

However, in practice, System.IO in ASP.NET has unrestricted access to any server path that is not protected. I don't know whether this is a major Microsoft vulnerability. Moreover, IIS cannot run the ASP.NET program as the user specified in machine.config.

How can this problem be solved? The answer is: application pools.

IIS 6.0 runs in one of two operating modes, called application isolation modes: worker process isolation mode and IIS 5.0 isolation mode. Both modes rely on HTTP.sys as the Hypertext Transfer Protocol (HTTP) listener, but their internal workings are completely different.

Worker process isolation mode takes advantage of the redesigned IIS 6.0 architecture and uses worker processes as its core component. IIS 5.0 isolation mode exists for applications that depend on specific features and behaviors of IIS 5.0; it is selected with the IIs5IsolationModeEnabled metabase property.

The application isolation mode you choose affects performance, reliability, security and feature availability. Worker process isolation mode is the recommended mode for IIS 6.0 because it provides a more reliable platform for applications. It also offers a higher level of security, because applications running in a worker process run as NetworkService by default.

The default identity of an application running in IIS 5.0 isolation mode is LocalSystem, which can access and change almost every resource on the computer.
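As an added, illustrative script (not from the original article), the following PowerShell commands carry out the isolation the article arrives at: a dedicated local account per customer, NTFS rights on that customer's directory only, and an IIS 6 application pool running under that account. It assumes IIS 6 in worker process isolation mode on Windows Server 2003, adsutil.vbs in its default location (C:\Inetpub\AdminScripts), the cacls tool, and the placeholder values for the customer name, content paths and metabase site identifier shown at the top.

```powershell
# Added example, not the article's own script. Placeholder values: adjust per customer.
$customer      = 'customerA'               # customer name (placeholder)
$siteRoot      = 'C:\Sites\customerA'      # this customer's content directory (placeholder)
$siteId        = 1234                      # metabase identifier of this customer's Web site (placeholder)
$otherSiteRoot = 'C:\Sites\customerB'      # another customer's directory, used for the check (placeholder)
$adsutil       = 'C:\Inetpub\AdminScripts\adsutil.vbs'   # IIS 6 default location (assumption)

$user = "pool_$customer"
$pool = "Pool_$customer"

# 1. A strong random password; nobody ever needs to type it interactively.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$password = [BitConverter]::ToString($bytes) -replace '-', ''   # 48 hex characters

# 2. Dedicated local account. IIS_WPG membership gives it exactly the rights a
#    worker process identity needs (see the text), and nothing beyond that.
net user $user $password /add /y /passwordchg:no /expires:never
net localgroup IIS_WPG $user /add

# 3. NTFS: Change (C) rights on this customer's directory tree only.
cacls $siteRoot /E /T /G "${user}:C"

# 4. Application pool running as that account (AppPoolIdentityType 3 = specific
#    user), and the customer's root application moved into it.
cscript //nologo $adsutil CREATE "W3SVC/AppPools/$pool" IIsApplicationPool
cscript //nologo $adsutil SET "W3SVC/AppPools/$pool/AppPoolIdentityType" 3
cscript //nologo $adsutil SET "W3SVC/AppPools/$pool/WAMUserName" "$env:COMPUTERNAME\$user"
cscript //nologo $adsutil SET "W3SVC/AppPools/$pool/WAMUserPass" $password
cscript //nologo $adsutil SET "W3SVC/$siteId/ROOT/AppPoolId" $pool

# 5. Check: the new account must not appear in any other customer's ACL.
function Test-NoExplicitAccess([string] $path, [string] $account) {
    $acl = cacls $path
    -not ($acl | Select-String -SimpleMatch $account -Quiet)
}
if (Test-NoExplicitAccess $otherSiteRoot $user) {
    "OK: $user has no explicit rights on $otherSiteRoot"
} else {
    "WARNING: $user appears in the ACL of $otherSiteRoot"
}
```

Two points worth keeping in mind when using this: in worker process isolation mode the application pool identity, not the processModel element in machine.config, decides which account the code runs as, which is why the machine.config route described earlier does not take effect; and the check in step 5 only covers explicit ACL entries, so rights the new account inherits through the Users group on other drives (the "undefended paths" the article complains about) still have to be reviewed and tightened separately.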

Function                  | IIS 5.0 isolation mode host/component | Worker process isolation mode host/component
Worker process management | N/A                                   | Svchost.exe / WWW Service
