Earlier this month, Microsoft was again blamed for not paying attention to security issues with its Web server software. In Microsoft's popular product IIS SEVER4.0, there is a flaw known as the "illegal HTR request." According to Microsoft, this flaw can cause arbitrary code to run on the server side under certain circumstances. But Firas Bushnaq, CEO of Eeye, the Internet security company that found the flaw, said: "This is just the tip of the iceberg." Bushnaq said that Microsoft has concealed the situation, such as hackers can use this vulnerability to the IIS server to complete control, and the exact number of E-commerce sites are based on this system.
The following is a list of the details of this IIS system vulnerability:
The latest security vulnerabilities for IIS
Affected Systems:
Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4
Release Date: 6.8.1999
Microsoft has confirmed the vulnerability, but no patches are available at this time.
Microsoft Security Bulletin (ms99-019):
Topic: "Abnormal HTR Request" vulnerability
Release time: 6.15.1999
Summary:
Microsoft has confirmed a serious system vulnerability in its published Web server product Internet Information Server 4.0, which results in a "service denial of attack" for the IIS server, in which case any 2-step code may be running on the server. A patch for this vulnerability will be released in the near future, with all IIS users watching closely.
Vulnerability Description:
IIS supports a variety of file types that require server-side processing, such as ASP, ASA, IDC, HTR, and when a Web user requests such a file from a client, the corresponding DLL file is processed automatically. However, a serious security breach was found in ISM.DLL, the file responsible for handling HTR files. (Note: The HTR file itself is used to remotely manage user passwords)
This vulnerability contains an unauthenticated buffer in ISM.DLL, which can pose two threats to the security operation of the Web server. First, it comes from the threat of a denial-of-service attack, from an abnormal pair. HTR file requests cause a cache overflow that directly causes IIS to crash, and when this occurs, you do not need to reboot the server, but the IIS WEB server must reboot. Another threat is even more troubling, and anything can happen in this situation by using a specially crafted file request that will allow the standard cache overflow to cause the 2 code to run on the server side. The vulnerability does not include the ability to manage user passwords. HTR files.
Principle Analysis:
There is an overflow at least in the extension of one IIS (for example, ASP,IDC,HTR). We speculate that the overflow occurs when IIS passes the full URL to the DLL to handle the extension. If the ISAPI DLL does not properly check the limits, causing the INETINFO.EXE to produce an overflow, the user can execute the 2 code from the remote. Attack method: Send an HTTP request to IIS as follows: "Get/[overflow].htr http/1.0", IIS will crash. The [overflow] here can be 3K long code.
Everyone may be right. HTR files are not very familiar, but IIS has the ability to let NT users change their passwords through the web directory/iisadmpwd/. And this function is exactly by a group. HTR file and an extension dll:ism of the ISAPI. DLL implementation. When a complete URL is passed to ISM.DLL, an overflow is caused by the absence of an appropriate size-limit check, which causes the server to crash. Htr/ism. DLL ISAPI is the IIS4 default installation.
Way to solve:
Because Microsoft has not yet released the available patches, so we can only do some emergency prevention.
1. Remove the. htr extension from the list of ISAPI DLLs
On your NT desktop, click "Start"-> "program"-> "Windows NT 4.0 Option Pack->" Microsoft Internet Information Server "->" internet Service Manager "; double-click Internet Information Server, right-click the computer name and choose Properties, select WWW Service from the main Properties drop-down menu, click the Edit button, select the Home Directory folder, and click the Configure button to The Application Mappings list box is selected. HTR Related mappings, select Delete and OK.
2, install the patch program provided by Microsoft, please pay close attention to the following Web site
http://www.microsoft.com/security
http://www.microsoft.com/security/products/iis/CheckList.asp
Maybe some friends will be puzzled, why I in ASP 17, 18 consecutive use of two sections focused on IIS, ASP security issues, if you are a web Developer, ASP programmer, I think you should be able to understand my intention. We do network programming, development of interactive Web site, of course, first of all, to develop, build their own web site, but these are based on security, where the security includes the development of their own hard-earned ASP or other network application code protection, to ensure that the Web server safe and normal operation, Ensure user information security and certification, etc., when the future E-commerce becomes a truly widespread operation of a business operation means, security is the key key. Many of our friends in the ASP programmer as well as the role of the network administrator, so familiar with the operation of the system, timely understanding of system vulnerabilities, the first time to solve the security problem is very important and necessary, so at the end of this article, the author will organize some of the NT, The security recommendations for the IIS system configuration are listed, hoping to give you some help.
1. Use the latest version of Microsoft Internet information Server4.0 and install NT's latest version of service PACK5, the server's file system does not use FAT, you should use NTFS.
2. Set up web directories such as sample, scripts, IISAdmin, and MSADC in IIS to prohibit anonymous access and restrict IP addresses. Before Microsoft has provided the patch, remove the Ism.dll-related application mappings.
3, conditional on the use of firewall mechanism, the simplest such as Web services open in the foreground, the table of contents in the background, if can a service a machine of course the best.
4, Web directory, CGI directory, scripts directory and Winnt directory, and other important directories to use NTFS features to set detailed security permissions, the Winnt directory containing registry information only allows administrators full control, the general user read-only permissions do not give. All important documents related to the system, except for the administrator, should be set to read-only access, not everyone/Full control.
5. Only open the service you need, block off all ports that should not be opened, such as NetBIOS port 139, which is a typical dangerous port; How to prohibit these ports? In addition to using firewalls, NT's TCP/IP settings also provide this functionality: Open Control Panel-Network-Protocol-tcp/ip-Properties-advanced-enable security-configuration, which provides restrictions on TCP and UDP ports and IP protocol restrictions.
6, the administrator's account to be set up a bit more complex, it is recommended to add special characters.
7, the Ftp,telnet TCP port to the non-standard port, usually I was set to the range of 10000~65000
8, delete all the shares that can be deleted, including printer sharing and hidden sharing such as icp$,admin$, Microsoft said that these special shared resources are important, most of the cases can not be deleted, but actually on the internet most of the machines do not need to be shared.
ipc$: For remote management computers and viewing shared resources, it is best not to use
admin$: It's actually c:\winnt, and there's no need to share
C $: Users who log in as admin and Backup-operator can access the \c$ by the name of the \ computer, although they are limited to the local area network, but remote hackers also have the means to disguise themselves as users of the LAN, so they should be turned off.
print$: This is the directory where the printer driver is placed, which is also a very dangerous entry as above.
Netlogon: This is the share that handles domain logon requests. If your machine is the primary domain controller, there are other machines in the domain to log in, do not delete it, otherwise you can delete.
How do I turn off these shares? "Stop sharing" with the Server Manager-> "shared directory"->
9, the ASP's directory centralized management, ASP's program directory set detailed access rights, generally recommended not to use the "read" permission.
10, the Winnt under the Sam._ file renamed, Practice proved that this may leak the password file can be deleted.
11, for known NT security vulnerabilities, should be in their own machine to do test checks. and timely installation of patches.
12, if necessary, the use of IIS4.0 provided by the SSL security communication mechanism to prevent data interception on the Internet.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
