ASP.NET Trojan and Webshell Security Solution

Source: Internet
Author: User
Tags: asp.net, ntfs, permissions


Introduction: This article shows how to quickly and easily address ASP.NET security problems on Microsoft Windows Server 2003 with IIS 6.0. After reading it, you will be able to protect your web server from the privilege escalation, cross-site attacks and system-level threats posed by ASP.NET Trojans and webshells.

ASP.NET Trojan and webshell security solution, body content:
(Note: the setup method and environment described in this article apply to Microsoft Windows Server 2003 with IIS 6.0.)

Introduction: As we all know, articles such as "Major risks of ASP.NET virtual hosts" and related write-ups of .NET vulnerabilities and attack methods have circulated on the Internet, along with tools such as the WebAdmin ASP.NET webshell. If you test such a webshell on your own ASP.NET virtual host, you will find that it has read permission on the C: drive and modify and delete permission across the entire hard disk. What security do our websites and servers have in that case? With attacks so frequent today, we have to worry about our servers...

Cause:
We all know that FileSystemObject (FSO), a standard component commonly used in ASP, gives ASP powerful file system access: it can read, write, delete and rename any directory or file on the server's hard disk. The FSO object comes from the scripting runtime library scrrun.dll provided by Microsoft. In ASP.NET the same problem exists and is harder to solve, because .NET is even more capable at system I/O: for example, no component has to be registered with Regsvr32; an assembly can simply be placed in the bin directory and its functions used directly. This makes .NET programs very flexible, but it makes security more complicated... (For more information, see the original article "Major risks of ASP.NET virtual hosts".)

Solution:
As we all know, the FSO component can be kept under control against ASP Trojans by giving each virtual host in IIS its own anonymous user, so that a Trojan can only act within its own site rather than cross-site or against other hard disks (Note: if this is unfamiliar, refer to my two previous articles, "FSO security risk solutions" and "ASP Trojan/webshell security solution"). ASP security issues and settings will not be discussed further here. Next we start on ASP.NET Trojan/webshell prevention methods:

1. In IIS 6.0, the web application's worker process runs under the process identity "Network Service". In IIS 5.0, an out-of-process web application runs as the "IWAM_servername" user, an ordinary local user in the Guests group. We tried using the Microsoft .NET Framework Configuration tool to restrict System.IO permissions to read-only on the directory, but unfortunately the test failed; perhaps the mechanism changed in .NET Framework 1.1?

Network Service is a built-in account in Windows Server 2003. It is important to understand the difference between the local user accounts used by IIS 5.0 (IUSR and IWAM) and built-in accounts. In Windows, every account is assigned a SID (security identifier). The server identifies accounts by SID, not by the name associated with the SID; the name is used only when interacting with the user interface. Most accounts created on a server are local accounts with a unique SID that identifies them within that server's user database. Because the SID is unique to the server, it is not valid on any other system. Therefore, if you assign NTFS permissions on a file or folder to a local account and then copy the file with its permissions to another computer, no user account with that SID exists on the target computer, even if an account with the same name exists there. This is what makes replicating content together with its NTFS permissions a problem. A built-in account is a special type of account or group created by the operating system, such as the System account, Network Service, and the Everyone group. An important feature of these objects is that they have the same well-known SID on all systems. When a file whose NTFS permissions reference a built-in account is copied between servers, the permissions remain valid, because the SID of the built-in account is the same on every server. The Network Service account in Windows Server 2003 is designed specifically to give applications sufficient network access. In IIS 6.0 you can run web applications without elevated permissions, which is a major improvement for IIS security: a buffer overflow or other attack against an application can no longer hijack the process identity or reach the System user context, and, more importantly, it cannot create a "backdoor" for the System account.
For example, the InProcessIsapiApps metabase property can no longer be used to load applications into Inetinfo. We have briefly introduced the approach to preventing file I/O vulnerabilities in ASP.NET; it is cumbersome, but it can fundamentally eliminate some of these vulnerabilities. We discuss only a few of them here; further solutions should be explored and learned together. (Advertisement: Server Security Forum [S.S.D.A], http://www.31896.net)

When the Network Service account was designed, Microsoft considered not only ASP.NET applications in IIS 6.0; its token also carries most (not all) of the permissions w3wp.exe needs. For example, to run an ASP.NET application the ASPNET user must have access to certain locations on the IIS 6.0 server, and the process identity of w3wp.exe must have access to similar locations; in addition, some built-in groups are not assigned permissions by default.

2. For ease of management, the "IIS_WPG" group (the IIS Worker Process Group) is created when IIS 6.0 is installed; its members include Local System, Local Service, Network Service and the IWAM account. IIS_WPG members have the appropriate NTFS ACL permissions and the necessary user rights, and can act as the process identity of a worker process in IIS 6.0.

3. Therefore, the Network Service account has permission to access the locations above, has sufficient rights to act as the process identity of an IIS 6 worker process, and has permission to access the network. In Windows Server 2003 this user context is called Network Service. These user accounts are created during .NET Framework installation; they have a unique password that is not easy to crack and are granted only limited permissions. The ASPNET or Network Service user can only access the specific folders required to run web applications, such as the bin directory where web applications store compiled files. To set the process identity to a specific user name in place of the ASPNET or Network Service identity, the user name and password you provide must be stored in the machine.config file. However, in practice System.IO in ASP.NET can have unrestricted access to any unprotected server path; I do not know whether this is a major Microsoft vulnerability. Moreover, IIS cannot execute the ASP.NET program as the user given in machine.config.

4. How can this problem be solved? The answer is: application pools.
IIS 6.0 runs in two different operating modes called application isolation modes: worker process isolation mode and IIS 5.0 isolation mode. Both modes depend on HTTP.sys as the Hypertext Transfer Protocol (HTTP) listener, but their internal operation is completely different.

Worker process isolation mode uses the redesigned IIS 6.0 architecture, with worker processes as its core component. IIS 5.0 isolation mode is for applications that depend on specific functions and behaviors of IIS 5.0; it is selected by the IIs5IsolationModeEnabled metabase property.

The isolation mode you select for IIS applications affects performance, reliability, security and feature availability. Worker process isolation mode is recommended for IIS 6.0 because it provides a more reliable platform for applications. It also provides a higher level of security, because an application running in a worker process is identified as NetworkService by default, whereas the default identity of an application running in IIS 5.0 isolation mode is LocalSystem, which can access and change almost every resource on the computer.

IIS function                      | IIS 5.0 isolation mode host/component | Worker process isolation mode host/component
Worker process management         | N/A                                   | Svchost.exe / WWW Service
Worker process                    | N/A                                   | W3wp.exe / worker process
In-process ISAPI extensions       | Inetinfo.exe                          | W3wp.exe
Out-of-process ISAPI extensions   | DLLHost.exe                           | N/A (all ISAPI extensions are in-process)
ISAPI filters                     | Inetinfo.exe                          | W3wp.exe
HTTP.sys configuration            | Svchost.exe / WWW Service             | Svchost.exe / WWW Service
HTTP support                      | Windows kernel / HTTP.sys             | Windows kernel / HTTP.sys
IIS metabase                      | Inetinfo.exe                          | Inetinfo.exe
FTP                               | Inetinfo.exe                          | Inetinfo.exe
NNTP                              | Inetinfo.exe                          | Inetinfo.exe
SMTP                              | Inetinfo.exe                          | Inetinfo.exe

It can be seen that only worker process isolation mode can be used to solve the .NET security problem. By default, IIS 6.0 runs in worker process isolation mode; in this mode IIS runs an independent w3wp.exe instance for each web application. W3wp.exe is also called the worker process or W3Core.

Reliability and security. Reliability is improved because the failure of one web application affects neither other web applications nor HTTP.sys; W3SVC independently monitors the health of each web application. Security is improved because applications no longer run as the System account, as they did in IIS 5.0 and IIS 4.0; all instances of w3wp.exe run under the "Network Service" account with limited permissions. If necessary, you can also configure a worker process to run under another user account.

5. Solution steps:
1. We assign each ASP.NET virtual host site its own application pool and grant it its own permissions. Here is an example: first, we create two users for the website (App_31896.net_User, App_31896.net, IUSR_31896.net_User and IUSR_31896.net).

2. According
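As an added example, not from the original article (which breaks off before its remaining steps), here is step 1 carried through as a cmd script for IIS 6.0 on Windows Server 2003: a dedicated application pool running as the site's own account, the site's own anonymous user, and NTFS rights confined to the site directory. The site's metabase id (1), the paths, the pool name and the passwords are constructed placeholders; the account names are the ones the article uses.

```batch
@echo off
REM Added example, not from the original article. Assumed/constructed values:
REM site metabase id, site root path, pool name and passwords.
set SITE_ID=1
set SITE_ROOT=D:\wwwroot\31896.net
set POOL=App_31896.net_Pool
set POOL_USER=App_31896.net_User
set POOL_PASS=ReplaceWithAStrongPassword
set ANON_USER=IUSR_31896.net_User
set ANON_PASS=ReplaceWithAnotherStrongPassword
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. Local accounts: one for the worker process, one for anonymous web access.
REM    Take them out of Users so they inherit no drive-wide read rights; IIS_WPG
REM    supplies the rights a worker-process identity needs (article, point 2).
net user %POOL_USER% %POOL_PASS% /add /passwordchg:no /expires:never
net user %ANON_USER% %ANON_PASS% /add /passwordchg:no /expires:never
net localgroup Users %POOL_USER% /delete
net localgroup Users %ANON_USER% /delete
net localgroup IIS_WPG %POOL_USER% /add

REM 2. Dedicated application pool running as the site account
REM    (AppPoolIdentityType 3 = specific user).
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName %POOL_USER%
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass %POOL_PASS%

REM 3. Bind the site's root application to that pool and give it its own anonymous user.
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/AppPoolId %POOL%
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/AnonymousUserName %ANON_USER%
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/AnonymousUserPass %ANON_PASS%

REM 4. NTFS: the site directory is changeable only by its own worker-process account and
REM    readable by its own anonymous account. cacls /R removes explicit entries only;
REM    if Users is inherited from D:\wwwroot, break inheritance on the site root first.
cacls "%SITE_ROOT%" /T /E /R Users
cacls "%SITE_ROOT%" /T /E /G %POOL_USER%:C
cacls "%SITE_ROOT%" /T /E /G %ANON_USER%:R

REM 5. Verify the result and restart IIS so the new pool identity takes effect.
cacls "%SITE_ROOT%"
%ADSUTIL% GET W3SVC/AppPools/%POOL%/WAMUserName
iisreset
```

Repeat the script with different values for every site; a webshell running in one pool then holds only that pool account's rights and cannot read or modify other sites through permissions inherited from the Users group.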
