The latest ASP, IIS security vulnerabilities

Source: Internet
Author: User
Author: scholar

ASP's flexible, simple, practical and powerful features let it sweep quickly across web sites worldwide, but its own flaws and vulnerabilities also threaten every web developer. Following the earlier introduction to some IIS system vulnerabilities and ASP security issues, this installment discusses the latest ASP and IIS security vulnerabilities in detail. All ASP web site developers should pay close attention and stay vigilant.


Earlier this month, Microsoft was again criticized for not paying attention to security issues in its Web server software. A flaw known as the "illegal HTR request" was found in Microsoft's popular product IIS Server 4.0. According to Microsoft, this flaw can cause arbitrary code to run on the server side under certain circumstances. But in the words of Firas Bushnaq, CEO of eEye, the Internet security firm that found this vulnerability: this is only the tip of the iceberg. Bushnaq said that Microsoft has concealed part of the situation, such as the fact that hackers can use this vulnerability to take complete control of an IIS server, and that a number of e-commerce sites are based on exactly this system.




The details of this IIS system vulnerability are as follows:

The latest security vulnerability for IIS

Affected Systems:

Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4

Release Date: 6.8.1999

Microsoft has confirmed the vulnerability, but no patches are available at this time.




Microsoft Security Bulletin (MS99-019):



Topic: "Abnormal HTR Request" vulnerability



Release time: 6.15.1999



Summary:



Microsoft has confirmed that a serious system vulnerability exists in its published Web server product Internet Information Server 4.0. It can be used for a denial-of-service attack against the IIS server, and in this case arbitrary binary code may be run on the server. A patch for this vulnerability will be released in the near future; all IIS users should watch for it closely.




Vulnerability Description:



IIS supports a variety of file types that require server-side processing, such as ASP, ASA, IDC and HTR. When a Web user requests such a file from a client, the corresponding DLL processes it automatically. However, a serious security hole was found in ISM.DLL, the file responsible for handling HTR files. (Note: HTR files themselves are used to remotely manage user passwords.)


This vulnerability involves an unchecked buffer in ISM.DLL, which poses two threats to the secure operation of the Web server. The first is a denial-of-service attack: a malformed request for an .HTR file causes a buffer overflow that directly crashes IIS. When this happens, the server itself does not need to be rebooted, but the IIS Web server must be restarted. The second threat is even more troubling: a specially crafted file request can use a standard buffer overflow to cause binary code to run on the server side, and in that situation anything can happen. The vulnerability does not involve the .HTR files' function of managing user passwords.




Principle Analysis:



There is an overflow in at least one IIS extension (for example ASP, IDC, HTR). We speculate that the overflow occurs when IIS passes the full URL to the DLL that handles the extension. If the ISAPI DLL does not check bounds properly, INETINFO.EXE overflows, and a user can execute binary code remotely. Attack method: send IIS an HTTP request such as "GET /[overflow].htr HTTP/1.0" and IIS will crash. The [overflow] here can be 3K of code.


You may not be very familiar with HTR files, but IIS can let NT users change their passwords through the web directory /iisadmpwd/. This function is implemented by a group of .HTR files and an ISAPI extension DLL, ISM.DLL. When a complete URL is passed to ISM.DLL, the absence of an appropriate size-limit check causes an overflow, which crashes the server. The HTR/ISM.DLL ISAPI is part of the default IIS4 installation.
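The missing size check described above, as an added example (not code from ISM.DLL, Microsoft or the original article): a request-line filter in C that checks the URL length before copying it and refuses .htr requests, matching the emergency measure of removing the .htr mapping. MAX_URL_LEN, the verdict names and the function names are assumptions made for this illustration, and only a plain ".htr" path ending is recognized.

```c
#include <ctype.h>
#include <string.h>

#define MAX_URL_LEN 260  /* assumed policy limit, not a value from the bulletin */

enum verdict { REQ_OK, REQ_MALFORMED, REQ_URL_TOO_LONG, REQ_HTR_BLOCKED };

/* Case-insensitive test: does the path part (before any '?') end in ".htr"? */
static int path_is_htr(const char *url, size_t len)
{
    const char *q = memchr(url, '?', len);
    size_t plen = q ? (size_t)(q - url) : len;
    if (plen < 4) return 0;
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)url[plen - 4 + i]) != ".htr"[i]) return 0;
    return 1;
}

/* Classify a request line "METHOD SP URL SP HTTP/x.y". The URL is copied
   into out only after its length has been checked against both limits. */
enum verdict check_request_line(const char *line, char *out, size_t outsz)
{
    const char *sp1 = strchr(line, ' ');
    if (!sp1 || sp1 == line) return REQ_MALFORMED;
    const char *url = sp1 + 1;
    const char *sp2 = strchr(url, ' ');
    if (!sp2 || url[0] != '/') return REQ_MALFORMED;
    size_t len = (size_t)(sp2 - url);
    /* The size check the text says was missing: reject before any copy. */
    if (len > MAX_URL_LEN || len >= outsz) return REQ_URL_TOO_LONG;
    memcpy(out, url, len);
    out[len] = '\0';
    /* Emergency measure from the page: with the .htr mapping removed,
       no .htr request should reach a handler, so refuse it here. */
    return path_is_htr(out, len) ? REQ_HTR_BLOCKED : REQ_OK;
}

/* Constructed sample: "GET /AAA...A.htr HTTP/1.0" with n filler bytes. */
enum verdict check_filler_request(size_t n)
{
    static char line[8192];
    char url[MAX_URL_LEN + 1];
    if (n > sizeof line - 32) n = sizeof line - 32;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', n);
    strcpy(line + 5 + n, ".htr HTTP/1.0");
    return check_request_line(line, url, sizeof url);
}
```

A request of the 3K size the text mentions is rejected on length before any byte is copied; a short .htr request is refused by the extension rule instead.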



Solution:

Because Microsoft has not yet released a patch, we can only take some emergency precautions.




1. Remove the .htr extension from the list of ISAPI DLLs



On your NT desktop, click "Start" -> "Programs" -> "Windows NT 4.0 Option Pack" -> "Microsoft Internet Information Server" -> "Internet Service Manager". Double-click Internet Information Server, right-click the computer name and choose Properties, select WWW Service from the main Properties drop-down menu, click the Edit button, select the Home Directory tab, and click the Configure button. In the Application Mappings list box, select the .HTR-related mappings, choose Delete, and click OK.




2. Install the patch provided by Microsoft; keep a close watch on the following Web sites:

http://www.microsoft.com/security

http://www.microsoft.com/security/products/iis/CheckList.asp



Some readers may wonder why I have devoted two consecutive installments, ASP 17 and 18, to IIS and ASP security issues. If you are a web developer or an ASP programmer, I think you will understand my intention. We do network programming and develop interactive web sites, and of course the first goal is to develop and build our own sites, but all of that rests on security. Security here includes protecting the ASP or other network application code we worked hard to develop, keeping the Web server running safely and normally, and ensuring the security and authentication of user information. When e-commerce becomes a truly widespread way of doing business, security will be the key. Many of us who are ASP programmers also serve as network administrators, so it is important and necessary to be familiar with how the system operates, to learn of system vulnerabilities promptly, and to fix security problems as soon as possible. At the end of this article I therefore list some security recommendations for NT and IIS system configuration, in the hope that they will be of some help.




1. Use the latest version, Microsoft Internet Information Server 4.0, and install the latest NT Service Pack 5. Do not use FAT as the server's file system; use NTFS.



2. Set web directories in IIS such as sample, scripts, IISAdmin and MSADC to prohibit anonymous access and restrict IP addresses. Until Microsoft provides the patch, remove the ISM.DLL-related application mappings.




3. Where conditions permit, use a firewall. The simplest arrangement is to expose the Web service in front and keep the directories behind it; if you can run one service per machine, that is of course best.




4. Use NTFS features to set detailed security permissions on the Web directory, CGI directory, scripts directory, WINNT directory and other important directories. The WINNT directory, which contains registry information, should allow Full Control only to administrators; ordinary users should not even be given read-only permission. All important system files should be set to read-only for everyone except administrators, not Everyone/Full Control.




5. Open only the services you need and block all ports that should not be open, such as NetBIOS port 139, which is a typical dangerous port. How do you block these ports? Besides using a firewall, NT's TCP/IP settings also provide this function: open Control Panel - Network - Protocols - TCP/IP - Properties - Advanced - Enable Security - Configure, which offers restrictions on TCP and UDP ports and on IP protocols.




6. Set up the administrator account to be somewhat more complex; adding special characters is recommended.



7. Change the TCP ports for FTP and Telnet to non-standard ports; I usually set them in the range 10000~65000.




8. Delete every share that can be deleted, including printer shares and hidden shares such as IPC$ and ADMIN$. Microsoft says these special shared resources are important and in most cases cannot be deleted, but in practice most machines on the Internet do not need shares at all.




IPC$: Used for remote computer management and for viewing shared resources; it is best not to use it.

ADMIN$: This is actually C:\WINNT, and there is no need to share it.

C$: Users who log in as Admin or Backup Operator can access the C drive as \\computername\C$. Although this is limited to the local area network, remote hackers also have ways to disguise themselves as LAN users, so it should be turned off.




print$:


