New Security Features


Experience has taught Microsoft that it's impossible to conceive of every possible attack and proactively address all possible vulnerabilities. Yet patterns have emerged in areas that hackers commonly exploit. As a result, several preventive measures are built into IIS 6.0 to make IIS more secure out of the box. In addition, improvements have been made to IIS to make it easier to further lock down a site and to discover and apply security patches.

Locked-Down Server

IIS ships in a locked-down state, in which only static content (.htm, .jpg, .bmp, and similar files) is served, thereby providing additional protection. IIS provides multiple levels of security, as described in the following list:

  • IIS is not installed by default on Windows Server 2003.

    Security is all about reducing the attack surface of your system. Therefore, IIS is not installed by default on Windows Server 2003. Administrators explicitly select and install IIS.

  • IIS is installed in a locked-down state.

    The default installation of IIS exposes only minimal functionality. Only static files get served, and all other functionality has to be enabled explicitly by the administrator.

  • Disabled on upgrades.

    Accidentally installed IIS servers will be disabled on Windows Server 2003 upgrades.

  • Disabling IIS via Group Policy.

    With Windows Server 2003, domain administrators can prevent users from installing IIS on their computers.

  • Running as a low-privilege account.

    IIS worker processes run in a low-privilege user context. This drastically reduces the effect of potential attacks.

  • Secure ASP.

    All ASP built-in functions always run in a low-privilege account (anonymous user).

  • Recognized file extensions.

    IIS serves requests only to files that have recognized file extensions and rejects requests to file extensions it doesn't recognize.

  • Command-line tools not accessible to Web users.

    Malicious attackers often take advantage of command-line tools that are executable via the Web server. In IIS 6.0, the command-line tools can't be executed by the Web server.

  • Write protection for content.

    Once attackers get access to a server, they often try to deface Web sites. If anonymous Web users are prevented from overwriting Web content, these attacks can be mitigated.

  • Timeouts and limits.

    In IIS 6.0, settings are set to aggressive and secure defaults. This minimizes attacks due to timeouts and limits that were previously too generous.

  • Upload data limitations.

    Administrators can limit the size of data that can be uploaded to a server.

  • Buffer overflow protection.

    A worker process terminates a program if a buffer overflow is detected.

  • File verification.

    The core server verifies that the requested content exists before it gives the request to a request handler (ISAPI extension).

In an effort to reduce the attack surface of your Web server, IIS 6.0 serves only static content after a default installation. Programmatic functionality provided by IIS APIs (ISAPI) or Common Gateway Interfaces (CGI) must be manually enabled by an IIS administrator. ISAPIs and CGIs extend the ability of your Web pages, and for this reason ISAPIs and CGIs are referred to here as Web service extensions. For example, to run Active Server Pages with this version of IIS, the ISAPI asp.dll must be enabled as a new Web service extension.

Using the Web Service Extension node, Web site administrators can enable or disable IIS functionality based on the individual needs of the organization. Therefore, additional functionality such as Active Server Pages or FrontPage Server extensions will have to be enabled before they work as expected. IIS 6.0 provides programmatic, command-line, and graphical interfaces for enabling Web service extensions.
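As an added illustration (not IIS source code and not from the book), the following Python model shows the request-gating order the list and the two paragraphs above describe: upload size limits, rejection of unrecognized extensions, Web service extensions that must be enabled explicitly, command-line tools that cannot be reached through the server, and the existence check before a request is handed to a handler. The MIME map, script map, `ServerConfig` fields, status codes and the constructed "files on disk" are assumptions that approximate the behaviour, not IIS's actual configuration or metabase.

```python
"""Model of the locked-down request gate described above.

Added illustration only: this is not IIS source code. The MIME map,
script map, ServerConfig fields, status codes and the constructed
"files on disk" are assumptions that approximate the behaviour the
text describes; IIS's real decision logic lives in the core server.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed MIME map: the only extensions served as static content.
STATIC_MIME_MAP = {
    ".htm": "text/html", ".html": "text/html",
    ".jpg": "image/jpeg", ".bmp": "image/bmp", ".css": "text/css",
}

# Constructed script map: extension -> Web service extension that handles it.
SCRIPT_MAP = {".asp": "ASP", ".aspx": "ASP.NET", ".exe": "CGI"}


@dataclass
class ServerConfig:
    # Locked-down default: no Web service extension enabled.
    enabled_extensions: set = field(default_factory=set)
    # Upload data limitation (bytes an administrator allows in a request body).
    max_request_bytes: int = 200_000
    # Constructed stand-in for the content directory on disk.
    existing_files: set = field(default_factory=set)


def gate(config, path, body_len=0):
    """Decide how a request is handled.

    Returns ("serve", mime) for static content, ("handler", name) when
    an enabled Web service extension gets the request, or
    ("reject", status, reason). Rejections use 404 so the response
    does not reveal whether a handler exists but is disabled.
    """
    if body_len > config.max_request_bytes:
        return ("reject", 413, "request body exceeds configured limit")
    if not path.startswith("/") or ".." in PurePosixPath(path).parts:
        return ("reject", 400, "malformed path")
    ext = PurePosixPath(path).suffix.lower()

    # Dynamic content: the extension must be explicitly enabled, and the
    # core server verifies the file exists before handing off.
    if ext in SCRIPT_MAP:
        handler = SCRIPT_MAP[ext]
        if handler not in config.enabled_extensions:
            return ("reject", 404, f"Web service extension '{handler}' is prohibited")
        if path not in config.existing_files:
            return ("reject", 404, "file not found")
        return ("handler", handler)

    # Static content: only recognized extensions are served.
    if ext not in STATIC_MIME_MAP:
        return ("reject", 404, f"unrecognized extension '{ext or '<none>'}'")
    if path not in config.existing_files:
        return ("reject", 404, "file not found")
    return ("serve", STATIC_MIME_MAP[ext])


if __name__ == "__main__":
    locked = ServerConfig(existing_files={"/index.htm", "/default.asp", "/cmd.exe"})
    for p in ("/index.htm", "/default.asp", "/cmd.exe", "/../boot.ini"):
        print(p, "->", gate(locked, p))
    opened = ServerConfig(enabled_extensions={"ASP"}, existing_files={"/default.asp"})
    print("/default.asp with ASP enabled ->", gate(opened, "/default.asp"))
```

The ordering matters for the defensive point: the extension allowlist is consulted before the disk is touched, so an attacker probing for disabled handlers or unmapped file types learns nothing from the response, and the existence check still runs before any handler is invoked.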

Worker Process Identity

Running multiple applications or sites on one Web server puts additional requirements on a Web server. If an ISP hosts two companies (who might even be competitors) on one server, it has to guarantee that these two applications run completely isolated from each other. More important, the ISP has to make sure that a malicious administrator for one application can't access the data of the other application.

Complete isolation is a must. IIS 6.0 provides this level of isolation through the configurable worker process identity. Together with other isolation features such as bandwidth and CPU throttling and memory-based recycling, IIS 6.0 provides an environment to host even the fiercest competitors on one Web server. Similarly, IIS 6.0 provides an environment to run multiple applications on one Web server with complete isolation.

IIS Runs as NetworkService

The worker process runs as NetworkService, which is a new built-in account with very few privileges. Running as a low-privilege account is one of the most important security principles. The ability to exploit a security vulnerability can be extremely contained if the worker process has very few rights on the underlying system.

Improvements to SSL

There are three main Secure Sockets Layer (SSL) improvements in IIS 6.0. The following list describes them:

  • Performance.

    IIS 5.0 already provides the fastest software-based SSL implementation on the market. As a result, 50 percent of all SSL Web sites run on IIS. IIS 6.0 will be even faster. Microsoft tuned and streamlined the underlying SSL implementation for even more performance and scalability.

  • Remotable Certification Object.

    In IIS 5.0, administrators cannot manage SSL certificates remotely because the cryptographic service provider (CSP) certificate store is not remotable. Because customers manage hundreds or even thousands of IIS servers with SSL certificates, they need a way to manage certificates remotely.

  • Selectable cryptographic service provider.

    If SSL is enabled, performance drops dramatically because the CPU has to perform a lot of intensive cryptography. There are hardware-based accelerator cards that enable the offloading of these cryptographic computations to hardware. They plug their own Crypto API (CAPI) provider into the system. IIS 6.0 makes it easy to select such a third-party provider.

If authentication answers the question, "Who are you?" authorization answers the question, "What can you do?" So authorization is about allowing or not allowing a user to conduct a certain operation or task. Windows Server 2003 integrates Passport as a supported authentication mechanism for IIS 6.0. IIS 6.0 extends the use of a new authorization framework that comes with the Windows Server 2003 family. Additionally, Web applications can use URL authorization in tandem with Authorization Manager to control access. Constrained, delegated authorization was added in Windows Server 2003 to provide domain administrators with control to allow delegation to particular machines and services only.

Passport Integration

Windows Server 2003 integrates Passport as a supported authentication mechanism for IIS 6.0; this integration provides Passport authentication in the core Web server and uses Passport version 2 interfaces provided by standard Passport components. Administrators can take advantage of the Passport customer base (150,000,000+) without having to deal with account management issues such as password expiration and provisioning.

Once Passport authentication is verified, a Windows Server 2003 Passport user can be mapped to a user of Active Directory through the user's Windows Server 2003 Passport identification, if such a mapping exists. A token is created by the Local Security Authority (LSA) for the user and set by IIS for the HTTP request.

Application developers and Web site administrators can use this security model for authorization based on users of Active Directory. These credentials are also delegatable using the new Constrained Delegation feature, which is supported in Windows Server 2003.

URL Authorization

Today access control lists (ACLs) are used to make authorization decisions. The problem is that the ACL model is very object (file, directory) driven and tries to fulfill the requirements of the resource manager, the NTFS file system. But most Web applications used today are now business applications and are not object driven; they are operation- or task-based. If an application wants to provide an operation- or task-based access control model, it has to create its own. With the new authorization framework in Windows Server 2003, Microsoft provides a way to fulfill the needs of these business applications.

IIS 6.0 extends the use of a new authorization framework that comes with the Windows Server 2003 family by providing gatekeeper authorization to specific URLs. Additionally, Web applications can use URL authorization in tandem with Authorization Manager to control access, from within a single policy store, both to the URLs that make up a Web application and to application-specific tasks and operations. Maintaining the policy in a single policy store allows administrators to manage access to the URLs and application features from a single point of administration, while leveraging the store-level application groups and user-programmable business rules.
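To make the contrast between object-driven ACLs and operation- or task-based control concrete, here is an added Python model (not the Authorization Manager API, its store schema, or anything from the book) of a single policy store that serves both a URL gatekeeper and the application's own operation checks. The roles-to-tasks-to-operations layout, the URL rule list, the application groups and the `refund_limit` business rule are constructed assumptions that show the shape the paragraph describes.

```python
"""Model of task-based authorization with a URL gatekeeper.

Added illustration only: this is not the Authorization Manager API or
its store schema. The roles -> tasks -> operations layout, the URL rule
list, the application groups and the sample business rule are
constructed assumptions that show the shape the text describes.
"""
from fnmatch import fnmatch

# Constructed single policy store for one Web application.
POLICY_STORE = {
    # Tasks bundle the low-level operations the application code checks.
    "tasks": {
        "ViewOrders":    {"ReadOrder"},
        "ProcessOrders": {"ReadOrder", "ApproveOrder"},
        "IssueRefund":   {"ReadOrder", "RefundOrder"},
    },
    # Roles bundle tasks; users are placed in roles via application groups.
    "roles": {
        "Clerk":   {"ViewOrders"},
        "Manager": {"ProcessOrders", "IssueRefund"},
    },
    # URL gatekeeper rules: first matching pattern names the required operation.
    "url_rules": [
        ("/orders/refund/*",  "RefundOrder"),
        ("/orders/approve/*", "ApproveOrder"),
        ("/orders/*",         "ReadOrder"),
    ],
}

# Constructed store-level application groups: user -> roles.
APPLICATION_GROUPS = {"alice": {"Clerk"}, "bob": {"Manager"}}


def operations_for(user):
    """Expand a user's roles through tasks down to the operations granted."""
    ops = set()
    for role in APPLICATION_GROUPS.get(user, ()):
        for task in POLICY_STORE["roles"].get(role, ()):
            ops |= POLICY_STORE["tasks"].get(task, set())
    return ops


def required_operation(url):
    """Map a URL to the operation it requires; None means the URL is not governed."""
    for pattern, op in POLICY_STORE["url_rules"]:
        if fnmatch(url, pattern):
            return op
    return None


def refund_limit(user, context, limit=500):
    """Constructed business rule: refunds above the limit are refused."""
    return context.get("amount", 0) <= limit


def access_check(user, url, context=None, business_rule=None):
    """Gatekeeper decision for one request.

    Deny by default: an ungoverned URL, a missing operation, or a failing
    business rule all yield False.
    """
    op = required_operation(url)
    if op is None or op not in operations_for(user):
        return False
    if business_rule is not None:
        return bool(business_rule(user, context or {}))
    return True


if __name__ == "__main__":
    print(access_check("alice", "/orders/123"))          # clerk may read
    print(access_check("alice", "/orders/approve/123"))  # clerk may not approve
    print(access_check("bob", "/orders/refund/7", {"amount": 900}, refund_limit))
```

The same `operations_for` expansion answers both questions the text raises: the gatekeeper asks it for the URL's required operation, and application code asks it for a task-specific operation before doing work, so changing a role in the one store changes both answers at once.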

Delegated Authentication

Delegation is the act of allowing a server application to act as a user on a network. An example of this would be a Web service application on an enterprise intranet that accesses information from various other servers in the enterprise as the client and then presents the consolidated data over HTTP to the end user.

Constrained delegation was added in Windows Server 2003 to provide domain administrators with control to allow delegation to particular computers and services only. The following are delegation recommendations:

  • Delegation should not allow a server to connect on behalf of the client to any resource in the domain or forest. Only connections to particular services (for example, a back-end SQL database or a remote file store) should be allowed. Otherwise, a malicious server administrator or application can impersonate the client and authenticate against any resource in the domain on behalf of the client.

  • Delegation should not require the client to share its credentials with the server. If a malicious server administrator or application has your credentials, it can use them throughout the domain, and not just against the intended back-end data store.

Constrained, delegated authentication is a highly desirable way to design an application suite in the Windows environment because there are many opportunities to leverage high-level protocols, such as Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM). These protocols can be used to transparently carry the user context from server to server, impersonate the user context, and have the user context be authorized against objects as the user by the authorization rules, defined by domain group information, local group information, and discretionary access control lists (DACLs) on resources located on the server.


Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153