The fact that an attacker can strike remotely makes a Web server an appealing target. Understanding threats to your Web server and being able to identify appropriate countermeasures permits you to anticipate many attacks and thwart the ever-growing numbers of attackers .
The main threats to a Web server are:
Profiling
Denial of service
Unauthorized access
Arbitrary code execution
Elevation of privileges
Viruses, worms, and Trojan horses
Figure 16.1 summarizes the more prevalent attacks and common vulnerabilities.
Profiling, or host enumeration, is an exploratory process used to gather information about your Web site. An attacker uses this information to attack known weak points.
Common vulnerabilities that make your server susceptible to profiling include:
Unnecessary protocols
Open ports
Web servers providing configuration information in banners
Common attacks used for profiling include:
Port scans
Ping sweeps
NetBIOS and server message block (SMB) enumeration
Countermeasures include blocking all unnecessary ports, blocking Internet Control Message Protocol (ICMP) traffic, and disabling unnecessary protocols such as NetBIOS and SMB.
Denial of service attacks occur when your server is overwhelmed by service requests. The threat is that your Web server will be too overwhelmed to respond to legitimate client requests .
Vulnerabilities that increase the opportunities for denial of service include:
Weak TCP/IP stack configuration
Unpatched servers
Common denial of service attacks include:
Network-level SYN floods
Buffer overflows
Flooding the Web server with requests from distributed locations
Countermeasures include hardening the TCP/IP stack and consistently applying the latest software patches and updates to system software.
Unauthorized access occurs when a user without correct permissions gains access to restricted information or performs a restricted operation.
Common vulnerabilities that lead to unauthorized access include:
Weak IIS Web access controls including Web permissions
Weak NTFS permissions
Countermeasures include using secure Web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
Code execution attacks occur when an attacker runs malicious code on your server either to compromise server resources or to mount additional attacks against downstream systems.
Vulnerabilities that can lead to malicious code execution include:
Weak IIS configuration
Unpatched servers
Common code execution attacks include:
Path traversal
Buffer overflow leading to code injection
Countermeasures include configuring IIS to reject URLs with "../" to prevent path traversal, locking down system commands and utilities with restrictive access control lists (ACLs), and installing new patches and updates.
Elevation of privilege attacks occur when an attacker runs code by using a privileged process account.
Common vulnerabilities that make your Web server susceptible to elevation of privilege attacks include:
Over-privileged process accounts
Over-privileged service accounts
Countermeasures include running processes using least privileged accounts and using least privileged service and user accounts.
Malicious code comes in several varieties, including:
Viruses . Programs that are designed to perform malicious acts and cause disruption to an operating system or applications.
Worms . Programs that are self-replicating and self- sustaining .
Trojan horses . Programs that appear to be useful but that actually do damage.
In many cases, malicious code is unnoticed until it consumes system resources and slows down or halts the execution of other programs. For example, the Code Red worm was one of the most notorious to afflict IIS, and it relied upon a buffer overflow vulnerability in an ISAPI filter.
Common vulnerabilities that make you susceptible to viruses, worms, and Trojan horses include:
Unpatched servers
Running unnecessary services
Unnecessary ISAPI filters and extensions
Countermeasures include the prompt application of the latest software patches, disabling unused functionality such as unused ISAPI filters and extensions, and running processes with least privileged accounts to reduce the scope of damage in the event of a compromise.