Objective 3.4: Designing Security for IIS

1. Open Start Control Panel Network Connections Local Area Connection .

2. Navigate to the Advanced tab and select the Protect my computer and network by limiting or preventing access to this computer option from the internet check box (see Figure 6.22).

   
   Figure 6.22: Enabling the Internet Connection Firewall

3. Click the Settings button and navigate to the Services tab. This will bring up a window to select or deselect the access protocols to your server. This is the list of protocols the IIS server will understand to process user requests . Select the correct check box next to the protocol name to enable requests using the particular protocol. You can disable the protocol access by clearing the check box. Your screen should be similar to Figure 6.23.

   
   Figure 6.23: Available Protocol Configuration Window

4. Select the appropriate protocols for your organization. Most organizations will enable HTTP, HTTPS, SMTP, and FTP access through the firewall. Each time you select a protocol, a small window will appear, prompting you to enter the machine name or IP address of the server that hosts the service. Figure 6.24 shows the entry to enable HTTPS access to a machine called home-net.

5. Click OK and repeat the process for all other protocols.

   When you complete these steps, you have enabled the correct access to your organization through the ICF.

Advanced Digest Authentication

Advanced digest authentication is an extension of Digest Security . Digest Security uses MD5 hashing to encrypt user credentials.(username, password, and user roles). So, what s the purpose of MD5 hashing? Basic authentication sends the username and password details over the network medium in base-64 encoded format. These details can be easily sniffed (captured with a protocol analyzer) and decoded by an intruder, who could then use the credentials for nefarious purposes. The MD5 hash enhances security by applying more sophisticated, more difficult to crack cipher algorithms to deter these intruders. An MD5 hash is made up of binary data consisting of the username, password, and realm . The realm is the name of the domain that authenticates the user. All of this means that Digest Security is more secure than basic authentication.

Advanced Digest Security takes the digest authentication model a bit further by storing the user credentials on a DC as an MD5 hash. The Active Directory database on the DC is used to store the user credentials. Thus, intruders would need to get access to the Active Directory to steal the credentials. This adds another layer of security to protect access to Windows Server 2003 Web sites, and you do not need to modify the application code to accommodate this security feature.

Server-Gated Cryptography

Communication between an IIS Web server and the Web client is done using the HyperText Transfer Protocol (HTTP). These HTTP network transmissions can be easily compromised due to their text-based messaging formats. Therefore, we need to encrypt these HTTP calls between the client and the server. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common encryption mechanism used on Web sites. SSL/TLS enables secure communication by encrypting the communication channel with a cipher algorithm. TLS is the later version of the SSL protocol.

IIS 5.0 and earlier versions included SSL/TLS for secure communication between the Web client and the server. Server Gated Cryptography (SGC) is an extension of SSL/ TLS. It uses a strong 128-bit encryption mechanism to encode the data. SGC does not require an application to run on a client s machine. It was available since IIS 4.0. SCG needs a valid certificate at the client Web browser, which can be encoded and decoded. A special SGC certificate is needed to enable SGC support built in to IIS 6.0. We can obtain a certificate by contacting a CA. This certificate can be added to IIS as any other certificate. IIS 6.0 supports both 40-bit and 128-bit encryption sessions. This means your old 40-bit SGC certificates are still valid in IIS 6.0. SGC is commonly used for financial sector applications (banking and financial institutions) to protect data.

Selectable Cryptographic Service Provider

SSL/TLS offer a secure environment in which to exchange data. The downside is performance. SSL/TLS are very CPU intensive . IIS 6.0 comes with a new feature called the Selectable Cryptographic Service Provider (CSP) that lets the user select from an optimized list of cryptography providers. A cryptographic provider will provide you with an interface to encrypt communication between the server and the client. CSP is not specific to IIS and can be used to handle cryptography and certificate management. Microsoft implements two default security providers: the Microsoft DH SChannel Cryptographic provider and the Microsoft RSA SChannel Cryptographic provider. The Microsoft implementations are optimized to IIS 6.0 for faster communications. The private keys for these Microsoft implementations are stored in the Registry. The Microsoft Cryptographic API (Crypto API) for every provider contains identical interfaces for all providers. This will enable developers to switch between providers without modifying the code. Each provider will create a public and a private key to enable data communication. The private key is stored on hardware devices (such as PCI cards, smart cards, and so forth) or in the Registry. The other CSP keys can also be stored in the Registry. It makes more sense to store private keys as Registry settings for computer access to the server. The private key will be stored on smart cards and other portable devices if we have a mobile distribution environment. (This is similar to Plug and Play support for devices in Windows 2000 and Windows Server 2003 environments.) The CSP can be configured using the Welcome to the Web Server Certificate Wizard (click Properties of a Web site, select the Directory Security tab, and then click the Server Certificate button).

Configurable Worker Process Identity

One of the most serious problems with previous IIS versions was the instability of the World Wide Web Publishing Service (WWW). The failure of this service could result in the shutdown of the machine. IIS 6.0 runs each Web site in an isolated process environment. This isolated process environment is called a worker process . Therefore, a Web site malfunction could be limited to its process environment (and hence will not lead to a Web server shutdown). IIS 5.0 did not implement a worker process model. IIS 6.0 can also run an IIS 5.0 isolated environment. The IIS system administrator can choose between the worker process model or the IIS 5.0 isolation model by selecting the correct option from Services tab by right-clicking on Web Sites . You can click the Run WWW service in IIS 5.0 isolation mode option box to run IIS in IIS 5.0 isolation mode. IIS will run on the worker process model if you do not check the box. IIS can run only at one mode at a time. Therefore, we will not be able to run worker process model Web sites and IIS 5.0 isolation mode Web sites simultaneously .

The worker process can be run with a lower level of permission than the system account. The worker process will shut down the application if the IIS server is targeted with malicious code. IIS 6.0 can detect malicious code by observing the rapid fail-over mechanism. This process will be explained later in the chapter. The rapid fail-over program will restart IIS 6.0 when the system has generated a specified number of errors in a specified amount of time. IIS 6.0 (which is by default run by the local system account) is not affected since the worker process can be configured to run under a less privileged account.

Default Locked Down Status

The default installation of IIS 6.0 will result in a lightweight Web server. The only default feature available will be the access to static content. This is to deter any malicious access by intruders. This restricted functionality is referred as Default Locked down status. This feature will force the system administrators to manually enable and disable the features that are necessary for the applications. They can do this through the Web Services Extensions node of the IIS Manager.

New Authorization Framework

Authorization refers to the concept of confirming a user s access for a given resource. (Authentication refers to obtaining access to the resource. When a user is authenticated, we need to make sure whether he or she is authorized to perform any tasks on the resource. This is the basis of authorization.) There are two types of ASP.NET authorization options available for IIS 6.0:

• File authorization The FileAuthorizationModule class is responsible for file authorization on Windows Server 2003 systems. The module is activated by enabling Windows authentication on a Web site. This module does access control list (ACL) checks on the authorization access on an ASP.NET file for a given user (it could be either .asmx file for ASP.NET application, or a .asmx file for a Web service) . The file is available for the user if the ACL confirms the user access to the file.

• URL authorization The URLAuthorizationModule class is responsible for URL authorization on Windows Server 2003. This mechanism uses the URL namespace to store user details and access roles. The URL authorization is available to use at any time. The authorization information is stored in a text file on a directory. The text file will have an <authorization> tag to allow or deny access to the directory (this will apply to the subdirectories if not specified). Here is a sample authorization file:

   <authorization>     <allow users="Chris"/>     <allow roles="Admins"/>     <deny users="Gayan"/>     <deny users="?"/> </authorization> 

  This file will enable Chris to access its content. It will also allow anyone with an Admins user role. The user Gayan is denied access. Anyone else will not be able to gain access to this directory (indicated by the ? wild card).

Configure IIS Logs

We can enable logging on Web sites and FTP sites. This will record user and server activity. These log files will enable system administrators to regulate access to content, evaluate the popularity of different Web sites, plan security requirements, and troubleshoot potential security breaches. We can use several log formats to record data. IIS logging can be enabled or disabled with IIS Manager on demand. Although logs can be read by a text editor, there are specialized third-party software tools to analyze these logs. We can also use Object Database Connectivity (ODBC) connections to log the IIS entries to SQL server databases.

We can record logs in many formats: W3C log file, IIS log file, and NSCA log file. W3C log file format is an ASCII format that can be customized. The other log file formats are not customizable. Here is a sample W3C log file entry:

 #Software: Internet Information Services 6.0  #Version: 1.0 #Date: 2003-12-26 17:42:15 #Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 17:42:15 172.11.255.255 GET /test.htm 200 HTTP/1.0 

The first three lines define the IIS server settings and time stamp. The fourth line describes the log file captions (the description of the fields that we are logging information on). The last line is the actual log entry. The log entry was made at 17.42.15 from the machine 172.11.255.255. The client sends a GET HTTP request to the server to the test.htm page. This call is successful and returns a 200 response (200 means success). The communication was done using HTTP 1.0. Now let s learn how to enable logging in IIS 6.0 and customize log fields.

Exercise 6.09: Configure IIS Logging

1. Open IIS Manager ( Start Administrative Tools IIS Manager ).

2. Navigate to the Web site or the FTP site. Select Web Sites and then Default Web site for this demonstration.

3. Right-click on the Default Web site and select Properties .

4. Select the Web Site tab. Click the Enable logging option box. Your screen should be similar to Figure 6.25.

   
   Figure 6.25: Enable Logging for Default Web Site

5. Click the Properties button to customize log entries. The Logging Properties window will appear. The General tab will enable you to modify the log filename and the frequency that the log is written (for example, hourly, daily, monthly, and so forth).

6. Click the Advanced tab and you can select the fields you want to log in the IIS logs. It is good practice to log the date, time, server IP, host, URI query, username, and client IP address as minimum requirements to investigate security breaches. Your screen should be similar to Figure 6.26. Click OK when finished customizing the log fields.

   
   Figure 6.26: Customizing Log Fields

 

Enable Security Auditing

Security events are logged in the Security log, accessible by administrators via the Event Viewer. An audit entry can be either a Success or a Failure event in the Security log. A list of audit entries that describes the life span of an object, file, or a folder is referred to as an audit trail. The primary types of events that you can choose to audit include:

• Computer logons and logoffs.

• System events (when a computer shuts down or reboots, or something happens that affects system security, such as the audit log being cleared, system time is changed, or an invalid procedure call port is used to try to impersonate a client).

• User and computer account management tasks (such as the creation of accounts or changes to account status or permissions).

• Access to files, folders, and objects.

Configuring security auditing will help you track potential security issues and provide evidence in relation to security breaches. It is best practice to create an audit plan before you enable auditing on your system. The audit plan will detail the purpose and objectives of the audit. The audit plan should contain the following:

• The type of information you want to audit

• How much time you have to review audit logs

• The resources you have for collecting and storing audit logs (disk space, memory, and processor usage)

• The intended scope of the audit

You ll need to ask yourself some questions as you prepare the audit plan. Is the purpose of the audit plan to prevent security breaches from unauthorized sources? If so, you need to enable the audit failure events on logons and collect information on it. Is the objective of the auditing to get a snapshot of the organization s activities for forensic purposes? In that case, you need to enable both success and failure events to collect data on all applications.

It is important to remember that the audit trail information can result in a very large amount of data if both the success and failure audits are enabled. Too wide a scope for the audit can also make it difficult for you to find the information you re looking for within a huge file that records thousands of events.

The Audit Account Logon Events and Audit Logon Events items are enabled for auditing by default in Windows Server 2003. By default, object access auditing is not enabled. You can view the security audit entries under the Security section of the Event Viewer .

Head of the Class
Periodically Back Up Audit Information

The administrative account or administrative privileges are a prime target for hackers so there is always the possibility of intruders gaining administrator access to your system. With these privileges, an intruder can do malicious damage to your system and delete the audit events from the event log. If this happens, there will not be an audit trail to determine the cause and the damage to the system. To minimize the damage that would be caused by such an attack, you need to duplicate the audit information periodically. You can use the Microsoft Operations Manager (MOM) to copy audit events periodically and store them in a secure network drive; this provides a backup of the audit trail information.

MOM is a monitoring and management tool released by Microsoft in 2000 and used for a variety of enterprise-level management tasks. You can download a trial version from Microsoft s Web site at www.microsoft.com/_MOM/default.asp.

Let s learn how to define an audit policy on a local computer. The local audit policy dictates the audit procedures on the local machine. It does not dictate the audit policy for the rest of the network computers. Exercise 6.09 walks you through the steps required to enable the auditing policy on the local computer. You need to have administrator access to perform any of the auditing policy changes.

Exercise 6.09: Enabling Audit Policy on a Local Machine

1. Click Start Programs Administrative Tools Local Security Policy .

2. In the left pane of the console, expand Local Policies and click Audit Policy . Your screen should look similar to Figure 6.27.

   
   Figure 6.27: Local Audit Policy Settings

3. In the right details pane, select and double-click the option for which you want to define audit policy. For this exercise, select the Audit object access option. You see a dialog box similar to Figure 6.28. Here you can choose to enable success and/or failure audits by checking the option box(es).

   
   Figure 6.28: Enable Success or Failure Audit Options

4. Click OK or the Apply button. Now we can enable auditing on objects, files, and folders on the local computers.

 

Monitor Event Log Activities

The Event Viewer is used to monitor many different aspects of server activity. To access this tool, click Start Programs Administrative Tools Event Viewer . The Event Viewer is displayed as an MMC that is stored at SystemRoot\System32\_eventvwr.mmc . The Everyone user group has read and execute access to manipulate the Event Viewer. The Administrator group and the System account have full control (full control consists of read, write, modify, and execute permissions).

Event log data is displayed in the Event Viewer. There are at least three different event log files: the Application, Security, and System logs. Your Event Viewer can display additional logs, depending on applications and services you have installed on the server. For example, if the computer is configured as a DNS server, it will have a DNS log in addition to the three default logs. There are five major event types. The error, warning , and information types occur in the Application and System logs. The Success Audit or Failure Audit types occur in the Security log. Following are descriptions of each event type and its function:

• Error Indicates a significant problem in the system. This can have adverse effects on the application or operating system if ignored (for example, the DHCP service not starting at reboot can lead to the lack of IP assignment for the network computers).

• Warning Indicates the possibility of future errors to come, but conditions do not pose an immediate threat to the system (for example, e.g., l ow disk space is a warning that can lead to various errors if ignored, but does not indicate an immediate threat).

• Information Describes a successful operation of the system or an application (for example, SQL Server logs an information event when the SQL server starts up correctly).

• Success Audit All audited security events that are completed successfully will be logged in this category, (for example, a successful user logon when security auditing is enabled).

• Failure Audit All audited security events that fail will be logged here (for example, you will receive an authorization error if you try to log on to a shared drive to which you don t have access. This will result in a failure audit entry in the Security event log).

The event log service is automatically started when the Windows Server 2003 system starts. There are three default log files available in Windows Server 2003. These same logs were also available in Windows NT, 2000, and XP. The default logs are:

• Application log This log is available for application developers and system administrators. The developers can monitor their application activities in this log. The system administrator can trace and monitor the applications and how they interact with each other using this utility. It can be used to record application errors, warnings, and information events. Scripting languages (such as C#, C++, VB 6.0, and so forth) include Application Programming Interface (API) calls to log entries in the Application log. This log can be used to display a myriad of application errors (for example, the application can record a Source file not found error when files needed to complete a transaction are missing).

• Security log Events that affect system security are logged in this event log. These events include failed or successful logon attempts, creating, opening or deleting files, changing properties or permissions on user accounts and groups, and so forth. We will be using this log to monitor IIS security closely.

• System log Events related to Windows system components are stored in this log file. This includes entries regarding failure of drivers and other system components during startup and shutdown.

Enable Health Detection

Health detection simplifies IIS Web site management. Health detection is performed by IIS over all its worker processes. This adds another level of reliability to the Web applications. The inetinfo.exe process (IIS) will check the availability of each worker process (different Web sites) periodically. This time limit can be configured by IIS Manager (240 seconds by default). Therefore, IIS will maintain a heart beat between its worker processes. (Heart beat is similar to the ping facility. The IIS server will try to communicate with worker processes to make sure they are alive .)

Health detection enables IIS to monitor its worker process functionality. We can enable pinging and configure rapid application fail-over (discussed later in the chapter). You can also set the startup and shutdown time for a worker process using the option.

Exercise 6.10: Enable Health Detection

You can enable health detection by following this process. This process only works if you re running in worker process isolation mode.

1. Start IIS Manager ( Start Administrative Tools IIS Manager ).

2. Select Application Pools .

3. Navigate to the correct Web site.

4. Right-click on the site and click Properties .

5. Select the Health tab and enter your proffered settings. Your screen should be similar to Figure 6.29.

   
   Figure 6.29: Enable Health Detection

6. You can configure the ping interval using the Enable Pinging group box. This interval describes the timeframe to contact a worker process to make sure it functions accordingly . The default setting is 240 seconds. (Rapid-fail protection is initiated by IIS when too many application pool errors are generated for specified timeframe. The default is five errors occurring in five minutes. This scenario will trigger the IIS to restart and issue a 503 error to the client.) You can also configure the worker process a startup time (if the worker process restarts) and a shutdown time (if the worker process gets into a deadlock position) using this screen.

7. Click OK or the Apply button to apply the changes.

 

We can also use the Network Monitor and System Monitor to analyze abnormal activity in your network and system, respectively. Let s discuss how we identify these security breaches.