Web Server Security Issues

Internet Information Services (IIS) is the Microsoft Web server provided in each Windows Server 2003 Edition. Internet Information Services (IIS) 6.0 was designed as the solution for intranets, extranets, and the Internet. Through IIS, organizations can implement Web sites and applications, and Web services. IIS supports Secure Sockets Layer (SSL) version 3. SSL is used to encrypt HTTP and NNTP authentication data and transmission data through public key cryptography. IIS also supports Transport Layer Security (TLS), which is used to encrypt SMTP data transmissions.

Basic security measures for securing Web servers are listed here:

  • Physically secure your Web servers.

  • Apply and maintain a strong virus protection solution.

  • Software patches should be kept up to date.

  • The NTFS file system should be utilized to protect data on the system volume. It is strongly recommended to install IIS 6 on an NTFS partition. If the existing partition is formatted with the FAT32 file system, upgrade it to a NTFS partition when you install or upgrade to IIS 6.

  • You should use firewalls to protect your Web servers, and your internal servers from unauthorized access. Because Web servers are usually attacked by hackers, a firewall should exist between your Web server and your users on the internal network.

  • Use IPSec filters to protect confidential IP traffic.

  • All unnecessary services and applications not being utilized on your Web servers should be uninstalled.

  • Only enable those IIS components which you are going to use.Securing Web Servers

  • Secure the well-known accounts: Administrator account, Guest account.

  • To protect Web servers from unauthorized access, enforce the use of strong passwords.

  • Consider using smart cards to further augment your access strategy.

  • Monitor Web server activity and traffic flow.

As mentioned previously, you should only enable those IIS components which you are going to use. Enabling unnecessary IIS components only adds to the vulnerability of the IIS Web server. Some IIS components are automatically installed when you add the Application Server role, while other components need to be manually enabled. You can use Add Or Remove Programs in Control Panel to check which IIS 6 components have been installed

The IIS subcomponents together with their default installation settings are listed here:

  • Background Intelligent Transfer Service (BITS) server extension (disabled by default); utilized by Windows Update and Automatic Update to apply the latest service packs and hotfixes to IIS Web servers.

  • Common Files (enabled by default); includes files required by IIS.

  • File Transfer Protocol (FTP) Service (disabled by default); enables the IIS Web server to provide FTP services.

  • FrontPage 2002 Server Extensions (disabled by default); enables FrontPage support for Web sites using FrontPage extensions.

  • Internet Information Services Manager (enabled by default); the management utility for managing IIS.

  • Internet Printing (disabled by default); enables printers to be shared over HTTP.

  • NNTP Service (disabled by default); for posting news articles on the Internet.

  • SMTP Service (disabled by default); for transferring e-mail.

  • World Wide Web Service (enabled by default); for providing Web services and static and dynamic content.

To verify which IIS 6 components are installed,

  1. Open Control Panel.

  2. Click Add/Remove Programs.

  3. Click Add/Remove Windows Components, click Application Server in the Windows Components dialog box, and then click the Details button.

  4. The Application Server dialog box next appears. This is where you elect the IIS 6 components which you want to install.

  5. Click Internet Information Services (IIS) and click the Details button.

  6. Click World Wide Web Service.

  7. Select all other IIS components which you want to install.

  8. Click OK.

Web logs can assist with identifying unusual traffic patterns which could be indicative of an attack on the Web server. When Web logging is enabled, the event logs contain error, warning, and information events which are logged by IIS. After Web logging is enabled, you can specify which home directories, virtual directories, subdirectories, and files which should have access logging enabled.

Web logging can be enabled at the Web Sites level so that Web logging occurs for all Web sites hosted on the IIS Web server. Alternatively, you can enable Web logging for only specific Web sites. The IIS Manager console is used to enable Web logging.

Reviewing IIS 5 and IIS 6 Security Features

With Windows 2000 came the introduction of Internet Information Services IIS 5.0 which was fully integrated with the Active Directory directory service. IIS 5.0 improved on security, administration, reliability, and performance in the Web infrastructure environment.

Security specific enhancements and features included with IIS 5 are listed here:

  • Server-Gated Cryptography (SGC), a SSL extension enables stronger 128-bit encryption to be utilized.

  • Digest Authentication improves security for user authentication over proxy servers and firewalls.

  • IIS 5.0 is integrated with Kerberos version 5 authentication, and is used for authentication between computers running Windows 2000.

  • IIS certificate storage in IIS 5 is integrated with Microsoft CryptoAPI (CAPI) storage.

  • A number of new security wizards are introduced in IIS 5:

    • The Permissions Wizard, for configuring Web site access.

    • The Web Server Certificate Wizard, for creating certificate requests and for the administration tasks of the certificates.

    • The CTL (certificate trust lists) Wizard, for configuring CTLs. A CTL contains the trusted Certification Authorities (CAs) for a directory. Configuring CTLs is beneficial when ISPs that have multiple Web sites requiring a unique list of approved CAs for every site.

With the introduction of Windows Server 2003, came the advent of Internet Information Services 6 (IIS 6). IIS 6 is included with the 32-bit version and the 64-bit versions of the Windows Server 2003 Editions.

Security specific enhancements and features included with IIS 6 are here listed here:

  • IIS 6 is not by default installed, and ASP and FrontPage extensions are disabled.

  • The worker process shuts down applications if the IIS web server is sent malicious code.

  • Digest Authentication can be used over proxy servers and firewalls.

  • IIS 6 can also utilize Passport authentication because of its integration with Microsoft .NET Passport.

  • You can use the Group Policy feature of Active Directory to further secure IIS. You can prevent users from deploying unauthorized Web servers on the network.

  • IIS 6 supports the use of Server-Gated Cryptography (SGC), an extension of SSL/TLS. You can utilize 128-bit encryption to protect data.

  • Selectable Cryptographic Service Provider (CSP) provided by IIS 6 allows users to select from a list of cryptography providers to provide the interface for encrypting data between the IIS Web server and Web client. CSP can also be used for certificate management. The default Cryptographic Service Providers are Microsoft RSA SChannel Cryptographic provider and Microsoft DH SChannel Cryptographic provider

Previous to IIS 6, when IIS was installed, the following occurred:

  • All services were enabled and started.

  • All service accounts had high system rights.

  • Permissions were assigned to the lowest levels.

This type of installation essentially made your Web server installation vulnerable to attacks by hackers. IIS 6 is installed in locked-down mode.

When installing IIS 6 included with Windows Server 2003, the following occurs:

  • ASP and FrontPage extensions are disabled

  • ISAPI extensions and filters are not installed

  • Permissions are assigned to the high levels

  • All applications and extensions are prohibited from running.

The IIS 6 worker processes that run Web service extensions run as a new account, namely the Network Service account. Privileges of the Network Service account include:

  • Logging on as a service.

  • Impersonating a client once authentication occurred

  • Allow logon locally.

  • Accessing the computer from over the network

  • Generating security audits.

Configuring IP address and Domain Name restrictions for IIS

You can configure IP address and domain name restrictions for IIS to restrict access to websites and directories by using addresses and domain names. Through IP address and domain name restrictions, you can specify that all computers are granted access, or you can specify those computers which should not be granted access by listing their IP address or domain name.

To configure IP address and domain name restrictions,

  1. Open the IIS Manager.

  2. Right-click a Web site in the console tree, and select Properties from the shortcut menu.

  3. When the Properties dialog box of the Web site opens, click the Directory Security tab.

  4. In the IP Address and Domain Name Restrictions section of the Directory Security tab, click the Edit button.

  5. The Address and Domain Name Restrictions dialog box opens.

  6. Using the dialog box, you can specify that all computers are granted access, or you can specify those computers which should not be granted access by listing their IP address or domain name.

  7. Click the Add button to include particular users' IP addresses in a list.

  8. Click OK.

Configuring Authentication for Web Sites

User authentication in a Web infrastructure is probably the primary step for securing access to IIS Web servers. When a user attempts to access a Web site on an IIS server, authentication verifies whether the user can access the site. Authentication and permissions are closely coupled. After a user is authenticated, NTFS permissions determine whether the user can access folders and files, and Web site permissions indicate whether a Web client or FTP client can read the home directory or virtual directory of the Web site.

An authentication method for a Web site can be defined at either of these levels:

  • Web Sites node

  • Specific websites

  • Virtual directory

  • Specific files

The different authentication methods for authenticating users in IIS are:

  • Anonymous access; allows all anonymous users to access the content of the Web site. Anonymous access is enabled by default for the Default Web Site.

  • Basic Authentication; uses a clear-text username and password combination and should therefore only be used when no other authentication methods can be utilized. Basic Authentication is the weakest authentication method for authenticating users.

  • Integrated Windows Authentication; provides the best authentication technology for authenticating users attempting to access Web sites hosted on IIS Web servers. Kerberos authentication is used when the IIS server belongs to a domain. The NTLMv2 method is used when the IIS machine is running in a network that contains Windows NT domain controllers, or when the IIS machine belongs to a workgroup

  • Digest Authentication; sends user credentials over the network by utilizing an encrypted MD5 hash. However, the Digest Authentication method can only be used if Active Directory is used. Active Directory must be used with domain controllers running Windows 2000 or Windows Server 2003. Users and the IIS machine should also belong to the same domain.

  • .NET Passport Authentication; .NET passports are used for authentication that occurs through a single sign on method. The Passport accounts of users are located on Passport servers which are connected to the Internet. These Passport servers are managed by Microsoft. Passport information of the user is sent by the IIS Web server to the Passport servers for authentication whenever a user attempts to access a Web site.

To configure an authentication method for a Web site,

  1. Open the IIS Manager.

  2. Right-click a Web site in the console tree, and select Properties from the shortcut menu.

  3. When the Properties dialog box of the Web site opens, click the Directory Security tab.

  4. In the Authentication and Access Control section of the Directory Security tab, click the Edit button.

  5. The Authentication Methods dialog box opens.

  6. Proceed to configure an authentication method using this dialog box.

Using NTFS Permissions to Enhance Web Server Security

Authentication verifies whether the user can access a Web site. Once a user is authenticated, NTFS permissions can be used to specify whether the user can access folders and files. NTFS permissions form the basis of Windows Server 2003 and IIS security by controlling whether users are allowed to access files and folders, and the level of access users have.

The default permissions assigned to security principals for new Web sites are listed below:

  • Administrators: Full Control

  • Users: Read & Execute

  • SYSTEM: Full Control

  • Creator Owner: Special permissions

  • Internet Guest Account: No permissions are assigned

Using Web Site Permission to Control Access to Web Content

Web site permissions can be configured to control access to Web content on IIS Web sites. Web site permissions can be configured at the following levels:

  • For all Websites

  • For a specific Web site(s)

  • For a specific directory or virtual directory

  • For a specific file located in a virtual directory

The different Web site permissions which you can configure are listed here:

  • Read; users can read or download files which are located in the directory. This permission is enabled by default.

  • Write; users can add and change Web content

  • Script Source Access; users are able to access the source code of ASP pages. You should only use this Web site permission on servers used for development.

  • Directory Browsing; users are permitted to browse the directory structure

  • Log Visits; enables logging of visits to the Web site.

  • Index This Resource; enables the Microsoft Windows Content Indexing Service to create an index of the home folder.

  • Execute; determined by the options listed below:

    • None; scripts or executable files do not run on the server.

    • Scripts Only; only scripts are allowed to be run on the server.

    • Scripts And Executables; scripts and executable files are allowed to be run on the server.

Using SSL Encryption to Secure Web Server Communication

Secure Sockets Layer (SSL) uses public key cryptography to create an encrypted session key to secure communication between a Web server and a Web client. A few security features provided by SSL are authentication, message integrity, and data confidentiality. To secure Web traffic, SSL provides server authentication so that a user can verify the identity of the Web server. SSL also provides client authentication so that the Web server can verify the identity of the client. Because communications between the Web server and clients are encrypted, data confidentiality is ensured.

When a client Web browser connects to a Web server that is configured for SL, a SSL handshake process is initiated with the Web server. The SSL handshake process occurs to negotiate the secret key encryption algorithm which the client and Web server will utilize to encrypt the data which is transmitted in the SSL session.

To use SSL encryption, you must obtain a digital certificate and install it on the Web server. The digital certificate verifies the identity of the server to the client and also encrypts communications between the Web server and a client. You can obtain a digital certificate from an external certificate authority, such as VeriSign, GlobalSign or Thawte; or you can configure an internal CA for the organization. To make certificates trusted, you must obtain a certificate from a trusted entity called a certification authority (CA). For configuring internal CAs, Microsoft provides Certificate Services.

To enable SSL on the IIS Web server,

  1. Open the IIS Manager.

  2. In the console tree, right-click the Default Web Site node and select Properties from the shortcut menu.

  3. When the Default Web Site Properties dialog box opens, click the Web Site tab.

  4. Verify that the SSL port is defined as the default SSL port – 443.

  5. Click the Directory Security tab.

  6. In the Secure Communications area of the dialog box, click the Edit button.

  7. In the Secure Communications dialog box, click the Require Secure Channel (SSL) checkbox.

  8. Click OK.

Using URLScan to Secure Web Server Processing

If you have not installed IIS 6.0, then it is recommended that you use the URLScan tool's features to specify which types of HTTP requests your Web server should process. The URLScan tool enables Administrators to limit which HTTP requests the Web server should process by allowing you to configure criteria for filtering requests for the server. This basically means that you can define rules which can isolate bad requests which are aimed at attacking the Web server.

A few bad requests which can be sent to Web servers by intruders are listed here:

  • Bad requests sent to the Web server which are exceptionally long, can result in buffer overflow issues.

  • Bad requests to the Web server that contain unusual character sequences can lead to issues.

  • Bad requests can contain an unusual character that can be incorrectly processed by your Web servers.

  • Bad requests to the Web server that have an unusual action request can also be incorrectly processed by the Web server.

The latest version of URLScan is URLScan 2.5. The security enhancements included with URLScan 2.5 are listed below:

  • URLScan 2.5 enables you to limit the size of requests to the Web server.

  • URLScan 2.5 can log longer URLs than the previous URLScan versions.

  • URLScan 2.5 allows you to modify the location of the log file.