[thelist] IIS Security Tip, was FW: Microsoft Security Bulletin MS01-033

Paul Cowan paul at wishlist.com.au
Mon Jun 18 18:53:36 CDT 2001


Hi all,

Free of charge, relating to the below, here's probably the most important
tip for any IIS webheads out there. Rather long for a tip, but hey.

<tip type="IIS Security" author="Paul Cowan">
The ABSOLUTE FIRST STEP in securing a production NT/2000 web server is to 
remove *any* and *all* DLL mappings which aren't required. On a live, 
publicly-accessible box, that should include all of them except the ASP
ones. 
Do it for the default website pretty much on the first power-up after 
install, then you won't forget, and any new sites you create afterwards 
should be fine. On IIS 4, this is in [server name] -> Properties -> WWW 
Service master properties -> Home Directory -> Configuration -> App 
mappings. If it doesn't map to asp.dll, delete it. There are many other
important steps when securing an IIS box (check the MS documentation), 
but with this baby, when _most_ of the MS IIS security bulletins 
come through, and your boss says in a panic "are we OK? my god, a 
security risk! help help!", you can read it, lean back, and smile 
heartily, impressing them with your incredibly cool demeanor and 
guaranteeing yourself another $15K next financial year.
</tip>

Next week, in IIS Security 101: "Removing The Default Website And 
Sample Virtual Directories For Dummies".

Cheers,

Paul

> -----Original Message-----
> From: Ryan Finley [mailto:RyanF at SonicFoundry.com]
> Sent: Tuesday, 19 June 2001 7:43 
> To: 'thelist at lists.evolt.org'
> Subject: [thelist] FW: Microsoft Security Bulletin MS01-033
> 
> 
> Better fix it quick (IIS people)...I just did.
> 
> 	Ryan Finley
> 	President - SurveyMonkey.com (http://www.surveymonkey.com)
> 
> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif at MICROSOFT.COM]
> Sent: Monday, June 18, 2001 2:54 PM
> To: MICROSOFT_SECURITY at ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin MS01-033
> 
> 
> The following is a Security Bulletin from the Microsoft Product
> Security Notification Service.
> 
> Please do not reply to this message, as it was sent from an
> unattended mailbox.
>                     ********************************
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - ----------------------------------------------------------------------
> Title:      Unchecked Buffer in Index Server ISAPI Extension Could
>             Enable Web Server Compromise
> Date:       18 June 2001
> Software:   Index Server 2.0 and Indexing Service
> Impact:     Run code of attacker's choice
> Bulletin:   MS01-033
> 
> Microsoft encourages customers to review the Security Bulletin at: 
> http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
> - ----------------------------------------------------------------------
> 
> Issue:
> ======
> As part of its installation process, IIS installs several ISAPI
> extensions -- .dlls that provide extended functionality. Among these
> is idq.dll, which is a component of Index Server (known in Windows
> 2000 as Indexing Service) and provides support for administrative
> scripts (.ida files) and Internet Data Queries (.idq files).
> 
> A security vulnerability results because idq.dll contains an
> unchecked buffer in a section of code that handles input URLs. An
> attacker who could establish a web session with a server on which
> idq.dll is installed could conduct a buffer overrun attack and
> execute code on the web server. Idq.dll runs in the System context,
> so exploiting the vulnerability would give the attacker complete
> control of the server and allow him to take any desired action on it.
> 
> The buffer overrun occurs before any indexing functionality is
> requested. As a result, even though idq.dll is a component of Index
> Server/Indexing Service, the service would not need to be running in
> order for an attacker to exploit the vulnerability. As long as the
> script mapping for .idq or .ida files were present, and the attacker
> were able to establish a web session, he could exploit the
> vulnerability.
> 
> Clearly, this is a serious vulnerability, and Microsoft urges all
> customers to take action immediately. Customers who cannot install
> the patch can protect their systems by removing the script mappings
> for .idq and .ida files via the Internet Services Manager in IIS.
> However, as discussed in detail in the FAQ, it is possible for these
> mappings to be automatically reinstated if additional system
> components are added or removed. Because of this, Microsoft
> recommends that all customers using IIS install the patch, even if
> the script mappings have been removed.
> 
> Mitigating Factors:
> ====================
>  - The vulnerability can only be exploited if a web session 
>    can be established with an affected server. Customers 
>    who have installed Index Server or Index Services but not
>    IIS would not be at risk. This is the default case for 
>    Windows 2000 Professional. 
>  - The vulnerability cannot be exploited if the script mappings 
>    for Internet Data Administration (.ida) and Internet Data 
>    Query (.idq) files are not present. The procedure for 
>    removing the mappings is discussed in the IIS 4.0 
>    (http://www.microsoft.com/technet/security/iischk.asp) and IIS
>    5.0 (http://www.microsoft.com/technet/security/iis5chk.asp)
>    Security checklists, can be automatically removed via either 
>    the High Security Template or the Windows 2000 Internet Server 
>    Security Tool 
>    (http://www.microsoft.com/technet/security/tools.asp). 
>    Customers should be aware, however, that subsequently adding 
>    or removing system components can cause the mapping to be 
>    reinstated, as discussed in the FAQ. 
>  - An attacker's ability to extend control from a compromised web
>    server to other machines would depend heavily on the specific
>    configuration of the network. Best practices recommend that the
>    network architecture account for the inherent high-risk that 
>    machines in an uncontrolled environment, like the Internet, 
>    face by minimizing overall exposure through measures like DMZ's,
>    operating with minimal services and isolating contact with 
>    internal networks. Steps like this can limit overall exposure
>    and impede an attacker's ability to broaden the scope of a 
>    possible compromise. 
> 
> Patch Availability:
> ===================
>  - A patch is available to fix this vulnerability. Please read the 
>    Security Bulletin
>    http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
>    for information on obtaining this patch.
> 
> Acknowledgment:
> ===============
>  - eEye Digital Security (http://www.eeye.com)
> 
> - ---------------------------------------------------------------------
> 
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
> DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
> THE FOREGOING LIMITATION MAY NOT APPLY.
> 
> 
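
An added example, not part of the original post or of Microsoft's bulletin: a small audit that applies the tip's rule (keep only mappings that resolve to asp.dll) to an exported list of script mappings, rates the .ida/.idq mappings named in MS01-033 as critical, and compares against a hardened baseline to catch mappings that were reinstated after a component change. It assumes each mapping is exported as a comma-separated `extension,executable,flags[,verbs]` string, the layout of the IIS metabase ScriptMaps property; the sample entries are constructed.

```python
import ntpath

# The tip's rule: on a public box only the ASP handler stays mapped.
ALLOWED_HANDLERS = {"asp.dll"}
# Extensions the bulletin names as the route into idq.dll.
MS01_033_EXTENSIONS = {".ida", ".idq"}

# Constructed sample data (not taken from a real server).
HARDENED = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
]
AFTER_COMPONENT_CHANGE = HARDENED + [
    r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]

def parse_mapping(entry):
    """Split 'ext,executable,flags[,verbs...]' into (ext, handler basename)."""
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) < 2 or not (fields[0].startswith(".") or fields[0] == "*"):
        raise ValueError(f"malformed script mapping: {entry!r}")
    # ntpath parses Windows paths correctly on any host OS.
    return fields[0].lower(), ntpath.basename(fields[1]).lower()

def audit(entries):
    """Return sorted (severity, ext, handler) tuples for mappings to remove."""
    findings = []
    for entry in entries:
        ext, handler = parse_mapping(entry)
        if handler in ALLOWED_HANDLERS:
            continue
        hit = ext in MS01_033_EXTENSIONS or handler == "idq.dll"
        findings.append(("critical" if hit else "remove", ext, handler))
    return sorted(findings)

def reinstated(baseline, current):
    """Extensions mapped now that were absent from the hardened baseline."""
    known = {parse_mapping(e)[0] for e in baseline}
    return sorted({parse_mapping(e)[0] for e in current} - known)

if __name__ == "__main__":
    for finding in audit(AFTER_COMPONENT_CHANGE):
        print(*finding)
    print("reinstated:", reinstated(HARDENED, AFTER_COMPONENT_CHANGE))
```

Running the comparison on a schedule covers the bulletin's caveat that adding or removing system components can bring the mappings back.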



