[thelist] IIS Security Tip, was FW: Microsoft Security Bulletin MS01-033
Paul Cowan
paul at wishlist.com.au
Mon Jun 18 18:53:36 CDT 2001
Hi all,

Free of charge, relating to the below, here's probably the most important
tip for any IIS webheads out there. Rather long for a tip, but hey.

<tip type="IIS Security" author="Paul Cowan">
The ABSOLUTE FIRST STEP in securing a production NT/2000 web server is to
remove *any* and *all* DLL mappings which aren't required. On a live,
publicly-accessible box, that should include all of them except the ASP
ones.

Do it for the default website pretty much on the first power-up after
install, then you won't forget, and any new sites you create afterwards
should be fine. On IIS 4, this is in [server name] -> Properties -> WWW
Service master properties -> Home Directory -> Configuration -> App
mappings. If it doesn't map to asp.dll, delete it. There are many other
important steps when securing an IIS box (check the MS documentation),
but with this baby, when _most_ of the MS IIS security bulletins
come through, and your boss says in a panic "are we OK? my god, a
security risk! help help!", you can read it, lean back, and smile
heartily, impressing them with your incredibly cool demeanor and
guaranteeing yourself another $15K next financial year.
</tip>

Next week, in IIS Security 101: "Removing The Default Website And
Sample Virtual Directories For Dummies".

Cheers,
Paul
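
An added example, not part of Paul's post or of any Microsoft tool: the tip's rule ("if it doesn't map to asp.dll, delete it") written as an audit over a server's script mappings, plus a baseline comparison for the case the bulletin quoted below warns about, where adding or removing system components reinstates a mapping. The mapping string format (`.ext,handler path,flags,verbs`) and every sample entry are assumptions constructed for illustration.

```python
"""Audit IIS script mappings against an allowlist of handler DLLs (added example)."""
import ntpath

# Assumption: each mapping is a string ".ext,handler path,flags[,verbs...]".
# The entries below are constructed sample data, not taken from a real server.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,0,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,0,GET,HEAD,POST",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    "garbage-line-without-fields",
]
ALLOWED_HANDLERS = {"asp.dll"}  # the tip's rule: keep only asp.dll mappings

def parse_mapping(entry):
    """Return (extension, handler basename), or None if the entry is malformed."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith(".") or not parts[1]:
        return None
    # ntpath parses Windows paths correctly whatever OS runs the audit.
    return parts[0].lower(), ntpath.basename(parts[1]).lower()

def audit(script_maps, allowed=ALLOWED_HANDLERS):
    """Split mappings into extensions to keep, mappings to remove, and bad entries."""
    keep, remove, malformed = [], [], []
    for entry in script_maps:
        parsed = parse_mapping(entry)
        if parsed is None:
            malformed.append(entry)  # fail closed: leave for manual review
        elif parsed[1] in allowed:
            keep.append(parsed[0])
        else:
            remove.append(parsed)
    return keep, remove, malformed

def reinstated(approved_extensions, script_maps):
    """Extensions mapped now that are absent from the approved baseline."""
    current = {p[0] for p in map(parse_mapping, script_maps) if p}
    return sorted(current - {e.lower() for e in approved_extensions})

if __name__ == "__main__":
    keep, remove, malformed = audit(SAMPLE_SCRIPT_MAPS)
    print("keep:", keep, "\nremove:", remove, "\nreview by hand:", malformed)
    print("not in baseline:", reinstated([".asp", ".asa"], SAMPLE_SCRIPT_MAPS))
```

Running `reinstated` on a schedule against the approved extension list catches a mapping that comes back after a component change, which a one-time cleanup would miss.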
> -----Original Message-----
> From: Ryan Finley [mailto:RyanF at SonicFoundry.com]
> Sent: Tuesday, 19 June 2001 7:43
> To: 'thelist at lists.evolt.org'
> Subject: [thelist] FW: Microsoft Security Bulletin MS01-033
>
>
> Better fix it quick (IIS people)...I just did.
>
> Ryan Finley
> President - SurveyMonkey.com (http://www.surveymonkey.com)
>
> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif at MICROSOFT.COM]
> Sent: Monday, June 18, 2001 2:54 PM
> To: MICROSOFT_SECURITY at ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin MS01-033
>
>
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ----------------------------------------------------------------------
> Title: Unchecked Buffer in Index Server ISAPI Extension Could Enable
> Web Server Compromise
> Date: 18 June 2001
> Software: Index Server 2.0 and Indexing Service
> Impact: Run code of attacker's choice
> Bulletin: MS01-033
>
> Microsoft encourages customers to review the Security Bulletin at:
> http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
> ----------------------------------------------------------------------
>
> Issue:
> ======
> As part of its installation process, IIS installs several ISAPI
> extensions -- .dlls that provide extended functionality. Among these is
> idq.dll, which is a component of Index Server (known in Windows 2000 as
> Indexing Service) and provides support for administrative scripts (.ida
> files) and Internet Data Queries (.idq files).
>
> A security vulnerability results because idq.dll contains an unchecked
> buffer in a section of code that handles input URLs. An attacker who
> could establish a web session with a server on which idq.dll is
> installed could conduct a buffer overrun attack and execute code on the
> web server. Idq.dll runs in the System context, so exploiting the
> vulnerability would give the attacker complete control of the server
> and allow him to take any desired action on it.
>
> The buffer overrun occurs before any indexing functionality is
> requested. As a result, even though idq.dll is a component of Index
> Server/Indexing Service, the service would not need to be running in
> order for an attacker to exploit the vulnerability. As long as the
> script mapping for .idq or .ida files were present, and the attacker
> were able to establish a web session, he could exploit the
> vulnerability.
>
> Clearly, this is a serious vulnerability, and Microsoft urges all
> customers to take action immediately. Customers who cannot install the
> patch can protect their systems by removing the script mappings for
> .idq and .ida files via the Internet Services Manager in IIS. However,
> as discussed in detail in the FAQ, it is possible for these mappings to
> be automatically reinstated if additional system components are added
> or removed. Because of this, Microsoft recommends that all customers
> using IIS install the patch, even if the script mappings have been
> removed.
>
> Mitigating Factors:
> ====================
> - The vulnerability can only be exploited if a web session
>   can be established with an affected server. Customers
>   who have installed Index Server or Index Services but not
>   IIS would not be at risk. This is the default case for
>   Windows 2000 Professional.
> - The vulnerability cannot be exploited if the script mappings
>   for Internet Data Administration (.ida) and Internet Data
>   Query (.idq) files are not present. The procedure for
>   removing the mappings is discussed in the IIS 4.0
>   (http://www.microsoft.com/technet/security/iischk.asp) and IIS
>   5.0 (http://www.microsoft.com/technet/security/iis5chk.asp)
>   Security checklists, or can be automatically removed via either
>   the High Security Template or the Windows 2000 Internet Server
>   Security Tool
>   (http://www.microsoft.com/technet/security/tools.asp).
>   Customers should be aware, however, that subsequently adding
>   or removing system components can cause the mapping to be
>   reinstated, as discussed in the FAQ.
> - An attacker's ability to extend control from a compromised web
>   server to other machines would depend heavily on the specific
>   configuration of the network. Best practices recommend that the
>   network architecture account for the inherent high risk that
>   machines in an uncontrolled environment, like the Internet,
>   face by minimizing overall exposure through measures like DMZs,
>   operating with minimal services and isolating contact with
>   internal networks. Steps like this can limit overall exposure
>   and impede an attacker's ability to broaden the scope of a
>   possible compromise.
>
> Patch Availability:
> ===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
> for information on obtaining this patch.
>
> Acknowledgment:
> ===============
> - eEye Digital Security (http://www.eeye.com)
>
> ---------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
> MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
> WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
> OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
> OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
> SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
> CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
> APPLY.
>
>
>
>