May 2004 - Posts
After months of hard work, finally :) It's out! My first book - CYA Securing IIS 6.0. Hope I'm not doing too bad :) Now, Syngress is the publisher, Ken Schaefer, another IIS MVP, is my co-author, and Chris Peiris is the tech editor for the book. This book is all about IIS 6.0 and consists of quick guides for you to secure your IIS 6.0. Though IIS 6.0 in Windows Server 2003 is secure by default, by design, and in deployment, there are 'things' that you should take care of before putting it into a production environment. It covers the major services related to IIS, from the most common W3SVC to the 'not so famous' NNTPSVC security. It gives you complete checklists and best practices for securing each component in IIS 6.0. The idea is to have a secure IIS right from the start (Get Secure), followed by close monitoring to ensure the server is always secure (Stay Secure).
Tell me what you think about it. If you have comments, you know how to reach me. You can get it online at Amazon, Barnes & Noble and BookPool. Finally, I want to thank everyone in this project, especially Christine and Jaime from Syngress, Ken, Chris, my wife :) and friends that supported me throughout the entire project.
Oh ya, I also wish to thank Grace - my local lead :) - for helping me do some free advertising in her blogs, China's MVP newsletters and the Microsoft China Community page, and Kenji - Security MVP in Japan - for his blogs for Japan's community.
I blogged Part I weeks ago and received some pretty good comments on additional 'tweaking' that you can apply to other services. Thanks to Karl and Kenji, our Security MVPs.
POP3 and IMAP4 (E2k)
XCON: How to Modify the POP or IMAP Banner
You can modify the Exchange 2000 POP3 and IMAP4 banners; however, this only applies to E2K and above.
POP3 (W2K3)
You need to create a new string value in the registry, e.g. "my pop3svr", at this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pop3 Service\Greeting
Telnet (W2K)
HOW TO: Change the Telnet Server Banner and Run Programs for All Users
which actually means modifying the login.cmd file.
Next, to extend the HTTP header masking, we can apply:
Internet Information Server Returns IP Address in HTTP Header (Content-Location)
This KB only applies to IIS 4.0 and IIS 5.0; it's not supported on IIS 6.0. If my information is correct, you will see this fix in Windows Server 2003 SP1 (which will be out soon). Microsoft is aware of this issue and will fix it in SP1.
One way to hide it (at least for now) is to configure a host header for the IIS 6.0 website. It will mask the detail from
Content-Location: http://10.1.1.1/Default.htm
to
Content-Location: http://www.domain.com/Default.htm
Again, hiding banner details is NOT the way you should protect your server.
How many of you have heard of this before? Nope, this is not MSDN TV, .NET Rocks! or the others. It's REAL TV; maybe I don't know Microsoft that well :) Believe it or not, it has a /tv URL after ms.com. After Googling a while, I found out that it was actually launched way back in 2000! Mm... well, I know Microsoft likes to go into this business, but I didn't know that it started in 2000 and is selling a TV server?
You might wonder how I found this? Err, take a look at this KB:
323254 HOWTO: Lock Microsoft TV Server by Using the IISLockDown Utility
I'm an IIS guy, hence I read most of the IIS KBs. 'Microsoft TV Server' and IIS server? Apparently there's not much detail I can find; I assume the TV platform is hosted on an IIS server, and we can install the IIS Lockdown tool to further secure it.
If you have not tried IIS 6.0, you have no idea what you've missed :)
From TryIIS.com, 6 new reasons to try IIS 6.0:
1) Best-in-class compression and consolidation capabilities that enrich and improve Web functionality with faster page downloads, support richer content, reduce costs, and improve server efficiency.
2) Rebuilt security from the code level up that reduces attack surface area and blocks most known types of Web attacks.
3) Reliable support you can depend on for tested solutions, training, and more.
4) Powered by Windows Server 2003.
5) A complete set of integrated application services that enable faster application development and reduce time-to-market for critically needed Web applications and services.
6) Best real-world platform as measured by both performance and total cost of ownership.
Normally, when you connect to an anonymous FTP server, you tend to specify 'anonymous' as the username, followed by a password in the 'username@domain.com' format. This is per the RFC spec; for example, IIS FTP is based on RFC 959. Actually, you can specify anything in the 'password' field, say '1' or 'blabla'; it is not a must to enter an email-format password.
Now, here's the interesting part: besides specifying 'anonymous' as the username for anonymous access, do you know that you can actually use 'ftp' as the username, and the FTP program will take the 'ftp' username as anonymous? In short, to log in as the anonymous account, you can specify the username as either 'ftp' or 'anonymous'. Why? Because in the RFC (the one which I can't locate) 'ftp' is the anonymous user login.
Have you tried creating a user named 'ftp' in Windows Server? If you did, which user do you think the FTP server will recognize: the real 'ftp' Windows account, or will it take it as the 'anonymous' user? The answer is the latter; you can never log in to IIS FTP as the real 'ftp' Windows account, because the FTP server treats the 'ftp' user as the FTP anonymous user, not as a Windows Server user.
Well, if you are like me and didn't get any invitation for Google Gmail, you can try this :) It's from SpyMac; I got myself an account a couple of days ago. Quite a content-rich site, but my only concern is the mailbox size. So go grab one; it supports remote POP3 access as well. Here's the other stuff you will get when you register an account:
1 GB e-mail account, blabla@spymac.com*
250 MB of space to upload pictures in the Spymac Gallery
100 MB free space on Spymac Hosting with WebDAV access*
Free iCal Hosting (both public and private)*
Access to the Spymac Forums and Shoutbox
Your very own Spymac Blog*
Access to the Spymac Auctions
The ability to create your very own personal Gallery and Forum
And oh ya, thanks to XiaoYS for pointing this out.
Now, sometimes you might want to remove the IIS banner information to 'hide' your server. Though it doesn't really help you avoid any attack, as attackers or malicious programs will just try to connect to every single possible host and then try any known exploits on it. So 'hiding' is not good; you should 'protect' your IIS server instead.
Anyway, you might want to know how to hide it. Ok, let's look at:
Web - banner
HTTP: Server = Microsoft-IIS/5.0
You can hide it using URLScan; try:
HOW TO: Mask IIS Version Information from Network Trace and Telnet
FTP - banner
220 Microsoft FTP Service
This one is HOT! Just released by MS, but you need to ring PSS to get the fix. Try:
FIX: You cannot suppress the default FTP banner for the FTP service
SMTP - banner
220 hostname.domain.com Microsoft ESMTP MAIL Service
This applies to the IIS SMTP and Microsoft Exchange SMTP components; try:
XCON: How to Modify the SMTP Banner
NNTP - banner
No clues yet, but you can try hex editing the NNTP binary DLL.
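Once the banners are changed, the useful check is to confirm the product strings and the Content-Location IP leak from the earlier post are actually gone. The following audit is an added example in Python, not code from the original post; the sample replies are constructed, and the product markers are taken from the banners quoted above.

```python
import re
from ipaddress import ip_address

# Product strings that identify the server software; built from the banners
# quoted on this page (IIS, the IIS/Exchange FTP service and ESMTP service).
PRODUCT_MARKERS = re.compile(
    r"Microsoft-IIS/[\d.]*|Microsoft FTP Service|Microsoft ESMTP|Microsoft Exchange",
    re.IGNORECASE)
URL_HOST = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)

def is_literal_ip(host):
    # True when the host part of a URL is a bare IPv4/IPv6 address
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def audit_response(service, raw):
    """Audit one captured reply; returns a list of disclosure findings (empty = clean).
    service: 'http', 'ftp', 'smtp', 'pop3' or 'nntp'
    raw: full HTTP header block, or the greeting line for the other services"""
    findings = []
    if service == "http":
        headers = {}
        for line in raw.splitlines()[1:]:  # line 0 is the status line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        server = headers.get("server", "")
        if PRODUCT_MARKERS.search(server):
            findings.append("Server header discloses product: " + server)
        m = URL_HOST.match(headers.get("content-location", ""))
        if m and is_literal_ip(m.group(1)):
            findings.append("Content-Location leaks IP address: " + m.group(1))
    else:
        greeting = raw.splitlines()[0] if raw.strip() else ""
        if PRODUCT_MARKERS.search(greeting):
            findings.append(service.upper() + " greeting discloses product: " + greeting)
    return findings
# Constructed sample replies, before and after hardening (not real captures).
SAMPLES = {
    "http_before": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                   "Content-Location: http://10.1.1.1/Default.htm\r\n",
    "http_after": "HTTP/1.1 200 OK\r\nContent-Location: http://www.domain.com/Default.htm\r\n",
    "ftp_before": "220 Microsoft FTP Service",
    "smtp_before": "220 hostname.domain.com Microsoft ESMTP MAIL Service",
    "smtp_after": "220 hostname.domain.com ESMTP ready",
}
def audit_samples():
    # Run the audit over every sample: name -> list of findings
    return {name: audit_response(name.split("_")[0], raw) for name, raw in SAMPLES.items()}
```

Feed it the raw greeting or header block you capture from your own server with telnet or a network trace; an empty list for every service means the masking took effect.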
Name: CYA Securing IIS 6.0
Publisher: Syngress; (April 1, 2004)
ISBN: 1931836256
Author(s): Bernard Cheah, Ken Schaefer, Chris Peiris (Tech Editor)

Name: IIS6 Programming Handbook
Publisher: Wrox Press Inc; (March 25, 2003)
ISBN: 1861008392
Author(s): Srinivasa Sivakumar, technical lead for a financial institute, author, speaker and reviewer.

What is Sasser?
This is a new worm that exploits the Local Security Authority Subsystem Service (LSASS) on most of the Microsoft OSes. There have been many variants reported; click here for more information.
How to protect yourself?
Make sure you patch your machine with MS04-011 ASAP, and refer to "Protect Against Exploit Code Related to Security Bulletin MS04-011" for more detail on how to protect yourself further. If you are infected, use this tool to clean up. A piece of advice: you should always have a firewall in place whenever you are connected to the Internet! This is a hostile area that you must beware of before somebody kicks your as* :)
Why is Windows Server 2003 not affected?
Well, this is because the RPC interface for remote access has changed in W2K3; read this explanation by Michael Howard.
832852 MBSA detects IIS Lockdown Tool after you use the IIS Lockdown Tool Undo feature
831711 FIX: A WebDAV request to IIS causes a 500 internal server error
838645 FIX: You receive an HTTP 401.2 error message when you use SSL client certificate mapping
839565 The UrlScan security tool redirects HTTP POST requests to the "Page cannot be displayed" page when the content length exceeds the MaxAllowedContentLength value in IIS
839003 FIX: "Automation Error, object is not registered" error message when an ASP page calls COM objects that are running in a COM+ package on IIS 6.0
824330 FIX: IIS 6.0 Does Not Return AUTH_TYPE for Integrated Security
Comparing CGI and ISAPI in IIS 6.0 (Level 300)
Learn the differences between CGI and ISAPI interaction with IIS, as well as how to make CGIs or custom ISAPIs work correctly with the new IIS 6.0 architecture.
Using Network Load Balancing on Windows Server 2003 and IIS 6.0 (Level 200)
Find out how to configure Network Load Balancing and IIS 6.0 to improve the reliability and efficiency of your Web farms. Topics include client affinity and how Network Load Balancing affects authentication.
Great news! MS has put up new IIS information and discussion forums on www.asp.net. Click here.
Now, one more community to take care of :(
Wouldn't it be nice to have one place, one URL, one site for everything about IIS? What do you think?