
怎样使IIS更安全.pptx (How to Make IIS More Secure)

Uploader: 精***  Document ID: 10104955  Uploaded: 2025-04-21  Format: PPTX  Pages: 27  Size: 257.08KB
WEB327: How to Make IIS More Secure
Hu Xue, Senior Consultant, Microsoft Consulting Services, Microsoft Corporation

Agenda
- Notorious viruses: Code Red (I & II)
- Is Windows 2000 secure?
- IIS 5.0 basic security steps
- Is your program code secure?
- Microsoft's tools and change of policy

Code Red
- IIS installs ISAPI extension DLLs. One of them, idq.dll, is the Index Server/Index Service component; a routine that handles URL requests forgot to check the size of a buffer.
- A hacker or virus sends a specially crafted request to idq.dll, causing a buffer overrun (buffer overflow), and the hacker's program gets to run under the system account.
- Symptoms: C:\explorer.exe, C:\inetpub\scripts\root.exe, extra network traffic or disk activity

Is Windows 2000 secure? Yes!
- 10,000,000 hits, 400 concurrent hackers, 500,000 attacks: winner of the eWeek OpenHack challenge
- Fastest response time: Microsoft Security Response Center
- Nobody at the Blackhat hacker conference could break IIS

Why do we keep hearing that Microsoft is insecure?
- Microsoft is famous, so it is an easy target; other operating systems have corresponding security holes.
- IIS has many features and is used as an application server: a wide attack surface (too many doors) and soft defaults (most features enabled).
- Security hotfixes don't get installed: the Unicode exploit went public in August 2000 and the RDS exploit went public in June 1999! Code Red still appeared at a well-known large company two weeks later.

IIS basic security steps
- Reduce the attack surface
- Harden your IIS server's file system and accounts
- Keep an eye on new developments: stay informed

Reduce the attack surface
If you are not using IIS Samples, Internet Printing, Index Server ISAPI, services such as Telnet, Terminal Services, FTP, SMTP, NNTP, WebDAV, CGI, Server Side Includes, Internet Data Connector, Active Server Pages, or FrontPage Server Extensions, then turn them off!

Harden your IIS server
- A well-configured server will resist even newly found vulnerabilities
- Prevent attackers from executing command-line tools:
    cacls %windir%\system32\*.exe /P Administrators:F
- Prevent attackers from modifying your content:
    cacls c:\inetpub\wwwroot\*.* /P Everyone:R
    cacls c:\inetpub\wwwroot\*.* /E /G Administrators:F
- Lock down your network with IPSec
- No FAT!
- Have your content on a separate partition

Keep an eye on new developments
- Security: a way of life. Remain informed, vigilant and educated!
- Audit: Event Log
- Monitor: IIS logging
- Check for new security hotfixes: subscribe to the Security Notification Service, use HFCHECK, query Windows Update
- Do backups
- Use tools to detect intrusions

Is your code secure?
- All input is bad!
- Buffer overruns
- Input validation

Buffer overflow: how it works
[Diagram: the program stack with local variables and the return address into the calling code; with malicious input the local variables overflow and the return address is overwritten by a new return address (JMP ESP).]
    push ebp
    push ecx
    mov ebp, esp
    sub esp, 54h
    xor ecx, ecx
    mov byte ptr [ebp-14h], 'h'
    mov byte ptr [ebp-13h], 'a'
    mov byte ptr [ebp-12h], 'c'
    mov byte ptr [ebp-11h], 'k'
    mov byte ptr [ebp-10h], 'e'
    mov byte ptr [ebp-0Fh], 'd'
    mov byte ptr [ebp-0Eh], '1'
    mov byte ptr [ebp-0Dh], '.'
    mov byte ptr [ebp-0Ch], 'e'

Solutions
- Unsafe functions: strcpy, strcat, memcpy, sprintf, memset, gets, sscanf, read, strstr, strrev
- Set data limits
- Check your input
- Double-check or don't use unsafe functions

Cross-site scripting
- Again: all input is bad!
[Diagram, "How Cross-Site Scripting Works": the client follows a hyperlink from BAD.COM that carries a malicious payload to TRUSTED.COM; TRUSTED.COM echoes the payload back to the client, where it runs as malicious code.]

Solutions
- Encode output based on input parameters: URLEncode, HTMLEncode
- Filter input parameters for special characters: % ; ) ( & + -
- Set data limits
- Use ASP.NET data validation controls

Input validation
- And again: all input is bad!

    if (isPasswordOK(Request.form("name"), Request.form("pwd"))) {
        Response.write("Authenticated!");
        // Do stuff
    } else {
        Response.write("Access Denied");
    }

    function isPasswordOK(strName, strPwd) {
        var fAllowLogon = false;
        var oConn = new ActiveXObject("ADODB.Connection");
        var strConnection = "Data Source=c:\\auth\\auth.mdb";
        oConn.Open(strConnection);
        // The form fields are spliced straight into the SQL text
        var strSQL = "SELECT count(*) FROM client WHERE " +
                     "name='" + strName + "' and pwd='" + strPwd + "'";
        var oRS = new ActiveXObject("ADODB.RecordSet");
        oRS.Open(strSQL, oConn);
        fAllowLogon = (oRS(0).Value > 0) ? true : false;
        oRS.Close();
        delete oRS;
        oConn.Close();
        delete oConn;
        return fAllowLogon;
    }

Where is the danger?
- Good guy: Username: jeff, Password: &y-)4Hi=Qw8
    SELECT count(*) FROM client WHERE name='jeff' and pwd='&y-)4Hi=Qw8'
- Bad guy: Password: ' or '1'='1
    SELECT count(*) FROM client WHERE name='jeff' and pwd='' or '1'='1'

Unicode attack
- IIS checks for ".." to stop a request from entering the parent directory, but IIS 5 Gold did not check the UTF-8 encodings of "\" or "/", for example %c0%af.
- Examples:
    localhost/scripts/.%c0%af./winnt/system32/cmd.exe?/c+type%20d:\boot.ini
    http://localhost/scripts/.%c0%af./winnt/system32/cmd.exe?/c+copy%20d:\winnt\system32\cmd.exe root.exe
    localhost/scripts/root.exe?/c+echo Your Website is Defaced d:\inetpub\wwwroot\default.asp

Countermeasures
- Tell the attacker nothing!
- Determine what is valid input
- Beware of quotes
- Check SQL return values
- Disable parent paths

If you are unlucky enough to be hacked
- Have an "Incident Response Plan"
- Remove machines from the net
- Find out how the hacker did it
- Perform a low-level format
- Examine connected computers

IIS 4.0 and 5.0: new security tools
- Security hotfixes
- New: cumulative security hotfixes
- New: no-reboot hotfixes
- New: Windows Update integration
- New: one-button lockdown tool
- New: lockdown ISAPI filter
- New: HFCHECK v2.0

IIS 6.0 security measures
- Server is locked down by default: only static files, secure defaults, content protection, secure timeouts and limits
- Code security: buffer overflow checks automated in the Windows build environment, supported by the VC++ compiler (/GS)
- Isolation through a new process model: worker processes run as a low-privileged account by default
- Let's get real: Windows .NET, always secure with AutoUpdate

Tools and checklists
- Security Checklist
- HiSecWeb Template
- HFCheck
- IIS Lockdown Tool (IISlockd.exe)
- Using IPSec: "Secure Web-based Applications"

Summary
- Windows 2000 and Windows .NET are robust platforms that can provide security against real-world attacks, and they provide the tools and features needed to make managing a secure web site as easy as possible.
- In Windows 2000 you don't get security out-of-the-box, though.
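The cross-site scripting slides recommend encoding output based on input parameters (URLEncode, HTMLEncode). The following is an added example, not code from the deck or from Microsoft: `htmlEncode` and `urlEncode` are assumed helpers modelled on the idea of ASP's Server.HTMLEncode and Server.URLEncode, `renderSearchPage` stands in for a TRUSTED.COM page that echoes a request parameter, and the payload is constructed for the demonstration.

```javascript
// Added example (not from the WEB327 deck): output encoding as the XSS countermeasure.
// htmlEncode/urlEncode are assumed helpers, not the ASP Server.* functions themselves.

// Encode the characters that let untrusted text change the structure of an HTML
// document. '&' is replaced first so the entities produced by the later
// replacements are not themselves re-encoded.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encode a value destined for a query string. encodeURIComponent leaves ! ' ( ) *
// alone, so they are percent-encoded explicitly; together with the standard set this
// covers the slide's special-character list (% ; ) ( & + -).
function urlEncode(value) {
  return encodeURIComponent(String(value)).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// A TRUSTED.COM page that echoes a request parameter: first the way the slide's
// "Echo: malicious payload" diagram shows it, then with output encoding applied.
function renderSearchPage(query, encodeOutput) {
  const shown = encodeOutput ? htmlEncode(query) : query;
  return "<p>Results for: " + shown + "</p>";
}

// Does the rendered HTML still contain a script element or an event-handler
// attribute? Used here only to show the effect of encoding, not as a filter.
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample payload of the kind BAD.COM would hide in a hyperlink.
const SAMPLE_PAYLOAD = "<script>alert('xss')</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSearchPage(SAMPLE_PAYLOAD, false));  // payload echoed verbatim
  console.log(renderSearchPage(SAMPLE_PAYLOAD, true));   // payload shown as text
  console.log("http://trusted.example/search?q=" + urlEncode("a b&c=(d)"));
}
```

Encoding happens at output time, against the context the value is written into (HTML body here, URL for a link), which is why the slide pairs HTMLEncode with URLEncode rather than relying on an input blacklist alone.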
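The "Input validation" and "Countermeasures" slides (determine what is valid input, beware of quotes, check SQL return values, tell the attacker nothing) can be applied to the deck's `isPasswordOK` logon check. The following is an added example, not the deck's code: ADODB is not available outside Windows, so a constructed in-memory `client` table and a small `countClientRows` evaluator stand in for the database and for a parameterised ADODB.Command; the field limits in `isValidField` are assumed policy.

```javascript
// Added example (not from the WEB327 deck): the logon check from the "Input
// validation" slides, with the string-building version kept for comparison.

// Constructed sample table; the "good guy" row uses the password from the slide.
const CLIENT_TABLE = [
  { name: "jeff", pwd: "&y-)4Hi=Qw8" },
  { name: "anna", pwd: "correct horse battery staple" },
];

// What the slide's code does: splice the raw form fields into the SQL text.
// Returned as a string so the effect of the "' or '1'='1" password is visible.
function buildQueryUnsafe(strName, strPwd) {
  return "SELECT count(*) FROM client WHERE " +
         "name='" + strName + "' and pwd='" + strPwd + "'";
}

// "Determine what is valid input" and "Beware of quotes": set data limits and
// accept only the characters the application expects. The limits (64 characters,
// printable ASCII, no quote characters) are assumed policy for this example.
function isValidField(value) {
  return typeof value === "string" &&
         value.length > 0 && value.length <= 64 &&
         /^[\x20-\x7e]+$/.test(value) && !/['"]/.test(value);
}

// Stand-in for a parameterised query (ADODB.Command with Parameters on the real
// platform): the values are compared as data, never spliced into SQL syntax, so a
// quote inside a value cannot change the meaning of the statement.
function countClientRows(table, params) {
  return table.filter((row) => row.name === params.name && row.pwd === params.pwd).length;
}

function isPasswordOKSafe(strName, strPwd) {
  // Reject malformed input before it reaches the data layer, and say nothing
  // about which field failed ("Tell the attacker nothing").
  if (!isValidField(strName) || !isValidField(strPwd)) {
    return false;
  }
  // "Check SQL return values": exactly one matching row means a valid logon.
  return countClientRows(CLIENT_TABLE, { name: strName, pwd: strPwd }) === 1;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildQueryUnsafe("jeff", "' or '1'='1"));      // the slide's bad-guy query
  console.log("good guy:", isPasswordOKSafe("jeff", "&y-)4Hi=Qw8"));
  console.log("bad guy:", isPasswordOKSafe("jeff", "' or '1'='1"));
}
```

The validation step and the parameterised lookup are independent defences: even if the character whitelist is relaxed later, the injected text in `params.pwd` remains data because it is never concatenated into the statement.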
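The "Unicode attack" slide says IIS 5 Gold checked for ".." before decoding overlong UTF-8 forms such as %c0%af, and the countermeasures slide answers with "Disable parent paths" and "Use tools to detect intrusions". The following is an added example, not code from the deck or from IIS: a request-path check that decodes first and canonicalises before looking for parent-path traversal, usable as a log scanner. All function names and the sample log paths are constructed for this example.

```javascript
// Added example (not from the WEB327 deck): decode, then canonicalise, then check
// for "..", which is the order the slide's flaw calls for. Sample paths constructed.

// Decode %xx escapes into raw bytes; any other character contributes its low byte.
function percentDecodeToBytes(path) {
  const bytes = [];
  for (let i = 0; i < path.length; i++) {
    const hex = path.slice(i + 1, i + 3);
    if (path[i] === "%" && /^[0-9a-f]{2}$/i.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(path.charCodeAt(i) & 0xff);
    }
  }
  return bytes;
}

// Decode UTF-8 by hand so that overlong sequences (a code point written with more
// bytes than it needs, e.g. C0 AF for '/') are reported instead of silently accepted.
function decodeUtf8Lenient(bytes) {
  let text = "";
  let overlong = false;
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i];
    let cp, len;
    if (b < 0x80)                 { cp = b;        len = 1; }
    else if ((b & 0xe0) === 0xc0) { cp = b & 0x1f; len = 2; }
    else if ((b & 0xf0) === 0xe0) { cp = b & 0x0f; len = 3; }
    else if ((b & 0xf8) === 0xf0) { cp = b & 0x07; len = 4; }
    else { text += "\ufffd"; i++; continue; }   // stray continuation byte
    let ok = i + len <= bytes.length;
    for (let k = 1; ok && k < len; k++) {
      if ((bytes[i + k] & 0xc0) !== 0x80) ok = false;
      else cp = (cp << 6) | (bytes[i + k] & 0x3f);
    }
    if (!ok || cp > 0x10ffff) { text += "\ufffd"; i++; continue; }
    // Smallest code point each sequence length may legitimately encode.
    const minForLen = [0, 0, 0x80, 0x800, 0x10000][len];
    if (cp < minForLen) overlong = true;        // C0 AF decodes to '/' but is overlong
    text += String.fromCodePoint(cp);
    i += len;
  }
  return { text, overlong };
}

// Canonicalise the decoded path ('\' counts as '/') and decide whether it stays
// under the web root. Returns a verdict a request filter or log scanner can act on.
function checkRequestPath(rawPath) {
  const decoded = decodeUtf8Lenient(percentDecodeToBytes(rawPath));
  const slashed = decoded.text.replace(/\\/g, "/");
  let depth = 0;
  let escapesRoot = false;
  for (const seg of slashed.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { depth--; if (depth < 0) escapesRoot = true; }
    else depth++;
  }
  return {
    canonical: decoded.text,
    overlongEncoding: decoded.overlong,
    parentPathTraversal: slashed.includes("/../"),
    escapesRoot,
    block: decoded.overlong || escapesRoot,
  };
}

// Constructed sample request paths as they might appear in an IIS log.
const SAMPLE_PATHS = [
  "/scripts/..%c0%af../winnt/system32/cmd.exe",  // overlong '/' between the dots
  "/scripts/../../winnt/system32/cmd.exe",        // plain traversal
  "/products/search.asp",                         // ordinary request
  "/docs/r%C3%A9sum%C3%A9.htm",                   // valid non-ASCII, must pass
];

if (typeof require !== "undefined" && require.main === module) {
  for (const p of SAMPLE_PATHS) console.log(p, "=>", checkRequestPath(p));
}
```

Any overlong form is blocked outright, not merely normalised, because a legitimate client never produces one; a valid two-byte sequence such as the é in the last sample passes, so the check does not break international file names.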