Securing IIS

Skywing · August 15, 2003, 07:21 PM

Quote from: St0rm.iD on August 15, 2003, 06:35 PM
Proving once again why Window's priviledge system sucks. Should see me at school demonstrating it

A mod_dotnet for Apache on Freebsd would be so awesome

Actually, this has little-to-none to do with the Windows privilege model - it's a problem with application developers writing sloppy code that doesn't work well without lots of privileges.

Camel · August 15, 2003, 09:59 PM

Skywing, one could argue that the problem is that when the core of windows was written, security was not an issue, or even very much of a consideration. That's why there are so many holes that can be taken advantage of.

MSBlast is a prime example of the typical windows security flaw. Go ahead; convince me that the reason MSBlast spread was because of "application developers writing sloppy code..."

[edit] BTW Skywing, I agree with you but I just feel like playing the devil's advocate tonight.

Kp · August 16, 2003, 12:16 AM

Quote from: Camel on August 15, 2003, 09:59 PM
Skywing, one could argue that the problem is that when the core of windows was written, security was not an issue, or even very much of a consideration. That's why there are so many holes that can be taken advantage of.

MSBlast is a prime example of the typical windows security flaw. Go ahead; convince me that the reason MSBlast spread was because of "application developers writing sloppy code..."

The Windows NT privilege model is actually quite complex in terms of how well subdivided it is. The problem is that, as Skywing points out, the applications that Microsoft provides in many cases wrongly rely on these high privilege levels. Based on the duties of an RPC endpoint mapper, I would expect it to require filesystem access to read its configuration data, registry read to do the same, and permission to bind a network socket / send datagrams. However, Microsoft chose to have it running under an account which can do all those things and far too much more. That is why MSBlast can spread and cause problems.

If the people responsible for choosing what services to run under which IDs had consulted a listing of the RPC mapper's requirements and then matched it to an account with just that access and nothing more, MSBlast's damage would be significantly reduced. It would be able to crash unpatched RPC mappers, possibly install itself, and that's about it. It wouldn't have permission to write to anywhere terribly important, couldn't create accounts, couldn't create raw sockets, etc. IMO, the fault lies with the people who chose to just run everything as LocalSystem rather than tailoring the services to IDs of appropriate access.

Grok · August 16, 2003, 01:07 AM

I agree with Kp.

Microsoft did indeed write Windows NT with security in mind, from the ground up. The Pentagon can purchase NT and secure it by paying attention to the details of which services run on which accounts, locking down the registry and file system, and physically restricting access.

But Microsoft also needed to sell it to the general public .. which in 1993 did not require Pentagon type security. Thus, someone probably in marketing made the decision to relase Windows NT with all services running as SYSTEM, and all file system permissions and most registry permissions set to 'Everyone'. Not even 'Authenticated Users'.

To gain widespread acceptance, Windows NT had to have widespread usability, thus be configured for the general user. It's still a configuration issue though, and not one of architecture or design, in my understanding.

Adron · August 16, 2003, 04:15 AM

Actually, doesn't RPC need impersonation/token management rights?

Camel · August 16, 2003, 01:58 PM

Grok, wouldn't it make much more sense to have 'System' group of accounts that would notrmally not be visible to the end user, thus relieving said marketing problem?

Banana fanna fo fanna · August 16, 2003, 05:43 PM

Window's priviledge system sucks simply because most services run at *much* higher priviledge level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for which the service to run on.

Also, I got Mono to run on redhat (!!!)

Kp · August 16, 2003, 06:24 PM

Quote from: Adron on August 16, 2003, 04:15 AM
Actually, doesn't RPC need impersonation/token management rights?

Some of the remotely invokable services might, but the endpoint mapper shouldn't. An endpoint mapper's only task (to me) is to provide a well known port which can be queried to find the ephemeral ports of other services. Perhaps I'm misexplaining which program I meant (or don't know all of its other duties -- I haven't poked at it much).

Adron · August 16, 2003, 07:21 PM

I don't really know, but I thought that whatever runs on that port was able to *start* a server running on an unused port under the credentials of whoever is connecting. Then your next step would be to connect directly to that server.

Skywing · August 17, 2003, 03:51 PM

Quote from: St0rm.iD on August 16, 2003, 05:43 PM
Window's priviledge system sucks simply because most services run at *much* higher priviledge level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for which the service to run on.

Also, I got Mono to run on redhat (!!!)

Typically you install things with admin privileges, so setup programs can often create accounts if necessary.

LocalService and NetworkService are preexisting accounts that can be used in XP/2003.

MyndFyre · September 21, 2003, 03:18 PM

Quote from: St0rm.iD on August 16, 2003, 05:43 PM
Window's priviledge system sucks simply because most services run at *much* higher priviledge level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for which the service to run on.

Also, I got Mono to run on redhat (!!!)

I fail to see how Windows' privilege system sucks because services written for Windows choose to use too high of a user. That's up to the publisher, not Windows.

Kp · September 25, 2003, 05:22 PM

Quote from: Myndfyre on September 21, 2003, 03:18 PM
Quote from: St0rm.iD on August 16, 2003, 05:43 PM
Window's priviledge system sucks simply because most services run at *much* higher priviledge level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for which the service to run on.

Also, I got Mono to run on redhat (!!!)
I fail to see how Windows' privilege system sucks because services written for Windows choose to use too high of a user. That's up to the publisher, not Windows.

I concur with you about it being a problem with the services, not with the base OS model. However, I should point out that most of the services in question are written by Microsoft and distributed in the default Windows install. Some services, such as the RPC services, are actually vital for basic tools to work fully. For instance, Windows Explorer right-drag&drop facility breaks down if the RPC services get stopped.