Securing IIS

Camel · August 13, 2003, 02:23 PM

[old point]
From what I understand, the reason Apache is so insecure on the Win32 platform is for the most part because of flaws/insecurities in Windows itself, not in Apache.
[/old point]

Skywing · August 13, 2003, 04:29 PM

Quote from: Camel on August 13, 2003, 02:23 PM
[old point]
From what I understand, the reason Apache is so insecure on the Win32 platform is for the most part because of flaws/insecurities in Windows itself, not in Apache.
[/old point]

Of course, you'll have no trouble giving specific examples of these problems and exactly the trouble they cause, right?

Grok · August 13, 2003, 04:42 PM

Quote from: Skywing on August 13, 2003, 04:29 PM
Quote from: Camel on August 13, 2003, 02:23 PM
[old point]
From what I understand, the reason Apache is so insecure on the Win32 platform is for the most part because of flaws/insecurities in Windows itself, not in Apache.
[/old point]
Of course, you'll have no trouble giving specific examples of these problems and exactly the trouble they cause, right?

Of course he can. Apache, simply because it is Apache, is magically and inherently secure when run on secure platforms. When run on insecure platforms, it is magically and inherently insecure.

For me, that describes a product with no security build-in.

Adron · August 13, 2003, 04:59 PM

Quote from: Yoni on August 13, 2003, 11:38 AM
QuoteDirectory of C:\WINDOWS\system32\drivers

2003-04-03 14:00 334,336 http.sys

Yes, there it is

Ah, I thought so. That should make for some interesting exploits!

Thing · August 13, 2003, 07:23 PM

Quote2003-04-03 14:00 334,336 http.sys

Hey! How come you have a different version than me?

Code Select

2003-03-25 14:00 334,336 http.sysI want my money back!

Ok, I have composed a few tutorials on web server security. If you follow these instructions, you will be completely safe. I promise.

IIS on Windows
Apache on Windows
Apache on RedHat

Arta · August 14, 2003, 09:09 AM

I had no idea. My faith is shattered in an instant (once again). Can a Microsoft junkie possibly suggest *why* they might have done this? On the face of it, it seems so amazingly stupid.

Skywing · August 14, 2003, 09:41 AM

Quote from: Arta[vL] on August 14, 2003, 09:09 AM
I had no idea. My faith is shattered in an instant (once again). Can a Microsoft junkie possibly suggest *why* they might have done this? On the face of it, it seems so amazingly stupid.

Performance reasons - it probably uses TDI directly from kernel mode to eliminate overhead due to extra kernel <-> user mode transitions.

Banana fanna fo fanna · August 14, 2003, 11:04 AM

That's not a good enough reason to run one of the world's most exploited web servers in kernel mode. I was thinking about switching to ASP.NET, I guess I won't.

Skywing · August 14, 2003, 11:16 AM

Quote from: St0rm.iD on August 14, 2003, 11:04 AM
That's not a good enough reason to run one of the world's most exploited web servers in kernel mode. I was thinking about switching to ASP.NET, I guess I won't.

I don't think it really changes much security-wise, since before it was running as LocalSystem and could already do anything or give itself permissions to do anything, including loading and running kernel mode code.

Besides, you do know that virtually the entire Win32 subsystem runs in kernel mode since NT 4, right?

Adron · August 14, 2003, 04:40 PM

The Win32 subsystem normally doesn't directly respond to remote requests though. Considering how Apache on a unix system will typically switch to the user "nobody" to prevent security breaches, one could've wished that Microsoft would attempt to do the same - drop privileges so if the web server *is* exploited, nothing will be gained.

Banana fanna fo fanna · August 14, 2003, 05:38 PM

Plus, most of the winnt subsystem isn't meant to a be a public access system, HTTP is. Making security sacrifices for speed doesn't cut it for me; look at all the buffer overflows because no one does bounds check/data sanitation.

Grok · August 14, 2003, 09:42 PM

Quote from: Adron on August 14, 2003, 04:40 PM
The Win32 subsystem normally doesn't directly respond to remote requests though. Considering how Apache on a unix system will typically switch to the user "nobody" to prevent security breaches, one could've wished that Microsoft would attempt to do the same - drop privileges so if the web server *is* exploited, nothing will be gained.

What is RPC / MSBlaster all about? Is RPC kernel mode?

Kp · August 15, 2003, 01:57 AM

Quote from: Grok on August 14, 2003, 09:42 PMWhat is RPC / MSBlaster all about? Is RPC kernel mode?

On an initial install of Win2k, the built-in services, including RPC, run as LocalSystem. As Skywing pointed out earlier, the LocalSystem account can do essentially anything; therefore, any code which manages to run in the context of the RPC service can do anything. The RPC service isn't quite in kernel mode, but it has so many privileges that it's pretty dangerous despite being "only" in user mode.

Skywing · August 15, 2003, 09:26 AM

Quote from: Grok on August 14, 2003, 09:42 PM
Quote from: Adron on August 14, 2003, 04:40 PM
The Win32 subsystem normally doesn't directly respond to remote requests though. Considering how Apache on a unix system will typically switch to the user "nobody" to prevent security breaches, one could've wished that Microsoft would attempt to do the same - drop privileges so if the web server *is* exploited, nothing will be gained.

What is RPC / MSBlaster all about? Is RPC kernel mode?

While it's not kernel mode itself, it has permissions to load and run code in kernel mode (NtSetInformationSystem, NtLoadDriver - SeLoadDriverPrivilege).

Banana fanna fo fanna · August 15, 2003, 06:35 PM

Proving once again why Window's priviledge system sucks. Should see me at school demonstrating it

A mod_dotnet for Apache on Freebsd would be so awesome