Securing IIS

Started by Grok, August 11, 2003, 07:18 AM


Camel

[old point]
From what I understand, the reason Apache is so insecure on the Win32 platform is for the most part because of flaws/insecurities in Windows itself, not in Apache.
[/old point]

Skywing

Quote from: Camel on August 13, 2003, 02:23 PM
[old point]
From what I understand, the reason Apache is so insecure on the Win32 platform is for the most part because of flaws/insecurities in Windows itself, not in Apache.
[/old point]
Of course, you'll have no trouble giving specific examples of these problems and exactly the trouble they cause, right?

Grok

Quote from: Skywing on August 13, 2003, 04:29 PM
Quote from: Camel on August 13, 2003, 02:23 PM
[old point]
From what I understand, the reason Apache is so insecure on the Win32 platform is for the most part because of flaws/insecurities in Windows itself, not in Apache.
[/old point]
Of course, you'll have no trouble giving specific examples of these problems and exactly the trouble they cause, right?

Of course he can.  Apache, simply because it is Apache, is magically and inherently secure when run on secure platforms.  When run on insecure platforms, it is magically and inherently insecure.

For me, that describes a product with no security built in.

Adron

Quote from: Yoni on August 13, 2003, 11:38 AM
Quote
Directory of C:\WINDOWS\system32\drivers

2003-04-03  14:00           334,336 http.sys

Yes, there it is

Ah, I thought so. That should make for some interesting exploits!

Thing

#19
Quote
2003-04-03  14:00          334,336 http.sys

Hey! How come you have a different version than me?

2003-03-25  14:00          334,336 http.sys

I want my money back!

Ok, I have composed a few tutorials on web server security.  If you follow these instructions, you will be completely safe.  I promise.

IIS on Windows
Apache on Windows
Apache on RedHat
That sucking sound you hear is my bandwidth.

Arta

#20
I had no idea. My faith is shattered in an instant (once again). Can a Microsoft junkie possibly suggest *why* they might have done this? On the face of it, it seems so amazingly stupid.

Skywing

Quote from: Arta[vL] on August 14, 2003, 09:09 AM
I had no idea. My faith is shattered in an instant (once again). Can a Microsoft junkie possibly suggest *why* they might have done this? On the face of it, it seems so amazingly stupid.
Performance reasons - it probably uses TDI directly from kernel mode to eliminate overhead due to extra kernel <-> user mode transitions.

Banana fanna fo fanna

That's not a good enough reason to run one of the world's most exploited web servers in kernel mode. I was thinking about switching to ASP.NET, I guess I won't.

Skywing

#23
Quote from: St0rm.iD on August 14, 2003, 11:04 AM
That's not a good enough reason to run one of the world's most exploited web servers in kernel mode. I was thinking about switching to ASP.NET, I guess I won't.
I don't think it really changes much security-wise, since before it was running as LocalSystem and could already do anything or give itself permissions to do anything, including loading and running kernel mode code.

Besides, you do know that virtually the entire Win32 subsystem runs in kernel mode since NT 4, right?

Adron

The Win32 subsystem normally doesn't directly respond to remote requests though. Considering how Apache on a unix system will typically switch to the user "nobody" to prevent security breaches, one could've wished that Microsoft would attempt to do the same - drop privileges so if the web server *is* exploited, nothing will be gained.
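
The privilege drop Adron describes, shown as an added example in C (it is not code from this thread or from Apache itself): bind the privileged port while still root, then switch to an unprivileged user and verify that the switch is irrevocable. The user name "nobody" and port 80 are the assumed configuration; the ordering matters, because supplementary groups and the gid can only be changed while the process is still root.

```c
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Irrevocably switch to uid/gid. Groups first, uid last: once we are no
 * longer root we can no longer change the gid or the group list.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Root usually carries supplementary groups (wheel, adm, ...);
         * clear them so the worker does not keep those memberships. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify: real, effective and saved ids must all be the target. If
     * only the effective id changed, a saved uid of 0 would still let an
     * exploited worker call setuid(0) and get root back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Returns 1 if the process can still become root, 0 if it cannot.
 * This is exactly the escalation an attacker in the worker would try. */
int can_regain_root(void)
{
    if (setuid(0) == 0 && geteuid() == 0)
        return 1;
    return 0;
}

int main(void)
{
    /* Step 1 (as root): bind the privileged port before dropping anything.
     * The open listening socket survives the uid change. */
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(80);   /* assumed: the web server's port */
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        fprintf(stderr, "bind(80): %s (run this as root)\n", strerror(errno));
        return 1;
    }

    /* Step 2: look up the unprivileged account (assumed: "nobody") and drop. */
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }

    /* Step 3: prove the drop is permanent before serving any request. */
    printf("now uid=%u gid=%u, can regain root: %s\n",
           (unsigned)geteuid(), (unsigned)getegid(),
           can_regain_root() ? "YES (bug)" : "no");
    close(fd);
    return 0;
}
```

Run it as root to see the full sequence; run it as a normal user and bind(80) is refused, which is the point: only the bind needs root, and nothing after it should. A worker that passes `can_regain_root() == 0` has nothing to hand an attacker beyond the socket it already holds.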

Banana fanna fo fanna

Plus, most of the WinNT subsystem isn't meant to be a public-access system; HTTP is. Making security sacrifices for speed doesn't cut it for me; look at all the buffer overflows because no one does bounds checks/data sanitation.

Grok

Quote from: Adron on August 14, 2003, 04:40 PM
The Win32 subsystem normally doesn't directly respond to remote requests though. Considering how Apache on a unix system will typically switch to the user "nobody" to prevent security breaches, one could've wished that Microsoft would attempt to do the same - drop privileges so if the web server *is* exploited, nothing will be gained.

What is RPC / MSBlaster all about?  Is RPC kernel mode?

Kp

Quote from: Grok on August 14, 2003, 09:42 PMWhat is RPC / MSBlaster all about?  Is RPC kernel mode?
On an initial install of Win2k, the built-in services, including RPC, run as LocalSystem.  As Skywing pointed out earlier, the LocalSystem account can do essentially anything; therefore, any code which manages to run in the context of the RPC service can do anything.  The RPC service isn't quite in kernel mode, but it has so many privileges that it's pretty dangerous despite being "only" in user mode.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Skywing

Quote from: Grok on August 14, 2003, 09:42 PM
Quote from: Adron on August 14, 2003, 04:40 PM
The Win32 subsystem normally doesn't directly respond to remote requests though. Considering how Apache on a unix system will typically switch to the user "nobody" to prevent security breaches, one could've wished that Microsoft would attempt to do the same - drop privileges so if the web server *is* exploited, nothing will be gained.

What is RPC / MSBlaster all about?  Is RPC kernel mode?
While it's not kernel mode itself, it has permissions to load and run code in kernel mode (NtSetInformationSystem, NtLoadDriver - SeLoadDriverPrivilege).

Banana fanna fo fanna

Proving once again why Windows' privilege system sucks. Should see me at school demonstrating it :)

A mod_dotnet for Apache on Freebsd would be so awesome :)
