IIS outgoing http vulnerability


IIS outgoing http vulnerability nite NO[at]SPAM achren.org
7/7/2004 6:48:58 AM
Hi,

I am having a discussion with my systems administrators at the moment
related to the security of ServerXMLHttp on an IIS 6 webserver.

Their current policy is to restrict all outgoing connections and only
allow connections to specific ports. This is based on a best practice
founded in a vulnerability that I feel is redundant and logically
impossible to exploit now from 2+ years ago.

Here is a link to the type of vulnerability:
http://www.governmentsecurity.org/articles/HackingIISTutorial.php

My suggestions are:

Both of these vulnerabilities can be prevented.
"Buffer overruns should be handled by a good firewall. However, if
this were ever compromised: "

(response was firewalls can't detect types of traffic, only expensive
add-ons can, but can't the firewall just prevent massive amounts of
simultaneous requests?)

"Listening programs should be prevented from receiving connections
using software installed on the server. Only IIS-initiated connections
should be allowed. "

(response was it is not possible to restrict outgoing access to
specific apps, but surely it is?? can software like this handle it
http://www.eeye.com/html/products/secureiis/)

I'm sure there is a workable solution to this out there where any IPs
can be opened outgoing (my issue is that it is taking too long to open
each IP with the time to wait for IP range lists and the request being
processed up to 3 days)

Any suggestions would be appreciated!
Thanks,
AndyC
Re: IIS outgoing http vulnerability srock
7/7/2004 11:25:05 AM
What are you trying to accomplish?

Do you want to attempt to prevent your IIS server from being a victim
against zero-day exploits? If so, look at SecureIIS from eeye or
TrafficShield from www.f5.com or similar device

Do you want to allow a specific application hosted on your IIS server to
talk to specific hosts on specific ports? If so, look into Code Access
Security in the .NET Framework (if your apps solely use the .NET framework)

Do you want to lower your security so that you can have access to remote
hosts more quickly than the 3 day turn around that your admin staff is
providing? If so, either better plan your projects or talk to your
management.

smk


Re: IIS outgoing http vulnerability Ken Schaefer
7/8/2004 12:34:35 AM
All of those vulnerabilities are exploited by sending data /to/ the IIS
server (and to port 80). Not an IIS server sending data out to some remote
location.

If your firewall performs stateful packet inspection (SPI) it should easily
be able to determine which connections your IIS server initiated, and which
are unsolicited connections from external sources.

Now, if your webserver is a public server, and accepts connections on port
80 from anywhere, then this whole debate is moot. The firewall is going to
have to accept all incoming traffic to port 80. What you send /out/ is a
completely different, and unrelated, question...

Cheers
Ken



Re: IIS outgoing http vulnerability Karl Levinson [x y] mvp
7/8/2004 8:05:58 AM
I'm not sure I understand the whole scenario [what you need to do and why
you need to do it], but I tend to agree with the other side. I'm not sure
where these "outbound connections" are coming from or going to. But such
"egress filtering" is a best security practice. You do want to allow
traffic that is necessary to get the job done, or tunnel it through an
encrypted tunnel like IPSec or SSH which does not require you to open up
every port one by one.

All of the vulnerabilities on that page, while old, still very closely
resemble vulnerabilities and hacks from today and tomorrow. The details of
the specific buffer overflows and simple exploits change, but they typically
come in on TCP 80, launch netcat, and open outbound connections from the
server to just about anywhere.

Firewalls generally do not prevent buffer overflows or other attacks. They
generally just look at the traffic direction and the port number used, and
allow everything on that port. IPS, intrusion prevention, can block some
buffer overflows, but you still want the same excellent firewall rule set on
it just the same.

You don't really want your firewall to dynamically open up and permit
traffic to new IP addresses dynamically. If you need something to go
somewhere, you figure out the most secure way to do it within the current
security requirements, using SSH or IPSec or other workarounds if necessary.

What are you trying to do exactly, and why can't you do it?

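As an added illustration of both Ken's point (a stateful firewall knows which side opened a connection) and Karl's (egress filtering from the web server), here is a toy stateful filter in Python. It is not code from this thread; the web server address, the backend address and port in the allow-list, and the sample packets are all constructed.

```python
# Added example (not from the thread): a toy stateful packet filter that
# applies the egress policy discussed above at the web server's perimeter.
# Inbound SYNs to the server's port 80 are accepted (public site); outbound
# SYNs from the server are accepted only for allow-listed destination/port
# pairs; every other packet is accepted only if it belongs to a flow that is
# already in the state table (i.e. a reply to a connection we let through).
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"                  # constructed address of the IIS host
EGRESS_ALLOW = {("198.51.100.20", 443)}    # constructed: the ServerXMLHTTP backend

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for a connection-opening SYN (no ACK set)

class StatefulFilter:
    def __init__(self):
        self.state = set()   # accepted flows as (src, sport, dst, dport)

    def decide(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reverse in self.state:
            return "ALLOW established"        # either direction of a known flow
        if not p.syn:
            return "DROP unsolicited non-SYN" # no state: cannot be a legit reply
        if p.dst == WEB_SERVER and p.dport == 80:
            self.state.add(flow)
            return "ALLOW inbound http"       # the public service, from anywhere
        if p.src == WEB_SERVER:
            if (p.dst, p.dport) in EGRESS_ALLOW:
                self.state.add(flow)
                return "ALLOW server-initiated"
            return "DROP egress not allow-listed"
        return "DROP unsolicited inbound"

def run(packets):
    f = StatefulFilter()
    return [f.decide(p) for p in packets]

# Constructed traffic: a client fetch and its reply, the server calling its
# backend and the backend's reply, then a server-initiated connection to an
# unlisted host (the post-compromise scenario Karl describes) and its reply.
SAMPLE = [
    Packet("203.0.113.5", 51000, WEB_SERVER, 80, True),
    Packet(WEB_SERVER, 80, "203.0.113.5", 51000, False),
    Packet(WEB_SERVER, 49152, "198.51.100.20", 443, True),
    Packet("198.51.100.20", 443, WEB_SERVER, 49152, False),
    Packet(WEB_SERVER, 49153, "203.0.113.99", 8080, True),
    Packet("203.0.113.99", 8080, WEB_SERVER, 49153, False),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```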
