Improving Web Application Security: Threats and - CGISecurity

More documents

Recommendations

Info

436 Part IV: Securing Your Network, Host, and ApplicationIf you are locking down a Windows 2000-based computer that hosts ASP.NET pages,select the Dynamic Web server template when the IISLockdown tool prompts you.When you select Dynamic Web server, IISLockdown does the following:●●●●●●It disables the following insecure Internet services:●●●File Transfer Protocol (FTP)E-mail service (SMTP)News service (NNTP)It disables script mappings by mapping the following file extensions to the 404.dll:●●●●●Index ServerWeb Interface (.idq, .htw, .ida)Server-side include files (.shtml, .shtm, .stm)Internet Data Connector (.idc).HTR scripting (.htr), Internet printing (.printer)It removes the following virtual directories: IIS Samples, MSADC, IISHelp, Scripts,and IISAdmin.It restricts anonymous access to system utilities as well as the ability to write toWeb content directories using Web permissions.It disables Web Distributed Authoring and Versioning (WebDAV).It installs the URLScan ISAPI filter.Note If you are not using classic ASP, do not use the static Web server template. This templateremoves basic functionality that ASP.NET pages need, such as support for the POST command.Log FilesIISLockdown creates two reports that list the changes it has applied:●●%windir%\system32\inetsrv\oblt-rep.log. This contains high-level information.%windir%\system32\inetsrv\oblt-log.log. This contains low-level details such aswhich program files are configured with a deny access control entry (ACE) toprevent anonymous Internet user accounts from accessing them. This log file isalso used to support the IISLockdown Undo Changes feature.Web Anonymous Users and Web Application GroupsIISLockdown creates the Web Anonymous Users group and the Web Applicationgroup. The Web Anonymous Users group contains the IUSR_MACHINE account.The Web Application group contains the IWAM_MACHINE account. Permissionsare assigned to system tools and content directories based on these groups and notdirectly to the IUSR and IWAM accounts. You can review specific permissions byviewing the IISLockdown log, %windir%\system32\inetsrv\oblt-log.log.
Chapter 16: Securing Your Web Server 437The 404.dllIISLockdown installs the 404.dll, to which you can map file extensions that must notbe run by the client. For more information, see “Step 12. Script Mappings.”URLScanIf you install the URLScan ISAPI filter as part of IISLockdown, URLScan settings areintegrated with the server role you select when running IISLockdown. For example, ifyou select a static Web server, URLScan blocks the POST command.Reversing IISLockdown ChangesTo reverse the changes that IISLockdown performs, run IISLockd.exe a second time.This does not remove the URLScan ISAPI filter. For more information, see “RemovingURLScan” in the next topic.More InformationSee the following articles for more information about the IISLockdown tool:●●●For more information on running IISLockdown, see “How To: UseIISLockdown.exe” in the “How To” section of this guide.For information on troubleshooting IISLockdown, see Microsoft Knowledge Basearticle 325864, “How To: Install and Use the IIS Lockdown Wizard.” (The mostcommon problem is receiving unexpected “404 File Not Found” error messagesafter running IISLockdown.)For information on automating IISLockdown, see Microsoft Knowledge Basearticle 310725, “How To: Run the IIS Lockdown Wizard Unattended in IIS.”Install and Configure URLScanURLScan is installed when you run IISLockdown, although you can download it andinstall it separately. To install URLScan without running IISLockdown1. Download IISlockd.exe from http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe.2. Run the following command to extract the URLScan setup:iislockd.exe /q /cURLScan blocks requests that contain unsafe characters (for example, characters thathave been used to exploit vulnerabilities, such as “..” used for directory traversal).URLScan logs requests that contain these characters in the %windir%\system32\inetsrv\urlscan directory.
Page 1:
Improving WebApplication SecurityTh
Page 4 and 5:
Information in this document, inclu
Page 6 and 7:
viImproving Web Application Securit
Page 8 and 9:
viiiImproving Web Application Secur
Page 10 and 11:
xImproving Web Application Security
Page 12 and 13:
xiiImproving Web Application Securi
Page 14 and 15:
xivImproving Web Application Securi
Page 16 and 17:
xviImproving Web Application Securi
Page 18 and 19:
xviiiImproving Web Application Secu
Page 20 and 21:
xxImproving Web Application Securit
Page 22 and 23:
xxiiImproving Web Application Secur
Page 27 and 28:
Contents xxvii.NET Remoting Securit
Page 29 and 30:
Contents xxixStaying Secure (contin
Page 31 and 32:
Contents xxxiASP.NET Architecture o
Page 33 and 34:
Contents xxxiiiSummary ............
Page 35 and 36:
Contents xxxvIndex of Checklists 68
Page 37 and 38:
Contents xxxviiChecklistSecuring Da
Page 39 and 40:
Contents xxxixHow ToIndex 743How To
Page 41 and 42:
Contents xliRestricting Server-to-S
Page 43 and 44:
ForewordsForeword by Mark CurpheyWh
Page 45 and 46:
Forewords xlvForeword by Joel Scamb
Page 47:
Forewords xlviiFinally, techniques
Page 50 and 51:
lImproving Web Application Security
Page 52 and 53:
liiImproving Web Application Securi
Page 54 and 55:
livImproving Web Application Securi
Page 56 and 57:
lviImproving Web Application Securi
Page 58 and 59:
lviiiImproving Web Application Secu
Page 60 and 61:
lxImproving Web Application Securit
Page 62 and 63:
lxiiImproving Web Application Secur
Page 64 and 65:
lxivImproving Web Application Secur
Page 66 and 67:
lxviImproving Web Application Secur
Page 68 and 69:
lxviiiImproving Web Application Sec
Page 70 and 71:
lxxImproving Web Application Securi
Page 72 and 73:
lxxiiImproving Web Application Secu
Page 75 and 76:
Fast Track — How To Implementthe
Page 77 and 78:
Fast Track — How To Implement the
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85:
Part IIntroduction to Threats andCo
Page 88 and 89:
4 Part I: Introduction to Threats a
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
10 Part I: Introduction to Threats
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 129 and 130:
3Threat ModelingIn This Chapter●
Page 131 and 132:
Chapter 3: Threat Modeling 47Threat
Page 133 and 134:
Chapter 3: Threat Modeling 49Archit
Page 135 and 136:
Chapter 3: Threat Modeling 51Figure
Page 137 and 138:
Chapter 3: Threat Modeling 53Identi
Page 139 and 140:
Chapter 3: Threat Modeling 55Docume
Page 141 and 142:
Chapter 3: Threat Modeling 57●●
Page 143 and 144:
Chapter 3: Threat Modeling 59●●
Page 145 and 146:
Chapter 3: Threat Modeling 61Note I
Page 147 and 148:
Chapter 3: Threat Modeling 63Risk =
Page 149 and 150:
Chapter 3: Threat Modeling 65Table
Page 151:
Part IIDesigning SecureWeb Applicat
Page 154 and 155:
70 Part II: Designing Secure Web Ap
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
100 Part II:Designing Secure Web Ap
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 211:
Part IIIBuilding Secure WebApplicat
Page 214 and 215:
130 Part III: Building Secure Web A
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 265 and 266:
8Code Access Security in PracticeIn
Page 267 and 268:
Chapter 8: Code Access Security in
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 332 and 333:
Page 334 and 335:
Page 336 and 337:
Page 338 and 339:
Page 340 and 341:
Page 342 and 343:
Page 344 and 345:
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
Page 360 and 361:
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 383 and 384:
11Building Secure ServicedComponent
Page 385 and 386:
Chapter 11: Building Secure Service
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
Page 399 and 400:
Page 401:
Page 404 and 405:
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
Page 418 and 419:
Page 420 and 421:
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 448 and 449:
Page 450 and 451:
Page 452 and 453:
Page 454 and 455:
Page 456 and 457:
Page 458 and 459:
Page 460 and 461:
Page 462 and 463:
Page 464 and 465:
Page 466 and 467:
Page 468 and 469:
Page 470 and 471: 386 Part III: Building Secure Web A
Page 485: Part IVSecuring Your Network,Host,
Page 488 and 489: 404 Part IV: Securing Your Network,
Page 570 and 571:
486 Part IV: Securing Your Network,
Page 572 and 573:
Page 574 and 575:
Page 576 and 577:
Page 578 and 579:
Page 580 and 581:
Page 582 and 583:
Page 585 and 586:
18Securing Your Database ServerIn T
Page 587 and 588:
Chapter 18: Securing Your Database
Page 589 and 590:
Page 591 and 592:
Page 593 and 594:
Page 595 and 596:
Page 597 and 598:
Page 599 and 600:
Page 601 and 602:
Page 603 and 604:
Page 605 and 606:
Page 607 and 608:
Page 609 and 610:
Page 611 and 612:
Page 613 and 614:
Page 615 and 616:
Page 617 and 618:
Page 619 and 620:
Page 621 and 622:
Page 623 and 624:
Page 625:
Page 628 and 629:
Page 630 and 631:
Page 632 and 633:
Page 634 and 635:
Page 636 and 637:
Page 638 and 639:
Page 640 and 641:
Page 642 and 643:
Page 644 and 645:
Page 646 and 647:
Page 648 and 649:
Page 650 and 651:
Page 652 and 653:
Page 654 and 655:
Page 656 and 657:
Page 658 and 659:
Page 660 and 661:
Page 662 and 663:
Page 664 and 665:
Page 666 and 667:
Page 668 and 669:
Page 670 and 671:
Page 672 and 673:
Page 674 and 675:
Page 676 and 677:
Page 678 and 679:
Page 680 and 681:
Page 682 and 683:
Page 684 and 685:
Page 686 and 687:
Page 689 and 690:
21Code ReviewIn This Chapter●●
Page 691 and 692:
Chapter 21: Code Review 607For exam
Page 693 and 694:
Chapter 21: Code Review 609Identify
Page 695 and 696:
Chapter 21: Code Review 611Check to
Page 697 and 698:
Chapter 21: Code Review 613Check th
Page 699 and 700:
Chapter 21: Code Review 615Buffer O
Page 701 and 702:
Chapter 21: Code Review 617Is Your
Page 703 and 704:
Chapter 21: Code Review 619●Does
Page 705 and 706:
Chapter 21: Code Review 621Do You S
Page 707 and 708:
Chapter 21: Code Review 623The foll
Page 709 and 710:
Chapter 21: Code Review 625●Do yo
Page 711 and 712:
Chapter 21: Code Review 627●Do yo
Page 713 and 714:
Chapter 21: Code Review 629●●Is
Page 715 and 716:
Chapter 21: Code Review 631Do You V
Page 717 and 718:
Chapter 21: Code Review 633Do You S
Page 719 and 720:
Chapter 21: Code Review 635Do You E
Page 721 and 722:
Chapter 21: Code Review 637Check th
Page 723 and 724:
Chapter 21: Code Review 639Do You P
Page 725 and 726:
Chapter 21: Code Review 641Search f
Page 727 and 728:
22Deployment ReviewIn This Chapter
Page 729 and 730:
Chapter 22: Deployment Review 645Pa
Page 731 and 732:
Chapter 22: Deployment Review 647
Page 733 and 734:
Page 735 and 736:
Chapter 22: Deployment Review 651Re
Page 737 and 738:
Chapter 22: Deployment Review 653Fo
Page 739 and 740:
Page 741 and 742:
Chapter 22: Deployment Review 657Ma
Page 743 and 744:
Page 745 and 746:
Chapter 22: Deployment Review 661Th
Page 747 and 748:
Chapter 22: Deployment Review 663Th
Page 749 and 750:
Chapter 22: Deployment Review 665Ac
Page 751 and 752:
Page 753 and 754:
Chapter 22: Deployment Review 669Ho
Page 755 and 756:
Page 757 and 758:
Chapter 22: Deployment Review 673Fi
Page 759 and 760:
Chapter 22: Deployment Review 675Au
Page 761 and 762:
Chapter 22: Deployment Review 677SQ
Page 763 and 764:
Page 765 and 766:
Related Security ResourcesRelated M
Page 767 and 768:
Related Security Resources 683Commu
Page 769:
Related Security Resources 685Commo
Page 772 and 773:
688 Improving Web Application Secur
Page 774 and 775:
Page 776 and 777:
Page 778 and 779:
Page 780 and 781:
Page 782 and 783:
Page 784 and 785:
Page 786 and 787:
Page 788 and 789:
Page 790 and 791:
Page 793 and 794:
Checklist:Securing Enterprise Servi
Page 795:
Checklist: Securing Enterprise Serv
Page 798 and 799:
Page 801 and 802:
Checklist:Securing Data AccessHow t
Page 803:
Checklist: Securing Data Access 719
Page 806 and 807:
Page 808 and 809:
Page 810 and 811:
Page 812 and 813:
Page 814 and 815:
Page 816 and 817:
Page 819 and 820:
Checklist:Security Review for Manag
Page 821 and 822:
Checklist: Security Review for Mana
Page 823 and 824:
Page 825:
Page 829 and 830:
How To:Implement Patch ManagementAp
Page 831 and 832:
How To: Implement Patch Management
Page 833 and 834:
Page 835 and 836:
Page 837 and 838:
Page 839 and 840:
How To:Harden the TCP/IP StackAppli
Page 841 and 842:
How To: Harden the TCP/IP Stack 757
Page 843 and 844:
Page 845 and 846:
Page 847:
Page 850 and 851:
Page 852 and 853:
Page 854 and 855:
Page 856 and 857:
Page 858 and 859:
Page 861 and 862:
How To:Use IPSec for Filtering Port
Page 863 and 864:
How To: Use IPSec for Filtering Por
Page 865 and 866:
Page 867 and 868:
Page 869 and 870:
Page 871 and 872:
How To:Use the Microsoft BaselineSe
Page 873 and 874:
How To: Use the Microsoft Baseline
Page 875 and 876:
Page 877:
Page 880 and 881:
Page 882 and 883:
Page 885 and 886:
How To:Use URLScanApplies ToSummary
Page 887 and 888:
How To: Use URLScan 803Throttling R
Page 889 and 890:
How To:Create a CustomEncryption Pe
Page 891 and 892:
How To: Create a Custom Encryption
Page 893 and 894:
Page 895 and 896:
Page 897 and 898:
Page 899 and 900:
Page 901 and 902:
Page 903 and 904:
Page 905 and 906:
Page 907 and 908:
How To:Use Code Access Security Pol
Page 909 and 910:
How To: Use Code Access Security Po
Page 911 and 912:
Page 913 and 914:
Page 915:
Page 918 and 919:
patterns & practicesProven practice
show all

Improving Web Application Security: Threats and - CGISecurity

Create successful ePaper yourself

Delete template?

Save as template?