Something I was pondering in class lecture today
Now suppose you have a theoretical server running Server 2003 Enterprise, new install, SP2 applied, all updates, anti-virus in place and up to date, but you think the server may have been compromised with a directory traversal attack (yes, throwing logic out of the window, IIS 6.0 shouldn't suffer from these attacks), but for argument's sake say you suppose it had.
Question
How do you protect against a directory traversal attack and how can you check if the server has been compromised?
Like I say, this is all theoretical and stems from the lecture we had this afternoon on web server security.
Discuss ......
-
IIS 6 by default has Parent Paths disabled. So Directory Traversal should not be possible.
-
You're right, it should not, but if you had reason to believe it had been possible, how would you secure the server? I know in previous versions you could use a tool, URLScan, to normalize paths. Does URLScan still exist for IIS 6.0?
-
I'm sure it does. But why not just go in and disable parent paths? You'd have to run some sort of scan on the machine to catch anything that came in.
-
When you say disable parent paths, where do you find that option in IIS 6.0? (I've got Windows NT 4.0 and Server 2003 side by side in Virtual PC and I'm comparing IIS features.)
-
Ahh, found it.
OK, so we know parent paths are disabled. Are there any other "good practices" to follow to make sure the server is safe from traversal attacks? (Apart from the obvious stuff.)
-
umm. no clue, other than patching and such.
-
julianbenjamin wrote: umm. no clue, other than patching and such.
I use tight ACLs on my servers, every website runs under a user identity with minimal access. Trying to traverse to a directory you don't have explicit permission for (i.e. outside their "home" directory) lands you an Access Denied error.
Whilst this is as tight as I can currently get it, I don't know how ASP.NET, ISAPI, CGI, and worker-processes work when thrown into the mix.
So the "base website" runs under the identity of the user I told IIS to use, so any NTFS DACLs denying access to that user mean IIS cannot serve the files. But ASP.NET runs under w3wp.exe which runs under NETWORK SERVICE, but are the Requests it handles done under the IIS User or NetServ? What about "ASP.NET impersonation"? Does the same apply to extensions working through ISAPI and CGI, like PHP and Perl?
BTW, when I saw the subject, I thought it was about a traversal attack on LDAP... which might just be possible if the sysadmin hasn't set permissions on his OrganizationalUnits (more common than setting NTFS DACLs, I can imagine)
-
Put the inetpub folder on a separate drive/volume.
-
IIS Lockdown should still exist in some form or another. It might have been merged into Baseline security scanner, though.
-
IIS 6 also logs to a common error log; in that log you can see folks probing for that kind of attack and failing.
It's trapped very early in the IIS to HTTP stack.
As I recall it's httperror.log??
One per server for all web sites bound to that server.
-
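The path normalisation the thread mentions (what URLScan did, and what the Parent Paths setting enforces) and the log review described in the post above, as an added Python example that is not from the thread; the web root, the log lines and the file names in it are constructed for illustration:

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root; POSIX separators are used so the example runs anywhere.
WEB_ROOT = "/inetpub/wwwroot"


def resolve_under_root(uri_stem: str, root: str = WEB_ROOT):
    """Canonicalise a request path and return the on-disk path, or None if the
    request would climb above the web root (the check a traversal attempt fails)."""
    # Decode twice so a double-encoded "%252e%252e" is seen as "..", and treat
    # backslashes as separators the way Windows does before collapsing "..".
    decoded = unquote(unquote(uri_stem)).replace("\\", "/")
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def parse_w3c(lines):
    """Parse IIS W3C extended log lines into dicts using the #Fields header."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def find_traversal_probes(lines, root=WEB_ROOT):
    """Return (c-ip, sc-status, cs-uri-stem) for every logged request whose
    canonical path escapes the web root, whatever status code it received."""
    hits = []
    for rec in parse_w3c(lines):
        if resolve_under_root(rec.get("cs-uri-stem", "/"), root) is None:
            hits.append((rec["c-ip"], rec["sc-status"], rec["cs-uri-stem"]))
    return hits


# Constructed sample log (not a real capture) in IIS 6 W3C format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-03-12 10:15:01 10.0.0.5 GET /default.htm - 200
2007-03-12 10:15:02 10.0.0.5 GET /images/../index.html - 200
2007-03-12 10:15:03 192.0.2.44 GET /..%2f..%2f..%2fprivate/config.txt - 404
2007-03-12 10:15:04 192.0.2.44 GET /scripts/..%255c..%255c..%255cprivate/config.txt - 404
""".splitlines()

if __name__ == "__main__":
    for ip, status, uri in find_traversal_probes(SAMPLE_LOG):
        print(f"traversal probe from {ip}: {uri} (status {status})")
```

The second sample request stays inside the root after normalisation, so only the two double-encoded and plain "../" probes are reported.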
Thanks all, some good pointers to research into. Spent a while trying to replicate the traversal attack in Virtual PC using NT 4/2000/2003, trying IIS 4, IIS 5 and IIS 6, and I was able to replicate the attack on IIS 4 and 5 but not 6.
-
Don't you ppl use an IDS?
Umm, Snort is free...