黑客攻擊IIS的主要發(fā)式演示及安全防范措施

1、黑客攻擊IIS的主要發(fā)式演示及安全防范措施 SEC 307日程：怎樣黑的: The Internet Information Server (IIS) Unicode exploit為什么有Code Red 和 Nimda? 微軟的應(yīng)對措施：STPPNew security features in IIS 6.0怎樣加固 IIS?網(wǎng)絡(luò)管理員程序開發(fā)員How It WorksCanonicalizationA roseis a roseis a roseis a roseGertrude SteinOr is it? c:myprogramsmydirtest.asp:$DATA.mydirte

2、st.aspc:myprogramsmydirtest.asp.c:myprogramsmydirtest.aspc:myprog1mydirtest.asp 演示：Unicode ExploitWindows 2000 是一個安全的平臺嗎？是的！ YES!Security is built-inWinner of eWeek OpenHack challengeCustomers who survived Code Red and NimdaCurrent on service packs and security patches“Locked down” systems so that v

3、ulnerabilities were not exposedWithstand attacks even without applying patchesDid both for “defense in depth”Microsofts commitmentSecurity Response CenterSTPP Windows Security Push7000 engineersDedicated Security PersonalSTPP And IISStrategic Technology Protection ProgramSustained campaign for Windo

4、ws NT 4.0 and Windows 2000Get secureFree Windows Security Resource Toolkit CDHotfix RollupIIS Lockdown HFNetCHK URLScan Support1-866-PCSafety, free security issue support Stay secureBundle all security fixes since most recent Service Pack Windows 2000 Service Pack (SP3)Windows Update Corporate Editi

5、onAuto update Scheduled install demoIIS Lockdown ToolURLSCAN重要提示Install new IIS Security Rollup PackageSRPURLSCANIIS 6.0 安全方面的新設(shè)計(jì)：Reduced attack surfaceIIS is not installed by defaultServer Lockdown: Static files onlySecure defaultsCode securityBuffer overflow checksAutomated in the Windows build en

6、vironmentVC+ compiler supported (/Gs)Revised canonicalizationRemoved old legacy codeLow privilege accountsSecurity through IsolationGreat patch management storyNew authentication and authorization schemes實(shí)用措施 Best PracticesRun IIS Lockdown wizard and URLScanLock down your network with IPSecDo not us

7、e FAT! Have your content on a separate partitionUse authenticationDisable unneeded system servicesStay InformedSecurity: A way of lifeCheck for new security hot fixesSubscribe to the Security notification service technet/treeview/default.asp?url=/technet/security/bulletin/notify.aspUse HFCHECK /HFNE

8、TCHK technet/security/tools/tools/hfnetchk.aspQuery Windows Update Stay InformedSecurity: A way of lifeRemain informed, vigilant, and educated!AuditEventlogMonitorIIS LogsMake a plan for what needs to be done whenA new security bulletin is releasedHackedDo backupsUse tools to detect intrusions URLSC

9、AN如果不幸被黑了Remove infected machines from the NetForensicsTake an image; Find out how the hacker did itCheck with vendors for new vulnerabilitiesCheck log filesExamine connected computersInstall clean image after low level formatChange passwordsUpdate Installation GuidesDocument what you have learnedMa

10、ke an incident response plan編程方面可能出現(xiàn)的的安全問題假設(shè)說有的輸入都有惡意!Three main threats Cross-site scriptingBuffer overflowsSQL injectionClientHow Cross-Site Scripting WorksBAD.COMTRUSTED.COMhyperlinkError: Invalid URL + requested linkMsgBox “hello” demoCross-Site Scripting解決方法Filter input parameters for special c

11、haracters % ; ) ( & + - Encode output based on input parametersURLEncodeHTMLEncodeSet Data LimitsUse Input Validation Controls in ASP.NETBuffer OverrunsAnd again: All input is bad!Buffer OverflowsHow it worksLocal variablesCalling CodeProgram StackReturn AddressJMP ESPLocal variablesCalling CodeProg

12、ram StackReturn AddressMalicious InputNew Return Addresspush ebp push ecx mov ebp,esp sub esp,54h xor ecx,ecxmov byte ptr ebp-14h,h mov byte ptr ebp-13h,a mov byte ptr ebp-12h,c mov byte ptr ebp-11h,k mov byte ptr ebp-10h,e mov byte ptr ebp-0Fh,d mov byte ptr ebp-0Eh,1 mov byte ptr ebp-0Dh,. mov byt

13、e ptr ebp-0Ch,e demoBuffer Overflow解決方法strcpystrcatmemcpysprintfmemcpymemsetgetssscanfreadstrstrstrrevValidate all inputsSee “Writing Secure Code” by Michael Howard and David LeBlancDouble-check or dont use unsafe functionsSQL InjectionAnd again: All input is bad!if (isPasswordOK(Request.form(name),

14、Request.form(pwd) Response.write(Authenticated!); / Do stuff else Response.write(Access Denied); function isPasswordOK(strName, strPwd) var fAllowLogon = false; var oConn = new ActiveXObject(ADODB.Connection); var strConnection=Data Source=c:authauth.mdb; oConn.Open(strConnection); var strSQL = SELE

15、CT count(*) FROM client WHERE + name= + strName + + and pwd= + strPwd + ; var oRS = new ActiveXObject(ADODB.RecordSet); oRS.Open(strSQL,oConn); fAllowLogon = (oRS(0).Value 0) ? true : false; oRS.Close(); delete oRS; oConn.Close(); delete oConn; return fAllowLogon; 壞蛋Username: b or 1 = 1Password: b o

16、r 1 = 1SELECT count(*) FROM client WHERE name=b or 1=1 and pwd=b or 1=1為什么危險？好人Username: mikeyPassword: &y-)4Hi=Qw8SELECT count(*) FROM client WHERE name=mikey and pwd=&y-)4Hi=Qw8 demoSQL Injection解決方法Tell the attacker nothing!Determine what is valid inputBeware of quotesCheck SQL return valuesDisab

17、le parent paths in ASPEnableParentPaths property工具和檢查清單Security Toolkit onlineLockdown ToolHFNETCHKURLSCANWhitepapersChecklistsNSA Security Recommendations guides/w2k-14.pdf總結(jié)Microsoft is committed to Windows 2000 and Windows NT 4.0Internet Information Server (IIS) 5.0 when managed, is a secure Platform that withstands real world attacksWe will provide the tools and features to make managing a secure computing environment, as easy as possibleIIS 6.0 with a