Technical: Microsoft – Information Integration Server (IIS) – Version 8 – Hardening\Securing

Background

Still morose over the IIS web site hijack that I covered in a previous post (https://danieladeniji.wordpress.com/2014/04/12/technical-microsoft-dnsiis-attack-2014-04-12/).

BTW, the culprit ended up being a virus that pasted “http:\\www.holybiblesearch.com” all over our web site.

Starting to take baby steps to harden IIS a bit.

 

Areas we will cover:

  • Web Server Extensions
  • Host Headers
  • Application Pools
  • Request Filtering – HTTP Verbs
  • Audit

 

Web Server Extensions

On the web server, here are the steps to review and adjust “ISAPI and CGI Restrictions”:

  • Launch IIS Manager
  • Select the Server
  • On the server level, make sure that you are viewing the “Features View”
  • Select the “ISAPI and CGI Restrictions” applet

Here is what our screen looks like:

[Screenshot: ISAPIandCGIRestrictions]

 

 

Interpretation

As we are not familiar with the hcap\hcapext.dll module and not sure what to make of it, we changed its Restriction from “Allowed” to “Not Allowed”.

 

 

Host Headers

On the web server, here are the steps to review the web site's host header bindings:

  • Launch IIS Manager
  • Select the Server
  • Access the web site
  • At the web site level, traverse to the “Access” panel
  • In the “Edit Site” branch, click the “Bindings” branch
  • Review the listed bindings and make sure that specific host names are listed, including one for localhost if you will be browsing from the local machine

 


[Screenshot: SiteBindings-AddSiteBinding]

 

This helps shield you from fly-by-night visitors, i.e. those that are just performing IP sweeps and connect by IP address rather than by host name.

 

 

Application Pools

Review the registered Application Pools and make sure that you're using Active Directory accounts or local accounts with the most basic permission set.

On the web server, here are the steps to review each Application Pool's identity:

  • Launch IIS Manager
  • Select the Server
  • Access the “Application Pools”
  • Review each Application Pool's service account
  • Select the Application Pool, right click on your selection, and from the drop-down menu, choose “Advanced Settings” entry
  • In the “Advanced Settings” window, navigate to the Identity entry and note the account that you're running under

 

[Screenshot: ApplicationPool-AdvancedSettings-Identity]

 

Please review the Application Pool user account's permissions on your Web Server, in Active Directory, on the Database, etc.

That way you will later be able to audit the account in terms of its activities.
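The three reviews above (ISAPI and CGI Restrictions, site bindings, Application Pool identities) can be done from one script instead of clicking through IIS Manager on every server. The script below is an added example, not code from the original post; it uses the WebAdministration module that ships with IIS 7.5 and later. The list of known modules is an assumption for the example, as is the decision to flag LocalSystem identities and bindings without a host header.

```powershell
# Added example (not code from the original post): read-only review of the three settings
# discussed above: ISAPI/CGI restrictions, site bindings and application pool identities.
# Needs the WebAdministration module (IIS 7.5+) in an elevated PowerShell session.
Import-Module WebAdministration

# Modules we recognise as belonging on this server. This baseline is an assumption for the
# example; build your own from a known-good server. Anything else that is still "Allowed"
# is flagged, which is how an entry such as hcapext.dll would show up.
$knownModules = @('aspnet_isapi.dll', 'aspnet_filter.dll')

function Get-IsapiCgiReview {
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/security/isapiCgiRestriction/add' |
        ForEach-Object {
            $file = Split-Path -Leaf $_.path
            [pscustomobject]@{
                Restriction = $(if ($_.allowed) { 'Allowed' } else { 'Not Allowed' })
                Path        = $_.path
                Note        = $(if ($_.allowed -and $knownModules -notcontains $file) { 'unknown module, review' } else { '' })
            }
        }
}

# What the post did for hcapext.dll, as a function: flip one entry to "Not Allowed".
function Disable-IsapiCgiEntry {
    param([Parameter(Mandatory)][string]$Path)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter "system.webServer/security/isapiCgiRestriction/add[@path='$Path']" `
        -Name 'allowed' -Value $false
}

function Get-BindingReview {
    foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -notmatch '^https?$') { continue }
            # bindingInformation is "ip:port:hostheader". An empty host header means the site
            # answers any name, or a bare IP, which is exactly what an IP sweep arrives with.
            $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
            [pscustomobject]@{
                Site    = $site.name
                Binding = $b.bindingInformation
                Note    = $(if ([string]::IsNullOrEmpty($hostHeader)) { 'no host header (catch-all)' } else { '' })
            }
        }
    }
}

function Get-AppPoolIdentityReview {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $type = $_.processModel.identityType
        [pscustomobject]@{
            AppPool  = $_.name
            Identity = $(if ($type -eq 'SpecificUser') { $_.processModel.userName } else { "$type" })
            Note     = $(if ($type -eq 'LocalSystem') { 'runs as SYSTEM; use a least-privilege account' } else { '' })
        }
    }
}

Get-IsapiCgiReview        | Format-Table -AutoSize
Get-BindingReview         | Format-Table -AutoSize
Get-AppPoolIdentityReview | Format-Table -AutoSize
```

Run it before and after a change and keep the output; the difference between two runs is a cheap way to notice a new ISAPI entry or a new catch-all binding that nobody remembers adding. The identity review lists the account only; what that account can reach on the file system, in Active Directory and on the database still has to be checked where those permissions live.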

 

Application – Request Filtering – HTTP Verbs

As mentioned above, we are quite concerned that some of our web site files are getting over-written.

To address this, we will enable “Request Filtering” and only allow the following verbs: GET and POST.

To effect this, we will slightly modify the application's web.config file.

Here is the snippet that filters out unlisted verbs and adds/enables the two verbs that we want to allow, GET and POST:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>


 

To view the settings:

  • Launch IIS Manager
  • Access the web site
  • Ensure that the “Features View” is active
  • Within the “IIS” sub-section, choose “Request Filtering”
  • In the “Request Filtering” window, select “HTTP Verbs” tab
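The same verb filter can be applied and verified from PowerShell, which is handy when more than one site needs it. This is an added example, not code from the original post; it uses the WebAdministration cmdlets, and the site name and test URL are assumptions for the example.

```powershell
# Added example (not code from the original post): apply the verb filter from the
# web.config snippet above with the WebAdministration cmdlets, then read it back and
# confirm that a verb outside the list is refused. Site name and URL are assumptions.
Import-Module WebAdministration

$siteName = 'Default Web Site'                                   # assumption
$sitePath = "IIS:\Sites\$siteName"                               # writes to the site's web.config
$filter   = 'system.webServer/security/requestFiltering/verbs'
$allowed  = @('GET', 'POST')

function Set-VerbAllowList {
    param([string[]]$Verbs)
    # allowUnlisted="false": everything not explicitly added below is denied.
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name 'allowUnlisted' -Value $false
    foreach ($verb in $Verbs) {
        # Skip verbs already present so the script is safe to re-run.
        $existing = Get-WebConfiguration -PSPath $sitePath -Filter "$filter/add[@verb='$verb']"
        if (-not $existing) {
            Add-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
                -Value @{ verb = $verb; allowed = $true }
        }
    }
}

function Get-VerbAllowList {
    # What IIS will enforce for this site after the change.
    Get-WebConfiguration -PSPath $sitePath -Filter "$filter/add" | Select-Object verb, allowed
}

function Test-Verb {
    param([string]$Url = 'http://localhost/', [string]$Verb = 'OPTIONS')
    try {
        Invoke-WebRequest -Uri $Url -Method $Verb -UseBasicParsing | Out-Null
        return 'allowed'
    } catch {
        # A verb denied by request filtering is answered with HTTP 404 (sub-status 404.6).
        return "blocked (HTTP $([int]$_.Exception.Response.StatusCode))"
    }
}

Set-VerbAllowList -Verbs $allowed
Get-VerbAllowList | Format-Table -AutoSize
"GET:     " + (Test-Verb -Verb 'GET')
"OPTIONS: " + (Test-Verb -Verb 'OPTIONS')
```

Two caveats worth knowing before rolling this out. With allowUnlisted="false", HEAD and OPTIONS are denied as well, and load balancer health checks often use HEAD, so add it to the list if your monitoring starts reporting the site as down. And request filtering only governs what the web server accepts over HTTP; it does nothing about a local process rewriting files on disk, which is why the NTFS auditing below is still needed.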

Request Filtering:

[Screenshot: RequestFiltering--HTTPVerbs]

 

 

Audit

Audit – NTFS

Our primary hope at this time is to be better prepared to audit the NTFS changes that are shamefully causing our website contents to be over-written.

Thankfully, Microsoft has built NTFS to be readily auditable.

Steps:

There are two steps. The first is to select the object we would like to audit and specify which actions to audit. The second is to enable object access auditing in the local audit policy, since without it the entries on the object produce no events.

Steps – Specify actions to audit

  • Launch Windows Explorer
  • Access Folder that contains web site folders & files
  • Right click on your selection, and from the drop-down menu, choose “Properties” entry
  • In the “Properties” window, access the security tab, and click on the “Advanced” button
  • In the “Advanced Security Settings” window, access the “Auditing” tab window
  • Review the accounts that are currently being audited
  • In our case, we will be adding “Domain Users” to our list
  • And, as we are not interested in execute or read activity but in changes to the actual files, click the “Show advanced permissions” button so that the individual write and delete permissions can be selected

Here are entries that we selected:

[Screenshot: NTFS-Permissions-AuditingFolder]

 

And, here is the completed list:

[Screenshot: NTFS-Permissions-AuditingFolder-AdvancedSettings]

 

 

Steps – Enable object access auditing

  • Launch Administrative Tools \ Local Security Settings
  • In the left panel, access Security Settings \ Local Policies \ Audit Policy
  • In the right panel, select “Audit object access” and double-click on your selection
  • In the “Audit object access properties” window, select “Success” and “Failure”. In many cases it is OK to just audit failures, that is, you want to know who is trying to gain access and failing. But, as I said, in our case whoever is trying to gain access is successfully doing so
  • Click “OK” to enforce your changes
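Both audit steps, adding the SACL entry on the folder and enabling object access auditing, can be scripted, and the script can also pull the resulting events so you are not reading the Security log by hand. This is an added example, not code from the original post. The web root path and the audited principal are assumptions, and the particular set of rights audited (write, append, delete, permission and ownership changes) is my choice for the example; the post does not list which boxes it ticked.

```powershell
# Added example (not code from the original post): the two audit steps above from
# PowerShell, plus a query for the events they produce. Path and principal are
# assumptions. Run elevated: writing a SACL requires SeSecurityPrivilege.

$webRoot = 'C:\inetpub\wwwroot'    # assumption: folder holding the web site files
$auditee = 'DOMAIN\Domain Users'   # assumption: principal the post adds to the audit list

function Add-ChangeAuditRule {
    param([string]$Path, [string]$Principal)
    # Change-type rights only, so Read/Execute traffic does not flood the log.
    # Which rights to audit is a choice made for this example.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal, $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 1: SACL entry on the folder (inherited by its files and sub-folders).
Add-ChangeAuditRule -Path $webRoot -Principal $auditee

# Step 2: the audit policy. "Audit object access" in Local Security Policy covers several
# auditpol subcategories; "File System" is the one NTFS events fall under.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Afterwards: who changed what. Event 4663 ("An attempt was made to access an object")
# carries the account, the object path, the access mask and the process that did it.
function Get-WebRootWrites {
    param([string]$Root = $webRoot, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML rather than relying on positional Properties indexes.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data.ObjectName -like "$Root*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                    Process = $data.ProcessName
                }
            }
        }
}

Get-WebRootWrites | Sort-Object Time | Format-Table -AutoSize
```

The Process column is the one to look at first. If the writes come from w3wp.exe, the web application itself (running under the Application Pool identity reviewed earlier) is the thing rewriting the files, which points at the application rather than at a separate service or an interactive logon. Success events only appear for principals that have a SACL entry, so if the account doing the writing is not a member of the audited group, nothing will be logged for it.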

 

 

[Screenshot: AuditPolicy-AuditObjectAccess-SuccessAndFailure]

 

Completed:

Please pay close attention to the “Security Setting” column, as in many shops local changes cannot be effected because they are overridden by “Group Policy” settings.

[Screenshot: LocalSecurityPolicy-AuditPolicy-Completed]

 

 

Program Features

Review Programs and Features and see whether new applications have been installed. In our case, we wanted to find where hcapext.dll came from.

Especially as we have a file creation date to work from.

[Screenshot: ProgramAndFeatures]

 

Good on Microsoft for augmenting “Add\Remove Programs” with a sortable “Installed On” column. This way, we can correlate our initial problem date with application install dates.

 

Conclusion

Who gets picked on? The security breach might very well be random in nature. I know we sometimes feel picked on. But, on the world wide web, there are no strangers and little anonymity. We are all just IP friends and neighbors.

It seems the virus slash worm is targeting familiar folders; folders with names such as CascadingSyleSheets, Confide, DynamicData, and Northwind.

And, files with names such as default.asp and index.php.

Pasted below is a screenshot that shows the infected folders and files.

 

[Screenshot: familarFolders]

The infected folders are:

  • App_Data
  • bin
  • Content
  • Controllers
  • Models
  • obj
  • Properties
  • Scripts
  • Views

And, the files are:

  • default.asp
  • index.php

The infection occurred on 4/7/2014 and the folders and files bear that DateModified timestamp. Please keep in mind that even when we replace infected files with good ones, they are getting re-infected, and the DateModified then shows the more recent date.
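The two timelines the post relies on, the “Installed On” column in Programs and Features and the DateModified stamps on the web site files, can be lined up against the date the problem was first seen with a short script. The example below is added here and is not code from the original post. The date (4/7/2014) and the pasted string (holybiblesearch.com) come from the post; the web root path and the set of file extensions scanned are assumptions.

```powershell
# Added example (not code from the original post): correlate installed programs and
# modified files against the date the problem was first noticed, and locate files that
# still carry the pasted string. Date and marker are from the post; paths are assumptions.

$problemDate = [datetime]'2014-04-07'
$webRoot     = 'C:\inetpub\wwwroot'     # assumption: folder holding the web site files
$marker      = 'holybiblesearch.com'    # string the post says was pasted into the pages

function Get-InstalledSince {
    param([datetime]$Since)
    # "Installed On" in Programs and Features is the InstallDate value (yyyyMMdd) under the
    # Uninstall keys; 32-bit installers on a 64-bit server register under Wow6432Node.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
        ForEach-Object {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            if ($installed -ge $Since) {
                [pscustomobject]@{ InstalledOn = $installed; Name = $_.DisplayName; Publisher = $_.Publisher }
            }
        } | Sort-Object InstalledOn
}

function Get-ModifiedSince {
    param([string]$Root, [datetime]$Since)
    # LastWriteTime is the DateModified column in Explorer. Re-infected files show the
    # most recent rewrite, not the original 4/7 date.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Sort-Object LastWriteTime |
        Select-Object LastWriteTime, FullName
}

function Find-Marker {
    param([string]$Root, [string]$Pattern)
    # Only the content files a web server serves; extension list is an assumption.
    Get-ChildItem -Path $Root -Recurse -Include *.asp, *.aspx, *.php, *.htm, *.html, *.js -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -SimpleMatch -List |
        Select-Object Path, LineNumber
}

"Programs installed on or after $($problemDate.AddDays(-1).ToShortDateString()):"
Get-InstalledSince -Since $problemDate.AddDays(-1) | Format-Table -AutoSize

"Files under $webRoot modified on or after $($problemDate.ToShortDateString()):"
Get-ModifiedSince -Root $webRoot -Since $problemDate | Format-Table -AutoSize

"Files still containing '$marker':"
Find-Marker -Root $webRoot -Pattern $marker | Format-Table -AutoSize
```

InstallDate is only written by installers that register with Windows, so a DLL dropped into a folder without an installer, which is how an unknown module often arrives, will not appear in the first list; the file timeline is the more dependable of the two. The marker search is what tells you whether a clean copy has been re-infected since it was restored, and the latest LastWriteTime on such a file is the moment to look for in the Security log once NTFS auditing is on.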

 

 
