Windows Web Solutions UPDATE, July 1, 2003

1. Commentary: The Newest IIS Security Rollup

2. Keeping Up with IIS
   - Deploy URLScan to Protect Your IIS Server
   - Results from Last Issue's Instant Poll: Microsoft TechEd 2003
   - This Issue's Instant Poll: Rate Your Web Server Attacks

3. Announcements
   - Active Directory eBook Chapter 2 Published!
   - Take Our Brief Active Directory Survey!

4. Resource
   - Featured Thread: XP Users Can't Access Internet Applications

5. Events
   - New--Mobile & Wireless Road Show!

6. New and Improved
   - Analyze Web Site Traffic Data
   - Submit Top Product Ideas

7. Contact Us
   - See this section for a list of ways to contact us.

==== 1. Commentary: The Newest IIS Security Rollup ====

by Paula Sharick, [email protected]

After engaging in numerous real-time cyber–sword fights against malicious intruders for weeks, I am particularly sensitive to Microsoft IIS security hotfixes these days. Although I don't yet have all the data I need to do a technically correct forensic analysis of the break-in I'm researching, it appears that intruders used a Trojan Horse to hijack the Web server for nefarious purposes. My top candidates for the hijacker activity include pushing spam files or stolen software through the Internet. The hijacking ended with a firewall that's now dead and refuses to boot.

I strongly encourage you to update all your Internet Information Services (IIS) 5.1, IIS 5.0, and Internet Information Server (IIS) 4.0 Web servers with the latest IIS security rollup, which you can learn about in the Microsoft article "MS03-018: May 2003 Cumulative Patch for Internet Information Services (IIS)". The article contains download links for all affected IIS versions.

In the never-ending battle between developers and crackers, the latest IIS security rollup closes four new vulnerabilities, including a cross-site scripting security problem, a buffer overflow, and two forms of Denial of Service (DoS) attacks. Although none of the fixes are rated critical, keeping your IIS servers patched and current is important. Failure to do so opens the door to more sophisticated exploits that leverage the same flaws in the future. The rollup does the following:

-- Eliminates a cross-site scripting vulnerability that lets an IIS server redirect an Active Server Pages (ASP) script meant for server A to an alternate IIS server, server B. Server B responds to the client request, and the redirected script executes using the security settings on server B rather than the settings on server A. If server B is less secure, the script runs with elevated privileges.

-- Eliminates a buffer overflow that occurs in Windows 2000 IIS servers because that version doesn't correctly validate requests for server-side include files. A malicious user can leverage this flaw by uploading a script that generates the buffer overflow to the unsecured server. After the buffer overflow occurs, the malicious user can run code with unrestricted access in the system's security context.

-- Eliminates a DoS vulnerability in Win2K and Windows NT IIS servers that occurs because IIS doesn't limit the amount of memory a script can allocate when creating the header for an HTTP response. To exploit this flaw, an attacker must first place a page with suitably programmed ASP script onto an unsecured server. If the script allocates a large enough block of memory, IIS dies.

-- Eliminates a second DoS vulnerability in Windows XP and Win2K IIS servers that occurs because of how IIS responds to errors when it processes a long WWW Distributed Authoring and Versioning (WebDAV) request. When an attacker exploits this flaw, IIS stops and immediately restarts. For servers that you've secured with the IIS Lockdown utility, Lockdown disables WebDAV authoring.

If you stay on top of security fixes, you no doubt have already used the identity spoofing hotfix in Microsoft Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to update client systems that run Microsoft Office. If you haven't installed the client certificate hotfix, you should do so before you install the IIS security rollup. The bulletin has download links for this identity spoofing update for a variety of clients, including XP, Win2K, Windows 9x, and Macintosh. If you don't update your clients and IIS requires certificates for authentication, IIS will reject the client certificates when they attempt to connect to the updated IIS server.

I also want to remind you to update Microsoft Internet Explorer (IE) on all your systems with the security rollup Microsoft released on April 24. If you don't install the rollup, a malicious user can exploit the latest batch of vulnerabilities from a Web site or an HTML-based email message to download and run code on unpatched systems. I describe the risks and provide the download links for all versions of IE in my May 27 Keeping Up with Win2K and NT column.


==== 2. Keeping Up with IIS ====

Deploy URLScan to Protect Your IIS Server

URLScan is bundled as part of the IIS Lockdown Tool and is an Internet Server API (ISAPI) filter that intercepts every request your Web server receives from the Internet and scans each request for anything unusual. To find out more about how URLScan can protect your IIS server, go to the following URL:

Results from Last Issue's Instant Poll: Microsoft TechEd 2003

The voting has closed in the Windows & .NET Magazine Windows Web Solutions channel's nonscientific Instant Poll for the question, "Did you attend Microsoft TechEd 2003, and what is your opinion about it?" Here are the results from the 42 responses:

- 17% I went and was very satisfied.
- 12% I went and was somewhat satisfied.
- 2% I went but wish I hadn't.
- 24% I didn't go but wish I had.
- 45% I didn't go and don't regret it.

This Issue's Instant Poll: Rate Your Web Server Attacks

The next Instant Poll question is, "How severe are the attacks that you usually experience in a given week on your Web servers?" Go to the Windows & .NET Magazine Windows Web Solutions home page and submit your vote for a) We don't receive attacks, b) We rarely receive attacks, c) We receive some attacks, but they aren't too severe, or d) We receive major attacks each week.

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Active Directory eBook Chapter 2 Published!

The second chapter of Windows & .NET Magazine's popular eBook "Windows 2003: Active Directory Administration Essentials" is now available at no charge! Chapter 2 looks at what's new and improved with Active Directory. Download it now!

Take Our Brief Active Directory Survey!

Windows & .NET Magazine would like to know how your organization uses Active Directory. Your feedback will be kept absolutely confidential, so take our brief survey today!

==== 4. Resource ====

Featured Thread: XP Users Can't Access Internet Applications

Forum member RohanRaju has a scenario in which Windows XP users can't access Internet applications that reside on a Windows 2000 IIS server. The problem is occasional; the rest of the time, users can access the Internet without any problems. The IIS server's security is set to use integrated authentication. The event logs reveal nothing related to the problem. To lend this forum member a helping hand, click the following URL:

==== 5. Events ==== (brought to you by Windows & .NET Magazine)

New--Mobile & Wireless Road Show!

Learn more about the wireless and mobility solutions that are available today! Register now for this free event!

==== 6. New and Improved ==== by Sue Cooper, [email protected]

Analyze Web Site Traffic Data

Mach 5 Enterprises released Mach5 Fast Stats Analyzer 3, software that performs Web log file analysis to help you understand your Web traffic. New features include improved reporting, the ability to export to HTML, and a Hyper Link Tree view, which shows you how visitors are using your Web site. Mach5 is available in a Regular Edition for $99.95 and a Gold Edition for $199.95. The Gold Edition provides a Site Stickiness Report that measures total and average visitor stay length, average page views per session, site entry and exit pages, page view histograms, and session-length histograms. Both editions include a detailed breakdown of pages, files, images, and directories pulled; graphical and chart views of total hits; and a comprehensive summary of query string variables.

Submit Top Product Ideas

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]


==== 7. Contact Us ====

About the commentary -- [email protected]
About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


Copyright 2003, Penton Media, Inc.
