After the recent destruction of Internet Information Server (IIS)-based Web sites by the Code Red and Nimda viruses, ensuring security for Web applications has become everyone's job. This article gives a plan for recovering from virus attacks, securing the server, and protecting it from further attacks. It points the reader directly to resources that can speed the process. The outline of the plan is:
Recover from infection or rebuild
Install operating system upgrades and patches
Verify that the system is up to date
Protect the system from other attacks
Monitoring
Stay informed
Throughout the article, I'll refer to various files that you can download from Microsoft. Since Nimda, Microsoft has become more serious about security. They've instituted a new security program called the Strategic Technology Protection Program (STPP). It includes free technical support to recover from a virus attack and the Microsoft Security Toolkit. The toolkit is a collection of system upgrade files and protection tools, including the tools discussed in this article. They also provide a blueprint for recovery and protection. Start at http://www.microsoft.com/security. I've ordered the CD, and it's on back order. It may be available by the time you read this.
However you get the files, by CD or download, let's get started.
1 Recover from Infection or Rebuild
If you have an infected IIS Server, the first step is to pick between recovery and rebuilding. Recovery involves cleaning viruses from your system and repairing any damage. Rebuilding means starting from scratch using trusted media.
Recovery is not assured, and various authoritative sources (CERT, Microsoft, Symantec) recommend that servers that have been exposed to the public Internet be rebuilt from scratch. Yikes! They mean well, but they don't have to do the work. Rebuilding isn't fun, but it gives the best insurance that you're not leaving problems on your system. In some cases, enough files in the operating system have been destroyed that rebuilding is the only course of action. I've done both a recovery and a rebuild, and both seem to have worked. If you want to be safe, rebuild.
Assuming you decide to recover, the first step in protecting your system is to remove any infection. During this step, clean the system of viruses and take some steps to prevent instant reinfection. Perform the following steps:
Until the system is protected, stop the World Wide Web service and set it to not start automatically. Use the Control Panel/Services applet.
Install a virus scanner/cleaner from a company like Symantec, McAfee, etc. Download the latest virus definitions and scan your whole system. If you find any infection, consider a rebuild.
Remove any unnecessary file shares, including any default shares on the roots of the drives.
NTFS volumes are easier to protect than FAT volumes. Convert all volumes on your system to the NT File System (NTFS), including the system volume. When rebuilding, format drives as NTFS during the installation.
Whether you've cleaned out your infection or rebuilt your system from scratch, you can proceed safely.
2 Install Operating System Upgrades and Patches
The best way to upgrade is to use Windows Update from the Internet Explorer (IE) Tools menu. Be prepared for some long downloads and to reboot often. I suggest the following sequence of upgrades:
Windows Critical Update Notification: This tool applies only to NT Workstation or W2K Professional. It checks every day for a critical update and pops up an offer to update your system. I mention it in case you're running IIS on an applicable OS. See http://support.microsoft.com/support/kb/articles/Q224/4/20.asp for a complete description.
Outlook: Outlook shouldn't be on an IIS server. Remove it and Outlook Express while you're at it. You can delete the EXE files.
Install the Resource Kit for your OS. Some of its tools will be used later when securing your system.
3 Verify that the System is Up to Date
Once you've used Windows Update to install the critical fixes, verify that you're up to date. While you can use Windows Update every day, there's a better tool: Network Security Hotfix Checker (or Hfnetchk.exe). Download it by starting at: http://support.microsoft.com/support/kb/articles/q303/2/15.asp
Hfnetchk.exe checks that you've installed available hot fixes for NT or W2K, IIS, and IE. It can be used to check all the computers in a domain, a subject that is beyond the scope of this article. Run IE's Windows Update until Hfnetchk.exe shows that "All necessary hot fixes have been applied."
Unfortunately, on NT 4 Server it isn't possible to get Hfnetchk to report that all patches are installed. Even after the latest critical update packages have been installed, Hfnetchk continues to report specific patches that have not been applied. These have to be checked by hand. Other Microsoft bulletins may help you with the details of some of these hot fixes. The bulletins can be read at:
http://www.microsoft.com/technet/security/bulletin/MSYY-XXX.asp
where YY is the year and XXX the number of the bulletin.
MS98-001 - Relates to the ability of nonadministrators to create groups. See Q169556. Fixed by running "Createals.exe -a" from the NT Resource Kit.
MS99-025 - Relates to disabling the RDS DataFactory. There are various ways to disable it, including removing the MSADC virtual directory. LockDownIIS, described in the next section, takes care of it.
MS99-036 - Relates to unattended installation of Windows NT. If you use unattended installation, and more power to you, check this out.
MS00-025 - This relates to the file dvwssr.dll, which is used by Visual InterDev. It can be removed from nondevelopment servers. Be sure it's gone from your system.
MS00-028 - Relates to the files htimage.exe and imagemap.exe, which should be removed from your system unless you're supporting imagemaps on very old browsers.
MS00-081 - Relates to a Microsoft Java virtual machine (VM) vulnerability. Bulletin leads to new Java VM install. Important if you're executing server-side Java, otherwise not essential.
MS01-048 - This one is new and deserves everyone's attention. Read the bulletin and apply its patch. However, as the text of the bulletin points out, the best protection against an attack on the Remote Procedure Call (RPC) mechanism is a properly configured firewall.
4 Protect the System from Other Attacks
4.1 URLScan: Don't Leave Home without It!
URLScan is a powerful tool for protecting your IIS. It examines every HTTP request before it is handed to IIS, which normally responds by returning the requested HTML file or running the requested ASP page. Before a request is allowed through to IIS, URLScan checks it for:
Malformed URLs, such as binary data in the URL
Attempts to run restricted file extensions such as EXE, HTA, IDA, etc.
Restricted HTTP Request types. Only GET, POST, and HEAD are needed by most sites.
Figure 1 shows how URLScan blocked a typical series of attacks from a Nimda-infected system somewhere on the Internet. The IP addresses have been XXXed out for security reasons. There are plenty of infected computers out there on the Net, and I see a sequence like this every day.
Figure 1
[Tue, Oct 09 2001 - 12:05:32] Client at XXX.XXX.XXX.XXX: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[Wed, Oct 10 2001 - 11:08:53] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/download/win32/en/ie5setup.exe'
[Thu, Oct 11 2001 - 09:53:58] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/scripts/root.exe'
[Thu, Oct 11 2001 - 09:53:58] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/MSADC/root.exe'
[Thu, Oct 11 2001 - 09:53:59] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/c/winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:01] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/d/winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:03] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/scripts/..%255c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:04] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:08] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:09] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:09] Client at XXX.XXX.XXX.XXX: URL contains '.' in the path. Request will be rejected. Raw URL='/scripts/..%c1%1c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:13] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/scripts/..%c0%2f../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:14] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/scripts/..%c0%af../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:18] Client at XXX.XXX.XXX.XXX: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/scripts/..%c1%9c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:19] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/scripts/..%%35%63../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:23] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/scripts/..%%35c../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:26] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/scripts/..%25%35%63../winnt/system32/cmd.exe'
[Thu, Oct 11 2001 - 09:54:29] Client at XXX.XXX.XXX.XXX: URL normalization was not complete after one pass. Request will be rejected. Raw URL='/scripts/..%252f../winnt/system32/cmd.exe'
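As an added illustration of the three checks listed above (this is example code written for this article's readers, not URLScan's own code, whose rules live in its urlscan.ini and are not reproduced on this page), the Python script below emulates the allowed-verb, disallowed-extension and one-pass-normalization checks and runs them over raw URLs taken from Figure 1 plus two constructed benign requests. The verb list, the extension list and the order of the checks are assumptions; the rejection messages only mimic the log wording.

```python
import urllib.parse
from typing import Optional

# Added illustration of the URLScan checks described above. The verb list,
# the extension list and the order of the checks are assumptions made for
# this example; they are not URLScan's actual configuration.
ALLOWED_VERBS = {"GET", "POST", "HEAD"}
DENIED_EXTENSIONS = {".exe", ".hta", ".ida", ".idq", ".bat", ".cmd", ".com", ".dll"}


def check_request(verb: str, raw_url: str) -> Optional[str]:
    """Return None if the request may pass to IIS, else the rejection reason."""
    if verb.upper() not in ALLOWED_VERBS:
        return f"verb '{verb}' is not specifically allowed"

    # Binary data in the URL: anything outside printable ASCII.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in raw_url):
        return "URL contains non-printable characters"

    # Normalization in one pass: decode once, then decode again. If the
    # second pass still changes something, the URL was double-encoded,
    # e.g. '%255c' -> '%5c' -> '\'. Bytes are used so overlong UTF-8
    # sequences such as %c0%af survive without a decoding error.
    once = urllib.parse.unquote_to_bytes(raw_url)
    twice = urllib.parse.unquote_to_bytes(once)
    if once != twice:
        return "URL normalization was not complete after one pass"

    # Work on the decoded path only; treat '\' like '/' as IIS does.
    path = once.split(b"?", 1)[0].replace(b"\\", b"/")
    segments = path.split(b"/")

    last = segments[-1]
    if b"." in last:
        ext = b"." + last.rsplit(b".", 1)[1]
        if ext.lower().decode("latin-1") in DENIED_EXTENSIONS:
            return f"URL contains extension '{ext.decode('latin-1')}', which is disallowed"

    # Any '..' left after decoding is a traversal attempt whatever follows it.
    if any(b".." in seg for seg in segments):
        return "URL contains '..' in the path"
    return None


# Requests taken from Figure 1 plus two constructed benign ones.
SAMPLE_REQUESTS = [
    ("OPTIONS", "/"),
    ("GET", "/scripts/root.exe"),
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe"),
    ("GET", "/scripts/..%%35%63../winnt/system32/cmd.exe"),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe"),
    ("GET", "/default.asp?id=1"),       # constructed
    ("GET", "/images/logo.gif"),        # constructed
]


def triage(requests) -> dict:
    """Count verdicts the way a daily log review would: reason -> hits."""
    counts: dict = {}
    for verb, url in requests:
        reason = check_request(verb, url) or "allowed"
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for verb, url in SAMPLE_REQUESTS:
        print(f"{verb:7} {url:50} -> {check_request(verb, url) or 'allowed'}")
```

The double-decode test is the heart of it: a single decode of '..%255c..' leaves '..%5c..', and only a second decode turns that into a backslash, which is exactly the trick the probes in Figure 1 rely on. The '.exe' rule then catches the attempts that use overlong UTF-8 instead of double encoding, matching the reasons URLScan gave in the figure.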
4.2 Install IIS Lockdown
The IIS Lockdown tool uses the existing facilities of NT and IIS to protect it from Code Red, Nimda, and other attacks, known and unknown. It does this by applying available security settings and installing a 404.dll file to protect from undesirable hits. See http://www.microsoft.com/technet/security/tools/locktool.asp.
When run on Windows NT 4, IIS Lockdown depends on the InetPub tree residing on an NTFS volume. So if you haven't already converted to NTFS, start by converting all volumes on your system to NTFS.
IIS Lockdown is a rather blunt tool. If allowed to, it turns off everything dangerous. That includes all the useful stuff Microsoft has added to IIS over the last six years. Unless you're using just plain HTML pages, use the Custom Installation option and keep features that your application uses. For example, if you're using ASP pages in your site, be sure to allow ASP pages to be run. Many of the protections implemented by IIS Lockdown overlap with those of URLScan, but there's no harm in that.
4.3 Internet Information Server Security Checklist
Microsoft provides an extensive security checklist that it recommends for sites that are exposed to the public Internet. It took me about 6 hours to perform the 50-step list for IIS 4, to test that the application still worked, and to adjust the settings to allow the application to function. URLScan and IIS Lockdown, referenced above, implement many of the steps, so you should run them first. However, many steps secure NT and IIS in additional ways, such as protecting individual registry keys. Having done it once, and given what I know of IIS attacks, I'm pretty sure that implementing the checklist would have protected IIS from the Code Red and Nimda viruses.
Due to the number of steps I can't give step-by-step instructions here. Using the checklist requires knowledge of your server and your Web applications. Some of my notes from the installation process are:
For each of the three NT Event logs, change the Log Settings to allow a 10 megabyte log file and choose "Overwrite Events as Needed."
You'll be moving CMD.EXE. Be sure to set up shortcuts for the interactive user so a Command prompt can be run when performing maintenance interactively.
Since you'll be moving CMD.EXE and other powerful commands from their default location, you may want to put the path to their new location into the path of the login ID used for routine maintenance. This login ID shouldn't be "Administrator."
If your application uses a database, when configuring TCP/IP filtering, be sure you don't prevent your application from reaching the database. I did and the application couldn't get past the login screen. Of course, you must also allow other traffic needed by your application, such as FTP or SMTP.
Use access control lists (ACLs) and file protection (the good old Read-only attribute) to protect your Web pages from modification. One of Nimda's innovations is modifying HTML and ASP pages to insert a small JavaScript that downloads and runs a virus program.
Turn on security auditing and logging wherever possible. It should be turned on for NT, IIS, and your database. You'll need them for the daily monitoring to be discussed later.
4.4 Install a Firewall and Set Narrow Rules
A properly configured firewall offers an enormous degree of protection from attacks against your IIS. It should be configured to allow access only to port 80 (HTTP) and, if you are using it, port 443 (HTTPS, aka SSL). Doing so blocks Internet Control Message Protocol (ICMP) traffic, such as PING, which is frequently used in attacks. As with the TCP/IP filtering mentioned above, be sure to allow any legitimate traffic on other ports.
If you're running an extranet used by a limited number of business partners, consider restricting access to the IP address ranges of just those partners. Be sure to create rules to allow traffic to the backup servers.
5 Monitoring
Virus attacks and downed servers get attention, and everyone knows that you have to fix them and protect from future attacks. Now comes the hard part: monitoring your server. It's hard because someone has to do it every day. Not every week. Every day. Anything less leaves gaps in coverage that are just too long. Nimda spread across the world in less than 24 hours.
As you monitor, you're going to look for unusual activity. What's unusual? To know what's unusual, you have to know what is usual. To know what's usual, you have to establish a baseline. I'll discuss creating your baseline in each of the detailed sections that follow.
5.1 Virus Check
Start by checking to see if any viruses have been found in the last 24 hours. In addition to running the real-time virus protection, schedule a complete virus scan every night around 1 a.m. when system usage is low. For good measure, run the virus scanner's update program to check for new virus definitions 15 minutes before starting the scan. Your baseline for viruses is zero. There should be no viruses found.
5.2 NT Event Logs
All three logs should be checked.
The Security log should be checked for failed logins, unusual levels of activity, and modifications to the system's security configuration.
The System log should be checked for unusual activity, such as browser requests from unknown systems or incomplete data packets intercepted on the network.
The application log should also be checked for unusual activity.
5.3 Is Your System Software Up to Date?
Not only is the world supplied with an abundance of hackers, it also has an abundance of security consultants hunting for new vulnerabilities and publicizing them. Microsoft has been keeping up with new vulnerabilities by issuing a stream of Hotfixes to Windows, IIS, IE, and Office. You can't wait for a service pack to come out. There have been 52 security bulletins with fixes so far in 2001 without a service pack. Recently Microsoft has also made an effort to get the security consultants to stop publicizing new vulnerabilities.
As discussed above, there are two tools available for checking updates on a server:
Network Security Hotfix Checker
Windows Update from the IE Tools menu
Pick one or the other or both to do your daily monitoring.
With Network Security Hotfix Checker your baseline is the list of bulletins that are reported as necessary, but that you've determined are not needed, or don't show up as handled because their solution is manual. On Windows 2000, this list is usually nothing. On NT 4 Server, I always seem to have eight of these.
To be able to monitor this every day, create a baseline report using the command line:
hfnetchk > HotFixBaseLine.log
Next, create a Command (CMD) file with these two lines:
hfnetchk > TodaysHotFix.log
fc /L HotFixBaseLine.Log TodaysHotFix.Log
Point a shortcut to the CMD file, run it, and you'll know in a few seconds if you're up-to-date. You'll have to update HotFixBaseLine.Log after any updates are applied.
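The fc comparison above reports any textual difference, so a reordered line or a changed date in the report looks like a change even when the set of missing bulletins is the same. The following Python script, added here as an example and not part of the article's original CMD-file method, does the same baseline comparison on the set of bulletin ids (the MSYY-XXX form given earlier) instead of on raw lines. The two report texts are constructed samples that only imitate the idea of a checker naming missing bulletins; they are not hfnetchk's real output format.

```python
import re
from typing import Dict, List, Set

# Bulletin ids have the form MSYY-XXX, as in the bulletin URL given earlier.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")

# Constructed sample reports. They only imitate the idea that the checker
# names the bulletins it considers missing; the layout is not hfnetchk's.
BASELINE_REPORT = """\
Hotfix checker run (constructed sample)
  MS98-001  not found  (manual fix: Createals.exe -a, accepted)
  MS99-025  not found  (handled by IIS Lockdown, accepted)
"""

TODAY_REPORT = """\
Hotfix checker run (constructed sample)
  MS99-025  not found  (handled by IIS Lockdown, accepted)
  MS98-001  not found  (manual fix: Createals.exe -a, accepted)
  MS01-048  not found
"""


def bulletins_in(report_text: str) -> Set[str]:
    """Every bulletin id mentioned in a report, regardless of line layout."""
    return set(BULLETIN_RE.findall(report_text))


def compare_to_baseline(baseline_text: str, today_text: str) -> Dict[str, List[str]]:
    """Set comparison of today's report against the accepted baseline.

    Unlike a line-by-line fc, this is unaffected by reordering, timestamps
    or changed wording; only the bulletins themselves matter."""
    base = bulletins_in(baseline_text)
    today = bulletins_in(today_text)
    return {
        "new": sorted(today - base),       # act on these today
        "resolved": sorted(base - today),  # refresh the baseline file
        "known": sorted(today & base),     # accepted exceptions, no action
    }


def up_to_date(baseline_text: str, today_text: str) -> bool:
    """True when nothing beyond the accepted exceptions is reported."""
    return not compare_to_baseline(baseline_text, today_text)["new"]


if __name__ == "__main__":
    result = compare_to_baseline(BASELINE_REPORT, TODAY_REPORT)
    for key, ids in result.items():
        print(f"{key:9}: {', '.join(ids) or '-'}")
    print("up to date" if up_to_date(BASELINE_REPORT, TODAY_REPORT)
          else "NEW bulletins reported")
```

In practice you would read HotFixBaseLine.log and TodaysHotFix.log from disk in place of the two embedded strings; the "resolved" list is the cue to regenerate the baseline after applying updates, just as the article says.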
When using IE's Windows Update I always install everything in the Critical Update category and most things in the Recommended category. If you don't install them, they continue to show up in their respective list. The list can be customized so you aren't reminded to install support for the Hungarian language, etc.
5.4 URLScan Log Check, Web Log Check
These two logs go together because they're reporting on the same traffic, your HTTP hits to your Web server. Start with URLScan. If a request is blocked by URLScan, it never gets to the Web server.
My baseline for URLScan entries is 15 entries for the day. URLScan adds all new entries to the end of one file, URLSCAN.LOG. You have to open it up and jump down to the bottom to see the new entries.
IIS logs every Web request to a log file that you can configure using Internet Services Manager. Set it to create a new log file every day. A simple but effective baseline is the number of kilobytes in the log. Either a spike or a trough in the size of this file would be a signal for concern.
Read the IIS log to get an idea about what's happening in your application and how your users use it. Some things to look for are application errors and visits to a login page without successful login.
In the IIS log will be the probes by the bots, spiders, crawlers, and other programs trying to index the entire Web. This type of probe is important for your site to show up in search engines and you may want to encourage it. On the other hand, if your application isn't open to the public, you might want to discourage it entirely.
Web-indexing programs query a file named robots.txt in the root directory of your site. This is based on the robot exclusion standard. Using robots.txt, they can be directed to the files you want indexed. To turn off all indexing, put the following two lines into your robots.txt file:
# Discourage all web indexing
User-agent: *
Disallow: /
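To make the daily IIS log check in this section concrete, here is an added Python example (not code from the article or from IIS) that parses one day's log in W3C extended format, applies the size-of-log baseline with a spike/trough band, and picks out the two things the text says to look for: application errors and visits to a login page without a successful login. The log lines are a constructed sample; the field set, the ±50% band, and the names of the login and post-login pages are assumptions for the example.

```python
from typing import Dict, List, Optional

# Constructed sample of one day's IIS log in W3C extended format. Only the
# fields used below are included; addresses and requests are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-10-10 08:01:02 10.0.0.5 GET /default.asp 200
2001-10-10 08:01:05 10.0.0.5 GET /login.asp 200
2001-10-10 08:01:09 10.0.0.5 POST /login.asp 302
2001-10-10 08:01:10 10.0.0.5 GET /home.asp 200
2001-10-10 09:15:44 10.0.0.9 GET /login.asp 200
2001-10-10 09:15:50 10.0.0.9 POST /login.asp 200
2001-10-10 09:16:01 10.0.0.9 POST /login.asp 200
2001-10-10 09:16:12 10.0.0.9 POST /login.asp 200
2001-10-10 11:00:00 10.0.0.7 GET /robots.txt 200
2001-10-10 11:00:01 10.0.0.7 GET /report.asp 500
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute fields
        records.append(dict(zip(fields, values)))
    return records


def log_size_kb(text: str) -> float:
    """The article's simplest baseline: size of the day's log in kilobytes."""
    return round(len(text.encode("utf-8")) / 1024, 1)


def size_anomaly(today_kb: float, baseline_kb: float,
                 tolerance: float = 0.5) -> Optional[str]:
    """Flag a spike or trough against the baseline; the +/-50% band is an assumption."""
    if baseline_kb <= 0:
        return None
    ratio = today_kb / baseline_kb
    if ratio > 1 + tolerance:
        return "spike"
    if ratio < 1 - tolerance:
        return "trough"
    return None


def failed_login_clients(records: List[Dict[str, str]],
                         login_page: str = "/login.asp",
                         success_page: str = "/home.asp") -> List[str]:
    """Clients that posted to the login page but never reached the post-login page.

    Which page marks a successful login is application specific; the two
    names here are assumptions for the constructed sample."""
    posted, succeeded = set(), set()
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem == login_page and r["cs-method"] == "POST":
            posted.add(r["c-ip"])
        if stem == success_page:
            succeeded.add(r["c-ip"])
    return sorted(posted - succeeded)


def application_errors(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests answered with a 5xx status: the application errors to read up on."""
    return [r for r in records if r["sc-status"].startswith("5")]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("log size:", log_size_kb(SAMPLE_LOG), "KB")
    print("login attempts without success from:", failed_login_clients(recs))
    for err in application_errors(recs):
        print("application error:", err["time"], err["c-ip"], err["cs-uri-stem"])
```

Run it against yesterday's log file instead of the embedded sample and keep a note of the typical size for the size check; the failed-login list is the one to compare with the Security log's failed logins from section 5.2.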
5.5 Performance Monitor Alerts
Perfmon on NT and on Windows 2000 can be set to write a log of activity to a file instead of showing the current activity on the screen. By continuously gathering statistics about a system, unusual activity can be spotted. Alerts can also be configured and directed to the Event Log. This limits the need to examine the Perfmon log every day. Just look in the Event Log. Start by logging Processor usage, ASP, IIS, and IP activity. You'll need to establish a baseline for your system before adding alerts.
Once you're familiar with what's usual, add alerts that spot the unusual. Figures 2 and 3 show how alerts look in Perfmon and in the NT Event Viewer. These CPU alerts correspond to the nightly virus scans on that system. If IIS is compromised by a Code Red-type virus, its CPU usage shoots to the sky as your server is used to attack other systems.
Figure 2
Figure 3
5.6 Database Log Files
This one is going to depend on the capabilities of your database. For SQL Server 2000 all logins/logouts can be audited in the system log files. If you want to go even further, you can create a baseline using the Profiler to record all Audit events into a table that can be used later for comparison to a running system.
Even more important! Check that your database backups are performed as scheduled and that the database can be restored from the backup.
6 Stay Informed
6.1 Real-Time Security Notifications
To keep up to date with the most important developments in Internet security, subscribe to two mailing lists:
I also get great explanations about how various attacks are performed and free tools to investigate security issues at Gibson Research's site: http://www.grc.com.
Are you exhausted yet? I'm wearing out, and I haven't even touched the subject of writing a secure application! That's a topic for another article some day. In the meantime I monitor my systems every morning, continue to read about security topics, and work to improve the security of my applications in every way possible. Unless the application developers and network administrators of the world are vigilant about security, the terrorists of the Internet will destroy the Internet's potential for improved productivity, convenient commerce, knowledge sharing, and just plain fun. I, for one, don't want that to happen.
About the Author
Andrew Novick develops business applications as an independent consultant using ASP, Visual Basic (VB), and SQL Server. He's a frequent contributor to the local VB Pro user group. The year 2001 marks his 30th year of computer programming, starting in high school with a PDP-8 and moving on to a degree in Computer Science, an MBA, and then programming mainframes, minicomputers, and for the last 15 years, PCs. When not programming he enjoys coaching tee-ball, mowing the lawn, and the occasional movie with his wife. He can be reached at anovick@world.std.com.