August 31, 2001 12:00 AM

Security Considerations for Migrating from NT to Win2K, Part 5

Windows IT Pro
InstantDoc ID #22118
Win2K SP2 fixes many IIS 5.0 security problems

In "Security Considerations for Migrating from NT to Win2K, Part 4," August 2001, I covered IP Security (IPSec), its implementation within Windows 2000, and how it can help improve the security of connections on your network. In Part 5, I look briefly at the new Win2K Service Pack 2 (SP2) and its major security fixes and describe a few simple steps for securing Microsoft Internet Information Services (IIS) 5.0, the IIS version included with Win2K.

You might be wondering what an article about Win2K SP2 and IIS 5.0 is doing in a series about migration from Windows NT 4.0 to Win2K. Many people have been waiting to upgrade to Win2K until it had been knocked around a bit and Microsoft had patched it up. With SP2, Win2K has arrived at that point. SP2 fixes enough problems—including some glaring IIS 5.0 problems—that you can now safely start your migration from NT 4.0.

A Pretty Good Fix
Win2K SP1 included a variety of fixes, patches, and security-vulnerability fixes. Win2K SP2 contains SP1's fixes plus a long list of security-vulnerability fixes that Microsoft has released since SP1. Microsoft released some patches and vulnerability fixes too late to include them in SP2. In addition, many Microsoft Internet Explorer (IE) 5.5 patches and security fixes are included in the IE service pack and not in SP2. Despite these omissions, SP2 fixes many security vulnerabilities. For a fairly comprehensive list of the security vulnerabilities that SP2 fixes (not including the ones SP1 fixes), go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/news/w2ksp2.asp. For a list of SP1's security fixes (which SP2 includes), go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/news/w2ksp1.asp.

You can install SP2 from the Windows Update Web site at http://windowsupdate.microsoft.com. If you prefer to download SP2 to your hard disk or network so that you can install it on several systems, go to http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp. Be forewarned that Win2K with SP2 is a hefty download (more than 100MB).

As with any major software patch, before you install SP2 on a system, you should fully back up the system. You should also make sure that SP2 is compatible with any third-party software running on the system. If you can't find information about your software on Microsoft's TechNet Web site (http://www.microsoft.com/technet) or the Microsoft Knowledge Base Web site (http://search.support.microsoft.com/kb/c.asp), contact Microsoft or the third-party software vendor to confirm the product's compatibility with SP2.

SP2 includes a variety of fixes related to IIS 5.0 security. For example, SP2 remedies two IIS 5.0 Denial of Service (DoS)-related problems that Microsoft's MS01-014 and MS01-016 security bulletins describe. The MS01-023 security bulletin provides a particularly important fix for an IIS 5.0 buffer overrun exploit that, when executed, can give the intruder complete control over the Web server, including the ability to change Web pages, add users with administrative rights, or even format the hard disks.

After you install SP2, you should visit the TechNet Security site's Security Bulletin Search page at http://microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp and download any IIS-related patches that Microsoft has made available since SP2. For example, you should apply the major patch that the MS01-033 security bulletin provides. The MS01-033 patch covers another dangerous IIS buffer overrun exploit. For more information about this vulnerability, go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp.

IIS Vulnerabilities
Given the rate at which intruders find new vulnerabilities in IIS, you might think that IIS is impossible to secure. New vulnerabilities can be rather alarming, but taking some basic security precautions can prevent intruders from exploiting many of these vulnerabilities on your systems. Administrators who perform a few basic steps to secure IIS services on their servers will likely have no problem with the MS01-023 or MS01-033 vulnerabilities (however, keeping up with the latest security patches is still a good idea). I'll show you what these steps are in a minute.

MS01-023 pertains to an Internet Server API (ISAPI) extension that lets users print directly to a URL from a remote site and check the status of their print jobs. The extension has an unchecked buffer in a section of code that handles input parameters. MS01-033 pertains to a component of Indexing Service that provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files). This component has an unchecked buffer in code that handles input URLs. Most organizations don't need or use these ISAPI extensions. However, IIS 5.0 installs the extensions by default, so they're there to exploit unless an administrator removes support for them, applies the MS01-023 and MS01-033 patches, or disables the IIS services.

To exploit the extensions' vulnerability, an intruder mounts a buffer overrun attack (i.e., sends more data than the program's memory buffer can handle), thus causing the program to fail. Not all programs are vulnerable to buffer overrun attacks; vulnerability depends entirely on how developers wrote the software.
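The unchecked-buffer pattern described above, shown beside a length-checked form in a constructed C handler (an added example, not IIS or ISAPI source code). The function names, the 64-byte QUERY_MAX, and the sample URLs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 64  /* assumed buffer size, chosen for this example */

/* Unchecked pattern: strcpy stops only at the NUL terminator, so a query
 * of QUERY_MAX bytes or more is written past the end of dst. */
void store_query_unchecked(char dst[QUERY_MAX], const char *query)
{
    strcpy(dst, query);
}

/* Checked form: measure before copying and refuse oversized input
 * instead of truncating it. Returns 0 on success, -1 on rejection. */
int store_query_checked(char dst[QUERY_MAX], const char *query)
{
    size_t len = strlen(query);
    if (len >= QUERY_MAX)           /* one byte is needed for the terminator */
        return -1;
    memcpy(dst, query, len + 1);
    return 0;
}

/* Hypothetical request handler: stores the query string of a URL and
 * returns an HTTP-style status (200 OK, 414 URI Too Long). */
int handle_url(const char *url, char dst[QUERY_MAX])
{
    const char *q = strchr(url, '?');
    dst[0] = '\0';
    if (q == NULL)
        return 200;                 /* no query string to store */
    return store_query_checked(dst, q + 1) == 0 ? 200 : 414;
}

int main(void)
{
    char buf[QUERY_MAX];
    char long_url[256] = "/query.idq?";            /* constructed sample */
    memset(long_url + strlen(long_url), 'A', 200); /* 200-byte query */

    store_query_unchecked(buf, "term=security");   /* safe only because it is short */
    printf("short query: %d\n", handle_url("/query.idq?term=security", buf));
    printf("long query:  %d\n", handle_url(long_url, buf));
    return 0;
}
```

The checked handler rejects the oversized request outright, which is the behavior a patch for an unchecked buffer typically introduces.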

If the extra data in a buffer overrun attack is random code (i.e., a jumble of characters or data that doesn't really mean anything), the program leaves behind a shell of itself when it fails. This shell usually has the same privileges as the program had when running—in the case of ISAPI, full system privileges. If the intruder data contains functioning program code, the ISAPI shell executes the code with the same system-level permissions as the ISAPI service would.

You can see that an intruder could take control of a system by performing a buffer overrun attack or two and having the ISAPI service launch, with full system privileges, whatever software he or she desires. Let's look at some IIS 5.0 settings that can help secure your Web server against such attacks. Remember that the settings and steps I describe are just a starting point in securing your IIS 5.0 server. You must also be vigilant about keeping up with the TechNet security bulletins and applying service packs and security patches.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.