黑客攻击IIS的主要发式演示及安全防范措施

黑客攻击IIS的主要发式演示及安全防范措施胡雪美国微软公司顾问咨询部高级顾问SEC307日程：怎样黑的:TheInternetInformationServer(IIS)Unicodeexploit为什么有CodeRed和Nimda?微软的应对措施：STPPNewsecurityfeaturesinIIS6.0怎样加固IIS?网络管理员程序开发员HowItWorksCanonicalizationAroseisaroseisaroseisaroseGertrudeSteinOrisit?c:\myprograms\mydir\test.asp::$DATA..\mydir\test.aspc:\myprograms\mydir\test.asp.c:\myprograms\mydir\test.aspc:\myprog~1\mydir\test.asp演示：UnicodeExploitWindows2000是一个安全的平台吗？是的！YES!Securityisbuilt-inWinnerofeWeekOpenHackchallengeCustomerswhosurvivedCodeRedandNimdaCurrentonservicepacksandsecuritypatches“Lockeddown”systemssothatvulnerabilitieswerenotexposedWithstandattacksevenwithoutapplyingpatchesDidbothfor“defenseindepth”Microsoft’scommitmentSecurityResponseCenterSTPPWindows®SecurityPush7000engineersDedicatedSecurityPersonalSTPPAndIISStrategicTechnologyProtectionProgramSustainedcampaignforWindowsNT®4.0andWindows2000GetsecureFreeWindowsSecurityResourceToolkitCDHotfixRollupIISLockdownHFNetCHKURLScanSupport1-866-PCSafety,freesecurityissuesupportStaysecureBundleallsecurityfixessincemostrecentServicePackWindows2000ServicePack(SP3)WindowsUpdateCorporateEditionAutoupdate–ScheduledinstalldemoIISLockdownToolURLSCAN重要提示InstallnewIISSecurityRollupPackageSRP=/technet/security/bulletin/ms02-018.aspURLSCAN=37756IIS6.0安全方面的新设计：ReducedattacksurfaceIISisnotinstalledbydefaultServerLockdown:StaticfilesonlySecuredefaultsCodesecurityBufferoverflowchecksAutomatedintheWindowsbuildenvironmentVC++compilersupported(/Gs)RevisedcanonicalizationRemovedoldlegacycodeLowprivilegeaccountsSecuritythroughIsolationGreatpatchmanagementstoryNewauthenticationandauthorizationschemes实用措施BestPracticesRunIISLockdownwizardandURLScanLockdownyournetworkwithIPSecDonotuseFAT!HaveyourcontentonaseparatepartitionUseauthenticationDisableunneededsystemservicesStayInformedSecurity:AwayoflifeCheckfornewsecurityhotfixesSubscribetotheSecuritynotificationservice=/technet/security/bulletin/notify.aspUseHFCHECK/HFNETCHK=/technet/security/tools/tools/hfnetchk.aspQueryWindowsUpdate:AwayoflifeRemaininformed,vigilant,andeducated!AuditEventlogMonitorIISLogsMakeaplanforwhatneedstobedonewhenAnewsecuritybulletinisreleasedHackedDobackupsUsetoolstodetectintrusionsURLSCAN如果不幸被黑了…RemoveinfectedmachinesfromtheNetForensicsTakeanimage;FindouthowthehackerdiditCheckwithvendorsfornewvulnerabilitiesChecklogfilesExamineconnectedcomputersInstallcleanimageafterlowlevelformatChangepasswordsUpdateInstallationGuidesDocumentwhatyouhavelearnedMakeanincidentresponseplan编程方面可能出现的的安全问题假设说有的输入都有恶意!ThreemainthreatsCross-sitescriptingBufferoverflowsSQLinjectionClientHowCross-SiteScriptingWorksBAD.COMTRUSTED.COMhyperlinkError:InvalidURL+requestedlinkscriptMsgBox“hello”/scriptdemoCross-SiteScripting解决方法Filterinputparametersforspecialcharacters'%;)(&+-EncodeoutputbasedoninputparametersURLEncodeHTMLEncodeSetDataLimitsUseInputValidationControlsinASP.NETBufferOverrunsAndagain:Allinputisbad!BufferOverflowsHowitworksLocalvariablesCallingCodeProgramStackReturnAddressJMPESPLocalvariablesCallingCodeProgramStackReturnAddressMaliciousInputNewReturnAddresspushebppushecxmovebp,espsubesp,54hxorecx,ecxmovbyteptr[ebp-14h],'h'movbyteptr[ebp-13h],'a'movbyteptr[ebp-12h],'c'movbyteptr[ebp-11h],'k'movbyteptr[ebp-10h],'e'movbyteptr[ebp-0Fh],'d'movbyteptr[ebp-0Eh],'1'movbyteptr[ebp-0Dh],'.'movbyteptr[ebp-0Ch],'e'…demoBufferOverflow解决方法strcpystrcatmemcpysprintfmemcpymemsetgetssscanfreadstrstrstrrev…ValidateallinputsSee“WritingSecureCode”byMichaelHowardandDavidLeBlancDouble-checkordon’tuseunsafefunctionsSQLInjectionAndagain:Allinputisbad!if(isPasswordOK(Request.form(name),Request.form(pwd))){Response.write(Authenticated!);//Dostuff}else{Response.write(AccessDenied);}functionisPasswordOK(strName,strPwd){varfAllowLogon=false;varoConn=newActiveXObject(ADODB.Connection);varstrConnection=DataSource=c:\\auth\\auth.mdb;oConn.Open(strConnection);varstrSQL=SELECTcount(*)FROMclientWHERE+name='+strName+'+andpwd='+strPwd+';varoRS=newActiveXObject(ADODB.RecordSet);oRS.Open(strSQL,oConn);fAllowLogon=(oRS(0).Value0)?true:false;oRS.Close();deleteoRS;oConn.Close();deleteoConn;returnfAllowLogon;}坏蛋Username:b'or'1'='1Password:b'or'1'='1SELECTcount(*)FROMclientWHEREname='b'or'1'='1'andpwd='b'or'1'='1'为什么危险？好人Username:mikeyPassword:&y-)4Hi=Qw8SELECTcount(*)FROMclientWHEREname='mikey'andpwd='&y-)4Hi=Qw8'demoSQLInjection解决方法Telltheattackernothing!DeterminewhatisvalidinputBewareofquotesCheckSQLreturnvaluesDisableparentpathsinASPEnableParentPathsproperty工具和检查清单SecurityToolkitonlineLockdownToolHFNETCHKURLSCANWhitepapersChecklistsNSASecurityRecommendat