Designing Secure Web-Based Applications for Microsoft® Windows® 2000

Author: Michael Howard
Pages: 528
Disk: 1 Companion CD(s)
Level: Intermediate
Published: 07/26/2000
ISBN: 9780735609952
ISBN-10: 0-7356-0995-0
Price (USD): $49.99
Index
Italicized page numbers indicate figures or tables.
Special Characters
"." (dot) attacks, 365
".." (parent paths), 357
| (pipe operator), 378
< and > (redirect operators), 378
3DES (Triple Data Encryption Standard), 74, 428, 451
200 status code – no error, 103
401 error, 102–3, 116–17
401.2 unauthorized error, 331–32
401.3 unauthorized error, 332–33
401.4 authorization denied error, 333–34
403 errors, 116
403.13 client certificate revoked error, 334–35
403.15 forbidden: client access licenses exceeded error, 335
A
accepting threats, 21
access
anonymous (see anonymous access)
authenticated (see authentication)
checks, 9
control, 24, 217
determination, 60–61
identified, 100–101
access control entries. See ACEs (access control entries)
access control lists. See ACLs (access control lists)
AccessFlags setting, 402
AccessSSLFlags setting, 402–3
Access This Computer From The Network privilege, 105–7
access violations (AVs), 13
Account Is Sensitive And Cannot Be Delegated option, 69–70
Account Is Trusted For Delegation option, 70
Account Logon category, 318–20
accounts. See also groups; user accounts
anonymous (see anonymous access)
COM+ startup, 161
IIS identity processes, 154
IUSR_machinename, 104
IWAM_machinename, 157–61
krbtgt, 414, 419
logon events log, 318–20
managing, 51–53
selection at logon, 173
SIDs (Security Identifiers), 53–54
startup, 161
viewing with WMI and ADSI, 393
ACEs (access control entries), 57
access determination, 60
audit, 67–68
Deny, 101–2
Everyone, 250
permission denied errors, 323–24
ACLs (access control lists), 9, 57–68
access determination, 60–61
ACEs (see ACEs (access control entries))
for audit logs, 277
Basic authentication, 106
COM+ access, 201–3
data-tampering threats, 250
editing, 61
groups with, 232
IIS, 231–32
least privilege principle, 62–66
permissions, 58–60
Permissions wizard, 152–54
restricted tokens, 62
SACLs, 67–68
tokens, 55
tools, 61
Active Data Objects (ADO), 38
Active Directory, 44–45
account management, 52–53
Basic authentication, 108–11
certificate mapping, 132–34
cleartext passwords, 115
COM+ 1.0, 206–7
delegation, 69–72
Digest authentication, 113–15
Domains And Trusts tool, 49–50
installing, 45
krbtgt account, 414, 419
Microsoft Certificate Services, 457
schema, extending, 52
setting user object options, 394
SPNs, 414
Store Password Using Reversible Encryption option, 114
User and Groups objects, 48
Users And Computers tool, 52, 71
Users And Groups tool, 70
Active Directory Services Interface. See ADSI (Active Directory Services Interface)
Active Directory Users And Computers MMC, 292–93, 293
Active Server Pages (ASP). See ASP (Active Server Pages)
ActiveX, 88–90
AdminACL setting, 403
administration
with ADSI, 391–95
querying security settings, 399–401
SQL Server, 398–99
technologies for, 391
with VBScript, 391–95
with WMI, 391–95
administrative delegation, 73
administrators group
secondary logons, 63
unauthorized error, 332–33
vulnerability, 66
Administrators Local Administration group, 174
ADO (Active Data Objects), 38
ADSI (Active Directory Services Interface), 390–91
Adsutil.vbs, 395–96
certificates, accessing, 393
compatible technologies, list of, 391
groups and users, enumerating, 392–93
IIsIPSecurity, 151
IIS settings, 395–97, 402–6
Adsutil.vbs, 395
affinitized connections, 147
AH (Authentication Header protocol), 74
Allow IIS To Control Password setting, 105–6
AllowSpecialCharsInShell Registry value, 403
anonymous access, 100–102
anonymous access only error, 332–33
AnonymousPasswordSync property, 403
Anonymous User accounts, 104–5
checking for, 346
disabling support for, 346
IIS authentication, 104–6
privacy and integrity, 253
setting with ADSI, 396
use in attacks, 345–48
Windows 2000 vs. IIS, 222
anonymous impersonation, 55
AnonymousPasswordSync property, 403
Anonymous User accounts. See anonymous access
AnonymousUserName, 403
AnonymousUserPass, 403
application design process, 15–39, 27
business model phase, 26–31
logical model phase, 26, 32–33
physical model phase, 26, 34–38
application-level authentication, 226–32
application-level identity flow, 222
Application Protection settings, 155–56
application roles, 180
applications. See also COM+
configuring, 294–302
databases, configuring, 300–302
High protection, 305
querying security settings, 399–401
shutdown time, setting, 306
user input attacks, 375–82
Web, 294–96
AS (authentication service), 410–11. See also Kerberos, AS (authentication service)
ASN.1, 438–39
ASP (Active Server Pages)
access settings, 402
blank passwords, 224
certificate enrollment controls, 462–63
certificate mapping, 130–32
ClientCertificate collection, 123
configuring Web applications, 294–96
cookies, 95, 241
cryptography, 242–44
IIsCertMapper object, 405
IPSecurity object, 405
Microsoft CryptoAPI, 242–44
Microsoft Script Encoder, 274–76
Netscape browsers, 462
privacy and integrity, 254
quotes in passwords, 234
script attacks with, 380
source code attacks, 274–76
source code disclosure weakness, 231
SQL Server passwords in, 230–31
vulnerable code, 231, 274–76, 380
X.509 client certificate authentication, 122
AspEncrypt, 243
assets, 4
assigning threats, 22
asymmetric keys, 430–34
attack amplification, 356
attacks, 12–13, 337–86
"." (dot) bug, 365
ASP, 231, 274–75, 380
Bonk, 357
buffer overflows, 367–69
DDoS (Distributed DoS), 360–62
dealing with actual, 383–84
detecting (see detecting attacks)
determining software used, 342–43
disclosure, 13, 19–20
DoS (denial of service), 13, 20, 352, 354–62
elevation of privilege (see elevation of privilege attacks)
evolution of, 353
hackers' motivations, 338–39
HTML attacks, 375–82
HTTP "..", 357
HTTP "::$DATA," 358
ICMP flood, 361
IIS, fixed, 365
information disclosure, 357–59
integrity, 13
intrusion detection tools, 371–74
IP fragmentation, 358
LAND, 354–56
locating hosts, 339–40
looking for with Perl code, 366
Nestea, 357
NewTear, 357
ping flood, 358
posting HTML or Script, 358
prioritizing, 20–21
repudiability, 19
responding to, 383–84
scanning for open ports, 341–44
script, 274–76, 379–80
server information, gathering, 348–52
size of posted data, 381–82
Smurf, 356, 361
spoofing, 19, 354–56
Stacheldraht, 361
STRIDE model, 19
SynDrop, 357
SYN flood, 357, 361, 372–73
SYN scans, 344
tampering with data, 19
teardrop, 357
TFN (Tribe Flood Network), 361
tools for probing servers, 352
trace route, 359–60
Trinoo, 361
types of, 13
UDP flood, 361
user information, gathering, 345–48
user input attacks, 375–82
Windows NULL session, 358
audit ACEs. See SACLs (System ACLs)
Audit Object Access, 67–68
audits, 9–10, 30, 276–78. See also logging
detecting attacks with, 363–71
error codes, Account Logon, 320
IIS, 363–69
logon events, 315–20
SCE database, 80
SQL Server, 184–88, 364
Windows 2000, 363–64, 369–70
authentication, 7–8, 46, 217–18
anonymous access, 104–5
anonymous access only error, 332–33
application-level, 226–32
Authentication Ticket Request Failed event, 318–19
AuthFlags property, 403
AuthPersistence property, 404
Basic (see Basic authentication)
browser threats, 270–71
certificate requests, 467
certificates for, 449
challenge/response systems, 118
client configuration, 196
COM+ 1.0, 192–99, 194, 206
complete delegation scenario, 223–26
connection pooling, 304
cookie-based, 241–44
CTLs (certificate trust lists), 123–29
custom, warning about, 244–45
delegation, 69–73
Digest authentication, 113–15
forms-based, 233–39
HTTP Referrer header, 242
IIS (see IIS authentication)
Internet, 100–134 (see also IIS authentication)
IP packets, 74
IPSec vs. SSL/TLS, 263
Kerberos (see Kerberos authentication)
Microsoft Commerce Server 2000, 239
Microsoft Site Server Membership and Personalization, 239
MSV1_0, 318
mutual, 408
Negotiate protocol, 117–19
NTAuthenticationProviders, 405
NTLM (see NTLM authentication)
NTLM vs. Kerberos, 120
operating system level preferred, 218–21
packages, logon, 318
performance by protocols, 222–23
persistence, 404
private keys (see private keys)
procedure on Web, 102–3
SQL Server, 164, 300–301
strong, 24
subauthenticators, 105–6
technologies, list of, 8
UNCAuthenticationPassthrough property, 406
UNCPassword property, 406
weak servers, 219–20
Web, 102–3 (see also IIS authentication)
Web server–based, 223–26 (see also IIS authentication)
X.509 client certificate authentication, 120–34
XML (Extensible Markup Language), 239
Authentication Header (AH) protocol, 74
authentication service (AS), 410–11
authentication service, Kerberos. See Kerberos, AS (authentication service)
AuthFlags property, 403
authorization, 9, 217–18
application-level, 226–32
COM+ 1.0, 192–93, 193, 199–209
complete delegation scenario, 223–26
IIS ACLs, 231–32
operating system level preferred, 218–21
unauthorized error, 331–33
weak servers, 219–20
Web server–based, 223–26
authorization denied error, 333–34
Authorization header, 102
AuthPersistence property, 404
AutoComplete, 269–70
availability, 11
AVs (access violations), 13
Axent Technologies, 371
B
backup permissions, 182
bandwidth throttling, 24
base64 encoding, 437, 456, 464
Basic authentication, 8, 106–13
ASP passwords, 227
Basic with Digest, 115
browser threats, 270–71
complete delegation, 225
Digest authentication with, 115
LogonMethod property, 405
setting logon types, 397
URL format passwords, 240–41
without dialog box, 239–41
basic templates, 78
batch files, 403
batch logon privileges, 107–9
BlackICE, 371
Bonk attacks, 357
broadcast pings, 356
browsers. See also Microsoft Internet Explorer 5
credentials cached by, 251–52
forcing to specific port, 341
buffer management, 25
buffer overflows, 367–69
BugTraq, 385
BulkAdmin role, 175
business models, 26–31
business requirements, 17, 28–29
business risks, 12
C
C++, CTL creation with, 125
caches
directives, 269
expiring immediately, 268
headers, 269
persistent data protection, 266–76
preventing caching, 268–69
privacy threats from, 251–52
SSL/TLS, 269
callbacks
CIS (COM Internet Service), 214
COM+ 1.0 library applications, 198
call failure events, 210–11
Call setting (COM+), 198
CALs (client access licenses)
client access licenses exceeded error, 335
with SSL/TLS, 261
canonicalization, 249
CAPI. See Microsoft CryptoAPI
CAs (certificate authorities), 134, 137, 439–44
authentication weakness, 449
certificate management, 447
Certificate Services tool, 457–58
hierarchies, 444–45
list of, Web site, 138
Microsoft Certificate Services, 457–62
stores, 452
CDPs (CRL distribution points), 125, 334–35, 448, 459
CD Universe attack, 255
CertCheckMode, 404
CERT Coordination Center, 384
certificate authorities. See CAs (certificate authorities)
Certificate dialog box, 453
certificate enrollment control, 462–63
Certificate Export wizard, 456
Certificate Import wizard, 454–55
certificate mapping, 126–34
certificates, 434–50
403.13 client certificate revoked error, 334–35
accessing public, 440
accessing using ADSI, 393
Active Directory, 45
authentication with, 449
authorities (see CAs (certificate authorities))
base64 encoding, 437
binding, 435
CDPs (CRL distribution points), 334–35, 448
Certificate dialog box, 453
Certificates tool, 463
CertUtil tool, 464
chains, 444–47
ClientCertificate collection, 123
vs. cookies, 449–50
CRLs (see CRLs (certificate revocation lists))
CryptoAPI, 450–57
CTLs (certificate trust lists), 123–29, 452
DER (distinguished encoding rules), 437
documentation sites, 465–66
empty client certificate dialog box, 328–29
enabling strong private key protection, 456
encryption not provided, 448
enrollment, 135–38, 462–63
expired, 461
exporting, 456–57
extensions, 435
file extensions, 454
hashes for, 435
hierarchies, 444–47
icons for, 454
IIsCertMapper object, 405
IIS performance with, 223
importing, 454–55
invalid, recovering from, 122
issuer names, 435
issuers, checking, 123
leaves, 444
management, 464
mapping, 126–34
Microsoft Certificate Services, 457–62
Microsoft Office 2000, 468
myths, 448–50
names of computers certified, 137
OIDs, 435, 438
PKCS (passphrase-based encryption), 438, 467
private keys (see private keys)
properties, viewing, 453–54
protocols for, 448
public keys, 137, 140, 430–34
replication, 146–47
request file, 138
REQUEST store, 140
revocation checking, 460–61
revoking (see CRLs (certificate revocation lists))
root, 442–44, 452
Security Alert dialog box, 331, 331
SelfCert.exe, 468
serial numbers, 435
SGC (Server Gated Cryptography), 137
SHA-1, 331
signatures (see digital signatures)
SSL/TLS, 134, 256
stores, 452
structure of, 435–36
subject names, 435–36
tools, 447, 463–64
trust of, 439–44, 447
validity periods, 435, 462
VBA (Visual Basic for Applications), 468
verification of, 441, 442
VeriSign, 439–44
version numbers, 435
viewing, 464, 465
Web Server Certificate wizard, 463
Web servers, multiple, 146–47
wildcards with, 261–62
Windows 2000, 452–67
X.509 client certificate authentication, 120–34
Certificate Services. See Microsoft Certificate Services
Certificates management tool, 454
Certificates tool, 463
certificate stores, 452–53
certification authorities. See CAs (certificate authorities)
CertUtil tool, 464
CGI (Common Gateway Interface)
CreateProcessAsUser property, 404
source code attacks, 274–76
Challenge/Response authentication. See NTLM authentication
challenge/response systems, 118
challenges, 102
characters, unwanted, stripping, 376–79
CheckCertRevocation Registry setting, 404
CheckTokenMembership, 62
CIM (Common Information Model), 390
ciphers. See encryption algorithms
CIS (COM Internet Service)
callbacks, 214
COM+ 1.0, 212
enabling, 196
classes, 191
cleartext, 106–7, 272–74
ClientCertificate collection, 123
client certificate revoked error, 334–35
client computers
privacy and integrity, 251–52
vulnerability, 385–86
client configuration checklists, 305
client persistent data, 266–71
client-side caching, 74
cloaking, 208, 209
COM+, 36, 38, 191–215. See also DCOM (Distributed COM)
accessing methods and resources, 201–4
ACEs too restrictive, 322–23
Active Directory, 206–7
adding DBQuery.dll to, 298
adding roles to, 298
application-level authorization, 226–32
applications, 191–92, 297–300
Applications node, 159–61
architecture, 192–93
authentication, 192–99, 194, 206
authorization, 192–93, 193, 199–209
ball, spinning, 323
calling, 209–11, 295
Catalog, querying security settings, 399–401
certificate enrollment controls, 462–63
certificate mapping, 130–32
checklist for configuration, 306
CIS (COM Internet Services), 196, 212
clients, 195
cloaking, 208, 209
complete delegation, 223–26
components, 191–92
Component Services tool, 297
configuration, 195–98, 202–3, 297–300, 306
debugging, 210–11
delegation checklist, 306
distributed (see DCOM (Distributed COM))
Enable COM Internet Services On This Computer, 196
Enable Distributed COM On This Computer, 196
Enforce Access Checks For This Application, 197
example of secure solution, 291, 297–300
exporting proxies, 299
firewalls, 212
Identity tab, 198–99, 199
IIS identity processes, 155, 159–61
IIS interface, 395
impersonation/delegation model, 200, 200, 206–8, 224
IMSAdminBase, 395
Interactive user setting, 198–99
interfaces, 191–92, 202–3
Internet, with, 212–15
invoking applications, 300
Kerberos, 206, 420–22
library applications, 198
logging, 210
Login failed for user error, 326–27
method calls, 192, 192, 195, 201–3
negotiating authentication, 195, 195
network libraries, setting, 325
passwords in SQL Server, 230
permission denied errors, 322–23
pinging with Winsock, 401
policies, 205
process handling identity, 305
programming, 204, 207
protection levels, 197–98
proxies, 297–300
proxy servers, 212–13
querying application security settings, 399–401
roles, 200–202
scripts, 399–401
security settings, 196–97, 197, 202, 298
server applications, 198
services, 191–92
SOAP (Simple Object Access Protocol), 215
with SQL Server, 223–26
SQL Server passwords in, 230
startup accounts, 161
trusted application model, 200, 200, 205–6
Tunneling TCP protocol, 212–15
Visual Basic programming, 207–8
WAMUserName property, 406
COM Application Export Wizard, 299
COM Internet Service (CIS). See CIS (COM Internet Service)
Common Information Model (CIM), 390
compatws template, 79
components, COM+, 191–92
Computer Is Trusted For Delegation option, 71
confidentiality. See privacy
configuring
Active Directory Users And Computers MMC, 292–93, 293
applications, 294–302
checklists for, 305–7
COM+ 1.0, 195–98, 202–3
DNS servers, 292
domains, 292
example of secure solution, 291–96
IPSec with SSL/TLS, 264–65
SQL Server applications, 300–302
SSL/TLS, 134–49
users, 293–94
connection pooling, 304
Connect setting (COM+), 198
cookie-based authentication, 241–44
cookies, 95–97
ASP (Active Server Pages), 95
vs. certificates, 449–50
deleting, 97
IIS (Internet Information Server), 96
rejecting, 97
script injection attacks, 380
security settings, 89
corporate security policy. See security, policy
countermeasures to threats, 23–25
create permissions, 181–82
CreateProcessAsUser property, 404
CreateRestrictedToken, 62
credentials, 8
access levels, 101
cached by browser, 251–52
Digest authentication, 114–15
credit cards, 265–66
criticality, 21
CRL distribution points (CDPs), 125, 334–35, 448, 459
CRLs (certificate revocation lists), 125, 447–48, 467
CertCheckMode, 404
information contained, 458
Microsoft Certificate Services, 458–62
place of revocation checks, 460
publish periods, 461–62
setting with ADSI, 396
VeriSign, 459
viewing, 459
cross-site scripting, 379–80
CryptoAPI. See Microsoft CryptoAPI
CryptoAPI Service Providers (CSPs), 450–52
Cryptographic API. See Microsoft CryptoAPI
cryptographic protocols. See encryption algorithms
cryptography, 423–69. See also SSL/TLS (Secure Sockets Layer/Transport Layer Security)
agreement on keys, 434
ASP, 242–44
AspEncrypt, 243
asymmetric keys, 430–34
certificates (see certificates)
ciphers (see encryption algorithms)
cost of decryption, 427
CryptoAPI (see Microsoft CryptoAPI)
data integrity, 429–30
DER, 437
DES, 74, 428
digital signatures, 433–34
EFS (Encrypting File System), 73–74, 271
encryption algorithms, 147–49, 424–25, 428
exhaustive key searches, 425
files, encrypting, 73–74
hardware acceleration for, 260
hash functions, 235–39, 429–30
IP packets, 74
keys, 74, 424–27, 430–34
MAC, 430
Microsoft Certificate Services (see Microsoft Certificate Services)
Microsoft Passport, 244
multiple location problem, 431
passwords with, 428
PGP (Pretty Good Privacy), 428
PKCS (passphrase-based encryption), 438
privacy, 424–28
private keys, 430–34
public key encryption, 430–34
RSA encryption, 432–33
secrets, 424
session keys, 233–39, 434
Skipjack, 428
SQL Server, 169–70
symmetric encryption, 424
symmetric keys, 424–27
timestamps, 235–37
Windows 2000, 450–69
X.500 names, 435, 437
CSPs (CryptoAPI Service Providers), 450–52
CTLs (Certificate Trust Lists), 123–29, 452
adding new, 124
certificate mapping, 128–29
creating in C++, 125
empty client certificate dialog box, 328–29
wizard, 124–25
CyberSafe Log Analyst, 313
D
DACLs. See ACLs (access control lists)
"::$DATA" attacks, 365
database connection pooling, 226
database roles, 178–80
databases. See also Microsoft SQL Server
configuring applications, 300–302
connection pooling, 304
enumerating with SQL-DMO, 398
persistent data protection, 266–76
privacy and integrity, 254–55
Data Encryption Standard (DES), 74, 428, 451
data integrity, 88, 429–30
data privacy, 424–28
data, protecting. See persistent data protection
data tampering, 19
countermeasures, 23
mitigation, 249–50
DBCreator role, 175
DBQuery.dll, adding to COM+, 298
db_ roles, 178–79
DCOM (Distributed COM), 212–15
COM+ 1.0 activation, 210
enabling clients, 196
Internet, with, 212–15
port range, 213
dcpromo tool, 292
DC Security template, 79
DDoS (Distributed DoS) attacks, 360–62
debugging. See troubleshooting
decryption. See cryptography
DefaultLogonDomain property, 111, 404
defending against threats, 22
delegation, 69–73
Basic authentication with, 108–9
vs. impersonation, 56, 304, 409
impersonation/delegation model (COM+), 206–10
Kerberos, 409–10
secure solution example, 295
SQL Server, 303
delete permissions, 182
demilitarized zone (DMZ), 75
denial of service attacks. See DoS (denial of service) attacks
Deny ACE, 101
Deny option, 172
deny permissions, 58–59
DER (distinguished encoding rules), 437, 456
DES (Data Encryption Standard), 74, 428, 451
design process, 15–39
Desktop Management Task Force (DMTF), 390
detecting attacks, 362–74
audit logs, 363–71
IIS, 363–69
intrusion detection tools, 371–74
Performance Monitor, 371
SQL Server, 364, 371
Windows 2000 auditing policy, 363, 369–70
DHCP server, 291
dictionary attacks, 236
Diffie-Hellman protocol, 74, 451
Digest authentication, 8, 113–15, 270–71
digest functions. See hash functions
digital signatures, 24, 433–35
ActiveX control for, 284
algorithms, 435
nonrepudiation, 282–83
Digital Signature Standard (DSS), 451
directories, setting options with ADSI, 396
Directory Browsing permission, 150
disclosure, 13, 19–20, 29–32
attacks, 357–59
countermeasures, 23
Internet Explorer, 88
threats, 249–50
DiskAdmin role, 175
distinguished encoding rules (DER), 437, 456
distinguished names (DNs), 437
DLLs
ACEs too restrictive, 322–23
DBQuery.dll, adding to COM+, 298
DllHost.exe, 157–58
DMTF (Desktop Management Task Force), 390
DMZ (demilitarized zone), 75
DNs (distinguished names), 437
DNS (Domain Name System)
lookups, 151
names, credentials prompting, 330
restrictions with IPSecurity object, 405
Round-Robin load balancing, 342
servers, 291–92
UPNs, 49
documentation, security policy, 22
domain accounts, Kerberos, 293
Domain Name System (DNS). See DNS (Domain Name System)
domains, 48–50
configuring, 292
DefaultLogonDomain, 404
logon events, 317
LSA, 410
names, restrictions by, 151–52
Security Event Log of Kerberos authentication, 416, 419
setting default, 110
DoS (denial of service) attacks, 13, 20, 30
countermeasures, 23
Distributed, 360–62
Internet Explorer, 88
IP fragmentation, 358
LAND, 352–56
packets forged, 74
Ping Flood, 358
Smurf, 356
SYN Flood, 357
Teardrop, 357
dotless IP addresses, 91
driver signing, 82
DSS (Digital Signature Standard), 451
DumpAcl, 352
Dumpel, 313
Dump Event Log, 313, 370
E
effort, 21
EFS (Encrypting File System), 73–74, 271
elevation of privilege attacks, 20, 32
countermeasures, 23
Internet Explorer, 88
ElogDmp, 313
e-mail, 92. See also Microsoft Outlook
emergency procedures, 383–84
employees, as threats, 338–39
Encapsulating Security Payload (ESP) protocol, 74
Encrypting File System (EFS), 73–74, 271
encryption algorithms, 424–25. See also cryptography
DES, 74, 428, 451
RC5, 426
SSL/TLS, 147–49
symmetric key, 428
end-to-end security protocols, 255–66
enterprise CAs, 457
error codes, Account Logon, 320
errors, 322–35. See also troubleshooting
200 status code – no error, 103
401 HTTP status code, 102–3, 116–17, 330
401.4 authorization denied, 333–34
403 errors, 116
403.13 client certificate revoked, 334–35
403.15 forbidden: client access licenses exceeded, 335
anonymous access only, 332–33
authorization denied, 333–34
client access licenses exceeded, 335
client certificate revoked, 334–35
[DBNMPNTW] Access Denied, 325–26
EXECUTE permission denied, 327
forbidden: client access licenses exceeded, 335
Login failed for user, 324–27
logons, 322–35
permission denied, 322–23
Service Ticket Request Failed, 324–25
unauthorized, 331–33
ESP (Encapsulating Security Payload) protocol, 74
espionage, industrial, 338–39
Event Viewer, 310–12
Everyone ACE, 250
Everyone group, 54, 180
evidence, 8, 383
example of secure solution, 288, 289–303
COM+ application, 297–300
configuration, 291–92, 294–302
database applications, 300–302
delegation, 295
Microsoft Visual Basic 6.0, 297
scripts for, 289
execute permissions, 150, 182
exhaustive key search, 425
Extensible Markup Language (XML), 239
extranets, 38, 264
F
failover, 11
file canonicalization, 24
filenames, ".." in, 24
filenames, invalid, 379
file operations, limiting specific, 24
files, setting ACLs, 232–33
filtering event logs, 370
firewalls
COM+ 1.0, 212
packet-filtering, 30
privacy and integrity, 254
fixed database roles, 178–79
fixed server roles, 174–75
flood attacks, 361
forbidden: client access licenses exceeded error, 335
forms, 375–82
forms-based authentication, 233–39
Fortezza cards, 35, 93, 431
FTP, IPSec with, 263
G
gatekeepers, 218, 226–32
Geektools, 352
GEMPlus CSP, 451
GET verbs, 102
globally unique identifiers (GUIDs), 171
golden rules, 7–10
Grinder, 352
Group Policy Editor, 81
groups, 48
ACLs with, 232–33
administrators, 63
Administrators Local Administration, 174
COM+ roles, 201
enumerating, 392–93
Everyone, 54, 180
Interactive, 54
logons, 172–73
ShowGrps, 313
SQL Server, 176
tokens, 55
guest books, 375
GUIDs (globally unique identifiers), 171
H
hacking. See also attacks
motivations, 338–39
Phrack magazine, 344
tools for probing servers, 352
hash functions, 24, 235–39, 429–30
digital signatures, 433–34
persistent data protection, 272
signed, of certificate data, 435
SSLCertHash, 405
headers, creating false, 354–56
High (Isolated) application protection, 305, 325–26
hisecdc template, 79
hisecweb.inf Security Configuration Tool template, 361
hisecws template, 79
Host headers, 143–45
hosts, locating for attacks, 339–40
HTML
e-mail with, 92
forms, 375–82
frames, SSL/TLS, 87
posting attack, 358
PRE tags, 381
removing tags, 378
user input attacks, 375–82
".htr" attacks, 365
HTTP
".." (dot) attacks, 357
200 status code – no error, 103
401 errors, 102–3, 116–17
403 errors, 116
authentication, 8, 437
base64 encoding, 437
Basic authentication, 8
"::$DATA" attacks, 358
Digest authentication, 8
GET verbs, 102
Host headers, 143–45
preventing browser caching, 269
Referer, 242
HTTPS, 120–21
I
ICMP (Internet Control Message Protocol), 76
flood attacks, 361
ping flood attacks, 358
Smurf attacks, 356
IDEA, 428
identification impersonation, 56
identified access, 100–101
identifying connection pooling, 304
identities of processes, determining, 314
identity flow, 222–26
IEAK (Microsoft Internet Explorer 5 Administration Kit), 90–91
IETF (Internet Engineering Task Force), 436
IIS (Internet Information Services), 35, 38, 99–100
401 HTTP status code, 330
401.4 authorization denied error, 333–34
403.13 client certificate revoked error, 334–35
403.15 forbidden: client access licenses exceeded error, 335
ACLs, 231–32
ADSI, setting options with, 395–97
ADSI, settings, table of, 402–6
Adsutil.vbs, 395–96
anonymous access, 332–33, 396
application-level authorization, 226–32
applications, configuring, 294–96
ASP authentication code, 228
auditing policy, 363–64
authentication (see IIS authentication)
authorization, 149–54
Basic authentication logon type, 397
CALs with SSL/TLS, 261
certificate mapping, 126–34
Certificate wizard, 134–40, 463
client request execution, 154–62
COM+, calling, 294
Component Services tool, 295, 297
configuration checklist, 305–6
connection speeds, SSL/TLS, 260
cookies, 96
CRLs, 396, 460
CTL wizard, 124–25
directories, requiring Windows authentication for, 396
domain name restrictions, 151–52
empty client certificate dialog box, 328–29
Error: [DBNMPNTW] Access Denied, 325–26
example of secure solution, 291
exporting COM+ proxies to, 299
fixed vulnerabilities, 365
as gatekeeper, 226–32
High Protection, 325–26
HTTP "::$DATA" attacks, 358
identities, 154–62
Impersonation Level, 295, 296
IP address restrictions, 151–52, 397
logs, 10, 277, 321–22, 364–69
metabase, 106
parent paths, disabling, 357
Permissions wizard, 152–54
Permissions Wizard Template Maker, 154
protection levels, 155–58
root certificates, 442–44
sample code weakness, 231
session states, 96
setting anonymous accounts, 396
SSL/TLS, 260, 396
startup accounts, 161
suspicious activity in log, 365
unauthorized error, 331–32
usernames different error, 329
virtual hosting, 142–45
W3C Extended log format, 321
WebDAV, 100
Web permissions, 149–50
Web Server Certificate wizard, 463
IIS authentication, 100–149
Active Directory client certificate mapping, 132–34
Active Directory with Basic authentication, 108–11
Allow IIS To Control Password setting, 105–6
anonymous access, 104–6
Basic authentication, 106–13
ClientCertificate collection, 123
configuring SSL/TLS, 134–49
CTLs (certificate trust lists), 123–29
Digest authentication, 113–15
domains, setting default, 110–11
IISUBA.DLL, 113–14
logon types, 106–8
mapping certificates, 126–34
memory requirements, 223
multiple schemes, 133
multiple Web sites, 142–45
Negotiate protocol, 117–19
Network Logon With Cleartext setting, 107–9
NTLM authentication, 116–20
performance, 222–23
protocols supported, 103
realms, 112
REQUEST store, 140
revoked certificates, 125–26
SSL/TLS, 111–12
Web Server Certificate wizard, 134–40
Windows Directory Service mapping, 132–34
X.509 client certificate authentication, 120–34
IIsCertMapper object, 405
IIsIPSecurity object, 151
IIS Out-Of-Process Pooled Applications, 159–60
IISUBA.DLL, 113–14
IKE (Internet Key Exchange), 76
impersonation, 55–56, 68, 69
COM+ 1.0, 208, 209
connection pooling, 304
vs. delegation, 304, 409
IIS level, setting, 295, 296
Login failed for user error, 326–27
protection levels, 162
speed, 304
impersonation/delegation model (COM+), 206–10
IMSAdminBase, 395
InetInfo.exe, 155–58
information disclosure. See disclosure
information requirements, 17–18
insert permission, 182
installing
Active Directory, 45
SSL/TLS, 134–40
Intact, 374
Integrated Security Mode, 164–66
Integrated Windows authentication. See NTLM authentication
integrity, 10–11, 31, 248–55
anonymous access, 253
attacks, 13
client computers, 251–52
database, 254–55
end-to-end security protocols, 255–66
firewalls, 254
Internet, 252
IPSec, 262–65
proxy servers, 252
tools, 374
Web servers, 254
Interactive group, 54
interactive logon, 106
interfaces, COM+, 191
Internet, 38
authentication, 100–134 (see also IIS authentication)
privacy and integrity, 252
protocols enabled by SSL/TLS, 258
SOAP (Simple Object Access Protocol), 215
Internet Authentication Server, 115
Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)
Internet Engineering Task Force (IETF), 436
Internet Explorer. See Microsoft Internet Explorer 5; Pocket Internet Explorer
Internet Information Services (IIS), 35, 38, 99–100. See also IIS (Internet Information Services)
Internet Information Services Permissions Wizard Template Maker, 154
Internet Key Exchange (IKE), 76
Internet Protocol Security. See IPSec (Internet Protocol Security)
Internet Security Systems, 371
Internet Server API (ISAPI). See ISAPI (Internet Server API)
intranets, 38
IPSec, 264
sites known to Internet Explorer, 330
Intruder Alert, 371
intrusion detection tools, 371–74
IP addresses
DDoS (Distributed DoS) attacks, 360–62
determining, 292
dotless, 91
forged, attack with, 254
in hashes, 239
restrictions by, 151–52
IP fragmentation attacks, 358
IP Grant lists, 397
IP packets, 74
bogus, creating, 353–56
creating, 353–56
low-level inspection, 76
IP restrictions
IPSecurity object, 405
setting with ADSI, 397
IPSec (Internet Protocol Security), 10–11, 24
certificates with, 448
server verification, 74–77
with SQL Server, 221
vs. SSL/TLS, 262–65
IPSecMon, 75, 312
IPSecPol.exe, 76–77
IPSecurity object, 405
ISAPI (Internet Server API)
protection levels, 161
W3Who, 314
issuer names, 435
IsTokenRestricted, 62
IUSR_machinename account, 104, 333
IWAM_machinename, 157–61
J
Java, 88
Last Updated: Friday, July 6, 2001