Demonstration of the main ways hackers attack IIS, and security countermeasures
Hu Xue, Senior Consultant, Microsoft Consulting Services (USA)
SEC307

Agenda
- How the hack works: the Internet Information Server (IIS) Unicode exploit
- Why did Code Red and Nimda happen?
- Microsoft's response: STPP; new security features in IIS 6.0
- How to harden IIS: for network administrators; for application developers

How It Works: Canonicalization
"A rose is a rose is a rose is a rose" (Gertrude Stein). Or is it? All of the following name the same file:
    c:\myprograms\mydir\test.asp::$DATA
    ..\mydir\test.asp
    c:\myprograms\mydir\test.asp.
    c:\myprograms\mydir\test.asp
    c:\myprog~1\mydir\test.asp

Demo: Unicode Exploit

Is Windows 2000 a secure platform? Yes!
- Security is built in
- Winner of the eWeek OpenHack challenge
- Customers who survived Code Red and Nimda:
    - were current on service packs and security patches
    - had "locked down" systems so that the vulnerabilities were not exposed
    - withstood the attacks even without applying patches
    - did both, for "defense in depth"

Microsoft's commitment
- Security Response Center
- STPP
- Windows Security Push: 7000 engineers
- Dedicated security personnel

STPP and IIS
Strategic Technology Protection Program: a sustained campaign for Windows NT 4.0 and Windows 2000
- Get secure
    - Free Windows Security Resource Toolkit CD: Hotfix Rollup, IIS Lockdown, HFNetChk, URLScan
    - Support: 1-866-PCSafety, free support for security issues
- Stay secure
    - Bundle all security fixes since the most recent Service Pack
    - Windows 2000 Service Pack 3 (SP3)
    - Windows Update Corporate Edition
    - Auto update: scheduled install

Demo: IIS Lockdown Tool, URLScan

Important notes
- Install the new IIS Security Rollup Package (SRP): /technet/security/bulletin/ms02-018.asp
- URLScan: 37756

New security design in IIS 6.0
- Reduced attack surface
    - IIS is not installed by default
    - Server lockdown: static files only
    - Secure defaults
- Code security
    - Buffer overflow checks, automated in the Windows build environment; VC++ compiler supported (/Gs)
    - Revised canonicalization
    - Removed old legacy code
- Low-privilege accounts
- Security through isolation
- Great patch management story
- New authentication and authorization schemes

Practical measures: best practices
- Run the IIS Lockdown wizard and URLScan
- Lock down your network with IPSec
- Do not use FAT!
- Keep your content on a separate partition
- Use authentication
- Disable unneeded system services

Stay informed
- Check for new security hotfixes
- Subscribe to the security notification service: /technet/security/bulletin/notify.asp
- Use HFCHECK/HFNETCHK: /technet/security/tools/tools/hfnetchk.asp
- Query Windows Update
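The canonicalization slide above lists five spellings of one file; the Unicode exploit works the same way, with a percent-encoded or overlong UTF-8 byte sequence that the access check does not recognise as a path separator. The following Python is an added example (not code from the slides or from IIS) of the rule the slide implies: reduce every request path to one canonical form before deciding anything, and refuse anything that cannot be reduced safely. The web root, the `canonicalize` and `flag_requests` functions and the W3C-style log lines are all constructed for the example; the log scan illustrates the "monitor IIS logs" advice later in the deck.

```python
"""Canonicalization check for request paths (added example, not from the slides)."""
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # assumed web root for the example


def canonicalize(raw_path):
    """Return the canonical on-disk path for a request path, or None to refuse it."""
    data = unquote_to_bytes(raw_path)
    try:
        # Strict UTF-8 rejects overlong forms such as %c0%af, a non-shortest
        # encoding of '/', which is exactly what a naive check lets through.
        path = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "%" in path:             # a second encoding layer survived: refuse, do not decode again
        return None
    if "\x00" in path:          # a NUL can truncate the path in lower layers
        return None
    path = path.replace("\\", "/").lower()   # NTFS paths are case-insensitive
    if "::$data" in path:       # alternate data stream spelling of the same file
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, path.lstrip("/")))
    for segment in full.split("/"):
        # trailing dot and 8.3 short names are further aliases of the same file
        if segment.endswith(".") or "~" in segment:
            return None
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None             # '..' walked out of the web root
    return full


# Constructed W3C-style IIS log lines: date time client method uri-stem status
LOG_LINES = [
    "2001-09-18 10:22:13 10.0.0.5 GET /default.asp 200",
    "2001-09-18 10:22:14 10.0.0.5 GET /mydir/test.asp 200",
    "2001-09-18 10:22:15 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200",
    "2001-09-18 10:22:16 10.0.0.9 GET /msadc/..%255c../winnt/system32/cmd.exe 404",
    "2001-09-18 10:22:17 10.0.0.9 GET /mydir/test.asp::$DATA 200",
]


def flag_requests(lines):
    """Return (client, uri) for every logged request whose path does not canonicalize."""
    flagged = []
    for line in lines:
        fields = line.split()
        client, uri = fields[2], fields[4]
        if canonicalize(uri) is None:
            flagged.append((client, uri))
    return flagged


if __name__ == "__main__":
    for spelling in ("/mydir/test.asp", "/MyDir/%74est.asp", "/mydir/test.asp.",
                     "/myprog~1/mydir/test.asp", "/mydir/test.asp::$DATA"):
        print(f"{spelling!r:32} -> {canonicalize(spelling)}")
    for client, uri in flag_requests(LOG_LINES):
        print("flagged", client, uri)
```

The design choice is to decode exactly once, strictly, and then compare the normalised result against the web root, rather than to pattern-match on `..` in the raw string; the second approach is what the aliases on the slide defeat.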
Security: A way of life
- Remain informed, vigilant, and educated!
- Audit: the event log; monitor the IIS logs
- Make a plan for what needs to be done when:
    - a new security bulletin is released
    - you are hacked
- Do backups
- Use tools to detect intrusions: URLScan

If you are unfortunately hacked…
- Remove infected machines from the net
- Forensics: take an image; find out how the hacker did it
- Check with vendors for new vulnerabilities
- Check log files
- Examine connected computers
- Install a clean image after a low-level format
- Change passwords
- Update installation guides
- Document what you have learned
- Make an incident response plan

Security problems that can arise in programming
Assume all input is malicious!
Three main threats:
- Cross-site scripting
- Buffer overflows
- SQL injection

How Cross-Site Scripting Works
(Diagram: Client, BAD.COM, TRUSTED.COM.) The client follows a hyperlink from BAD.COM to TRUSTED.COM; TRUSTED.COM answers "Error: Invalid URL" + the requested link, and the requested link carries <script>MsgBox "hello"</script>.

Demo: Cross-Site Scripting

Cross-Site Scripting solutions
- Filter input parameters for special characters: ' % ; ) ( & + -
- Encode output based on input parameters: URLEncode, HTMLEncode
- Set data limits
- Use input validation controls in ASP.NET

Buffer Overruns
And again: all input is bad!

Buffer Overflows: how it works
(Diagram: program stack with local variables, calling code and the return address. With malicious input the local variables are overwritten and a new return address is planted, pointing at JMP ESP.)
    push    ebp
    push    ecx
    mov     ebp, esp
    sub     esp, 54h
    xor     ecx, ecx
    mov     byte ptr [ebp-14h], 'h'
    mov     byte ptr [ebp-13h], 'a'
    mov     byte ptr [ebp-12h], 'c'
    mov     byte ptr [ebp-11h], 'k'
    mov     byte ptr [ebp-10h], 'e'
    mov     byte ptr [ebp-0Fh], 'd'
    mov     byte ptr [ebp-0Eh], '1'
    mov     byte ptr [ebp-0Dh], '.'
    mov     byte ptr [ebp-0Ch], 'e'
    …

Demo: Buffer Overflow

Buffer Overflow solutions
Unsafe functions: strcpy, strcat, memcpy, sprintf, memcpy, memset, gets, sscanf, read, strstr, strrev, …
- Validate all inputs
- See "Writing Secure Code" by Michael Howard and David LeBlanc
- Double-check, or don't use, the unsafe functions

SQL Injection
And again: all input is bad!

The vulnerable logon check (JScript in an ASP page; the query is built by string concatenation):

    if (isPasswordOK(Request.form("name"), Request.form("pwd"))) {
        Response.write("Authenticated!");
        // Do stuff
    } else {
        Response.write("Access Denied");
    }

    function isPasswordOK(strName, strPwd) {
        var fAllowLogon = false;
        var oConn = new ActiveXObject("ADODB.Connection");
        var strConnection = "Data Source=c:\\auth\\auth.mdb";
        oConn.Open(strConnection);
        // The user-supplied name and password are pasted straight into the SQL text
        var strSQL = "SELECT count(*) FROM client WHERE " +
                     "name='" + strName + "'" +
                     " and pwd='" + strPwd + "'";
        var oRS = new ActiveXObject("ADODB.RecordSet");
        oRS.Open(strSQL, oConn);
        fAllowLogon = (oRS(0).Value > 0) ? true : false;
        oRS.Close();
        delete oRS;
        oConn.Close();
        delete oConn;
        return fAllowLogon;
    }

Bad guy
    Username: b' or '1'='1
    Password: b' or '1'='1
    SELECT count(*) FROM client WHERE name='b' or '1'='1' and pwd='b' or '1'='1'
Why is it dangerous?

Good guy
    Username: mikey
    Password: &y-)4Hi=Qw8
    SELECT count(*) FROM client WHERE name='mikey' and pwd='&y-)4Hi=Qw8'

Demo: SQL Injection

SQL Injection solutions
- Tell the attacker nothing!
- Determine what is valid input
- Beware of quotes
- Check SQL return values
- Disable parent paths in ASP: the EnableParentPaths property

Tools and checklists
- Security Toolkit online
- Lockdown Tool
- HFNETCHK
- URLSCAN
- Whitepapers
- Checklists
- NSA Security Recommendat
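The cross-site scripting slides above say to filter input for a list of special characters, to set data limits, and to encode output with URLEncode or HTMLEncode according to where the output lands. The following Python is an added example (not from the slides) that applies those three steps to the "Error: Invalid URL" page from the diagram, with the diagram's payload as constructed input. The function names, the `MAX_URL_LEN` limit and the `/retry?u=` link are assumptions made for the example; `html.escape` and `urllib.parse.quote` stand in for the HTMLEncode and URLEncode calls the slide names.

```python
"""Reflected-XSS defences from the slide: filter input, limit size, encode output per context."""
import html
from urllib.parse import quote

SPECIAL_CHARS = set("'%;)(&+-")   # the filter list from the slide
MAX_URL_LEN = 256                  # assumed data limit for the example


def validate_input(value):
    """Input filtering step: reject over-long values and the slide's special characters."""
    if len(value) > MAX_URL_LEN:
        return False
    return not (SPECIAL_CHARS & set(value))


def render_error_unsafe(requested):
    """Vulnerable form: the requested link is reflected verbatim into the HTML body."""
    return "<p>Error: Invalid URL " + requested + "</p>"


def render_error_safe(requested):
    """Hardened form: HTMLEncode where the value is text, URLEncode where it is part of a URL."""
    text = html.escape(requested, quote=True)   # <, >, &, ", ' become entities
    href = quote(requested, safe="")            # every reserved character is percent-encoded
    return ('<p>Error: Invalid URL <a href="/retry?u=' + href + '">'
            + text + '</a></p>')


if __name__ == "__main__":
    payload = '<script>MsgBox "hello"</script>'   # constructed, from the diagram
    print("filter accepts payload:", validate_input(payload))
    print(render_error_unsafe(payload))
    print(render_error_safe(payload))
```

Note that filtering alone is a blacklist and the slide's character list does not even contain `<`; the encoding step is what actually neutralises the payload, and it has to be chosen per context, since an HTML-encoded value placed inside an `href` is still a live URL.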
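The SQL injection slides show the concatenated query, the bad guy's `b' or '1'='1` input and the good guy's real credentials, and then list "determine what is valid input", "beware of quotes" and "check SQL return values" as the fixes. The following Python is an added example, not the deck's ASP code, that ports `isPasswordOK` to an in-memory SQLite table so the two query forms can be run side by side: the slide's string concatenation, and a parameterised query whose return value is also checked for exactly one match. The table, the `mikey` row and the function names are constructed for the example.

```python
"""isPasswordOK from the slides, as written (vulnerable) and with parameters (added example)."""
import sqlite3


def make_db():
    """Constructed client table with the good guy's row from the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO client VALUES ('mikey', '&y-)4Hi=Qw8')")
    conn.commit()
    return conn


def build_unsafe_sql(name, pwd):
    """The slide's query, built by concatenation; quotes in the input become SQL syntax."""
    return ("SELECT count(*) FROM client WHERE name='" + name
            + "' and pwd='" + pwd + "'")


def is_password_ok_unsafe(conn, name, pwd):
    """Vulnerable: a tautology in either field makes count(*) cover every row."""
    return conn.execute(build_unsafe_sql(name, pwd)).fetchone()[0] > 0


def is_password_ok_safe(conn, name, pwd):
    """Hardened: placeholders keep the input as data, and the count must be exactly 1."""
    sql = "SELECT count(*) FROM client WHERE name=? and pwd=?"
    count = conn.execute(sql, (name, pwd)).fetchone()[0]
    return count == 1   # "check SQL return values": more than one match is itself suspicious


if __name__ == "__main__":
    db = make_db()
    evil = "b' or '1'='1"
    print(build_unsafe_sql(evil, evil))
    print("unsafe, bad guy :", is_password_ok_unsafe(db, evil, evil))
    print("safe,   bad guy :", is_password_ok_safe(db, evil, evil))
    print("safe,   good guy:", is_password_ok_safe(db, "mikey", "&y-)4Hi=Qw8"))
```

With parameters there is nothing to "beware of" in the quotes: the driver never lets the input touch the statement text, so the question of what characters are valid is reduced to the application's own rules for names and passwords. The caller should still report the same generic "Access Denied" for both a wrong password and a malformed input, which is the slide's "tell the attacker nothing".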