Nazim's Security Blog
All things security ...
-
Securing your FTP Server 101
I have to admit that FTP has always been a second-class citizen for the IIS security team, and we usually put all our efforts into the HTTP platform. There has always been a notion that our old FTP server (FTP 6.0-) was never really popular due to lack of features. With the recent FTP vulnerabilities it became evident that we were wrong on multiple counts, and so it seems like this is a good time to do a securing your FTP server 101 blog.
-
[Updated] IIS FTP server vulnerabilities for FTP 5.x and FTP 6
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerability. The Microsoft Security Research and Defense team has a blog about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities:
-
Updated advisory for FTP Vulnerability on IIS
The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer the advisory @ http://www.microsoft.com/technet/security/advisory/975191.mspx to get updated information on exposure and impact of vulnerabilities. I have previously discussed this information in an earlier blog post and have updated this post as well. Microsoft Security Response Center (MSRC) has a revised blog as well.
-
Update for WebDAV vulnerability on IIS 5.x and IIS 6
We now have a security update available to address the WebDAV extension vulnerability reported earlier. All customers affected should apply the update even if they have mitigated the issue through a workaround.
-
Update Released for Dynamic IP Restrictions Beta
We had a couple of forum threads that reported an issue in the Beta module for Dynamic IP Restrictions. Since we are doing a significant amount of change for Beta 2, we wanted to unblock customers affected by this issue be releasing a patch. So here it is:
-
WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0
Microsoft has released advisory 971492 about an Elevation of Privilege issue with the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS reside on Windows Server 2000, Windows XP and Windows Server 2003 respectively. The advisory contains relevant information for who is affected and what the mitigations and workarounds are. The Microsoft Security Response Center (MSRC) has also release a blog outlining our response and the Security Research & Defense team has a blog outlining technical details.
-
Token Kidnapping fixed
I had gone into a little detail about explaining token kidnapping in an earlier post. Despite all the difficulties involved in fixing this, MS has released a comprehensive patch that addresses all the issues in MS09-012. This was a monumental effort, so kudos to all the teams involved in coordinating and getting this out the door.
-
Script to lock down IIS paths
In IIS 7 we have request filtering available to help with locking down files and directories that you don't want to serve out. This is useful for resources (like configuration) that you want your IIS worker process to have access to, but not serve it out to clients. Things like web.config files fall in to this bucket, and default IIS 7 request filtering configuration denies serving out this extension. However on IIS 6, you don't have request filtering functionality built into the IIS platform. You would need to install stand-alone tools like UrlScan.
-
Script to install UrlScan v3.0 as a site filter.
Although using WIX to create an MSI to do this task is a cleaner approach, it is too heavy duty for me. I do this often enough to warrant creating a script for it, so I though I would share it out.
-
Token Kidnapping in Windows