
Remote Applications & IIS



Terminal Services MW2K3 Chpt. 16

  • Benefits

    • Centralized Deployment of Applications

    • Supporting PC-Unfriendly Environments:

      • Unclean, excessive heat, exposure to elements and theft.

    • Less Processing Power Required on the Client

    • Easier management of user interface.

    • Remote Server Administration


Is this the Future of Networking

  • Not likely for two reasons:

    • Not all applications behave well in Terminal Server environment

      • Legacy applications

    • Some applications and users are just too demanding.

      • Computer-Assisted Drawing

      • Intensive Database applications


Windows NT 4.0 TSE v. W2K3

  • Windows Server now supports:

    • Client side now supports richer screen color

    • Client side now supports sound

    • Publish applications to Web page

    • Mapping client side printers and hard drives

    • Support for cut and paste between local and remote session via clipboard

    • Load balancing with Advanced Server

    • New Remote Desktop Protocol, supporting multiple channels, which means more communication between client and server.

    • Clustering solutions

    • Group policy enhancement


Citrix Metaframe in a Nutshell

  • Multi protocol support

  • Application publishing

  • Seamless Windows

  • Load Balancing


What’s Missing in W2K3 TS

  • Supports only Windows 32 Operating systems

  • Does not support DOS, Unix/Linux, or Macintosh clients

    • Citrix Metaframe is required for those clients.

  • Multi Protocol Support

    • ICA supports IPX/SPX and NetBEUI

  • Seamless Client session

  • Support more than 256 colors

  • Server Farming

  • Load Balancing


Server and Client Requirements

  • Server Hardware

    • Load up on RAM, processors and NICs

      • 1 CPU should be able to support up to 20 users depending on usage.

      • 2GB-4GB minimum RAM


Server and Client Requirements

  • Client Hardware

    • PC w/ a Win32 operating system loaded

    • Windows Terminal Thin Client

      • WYSE

      • HP

    • Handheld PC running Windows CE/PocketPC


IIS Review

  • World Wide Web Server

    • Supports security and encryption

    • Host site for 1 to many domains

    • Pass through to access HTML documents on other machines. (virtual directories)

    • Supports Front Page Server Extensions for easy management and web publishing.

    • Default install only supports static content


IIS Continued

The following technologies are supported in IIS 6 but are disabled after installation of IIS.

  • ASP: Active Server Pages

  • SSI: Server Side Includes

  • CGI: Common Gateway Interface

  • ISAPI: Internet Server Application Programming Interface


IIS Continued

  • Read: allows users to read files from your Web server. In most instances, you will want this option set for the root of a new site. The primary reason for disabling this option is for directories that contain CGI or ISAPI apps, which will usually be set at the subdirectory level.

  • Run Scripts: if you need to allow the execution of ASPs on your site, enable this option.

  • Execute: if you need to allow the execution of ISAPI or CGI apps on your site, enable this option. Enabling it includes the Run Scripts option as well.

  • Write: if client browsers will need to upload files to your Web server or will be writing data to a file, you will need to have write permissions enabled.

  • Browse: if a user does not send a request for a specific file on the Web server and there is no default document defined on the system, IIS will return an HTML representation of the files and subdirectories in the root of the site.


Security Considerations

  • Design and implement your Web app with security as top priority.

  • All it takes is one “legitimate” anonymous or authorized user.

  • At the application level all it takes is one bad assumption in the logic of your site design

  • Don’t hesitate to bring in outside expertise to the development team as well as have an unbiased third party audit your solution.

  • ASSUME ALL INPUT IS MALICIOUS, AND VALIDATE IT!!!


Basic HTTP

  • HTTP is essentially a basic file transfer protocol using the HTTP GET command

    • e.g. http://www.victim.com/files/index.html

    • This command requests the file index.html from the /files virtual directory (for example, c:\inetpub\wwwroot\files)

    • The server interprets the request as follows:

      • GET /files/index.html HTTP/1.0


CGI

  • Common Gateway Interface

  • An executable variation of HTTP

    • e.g. http://www.victim.com/scripts/cgi.exe?variable1+variable2


ASP and ISAPI

  • Active Server Pages

  • Internet Server Application Programming Interface

  • Spawns inetinfo.exe process

    • e.g. http://www.victim.com/scripts/script.asp?variable1=x&variable2=Y

    • e.g. http://www.victim.com/isapi.dll?variable1&variable2


HTTP Issues

  • What do hackers do?

    • Try to trick the server into revealing data it otherwise shouldn’t

    • e.g. file system traversal using ../

      • http://www.victim.com/../../../winnt/secret.txt
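
Added example, not part of the original slides: one way for server-side code to refuse the ../ traversal shown above before a request path ever reaches the file system. It assumes the web root c:\inetpub\wwwroot from the Basic HTTP slide; resolve_request_path, RejectedPath and is_servable are illustrative names, and Python's ntpath module is used so that Windows path rules apply on any platform.

```python
import ntpath  # Windows path rules on any platform
from urllib.parse import unquote

WEB_ROOT = r"c:\inetpub\wwwroot"  # web root from the Basic HTTP slide

class RejectedPath(ValueError):
    """Raised when a request path must not be mapped to the file system."""

def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Return the file path under web_root for url_path, or raise RejectedPath."""
    # Decode percent-escapes exactly once. A '%' that survives means the path
    # was encoded twice (or is malformed); refuse it instead of decoding again.
    decoded = unquote(url_path)
    if "%" in decoded or "\x00" in decoded:
        raise RejectedPath("undecoded escape or NUL in path")
    # Windows accepts both separators, so '..%5c' is the same as '../'.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        raise RejectedPath("parent-path segment")
    parts = [s for s in segments if s not in ("", ".")]
    candidate = ntpath.normpath(ntpath.join(web_root, *parts))
    # Containment check on the final path: catches anything the segment test
    # missed, such as a drive letter that makes join() discard the web root.
    root = ntpath.normcase(ntpath.normpath(web_root))
    folded = ntpath.normcase(candidate)
    if folded != root and not folded.startswith(root + "\\"):
        raise RejectedPath("resolves outside the web root")
    return candidate

def is_servable(url_path):
    """True if url_path maps to a location inside the web root."""
    try:
        resolve_request_path(url_path)
        return True
    except RejectedPath:
        return False
```

The check is deliberately strict: a file name that contains a literal % is refused as well.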


How do we prevent?

  • Do NOT do a default install: in Server 2000 it installs IIS and turns everything on

  • Default install in Server 2003 does not turn anything on

  • After installation, install only necessary items for IIS

  • Once installed, apply ALL necessary hotfixes (http://windowsupdate.microsoft.com/) and keep up to date on a WEEKLY basis

  • Move the default location of the IIS install off the system drive

  • Shut down unnecessary sites, e.g. FTP


Additional Prevention

  • Apply network level access control at routers, firewalls, or other devices that make up the perimeter around Web Servers. Block all non-essential communications in both directions.

  • Make sure to block outbound communications originating from the web server, to confound attackers who compromise it and then attempt to TFTP or FTP files from a remote system or shovel a shell to a remote listener.


Additional

  • Block all non-essential communications to and from the web server at the host level to provide “defense in depth”. Host-level network access control on Server 200x can be configured using TCP/IP Security or IPSec filters.


Secure IIS Checklist

  • Read your corporate security policy

    • How do we react to a break-in?

    • Where are the backups stored?

    • Who is allowed access to the server?

      • http://www.sans.org

      • http://www.baselinesoft.com


Secure IIS Checklist

  • Review, Update and deploy the provided hisecweb.inf template

  • Configure IPSec Policy

    • Consider setting an IPSec packet-filtering policy on every server. This provides an extra level of security if your firewalls are breached.

  • In general, you should block all TCP/IP protocols other than those you explicitly want to support, and all ports other than those you want to open. You can use the IPSec administration tool or the IPSecPol command line to deploy IPSec policy.


Secure IIS Checklist

  • Set Appropriate IIS log file ACLs

    • Administrators (Full Control)

    • System (Full Control)

  • Secure the Telnet server or, better yet, disable it in Services (it is disabled by default).

  • Set appropriate ACLs on virtual directories


Secure IIS Checklist

  • Enable Logging

    • Load the IIS tool

    • Right-click the site in question and choose Properties

    • Click the Web Site tab

    • Check the Enable Logging check box

    • Choose W3C Extended Log File Format from the Active log format drop-down list

    • Click Properties

    • Click the Extended Properties tab and set the following properties

      • Client IP address

      • Username

      • Method

      • URI stem

      • HTTP status

      • Win32 status

      • User agent

      • Server IP address

      • Server port


IIS Basic Log File Sample

#Software: Microsoft Internet Information Services 5.1

#Version: 1.0

#Date: 2005-03-11 12:50:34

#Fields: time c-ip cs-method cs-uri-stem sc-status

12:50:34 10.0.0.11 GET /non_existant_web_link123511.htm 404

12:50:38 10.0.0.11 HEAD /cgi-bin/ 404

12:50:38 10.0.0.11 HEAD /cgi-bin/a1stats/ 404

12:50:38 10.0.0.11 HEAD /cgi-bin/adcycle/ 404

12:50:38 10.0.0.11 HEAD /error/ 404

12:50:38 10.0.0.11 HEAD /doc/ 404

12:50:42 10.0.0.11 HEAD /~nobody/ 404

12:50:42 10.0.0.11 HEAD /site/eg/ 404

12:50:42 10.0.0.11 HEAD /cfdocs/ 404

12:50:42 10.0.0.11 HEAD /cfide/ 404

12:50:42 10.0.0.11 HEAD /cowsconf/ 404

12:50:42 10.0.0.11 HEAD /cgi-bin/cowsconf/ 404

12:50:42 10.0.0.11 HEAD /scripts/ 403

12:50:42 10.0.0.11 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
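
Added example, not part of the original presentation: a small reviewer for W3C extended logs like the sample above. It reads the #Fields directive, then reports clients that request parent-path URLs or collect many 403/404 answers. The function names and the threshold of 5 are assumptions, and the 10.0.0.20 line is constructed for contrast.

```python
from collections import defaultdict
from urllib.parse import unquote

# Excerpt of the sample log above; the 10.0.0.20 line is constructed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: time c-ip cs-method cs-uri-stem sc-status
12:50:34 10.0.0.11 GET /non_existant_web_link123511.htm 404
12:50:38 10.0.0.11 HEAD /cgi-bin/ 404
12:50:38 10.0.0.11 HEAD /cgi-bin/a1stats/ 404
12:50:40 10.0.0.20 GET /files/index.html 200
12:50:42 10.0.0.11 HEAD /cfdocs/ 404
12:50:42 10.0.0.11 HEAD /scripts/ 403
12:50:42 10.0.0.11 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive may change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated entries
                yield dict(zip(fields, values))

def has_traversal(uri_stem):
    """True if the decoded stem contains a '..' segment (either slash)."""
    return ".." in unquote(uri_stem).replace("\\", "/").split("/")

def review(text, probe_threshold=5):
    """Return {client_ip: [findings]} for traversal requests and 403/404 sweeps."""
    misses = defaultdict(int)
    findings = defaultdict(list)
    for entry in parse_w3c(text):
        if entry["sc-status"] in ("403", "404"):
            misses[entry["c-ip"]] += 1
        if has_traversal(entry["cs-uri-stem"]):
            findings[entry["c-ip"]].append("traversal: " + entry["cs-uri-stem"])
    for ip, count in misses.items():
        if count >= probe_threshold:  # assumed threshold, tune per site
            findings[ip].append(f"{count} requests answered 403/404")
    return dict(findings)
```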


Secure IIS Checklist

  • Set IP address/DNS address restrictions

    • Not a common option to set, but if you want to restrict your website to certain users this one option is available to you.

  • Update Root CA certificates at the IIS Server


Secure IIS Checklist

  • Remove the IISADMPWD virtual directory

    • Directory allows you to reset NT and 2000 passwords. Used primarily for intranets

  • Remove unused script mappings

  • Disable Parent Paths

  • Disable IP Address in content-location

    • q218180


Windows Security Resources

  • www.ntsecurity.com

  • www.ntsecurity.net

  • www.isaserver.org

  • www.winguides.com/security

  • www.microsoft.com/security

  • http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001191

  • http://nsa2.www.conxion.com/win2k/download.htm