《怎樣使IIS更安全》PPT課件.ppt

1、WEB327怎樣使 IIS更安全,胡 雪高級顧問 美國微軟公司 顧問咨詢部 Microsoft Corporation,日程：,出名的病毒：Code Red (I ) ( / Do stuff else Response.write(Access Denied); function isPasswordOK(strName, strPwd) var fAllowLogon = false; var oConn = new ActiveXObject(ADODB.Connection); var strConnection=Data Source=c:authauth.mdb; oConn.Op

2、en(strConnection); var strSQL = SELECT count(*) FROM client WHERE + name= + strName + + and pwd= + strPwd + ; var oRS = new ActiveXObject(ADODB.RecordSet); oRS.Open(strSQL,oConn); fAllowLogon = (oRS(0).Value 0) ? true : false; oRS.Close(); delete oRS; oConn.Close(); delete oConn; return fAllowLogon;

3、 ,危險在哪？,好人 Username: jeff Password: &y-)4Hi=Qw8 SELECT count(*) FROM client WHERE name=jeff and pwd=&y-)4Hi=Qw8,壞人 Password: or 1 = 1,SELECT count(*) FROM client WHERE name=jeff and pwd= or 1=1,Unicode attack,IIS 檢查 . 防止進入父目錄。但IIS 5 Gold 沒檢查 UTF-8 的 或 /. 例如 %c0%af.,http:/localhost/scripts/.%c0%af./w

4、innt/system32/cmd.exe?/c+type%20d:boot.ini,http:/localhost/scripts/.%c0%af./winnt/system32/cmd.exe?/c+copy%20d:winntsystem32cmd.exe root.exe,http:/localhost/scripts/root.exe?/c+echo Your Website is Defaced d:inetpubwwwrootdefault.asp,對策,Tell the attacker nothing! Determine what is valid input Beware

5、 of quotes Check SQL return values Disable parent paths,如果您不幸被黑,Have a “Incident Response Plan” Remove machines from the net Find out how the hacker did it Perform low-level format Examine connected computers,IIS 4.0 and 5.0 新安全工具,Security hotfixes New: Cumulative Security Hotfixes New: No reboot ho

6、tfixes New: Windows Update Integration New: One-Button-Lockdown-Tool New: Lockdown ISAPI Filter New: HFCHECK v2.0,IIS 6.0安全防范措施,Server is locked down by default Only static files Secure defaults Content protection Secure timeouts and limits Code Security Buffer Overflow Checks automated in the Windo

7、ws build environment VC+ compiler supported (/Gs) Isolation through a new process model Worker Processes run as a low privileged by default Lets get real: WindowsDotNetT Always secure with AutoUpdate,工具和檢查清單, IIS5 Security Checklist HiSecWeb Template HFCheck IIS Lockdown Tool IISlockd.exe Using IPSec: “Designing Secure Web-based Applications” ,總結(jié)：,Windows 2000 and Windows.NET are robust platforms that can provide security against real-world attacks provide the tools and features ne