《怎样使IIS更安全》PPT课件.ppt

1、WEB327怎样使 IIS更安全,胡 雪高级顾问 美国微软公司 顾问咨询部 Microsoft Corporation,日程：,出名的病毒：Code Red (I ) ( / Do stuff else Response.write(Access Denied); function isPasswordOK(strName, strPwd) var fAllowLogon = false; var oConn = new ActiveXObject(ADODB.Connection); var strConnection=Data Source=c:authauth.mdb; oConn.Op

2、en(strConnection); var strSQL = SELECT count(*) FROM client WHERE + name= + strName + + and pwd= + strPwd + ; var oRS = new ActiveXObject(ADODB.RecordSet); oRS.Open(strSQL,oConn); fAllowLogon = (oRS(0).Value 0) ? true : false; oRS.Close(); delete oRS; oConn.Close(); delete oConn; return fAllowLogon;

3、 ,危险在哪？,好人 Username: jeff Password: &y-)4Hi=Qw8 SELECT count(*) FROM client WHERE name=jeff and pwd=&y-)4Hi=Qw8,坏人 Password: or 1 = 1,SELECT count(*) FROM client WHERE name=jeff and pwd= or 1=1,Unicode attack,IIS 检查 . 防止进入父目录。但IIS 5 Gold 没检查 UTF-8 的 或 /. 例如 %c0%af.,http:/localhost/scripts/.%c0%af./w

4、innt/system32/cmd.exe?/c+type%20d:boot.ini,http:/localhost/scripts/.%c0%af./winnt/system32/cmd.exe?/c+copy%20d:winntsystem32cmd.exe root.exe,http:/localhost/scripts/root.exe?/c+echo Your Website is Defaced d:inetpubwwwrootdefault.asp,对策,Tell the attacker nothing! Determine what is valid input Beware

5、 of quotes Check SQL return values Disable parent paths,如果您不幸被黑,Have a “Incident Response Plan” Remove machines from the net Find out how the hacker did it Perform low-level format Examine connected computers,IIS 4.0 and 5.0 新安全工具,Security hotfixes New: Cumulative Security Hotfixes New: No reboot ho

6、tfixes New: Windows Update Integration New: One-Button-Lockdown-Tool New: Lockdown ISAPI Filter New: HFCHECK v2.0,IIS 6.0安全防范措施,Server is locked down by default Only static files Secure defaults Content protection Secure timeouts and limits Code Security Buffer Overflow Checks automated in the Windo

7、ws build environment VC+ compiler supported (/Gs) Isolation through a new process model Worker Processes run as a low privileged by default Lets get real: WindowsDotNetT Always secure with AutoUpdate,工具和检查清单, IIS5 Security Checklist HiSecWeb Template HFCheck IIS Lockdown Tool IISlockd.exe Using IPSec: “Designing Secure Web-based Applications” ,总结：,Windows 2000 and Windows.NET are robust platforms that can provide security against real-world attacks provide the tools and features ne