Glad to assist,
Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: Webster [mailto:[email protected]]
Sent: Thursday, September 13, 2012 10:46 AM
To: NT System Admin Issues
Subject: Re: IIS 7.5 and OWASP

Thanks Z, appreciate the info.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: <Ziots>, Edward <[email protected]>
Subject: RE: IIS 7.5 and OWASP

Carl,

Web servers per se do have security controls to limit the effects of the OWASP Top 10 but do not fully protect against them. To test these you really should be using a web application scanner like Cenzic, IBM AppScan, HP WebInspect, etc. to root out these issues. (Making the developers fix the code is the best choice.) It's because some of these are insecure coding issues, not web server configuration issues. (A6, A7, A8, A9, A10 can be mitigated with correct configuration of SSL/TLS along with using request-filtering policy and hardened configurations.) You can use Request Filtering in IIS 7.0 and IIS 7.5 much like UrlScan 3.1 and earlier to do a "poor man's" WAF functionality, which will reduce the attack surface, but does not fix the underlying code issues which are addressed in A1-A5.

See below: http://www.iis.net/configreference/system.webserver/security/requestfiltering

See below: https://www.owasp.org/?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

* A1: Injection (See) https://www.owasp.org/index.php/Top_10_2010-A1-Injection
* A2: Cross-Site Scripting (XSS) (See) https://www.owasp.org/index.php/Top_10_2010-A2-Cross-Site_Scripting_(XSS)
* A3: Broken Authentication and Session Management (See) https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management
* A4: Insecure Direct Object References (See) https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
* A5: Cross-Site Request Forgery (CSRF) (See) https://www.owasp.org/index.php/Top_10_2010-A5-Cross-Site_Request_Forgery
* A6: Security Misconfiguration (See) https://www.owasp.org/index.php/Top_10_2010-A6-Security_Misconfiguration
* A7: Insecure Cryptographic Storage (See) https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage
* A8: Failure to Restrict URL Access (See) https://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access
* A9: Insufficient Transport Layer Protection (See) https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
* A10: Unvalidated Redirects and Forwards (See) https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

After you review these links, I think you will see a trend: that business impact and threat vectors are going to drive your efforts in showing that your IIS configurations are sufficiently hardened and locked down and that you have additional testing and controls surrounding the stability of web-application code that will run on said servers.

As a note: if you are getting COTS (commercial off the shelf) software from a vendor, you could have more problems getting the Top 10 fixed than you would have if you developed internally.
Most are going to WAFs to provide protection from the Top 10, but even WAFs can be bypassed. It's like trying to put a hard shell around a soft gooey egg: pound on it hard enough and you can bypass the preventative/detective control.

https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
https://github.com/ironbee/waf-research

HTH, if you need more information hit me offline.

EZ

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: Webster [mailto:[email protected]]
Subject: IIS 7.5 and OWASP

I am on a project where I have to document four Citrix products to meet extreme regulatory qualification guidelines. One of the products is Web Interface running on Server 2008 R2, which means IIS 7.5. The customer's security team says I have to show that IIS 7.5 has measures to protect against the OWASP Top-10 list. Since I had no idea what OWASP is, I had to Bing it.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The Top-10 are:

* A1: Injection
* A2: Cross-Site Scripting (XSS)
* A3: Broken Authentication and Session Management
* A4: Insecure Direct Object References
* A5: Cross-Site Request Forgery (CSRF)
* A6: Security Misconfiguration
* A7: Insecure Cryptographic Storage
* A8: Failure to Restrict URL Access
* A9: Insufficient Transport Layer Protection
* A10: Unvalidated Redirects and Forwards

As someone who can't spell IIS much less OWASP, how do I find out if/how IIS 7.5 prevents/rejects/protects against these 10 items?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
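The "poor man's WAF" that Ziots's reply describes is the IIS Request Filtering module configured in web.config. The fragment below is an added example written for this thread, not configuration from the list, from Citrix, or from the IIS documentation linked above. It shows a site-level requestFiltering section that narrows the attack surface in the way the reply outlines: verb and extension whitelisting, size limits, hidden segments, denied URL sequences, and (IIS 7.5 only) a filteringRules block that rejects a few obvious script and SQL-comment fragments in the URL and query string. Every numeric limit, the verb list, the extension and segment names, and the denied strings are assumed values for a hypothetical ASP.NET application; they are not taken from Web Interface and must be tuned to what the real application needs, then re-tested with a scanner as the reply recommends.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): Request Filtering for IIS 7.5.
     All limits, verbs, extensions, segments and strings are assumptions. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject double-encoded URLs (404.11) and non-ASCII URL bytes (404.12),
           two common encoding-evasion tricks against naive filters. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Cap body size (404.13), URL length (404.14) and query-string length
             (404.15). Limits payload room for A1/A2 attempts and blocks
             oversized uploads. Values are assumptions: 10 MB, 2 KB, 1 KB. -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="2048"
                       maxQueryString="1024" />

        <!-- Allow only the verbs the application uses (A6). Unlisted verbs
             such as TRACE, PUT or DELETE are rejected with 404.6. -->
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>

        <!-- Never serve configuration, source or backup files directly
             (A6/A8); a denied extension returns 404.7. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".cs"     allowed="false" />
          <add fileExtension=".bak"    allowed="false" />
          <add fileExtension=".log"    allowed="false" />
        </fileExtensions>

        <!-- Path segments a client should never request (404.8). IIS already
             hides bin, App_Code, App_Data etc. by default; these are additions. -->
        <hiddenSegments>
          <add segment="backup" />
          <add segment="logs" />
        </hiddenSegments>

        <!-- Reject URLs containing traversal sequences (404.5). -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence="\" />
        </denyUrlSequences>

        <!-- IIS 7.5 only: deny a few script/SQL-comment fragments in the URL
             and query string (404.19). This is the "poor man's WAF" part: it
             raises the bar for A1/A2 but does not fix the code behind it, and
             "--" or "/*" may have to be dropped if legitimate parameters
             contain them. -->
        <filteringRules>
          <filteringRule name="DenyScriptTagsAndSqlComments"
                         scanUrl="true" scanQueryString="true">
            <denyStrings>
              <add string="&lt;script" />
              <add string="--" />
              <add string="/*" />
            </denyStrings>
          </filteringRule>
        </filteringRules>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The 404.x substatus values noted in the comments are what IIS writes to the sc-substatus field of its W3C logs when Request Filtering rejects a request, so the same log file that proves the control is active also doubles as a detection source: a spike in 404.5/404.19 entries from one client is worth looking at even when nothing got through. The filteringRules element is the part that does not exist on IIS 7.0; the rest of the section applies to both versions.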
