Edward summed it up really well. Just wanted to add that some of the OWASP top 10 items cannot be protected against no matter what you do with IIS. It's the underlying code. So it's more of a question of what product you are looking at instead of just IIS.
--T

On Thu, Sep 13, 2012 at 7:34 AM, Ziots, Edward <[email protected]> wrote:

> Carl,
>
> Web servers per se do have security controls to limit the effects of the OWASP top 10 but do not fully protect against them. To test these you really should be using a web application scanner like Cenzic, IBM AppScan, HP WebInspect, etc. to root out these issues. (Making the developers fix the code is the best choice.)
>
> It's because some of these are insecure coding issues, not web server configuration issues. (A6, A7, A8, A9, A10 can be mitigated with correct configuration of SSL/TLS along with using request-filtering policy and hardened configurations.)
>
> You can use Request Filtering in IIS 7.0 and IIS 7.5 much like UrlScan 3.1 and earlier to do a "poor-man's" WAF functionality, which will reduce the attack surface, but does not fix the underlying code issues which are addressed in A1-A5.
>
> See below:
> http://www.iis.net/configreference/system.webserver/security/requestfiltering
>
> See below:
> https://www.owasp.org/?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
> - A1: Injection (See) https://www.owasp.org/index.php/Top_10_2010-A1-Injection
> - A2: Cross-Site Scripting (XSS) (See) https://www.owasp.org/index.php/Top_10_2010-A2-Cross-Site_Scripting_(XSS)
> - A3: Broken Authentication and Session Management (See) https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management
> - A4: Insecure Direct Object References (See) https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
> - A5: Cross-Site Request Forgery (CSRF) (See) https://www.owasp.org/index.php/Top_10_2010-A5-Cross-Site_Request_Forgery
> - A6: Security Misconfiguration (See) https://www.owasp.org/index.php/Top_10_2010-A6-Security_Misconfiguration
> - A7: Insecure Cryptographic Storage (See) https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage
> - A8: Failure to Restrict URL Access (See) https://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access
> - A9: Insufficient Transport Layer Protection (See) https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
> - A10: Unvalidated Redirects and Forwards (See) https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
>
> After you review these links, I think you will see a trend: business impact and threat vectors are going to drive your efforts in showing that your IIS configurations are sufficiently hardened and locked down and that you have additional testing and controls surrounding the stability of web-application code that will run on said servers.
>
> As a note: if you are getting COTS (commercial off the shelf) software from a vendor, you could have more problems getting the top 10 fixed than you would have if you developed internally.
>
> Most are going to WAFs to provide protection from the top 10, but even WAFs can be bypassed. It's like trying to put a hard shell around a soft gooey egg; pound on it hard enough and you can bypass the preventative/detective control.
>
> https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
> https://github.com/ironbee/waf-research
>
> HTH, if you need more information hit me offline.
>
> EZ
>
> Edward E. Ziots, CISSP, Security+, Network+
> Security Engineer
> Lifespan Organization
> [email protected]
>
> *From:* Webster [mailto:[email protected]]
> *Sent:* Thursday, September 13, 2012 9:12 AM
> *To:* NT System Admin Issues
> *Subject:* IIS 7.5 and OWASP
>
> I am on a project where I have to document four Citrix products to meet extreme regulatory qualification guidelines. One of the products is Web Interface running on Server 2008 R2, which means IIS 7.5. The customer's security team says I have to show that IIS 7.5 has measures to protect against the OWASP Top-10 list. Since I had no idea what OWASP is, I had to Bing it.
>
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>
> The Top-10 are:
>
> - A1: Injection
> - A2: Cross-Site Scripting (XSS)
> - A3: Broken Authentication and Session Management
> - A4: Insecure Direct Object References
> - A5: Cross-Site Request Forgery (CSRF)
> - A6: Security Misconfiguration
> - A7: Insecure Cryptographic Storage
> - A8: Failure to Restrict URL Access
> - A9: Insufficient Transport Layer Protection
> - A10: Unvalidated Redirects and Forwards
>
> As someone who can't spell IIS much less OWASP, how do I find out if/how IIS 7.5 prevents/rejects/protects against these 10 items?
>
> Thanks
>
> Carl Webster
> Consultant and Citrix Technology Professional
> http://www.CarlWebster.com
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
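As an added illustration of the Request Filtering "poor-man's WAF" that Edward's reply describes (this is an example fragment constructed for this thread, not configuration from any of the posters or from Citrix Web Interface), the web.config below shows the IIS 7.5 `system.webServer/security/requestFiltering` section with the controls that reduce attack surface for the configuration-side items (A6, A8, A10): verb allow-listing, size limits, hidden segments, denied URL sequences, and the IIS 7.5 `filteringRules` signature matching. The numeric limits, blocked extensions, and deny strings are example choices and would need tuning per application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.config fragment, constructed for illustration. It tightens the
     edge (request shape, verbs, reachable paths) but does nothing for code-level
     flaws such as A1-A5, which still need developer fixes and application scanning. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering
          allowDoubleEscaping="false"
          allowHighBitCharacters="false">

        <!-- Bound request body, URL and query-string size. Example values:
             10 MB body, 2 KB URL, 1 KB query string; set to what the app needs. -->
        <requestLimits
            maxAllowedContentLength="10485760"
            maxUrl="2048"
            maxQueryString="1024" />

        <!-- Allow only the verbs the application uses; everything unlisted
             (TRACE, DEBUG, WebDAV verbs, ...) is rejected with 404.6. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>

        <!-- Refuse direct requests for config, source and backup files
             (helps A6/A8: misconfiguration and unrestricted URL access). -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".cs" allowed="false" />
        </fileExtensions>

        <!-- Hidden segments are never served, whatever the file extension. -->
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Data" />
          <add segment="App_Code" />
        </hiddenSegments>

        <!-- Deny URL sequences used for path traversal and NTFS stream tricks;
             allowDoubleEscaping="false" above stops encoded variants. -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>

        <!-- IIS 7.5 filtering rules: plain substring matching on URL and query
             string. Only unobfuscated payloads match, so this is a reduction in
             noise, not a fix for injection or XSS in the code (A1, A2). -->
        <filteringRules>
          <filteringRule name="ExampleBlockObviousSql" scanUrl="true" scanQueryString="true">
            <denyStrings>
              <add string="xp_cmdshell" />
              <add string="waitfor delay" />
            </denyStrings>
            <appliesTo>
              <add fileExtension=".aspx" />
              <add fileExtension=".asp" />
            </appliesTo>
          </filteringRule>
          <filteringRule name="ExampleBlockObviousScript" scanUrl="true" scanQueryString="true">
            <denyStrings>
              <add string="&lt;script" />
              <add string="javascript:" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

This goes in the site's web.config (or in applicationHost.config for a server-wide default) provided the `requestFiltering` section is unlocked for delegation; after applying it, `appcmd list config "Default Web Site" /section:requestFiltering` shows the effective settings, and blocked requests appear in the IIS logs with 404.x substatus codes (for example 404.6 for a denied verb, 404.19 for a filtering rule hit), which is what you would hand to the security team as evidence of the edge controls. It supports, but does not replace, the scanner results and code fixes that the thread says A1-A5 require.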
