Web Servers
Apache, IIS, IPlanet and friends
April 2002

11 April 2002
 

New IIS Patches from Microsoft

Microsoft yesterday released a new set of patches for IIS. The patches and the security holes they fix are described here. While you're at it you might want to run the IIS Lockdown tool, which checks for common (read: default) insecure configurations. I do hope they make this part of the standard setup procedure in future versions.


11:07:29 AM

SOAP security and external underwear.

Jon Udell discusses the SOAPAction header and its use for filtering SOAP requests through a firewall. The idea behind the header is that the client making the SOAP request places a SOAPAction header in the HTTP request describing what it is about to do, for example which method it will be invoking. When I first read this a few years back it did send question marks buzzing up through my head, as you can't really rely on an external description of what is going to happen. Jon puts it well with his analogy of external underwear:

Did the notion advanced in DevelopMentor's FAQ -- that SOAP packets would declare intent by publishing interface and method names in the HTTP header -- make sense? At the time it seemed reasonable to me. But now, I wonder if a SOAPaction policy isn't rather like the scene in Bananas where the newly-installed dictator declares that "everybody must wear their underwear on the outside, so we can check." The interfaces that a company chooses to expose to the world are, in the end, a policy that will or won't be enforced, regardless of the SOAP toolkits in use or the translations performed in a request pipeline. Enforcement will always require more than checking for underwear on the outside. [Jon's Radio]

Those of us who were writing Perl CGI apps way back in the early days of the Web learnt that you can't rely on the format of a request. You really do need to verify all data before you make any assumptions about it, so an HTTP SOAPAction header specifying a stock ticker lookup interface can just as easily have a stock trading message within.

All of this discussion, though, assumes that you only have one single SOAP gateway/router on your web server. This strikes me as a bit naive from a security standpoint. I think that only interfaces with the EXACT same security properties should be exposed through the same router. This way you can use the underlying web server's security as well as external firewalls to provide access control and authentication. Let's not reinvent the wheel here.
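As an added illustration (not code from this post or from Jon's article), here is a small Python check that treats the SOAPAction header as a claim to be verified against the body, and that only serves the operations one gateway is meant to expose; the gateway policy, the urn:StockQuote names and the sample envelopes are constructed for this example.

```python
"""Added example: verify that a SOAP request's body really contains the
operation its SOAPAction header claims, instead of trusting the header.
All names and sample requests below are constructed for this example."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical policy for one gateway: the operations it is allowed to
# serve, keyed by the SOAPAction value the client is expected to send.
# A gateway for stock trading would be a separate router with its own policy.
ALLOWED_ACTIONS = {
    "urn:StockQuote#GetQuote": "GetQuote",
}

def body_operation(xml_bytes):
    """Return the local name of the first element inside soap:Body."""
    root = ET.fromstring(xml_bytes)
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    return tag.split("}", 1)[1] if "}" in tag else tag

def check_request(headers, xml_bytes):
    """Return (accepted, reason). The SOAPAction header is only a claim,
    so the decision is based on what the parsed body actually contains."""
    action = headers.get("SOAPAction", "").strip().strip('"')
    if action not in ALLOWED_ACTIONS:
        return False, "SOAPAction not served by this gateway"
    try:
        op = body_operation(xml_bytes)
    except ET.ParseError:
        return False, "malformed SOAP envelope"
    if op != ALLOWED_ACTIONS[action]:
        return False, "body operation %r does not match SOAPAction" % op
    return True, "ok"

def envelope(op):
    # Build a minimal SOAP 1.1 envelope for the constructed samples.
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body>'
            '<%s xmlns="urn:StockQuote"><symbol>ACME</symbol></%s>'
            '</soap:Body></soap:Envelope>' % (SOAP_ENV, op, op)).encode()

HONEST = {"SOAPAction": '"urn:StockQuote#GetQuote"'}
# Header claims a quote lookup, but the body asks for a trade: rejected.
MISMATCH = (HONEST, envelope("PlaceTrade"))
```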


12:13:38 AM


26 March 2002
 

FrontPage Bug Opens Microsoft Sites To Attackers

Microsoft released a bulletin and patch for the buffer overflow flaw, which allows attackers to run code of their choice on a vulnerable server, on Jun. 21, 2001.  [News Bytes]

I did have to chuckle a bit after reading this. A couple of MS sites were defaced because they'd left an old unpatched version of the FrontPage extensions on the server. The moral of the story is: get rid of anything that you are not using. If you happen to be using the FrontPage extensions (not recommended), please keep an eye on security patches.


6:46:55 PM

Apache security configuration guide

Included below is a recommended security configuration guide for the Apache web server, designed to provide security administrators with a method of configuring an installation based on the agreed security risk profile of the target system.
The security configuration document divides recommendations into levels "Premium", "Standard", and "Basic", and covers a variety of installation, configuration and ongoing management tasks, including:
 * Linux and Windows Installation Requirements
 * Apache Base Installation
 * Identification and Authentication
 * Privacy and Encryption
 * Access Control
 * Auditing
 * WebSphere

[Open System Security Resources]

If you use the Apache web server or any of its commercial derivatives, including IBM WebSphere or Oracle AppServer, you might want to take a look at this guide. While most of what it covers is standard practice, many people are moving to Apache from MS IIS, and Apache's configuration-file and module concepts might be a bit foreign to IIS users. This guide makes it simple to do a quick security audit on your Apache servers.


4:19:13 PM


22 March 2002
 

Fingerprinting Port 80 Attacks - Part II.

Port 80 is the standard port for websites, and it can have a lot of different security issues. These holes can allow an attacker to gain either administrative access to the website, or even the web server itself. This second paper was written to help the average administrator and developer to have a better understanding of the types of threats that exist, along with how to detect them.

[NewOrder]

 


8:47:44 AM



© Copyright 2002 Pelle Braendgaard.
Last update: 27/03/2002; 09:25:44.