
Tuesday, June 21, 2011

IIS Web Server

Methods of Threats

Network Based

Host Based

Application Based

Network Based Threats

Information Gathering

Attackers usually start with port scanning. After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions.
Tip: Configure routers to restrict their responses to footprinting requests. Configure operating systems that host network software to prevent footprinting by disabling unused protocols and unnecessary ports.

Sniffing

Sniffing is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information.
Tip: Filter incoming packets that appear to come from an internal IP address at your perimeter. Filter outgoing packets that appear to originate from an invalid local IP address.

Session Hijacking

Also known as a man in the middle attack, session hijacking deceives a server or a client into accepting the upstream host as the actual legitimate host.
Tip: Use encrypted session negotiation. Use encrypted communication channels. Stay informed of platform patches that fix TCP/IP vulnerabilities, such as predictable packet sequences.

Spoofing

Spoofing is a means to hide one's true identity on the network.
Tip: Filter incoming packets that appear to come from an internal IP address at your perimeter. Filter outgoing packets that appear to originate from an invalid local IP address.
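The ingress and egress filtering rules recommended for both sniffing and spoofing above, expressed as an added Python example (this code is not part of the original post). The address ranges are constructed assumptions: the RFC 1918 private ranges stand in for the internal network and the 192.0.2.0/24 documentation prefix stands in for the site's own public allocation; a real perimeter filter would substitute its actual prefixes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: address ranges that belong to this site. Packets
# carrying these as a source are only legitimate when they originate inside.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Constructed assumption: the public prefix this site is allocated (TEST-NET-1).
LOCAL_PUBLIC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
VALID_LOCAL_SOURCES = INTERNAL_NETWORKS + LOCAL_PUBLIC_NETWORKS


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" = arriving from the Internet, "out" = leaving toward it


def _in_any(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def filter_packet(pkt: Packet) -> str:
    """Apply the two anti-spoofing rules at the perimeter; return 'allow' or 'drop'."""
    if pkt.direction == "in":
        # Ingress rule: the Internet cannot legitimately deliver a packet whose
        # source claims to be one of our own addresses; it is spoofed.
        return "drop" if _in_any(pkt.src, VALID_LOCAL_SOURCES) else "allow"
    if pkt.direction == "out":
        # Egress rule: anything leaving must carry a valid local source address,
        # otherwise a host inside is spoofing (or badly misconfigured).
        return "allow" if _in_any(pkt.src, VALID_LOCAL_SOURCES) else "drop"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_batch(packets) -> list:
    """Decide a whole capture at once; handy for replaying a pcap summary."""
    return [(p.src, p.direction, filter_packet(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic: one spoofed ingress packet, one forged egress source.
    sample = [
        Packet("10.1.2.3", "192.0.2.10", "in"),       # claims internal source from outside
        Packet("203.0.113.5", "192.0.2.10", "in"),    # ordinary Internet client
        Packet("192.0.2.10", "203.0.113.5", "out"),   # our server replying
        Packet("198.51.100.7", "203.0.113.5", "out"), # not one of our addresses
    ]
    for row in filter_batch(sample):
        print(row)
```

The filter is symmetric on purpose: the same set of "our" addresses is forbidden as a source on the way in and required as a source on the way out, which is exactly the pair of rules the tip describes.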

Denial of Service

Denial of service denies legitimate users access to a server or services.
Tip: Apply the latest service packs. Use a network Intrusion Detection System (IDS) because these can automatically detect and respond to SYN attacks.

Host Based Threats

Viruses, Trojan Horses, and Worms

A virus is a program that is designed to perform malicious acts and cause disruption to your operating system or applications. A Trojan horse resembles a virus except that the malicious code is contained inside what appears to be a harmless data file or executable program. A worm is similar to a Trojan horse except that it self-replicates from one server to another.
Tip: Stay up to date with the latest operating system service packs and software patches. Block all unnecessary ports at the firewall and host. Disable unused functionality, including protocols and services. Harden weak default configuration settings.

Foot Printing

Footprinting techniques such as port scans, ping sweeps, and NetBIOS enumeration give attackers valuable system-level information that makes their subsequent attacks more effective.
Tip: Disable unnecessary protocols. Lock down ports with the appropriate firewall configuration. Use TCP/IP and IPSec filters for defense in depth. Configure IIS to prevent information disclosure through banner grabbing.

Password Cracking

If the attacker cannot establish an anonymous connection with the server, he or she will try to establish an authenticated connection.
Tip: Use strong passwords for all account types. Apply lockout policies to end-user accounts to limit the number of retry attempts that can be used to guess the password.

Denial of Service

Denial of service can be attained by many methods aimed at several targets within your infrastructure.
Tip: Stay current with patches and security updates. Harden the TCP/IP stack against denial of service. Make sure your account lockout policies cannot be exploited to lock out well-known service accounts.
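The two lockout tips above pull in opposite directions: end-user accounts should lock after a few failed guesses, but the same policy applied to a well-known service account hands an attacker a way to take the service down. The following added Python example (not part of the original post) shows one way to hold both. The threshold, window and lockout duration are assumed values, and the service-account list is a constructed placeholder.

```python
from collections import deque


class LockoutPolicy:
    """Sliding-window account lockout with an exemption for service accounts.

    Assumed defaults: 5 failures within 15 minutes lock an end-user account for
    30 minutes. Accounts named in service_accounts are never locked; instead,
    crossing the threshold raises an alert so an operator can investigate.
    """

    def __init__(self, threshold=5, window=900, duration=1800, service_accounts=()):
        self.threshold = threshold
        self.window = window          # seconds over which failures are counted
        self.duration = duration      # seconds an end-user account stays locked
        self.service_accounts = {a.lower() for a in service_accounts}
        self._failures = {}           # account -> deque of failure timestamps
        self._locked_until = {}       # account -> unix time the lock expires
        self.alerts = []              # (account, time) for service-account floods

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account.lower(), 0) > now

    def _record_failure(self, account: str, now: float) -> None:
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and q[0] < now - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return
        q.clear()
        if account in self.service_accounts:
            # Exempt: an attacker must not be able to lock out the account the
            # web server itself runs under. Alert instead of locking.
            self.alerts.append((account, now))
        else:
            self._locked_until[account] = now + self.duration

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed' for one authentication attempt."""
        acct = account.lower()
        # While locked, the answer is 'locked' whether or not the password was
        # right, so a lucky guess during the lock does not leak that it was correct.
        if self.is_locked(acct, now):
            return "locked"
        if password_ok:
            self._failures.pop(acct, None)
            return "ok"
        self._record_failure(acct, now)
        return "failed"


if __name__ == "__main__":
    # Constructed placeholder: "svc_iis" stands in for a well-known service account.
    policy = LockoutPolicy(threshold=3, window=60, duration=120, service_accounts=["svc_iis"])
    for t in range(3):
        print("alice", policy.attempt("alice", False, 1000 + t))
    print("alice (correct password while locked):", policy.attempt("alice", True, 1004))
    for t in range(3):
        print("svc_iis", policy.attempt("svc_iis", False, 2000 + t))
    print("svc_iis still usable:", policy.attempt("svc_iis", True, 2004), "alerts:", policy.alerts)
```

The exemption is deliberately narrow: the service account still gets strong-password protection and its failures are still counted, they just feed an alert instead of a lock.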

Application Based Threats

Buffer Overflows

Buffer overflow vulnerabilities can lead to denial of service attacks or code injection. A denial of service attack causes a process crash. Code injection alters the program execution address to run an attacker's injected code.
Tip: When possible, limit your application's use of unmanaged code, and thoroughly inspect the unmanaged APIs to ensure that input is properly validated.

Cross-Site Scripting

An XSS attack can cause arbitrary code to run in a user's browser while the browser is connected to a trusted Web site.
Tip: Use HTML Encode and URL Encode functions to encode any output that includes user input. This converts executable script into harmless HTML.
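As an added illustration of the encoding advice (example code, not from the original post), the Python standard library's html.escape and urllib.parse.quote play the roles of HTML Encode and URL Encode. The page-rendering functions and the constructed test string are assumptions for the demonstration; the point shown is that the same user input is inert once encoded for the context it lands in.

```python
import html
from urllib.parse import quote


def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: user input is copied straight into the HTML body.
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    # HTML-encode before placing text in element content or a quoted attribute.
    # <, >, &, " and ' become entities, so markup in the input is shown, not run.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_link(term: str) -> str:
    # A value bound for a query string is URL-encoded first (safe="" also
    # encodes "/" so the term cannot introduce path segments), and the finished
    # URL is then HTML-encoded because it sits inside an attribute.
    href = "/search?q=" + quote(term, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(term, quote=True)}</a>'


def contains_active_script(markup: str) -> bool:
    # Deliberately crude check, used only to contrast the two renderers:
    # does a literal <script tag or an inline event handler survive in the output?
    m = markup.lower()
    return "<script" in m or "onerror=" in m


if __name__ == "__main__":
    # Constructed test input: markup that must be displayed, never executed.
    untrusted = '<script>alert("x")</script>'
    print(render_greeting_unsafe(untrusted))
    print(render_greeting(untrusted))
    print(render_search_link('a&b "c"'))
```

The two encoders are not interchangeable: HTML encoding protects element content and attribute values, URL encoding protects the pieces of a URL, and a value that passes through both contexts gets both, innermost context first.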

SQL Injection

A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database.
Tip: Perform thorough input validation. Your application should validate its input prior to sending a request to the database. Use least privileged accounts to connect to the database.
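An added Python example (not from the original post) putting the validation tip beside the complementary defence of bound parameters, using an in-memory SQLite table. The table, its rows, the username pattern and the function names are constructed for the demonstration; SQLite has no per-user accounts, so the least-privilege advice is not shown here and applies to the real database login the application uses.

```python
import re
import sqlite3

# Constructed whitelist: usernames are short and drawn from a fixed alphabet.
# Anything else is rejected before the database is involved at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the value is spliced into the SQL text, so quotes in the
    # input change the shape of the query instead of being data.
    sql = f"SELECT role FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role(conn: sqlite3.Connection, username: str) -> list:
    # 1) Validate against the whitelist first, as the tip recommends.
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    # 2) Bind the value as a parameter; the driver sends it separately from the
    #    statement text, so it can never be parsed as SQL even if validation
    #    is later loosened.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("bob ->", lookup_role(db, "bob"))
    # The classic tautology: the unsafe version returns every row.
    print("unsafe, tautology ->", lookup_role_unsafe(db, "x' OR '1'='1"))
    try:
        lookup_role(db, "x' OR '1'='1")
    except ValueError as exc:
        print("validated ->", exc)
```

Validation and parameterisation are layered on purpose: the whitelist keeps junk out of the application altogether, and the bound parameter means that a value which does get through is still only ever data to the database.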

Network Eavesdropping

If authentication credentials are passed in plaintext from client to server, an attacker armed with rudimentary network monitoring software on a host on the same network can capture traffic and obtain user names and passwords.
Tip: Use authentication mechanisms that do not transmit the password over the network, such as the Kerberos protocol or Windows authentication.

Cookie Replay Attacks

With this type of attack, the attacker captures the user's authentication cookie using monitoring software and replays it to the application to gain access under a false identity.
Tip: Use an encrypted communication channel provided by SSL whenever an authentication cookie is transmitted.

Data Tampering

Data tampering refers to the unauthorized modification of data.
Tip: Use strong access controls to protect data in persistent stores to ensure that only authorized users can access and modify the data.

Man in the Middle Attacks

A man in the middle attack occurs when the attacker intercepts messages sent between you and your intended recipient. The attacker then changes your message and sends it to the original recipient.
Tip: Use Hashed Message Authentication Codes (HMACs). If an attacker alters the message, the recalculation of the HMAC at the recipient fails and the data can be rejected as invalid.
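The HMAC check the tip describes, as an added Python example built on the standard library's hmac module (this is not code from the original post). The shared key and the sample message are constructed placeholders; a real deployment provisions the key out of band and never ships it in source.

```python
import hashlib
import hmac

# Constructed placeholder key. Both endpoints must hold it; the attacker must not.
SHARED_KEY = b"example-shared-key-replace-me"


def sign(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: compute HMAC-SHA256 over the message and send it alongside."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Recipient side: recompute the HMAC and compare with the received tag."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many leading bytes of a forged tag happened to be right.
    return hmac.compare_digest(expected, tag)


def receive(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Accept the message only if its HMAC verifies; otherwise reject it."""
    if not verify(message, tag, key):
        raise ValueError("HMAC check failed: message rejected as invalid")
    return message


if __name__ == "__main__":
    # Constructed sample exchange.
    original = b"transfer 100 to account 42"
    tag = sign(original)
    print("genuine message accepted:", receive(original, tag) == original)

    # An intermediary that rewrites the amount cannot produce a matching tag
    # without the key, so recomputation at the recipient fails.
    altered = b"transfer 900 to account 42"
    try:
        receive(altered, tag)
    except ValueError as exc:
        print("altered message:", exc)
```

Note what the HMAC does and does not give you: it detects modification and forgery by anyone without the key, but it does not hide the message contents, so it belongs alongside the encrypted channel recommended in the earlier sections rather than in place of it.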
