Published by: jasonddennis on Aug 07, 2009
Copyright:Attribution Non-commercial
IIS Security and Programming Countermeasures
By Jason Coombs (jasonc@science.org)
This is a book about how to secure Microsoft Internet Information Services for administrators and programmers whose work includes a requirement for information security, a computer industry specialty field commonly referred to as infosec. In this book the terms information security and infosec are used interchangeably with the more friendly term data security. This is not a book about hacking, cracking, and the tools and techniques of the bad guys, the so-called black hat hackers. This book teaches computer professionals and infosec specialists how to build secure solutions using IIS. It is your duty to secure and defend networked information systems for the benefit of the good guys who are your end users, clients, or less technical coworkers.

There is nothing you can do that will transform a programmable computer running Microsoft Windows from its vulnerable condition to an invulnerable one. Every general purpose programmable computer is inherently vulnerable because it is controlled by software and is designed to allow new software to be installed or executed arbitrarily. Network computing based on programmable general purpose computers will never be safe from an information security perspective. Eliminating the feature of general purpose programmability from a networked computer and replacing its software with firmware reduces but does not eliminate vulnerabilities. These are immutable realities of present day computing and, as always, reality represents your biggest challenge. Microsoft is in business to get as much of your money as possible using whatever means will work at a given moment and in this respect they know virtually no equal in the software business. Unfortunately, Microsoft truly does not care about security. You will see why in this book. To Microsoft, your possession of a microprocessor turns you into a customer, a source of potential profit. Just as your possession of a pair of eyeballs turns you into a potential customer for media giants who would sooner see you put in prison for violating arbitrary intellectual property laws than thank you sincerely for the money you've paid to them over the years, Microsoft will never do anything (willingly) that reduces its competitive position by reducing its access to your microprocessors or relinquishing some of its leverage over you. Never mind that these same corporations and media giants are responsible for laws such as the Digital Millennium Copyright Act (DMCA), that you may one day find yourself accused of violating based on something a microprocessor appears to have done over which you allegedly had control or authority, because of political contributions and special-interest lobbyist politics.

Giving you real control over your computers is not in the best interest of capitalism nor law enforcement because such control would reduce profits and hinder prosecutions. If you don't think these issues are a part of the complex and volatile modern world of data security then you'll be surprised how a little knowledge of the subject will change your perceptions. Just remember that if it becomes difficult for Microsoft to execute code on your computers, it will become more difficult for them to extract money from your bank accounts by selling you more software. The business methods used by Microsoft have so badly compromised the safety of those who use Microsoft software that I've called publicly for Microsoft to give away, free of charge to all existing Microsoft customers, the latest build of Windows code that incorporates, for the first time, security remediations produced as a result of the Trustworthy Computing Initiative. These architectural security fixes are not just new features that you might like to have and may choose to pay for; they are the first attempt Microsoft has ever made to create a product that is safe to use and free from severe defects. That Microsoft has failed yet again to achieve a reasonable level of safety for its products will become apparent in the coming months, but this does not change the fact that Microsoft profited enormously by selling severely defective products in the past and owes a debt of apology to every person and business that has been harmed by their actions and inactions. We'll never see this apology in the real world, of course, just as we may never see Microsoft software that incorporates common sense security countermeasures. It is just not in Microsoft's best interest to do what is in your best interest, and this alone should cause you serious concern. Many other businesses draw a line that they choose not to cross, out of respect and care for their customers and for the benefit of the general public. Microsoft draws no such line, and it has thus become a despicable company run by despicable people.

Information security is a constant process that never achieves its objective. Given this fact, many people choose to do something else with their time and money. People who faint at the sight of blood make poor surgeons. Likewise, computer programmers or administrators who insist that computers are inherently trustworthy under certain circumstances make terrible information security professionals. Before you can expect any computer system to be trustworthy you must abandon any hope you might have that a technological solution may exist and reconsider the criteria by which you judge a computer to be trustworthy. Technically, a computer can be considered trustworthy if it is provably under your exclusive control, performing only operations that are known or expected, and you are certain to detect any behavior or condition that would indicate otherwise. Your risk exposure to a computer can be considered reasonable if the computer is trustworthy and you are aware of, and prepared to respond to, incidents that may occur due to malfunction or malfeasance.

Unlike a guide to black hat hacker mischief, and more applicable to daily programming or administration tasks than a guide for so-called white hat hackers who conduct penetration tests and employ hacking tools for the purpose of ensuring data security or discovering new vulnerabilities before malicious hackers do, IIS Security shows you where threats exist in data networks and information systems built around Microsoft IIS to enable threat comprehension but makes no effort to give detailed instructions on perpetrating exploits. There is plenty to read on the Internet on that subject. This book shows how to harden IIS and its hosted Web applications and services against attacks so that all known, and hopefully all possible, black hat exploits can be prevented with solid data security technology, secure Web application code, application-specific threat countermeasures, and a security policy appropriate to the level of protection required for each server box.

IIS Security assumes that you are using IIS version 4, 5, 5.01, or 6.0 with an emphasis on versions 5 and 6. IIS versions 5 and 5.01 are only available for Windows 2000 or Windows XP Professional, and IIS 6 is only available in the Windows .NET Server OS family. Although some of the instructions in this book pertain specifically to one version of IIS and therefore imply use of a particular OS (NT 4, Win2k, XP or .NET Server) you will find the majority of the instructions relevant to your environment because Windows XP Professional and .NET Server share a common code base derived from Windows 2000