SCSPBP3: IIS Protection

Article:TECH152822  |  Created: 2011-02-07  |  Updated: 2011-02-07  |  Article URL http://www.symantec.com/docs/TECH152822
Article Type
Technical Solution


Issue



SCSPBP3: IIS Protection


Error



n/a


Environment



n/a


Cause



n/a


Solution



The out-of-the-box CSP policies provide significant protection against these attacks. No policy updates are necessary. As soon as the injected code attempts behavior that is not normal for the program it was injected into, CSP blocks that behavior. Since the goal of most attacks is to use the program's privileges in unauthorized ways, most attacks will be blocked. Some specific examples:

 
  • All CSP policies provide tight confinement around the IIS service. Attacks that attempt to modify resources other than the small set of resources required by normal IIS service behavior are blocked.
  • All CSP policies block the IIS service from launching suspicious programs. So if the attack code tries to download and run a Trojan program, it won't be able to launch the Trojan. This is true whether the attack is made via this vulnerability or any other method.
  • All CSP policies block incoming network connections by default, thus preventing access to this vulnerability from remote systems. If inbound network connections are required, the customer must configure the policy to allow specific remote networks to connect. Unknown (and potentially malicious) remote systems would still be blocked.
  • IIS worker processes (w3wp) are confined by the Generic Windows Service Protection. These are somewhat less restrictive than the IIS-specific confinement because the work processes execute arbitrary application code and not IIS-specific code.
 
In addition, the CSP policies block other services from modifying the IIS content directories. (This is due to the standard CSP policy controls that only allow services access to the resources they need to do their jobs.) Thus, if attackers find vulnerabilities in other Windows Services that would allow them to add or modify files in the IIS content directories, the CSP policies would block those changes.
 
By default the CSP policies allow services read access to most of the file system. To protect against information disclosure vulnerabilities, customers can configure the policy so the IIS programs cannot even read certain files or folders. This would be appropriate for sensitive areas of the file system that are not normally accessed by the programs and would further limit the damage that information disclosure attacks could cause.




Article URL http://www.symantec.com/docs/TECH152822


Terms of use for this information are found in Legal Notices