Category Archives: IIS

MS KB2871997: Update to Improve Credentials Protection and Management

Nessus Output:

Description
The remote host is missing one or more of the following Microsoft updates: KB2871997, KB2973351, KB2975625, KB2982378, KB2984972, KB2984976, KB2984981, KB2973501, or KB3126593. 
These updates are needed to improve the protection against possible credential theft.
- For Windows 7 / 2008 R2 :
KB2984972, KB2871997, KB2982378, and KB2973351 are required; also, KB2984976 (if KB2592687 is installed) or KB2984981 (if KB2830477 is installed).
- For Windows 8 / 2012 :
KB2973501, KB2871997, and KB2973351 are required.
- For Windows 8.1 / 2012 R2 :
KB2973351 (if Update 1 is installed) or KB2975625 (if Update 1 isn't installed).
These updates provide additional protection for the Local Security Authority (LSA), add a restricted administrative mode for Credential Security Support Provider (CredSSP), 
introduce support for the protected account-restricted domain user category, enforce stricter authentication policies, add additional protection for users' credentials, and add a restricted administrative mode for Remote Desktop Connection and Remote Desktop Protocol.
Solution
Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.

Output
A required registry setting is missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0
More information: https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/

Continue reading →

Disable TSLv1.0 (Windows)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

SSL Version 2 and 3 Protocol Detection

Nessus Output:

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. 
An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, 
any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.

Solution
Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.

Continue reading →

Disable SSLv3 (Windows)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Disable SSLv2 (Windows)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure ‘deployment method retail’ is set

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure AES 256/256 Cipher Suite is enabled (Scored)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure AES 128/128 Cipher Suite is configured

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure Triple DES Cipher Suite is configured

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure RC4 Cipher Suites is disabled

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure RC2 Cipher Suites is disabled

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure DES Cipher Suites is disabled

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure NULL Cipher Suites is disabled

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure ‘directory browsing’ is set to disabled

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Ensure ‘host headers’ are on all sites

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

IIS version condition check for Nessus Audit file

Objective

Target your Nessus Auditfile checks to a specific version of IIS.

Continue reading →

Ensure web content is on non-system partition

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

Remove the X-AspNetMvc-Version HTTP header

Objective

Remove the X-AspNetMvc-Version HTTP header

Continue reading →

Remove the X-Powered-By HTTP header

Objective

Remove the X-Powered-By HTTP header

Continue reading →

Remove the X-Aspnet-Version HTTP header

Objective

Remove the X-Aspnet-Version HTTP header

Continue reading →

Missing or Permissive Content-Security-Policy HTTP Response Header

Nessus Output

Synopsis :

The remote web server does not take steps to mitigate a class of web
application vulnerabilities.

Description :

The remote web server in some responses sets a permissive
Content-Security-Policy (CSP) response header or does not set one at
all.

The CSP header has been proposed by the W3C Web Application Security
Working Group as a way to mitigate cross-site scripting and
clickjacking attacks.

Continue reading →

Nonexistent Page (404) Physical Path Disclosure

Nessus Output

The remote web server reveals the physical path of the webroot when a
nonexistent page is requested.

While printing errors to the output is useful for debugging
applications, this feature should be disabled on production servers.

Continue reading →

Web Server HTTP Header Internal IP Disclosure

Nikto Output

OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://<ipaddress>/images/".

Continue reading →

No Custom Errors implemented

Often, during a penetration test on web applications, we come up against many error codes generated from applications or web servers. It’s possible to cause these errors to be displayed by using a particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.

Continue reading →

ASP.NET DEBUG enabled

Nikto Output

DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.

Continue reading →

Excessive headers

You probably gonna find this issue in your manual browsing and spidering phase of your assessment and when performing the Fingerprint Web Server (Passive) and Fingerprint Web Server (Active) Tests.

Continue reading →

The X-Content-Type-Options header is not set

Nikto Output

The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

Continue reading →

The X-XSS-Protection header is not defined

Nikto Output

The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

Continue reading →

The site uses SSL and the Strict-Transport-Security HTTP header is not defined

Nikto output

The site uses SSL and the Strict-Transport-Security HTTP header is not defined

Continue reading →

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output

Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.

Continue reading →

Audit XML configuration files

A quick example to query a xml config file to retrieve a specific security setting

Powershell:

Select-Xml -path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config -XPath "/configuration/system.web/membership/providers/add" | 
Select-Object -ExpandProperty node | 
Select-Object passwordFormat
 
passwordFormat
--------------
Hashed

Hardening IIS

Best practices and references used for hardening IIS.

Continue reading →