ch16.htm

Maximum Security (First Edition) 网络安全 英文版

</BLOCKQUOTE>

<PRE></PRE>
<H4><FONT COLOR="#000077"><B>The Microsoft FrontPage Web Server Hole</B></FONT></H4>
<P>Microsoft FrontPage is recognized as one of the best tools for designing WWW pages.
Coupled with Microsoft's Image Composer, FrontPage provides the average user with
a total Web solution. Moreover, the product distribution includes a personal Web
server. This utility serves Web pages directly from your home or office machine (without
requiring the use of an intermediate UNIX server). Thus, files and pages can be kept
local.</P>
<P>Unfortunately, early versions of Microsoft's FrontPage Web server were distributed
with a Practical Extraction and Report Language interpreter (<TT>PERL.exe</TT>).
If this is placed in the <TT>/cgi-bin/</TT> directory, a massive security hole develops.
It allows any remote user to execute arbitrary commands on your local machine.</P>
<P>I would not have mentioned this here, except that older demo versions of FrontPage
may surface in places other than the Microsoft home page. This is not unreasonable.
There are still early versions of Microsoft Internet Explorer circulating on demo
CD-ROMs from magazines and such.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For more information
	about this hole, check out Microsoft's Web site at <A HREF="http://www.microsoft.com"><TT>http://www.microsoft.com</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>The O'Reilly WebSite Server Hole</B></FONT></H4>
<P>O'Reilly's WebSite Server for Windows NT/95 version 1 had a hole. If you have
this Web server loaded on your machine, disable the DOS CGI interface. If the DOS
CGI interface is enabled, it allows files with a <TT>*.BAT</TT> command extension
to be executed. Through this hole, crackers can execute arbitrary commands on your
machine from a remote location (for example, they could effectively delete the contents
of your hard disk drive). The fix as reported by ORA is as follows:

<DL>
	<DD>Open the server's property sheet (server admin) and select the Mapping tab. Select
	the DOS CGI mapping list. Remove all entries. Close the property sheet.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from ORA's WebSite security alert at <A HREF="http://website.ora.com/devcorner/secalert1.html"><TT>http://website.ora.com/devcorner/secalert1.html</TT></A><TT>.
	03/96</TT>. Also, there is a sample CGI application, <TT>win-c-sample.exe</TT>, that
	shipped with version 1.0. This application is vulnerable to a buffer-overflow attack.
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Because no one seems
	to give credit to the individual who discovered the buffer overflow hole, it seems
	right that I do so. To the best of my knowledge, this hole was identified by a hacker
	going by the handle <I>Solar Designer</I>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For more information
	about holes in O'Reilly's WebSite Server, check out <A HREF="http://website.ora.com/justfacts/facts.html"><TT>http://website.ora.com/justfacts/facts.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>The Microsoft Internet Security Framework</B></FONT></H2>
<P>On December 20, 1996, Microsoft unveiled a white paper titled &quot;The Microsoft
Internet Security Framework: Technology for Secure Communication, Access Control,
and Commerce.&quot; In this paper, the company describes various aspects of its Internet
security plan. This new conglomeration of technologies has been dubbed the <I>MISF</I>.</P>
<P>MISF purportedly will integrate a series of technologies into Microsoft products,
thus making them secure for Internet use. I briefly discussed one of these technologies
earlier in this book: the certificate signature scheme for ActiveX controls (or in
fact, any code that you specify). It revolves around a technology called <I>Authenticode</I>,
a system whereby developers can digitally sign their applications. It consists of
a series of programs. By using these, the software developer ultimately earns a Software
Publisher's Certificate (SPC), which is used to sign the application. Interestingly,
you can sign the application in different ways: as a provider, a commercial software
developer, or an individual.</P>
<P>This system works effectively only if the signing party is honest. There is no
guarantee that signed code will be safe. Thus, the system actually subjects honest,
upright programmers to additional hassle (nonetheless, I am confident this system
will become exceedingly popular among developers of Microsoft products). However,
there is a darker side to this.</P>
<P>The greatest percentage of falsely signed code (code that is malicious and has
been signed as safe) will likely come from individuals. I suspect that many virus
developers will adopt this system, because it represents a chance to deposit their
code into a largely unwary community (if a control is signed, the average person
will probably download it). Because of this, widespread use of such signatures will
hurt the little guy. Here is why.</P>
<P>Because the technology is new, there have been no instances of signed malicious
code. However, as time passes and signed malicious code surfaces, the average user
will be less likely to download software from new companies or lone software developers
(certainly, the public will be <I>much</I> less likely to download unsigned code).
Moreover, this system may cause even further alienation of foreign developers (more
than once, the sense of alienation experienced by foreign developers has been blamed
for the high number of viruses believed to have originated on foreign soil). Finally,
there is something a bit ominous about having to provide a public key to engage in
commerce as a software developer. What happens to the remaining folks who refuse
to comply with the program? If they suffer in the market for lack of compliance,
antitrust issues may develop (particularly if this becomes the only accepted method
of okaying software).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>In February 1997, members of the
	famed German hacker group known as the Chaos Computer Club used a signed application
	to demonstrate the weakness of the Microsoft platform and of application signing
	generally. On national television, they used this application to gain unauthorized
	access to a personal computer, start an instance of Quicken, connect to the victim's
	online bank account, and transfer money from the victim's account to another. This
	was a crushing blow to the signing model. I explain this in further detail in Chapter
	30, &quot;Language, Extensions, and Security.&quot; 
<HR>


</BLOCKQUOTE>

<P>In any event, Microsoft is at least going in the right direction. Public and private
key encryption schemes are among the most secure today. Moreover, the new technologies
presented within Microsoft's white paper about MISF suggest that Microsoft is quite
serious about solutions in Internet security.
<H2><FONT COLOR="#000077"><B>Microsoft Windows NT</B></FONT></H2>
<P>Microsoft Windows NT has a real security model and a good one. The most important
element of that security model concerns access control. Access control is a form
of security most often seen in UNIX-based operating systems. It involves the control
of who can access files, services, and directories. In certain instances, this also
involves times during which this access can occur.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>For basic networking, Novell NetWare
	has always been a fairly secure platform and has long supported access control. This
	does not mean NetWare cannot be cracked (see Chapter 18, &quot;Novell&quot;). However,
	control over file and time access has been an integral part of the Novell NetWare
	security model. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>DAC</B></FONT></H3>
<P>In security vernacular, DAC is generally referred to as <I>discretionary access
control </I>(DAC). DAC involves being able to completely control which files and
resources a user may access at a given time. For example, perhaps only a small portion
of your staff needs to access Microsoft Excel. In the Windows NT security model,
you can deny access to all other users who are unauthorized to use Excel.</P>
<P>In DAC, there are different levels of control. For example, some operating systems
or utilities offer only moderate control (perhaps one system might allow an administrator
to block user access to directories or partitions). This type of control is not really
suitable in large networks, where one or more directories may hold applications or
resources that other programs need in order to execute. The Microsoft Windows platform
is a good example of this. Most applications written for Windows sport multiple file
dependencies. That means the application may need files from different parts of the
system in order to function correctly.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>If you have ever had a bad installation
	of a product intended to run in Windows, you know something about this. The application
	so installed will, when executed, forward a series of error messages, requesting
	files that it cannot locate. In most cases, unless the program locates those files,
	it will not run (or if it does, it will probably GPF or exit on error). 
<HR>


</BLOCKQUOTE>

<P>The degree to which a DAC system can control file and directory access is referred
to in security vernacular as <I>granularity</I>. Granularity is, quite simply, an
index for measuring just how detailed that access control can be. If, for example,
you can choose a directory and restrict access to five files within it to a particular
group but also allow all users to access the remaining ten files in that directory,
then you are dealing with fairly advanced granularity.</P>
<P>DAC is a technology that has trickled down from defense sources. In defense environments,
administrators must be assured that only authorized personnel can access sensitive
data.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For a greater understanding
	about DAC, how it evolved, and what it means in terms of national computer security,
	you should read DoD 5200.28-STD, the <I>Department of Defense Trusted Computer System
	Evaluation Criteria</I> (this publication is more commonly referred to as the <I>Orange
	Book</I>). It can be found at <A HREF="http://www.v-one.com/newpages/obook.html"><TT>http://www.v-one.com/newpages/obook.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>DAC is based on common sense: If crackers do not have access to the files, they
cannot crack the machine. Setting proper file permissions is the first phase of securing
a Windows NT machine. However, in order to do it, you must enable the NTFS option
at time of installation (alas, we must begin at the beginning).</P>
<P>NTFS is the enhanced file system included with the NT distribution. At installation,
you are confronted with the option of installing a FAT file system or an NTFS file
system. There is a sharp difference between the two. The FAT file system will grant
you some security, for you can control user access and authentication. However, for
severely granular control (control over each file and directory), you must convert
the partition to NTFS. This is a point often missed by new system administrators.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>Converting the partition to NTFS
	provides compressive security but is not infallible. For example, a kid sporting
	a Linux boot disk (only certain versions of Linux) can effectively bypass all of
	the file restrictions imposed by the NTFS DAC method (I am quite sure that CS lab
	administrators will be pleased to hear this). Also, this is not the only type of
	boot disk that will perform this task. When a file called <TT>NTFSDOS.EXE</TT>, which
	is being circulated on the Internet, is placed on a DOS or Windows 95 boot disk,
	it allows a cracker to bypass all file restrictions. Until this is fixed, NT will
	never get a higher rating than C2 on the EPL. Only those who rely solely upon Microsoft
	press releases and bug fixes actually believe that out-of-the-box NT is secure. 
<HR>


</BLOCKQUOTE>

<P>As noted, the NTFS security model is not perfect. For example, it is known that
in certain distributions (such as 3.51), users without privileges can delete files.
Microsoft has acknowledged this fact in an advisory. It involves any instance in
which a user creates a file and removes all permissions from it. Technically, that
file should still be untouchable to anyone but its author. However, for reasons not
yet determined, the unauthorized user can delete the file. As noted in a Microsoft
technical article titled &quot;Users Without Permissions Can Delete Files at Server,&quot;:

<DL>
	<DD>[The user] sees My.txt [the file] in the Testdir directory. All the security
	options in File Manager are greyed out with regard to My.txt. He is unable to change
	permissions on the file or take ownership of the fi