Considerations for IIS Authentication

March 4th, 2002

NGSSoftware Insight Security Research Advisory

Name: Considerations for IIS Authentication

Systems Affected: Microsoft IIS 4/5/5.1

Platforms: Windows NT/2000/XP

Severity: Low/Medium Risk

Vendor URL: http://www.microsoft.com/

Author: David Litchfield (david@nextgenss.com)

Date: 4th March 2002

Advisory number: #NISR04032002

Advisory URL:

http://www.nextgenss.com/advisories/iisauth.txt

Issue: Information leakage and brute force attacks on

user accounts is possible.

Description

***********

Microsoft’s Internet Information Server offers web, ftp, mail and nntp services. It is possible to force the web service to authenticate a user even if anonymous access is allowed to the resource being requested. This may open three low risk vulnerabilities on the server - two problems with information leakage and the possibility to perform brute force attacks against system user accounts.

Details

*******

IIS supports anonymous access, Basic authentication and Integrated Windows authentication using NTLM. By making a request to the web server offering credentials the web server will attempt to authenticate the user. If authentication fails the server responds with a 401 Access Denied message. Depending upon what forms of authentication have been disabled or left enabled different actions can be performed.

To ascertain if the server supports Basic Authentication one would make a request with the following Authorization header:

GET / HTTP/1.1

Host: iis-server

Authorization: Basic cTFraTk6ZDA5a2xt

If the server responds with a 401 Access Denied response then Basic auth is enabled. If the server responds with a 200 OK then this means one of two things - the server does not support Basic auth (the most likely) or there is a system account on the server called “q1ki9″ with a password of “d09klm” (most unlikely!).

To ascertain if the server supports NTLM Authentication one would make a request with the following Authorization header:

GET / HTTP/1.1

Host: iis-server

Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

Again if the server responds with a 401 Access Denied message then the server supports NTLM auth. If a 200 OK response is returned then the server does not support Integrated Windows authentication.

Provided at least one authentication method is supported an attacker can mount a brute force attack against system accounts. More than likely the default “administrator” account would be the target as normally this account can’t be locked out and is highly privileged.

In terms of information leakage, if Basic auth is supported when making a request whatever is entered in the client Host HTTP header is used as the Realm. The Realm information is served by the server to the client so the client can tell when it should or shouldn’t present authentication credentials. If the Host header field is left blank the server will, by default, use its IP address as the Realm. If the server is protected by a firewall that employs Network Address Translation and has a private IP address such as 10.x.x.x then this will be returned to the client. This information can aid an attacker when formulating other attacks.

If NTLM authentication is supported then it is possible to discover the NetBIOS name of the server and the Windows NT domain it resides in. This information is returned as Base64 encoded text in response to a client Authorization request.

Fix Information

***************

If the server is intended for public use then it may be possible to simply disable both Basic and Integrated Windows authentication. Sites that use forms based logins, for example when users are authenticated against a database, and track logged in users with cookies will be able to disable these authentication methods. Doing this will prevent such attacks.

If Basic or Integrated Windows authentication are required then it is possible to mitigate the risk.

Setting account lockout will help minimize the risk of successful brute force attacks. Using the “passprop” utility it is possible to enable account lockout for the default “administrator” account.

One should also seriously consider renaming this administrator account if this has not already been done.

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to

c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands

adsutil set w3svc/UseHostName True

net stop iisadmin /y

net start w3svc

This will cause the IIS server to use the machine’s host name rather than its IP address.

Vendor Status

*************

Microsoft was informed of this but didn’t consider it to be a problem.

Section Navigation


SC Awards 2008


SC Magazine Awards 2008

NGSSoftware wins 'Best Security Company'.

ITA 2008


2008 International Trade Awards

NGSSoftware named as South-East England regional winners at the 2008 International Trade Awards.

SLBA 2008


South London Business Awards 2008

David Litchfield named as 'Entrepreneur of the Year' at the South London Business Awards 2008.

Latest Vacancies

Experienced CLAS consultant

NGSSoftware are seeking an experienced CLAS consultant capable of writing Security Targets and Evaluation Work Plans for CTAS.

Please send us your CV or resume.

NGS Offices

NGS have offices located in London & St Andrews (UK) and Sydney (Australia).

NGS Consulting

Why do companies around the world – and around the corner – turn to NGS?

Discover what we could do for your business »

NGS Security Training

Find out why we have provided training to some of the world's most security conscious organisations.

Learn from the best!

Speaking Events

We regularly present and speak at international security conferences throughout the world.

OWASP AppSec Europe 2008

AusCERT 2008

ITWeb Security Summit

Customer Testimonials

Read what some of our satisfied customers are saying about us.

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls


CHECK