
I have IIS6 and IIS7 servers under my management.

All my application pools are running under a custom account which is a member of IIS_IUSRS.

Some of the websites on the web server were hacked and malicious ASP.NET files were uploaded to the server.

Those files were used to act as a medium between the attacker and the OS to execute code.

I have noticed that the user under which the application pool was running was able to list all the directories of my server and was actually a part of "Authenticated users" and hence "users" group which by default have permissions to execute files/create folders etc.

The hackers were able, using the application pool credentials, to be authenticated as an authenticated user, and since Authenticated Users is part of the Users group, they were able to do what they wanted.

You can easily recreate the issue by using Process Explorer to view a worker process's security groups.

My Questions are:

  1. How should I correctly secure my server if I want to run the application pool as a custom user and not as the built-in application pool identity? (The reason I need to is because I'm using the WebsitePanel management software.)
  2. Is something wrong in my config or is it possible that on every MS server that uses custom user as the identity and has some security flaw in the website, a hacker can cause havoc to the entire server ?
Avi
  • Is the custom user part of a Windows domain? If yes, then is it working with list privileges? How did this user get write access? I suggest doing penetration testing. – Amit Jan 07 '15 at 12:16
  • The user is a local account created by the WebsitePanel software. It is assigned only to the IIS_IUSRS group. – Avi Jan 07 '15 at 12:29
  • This question is difficult to answer in one shot. There might be loopholes at several places. – Amit Jan 07 '15 at 12:59
  • It's really easy to recreate though: a default Windows 2008 install with a default IIS setup and a custom user as the identity, and you can see the issue. What do you mean by loopholes? – Avi Jan 08 '15 at 13:50
  • Is your system for the internet or for an intranet? If for the internet, then are you exposing some kind of cPanel to users to manage their sites? Please specify the purpose of the current implementation. – Amit Jan 08 '15 at 16:56
  • We use WebsitePanel in our company for developers to create the websites in IIS. The WebsitePanel software creates the user in the Windows accounts and assigns the application pool identity to that user. I can create the user myself manually without WebsitePanel and I still experience the same issue, so the WebsitePanel software is irrelevant. As I said, you can check it on a clean Windows server installed with just IIS (no WebsitePanel). – Avi Jan 09 '15 at 17:04
  • Got your point. But as you are using this within the organization, why is it not exposed as an intranet rather than to the internet? – Amit Jan 10 '15 at 14:23
  • The cPanel management is exposed to our offices alone. The websites that are created are internet websites, so they are exposed to the world. The servers are hosted at a hosting provider (our ISP). – Avi Jan 11 '15 at 10:48
  • I am not sure why this setup is like this. For distributed offices you can set up a WAN network. Exposing to the internet without intending to do so will be risky. Do you have SSL at least for the cPanel? Check if your website allows anonymous authentication. Check the feasibility of switching to Windows authentication. – Amit Jan 11 '15 at 14:28
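As an added example (not code from the question or from WebsitePanel), here is a PowerShell script that does the check the question describes from the ACL side: it walks a site's content tree and reports every directory where BUILTIN\Users, Authenticated Users or Everyone (the groups the custom pool identity carries in its token) are allowed to create or change files, and it carries a hardening function that drops the inherited drive-wide ACEs and leaves the pool account with read and execute only. The site path and the pool account name are assumptions; adjust them to your server.

```powershell
# Added example, not part of the original question: audit a site's content tree
# for ACEs that give BUILTIN\Users / Authenticated Users / Everyone write or create
# rights (the rights the pool identity inherits through its token groups), then cut
# the tree over to "pool account read-only". Paths and account names are assumptions.
param(
    [string]$SitePath     = 'C:\inetpub\wwwroot\example-site',     # assumed path
    [string]$PoolIdentity = "$env:COMPUTERNAME\example_pool_user"  # assumed local account
)

# Principals every authenticated logon token carries, directly or via BUILTIN\Users.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Bits that allow creating or changing content. Write (0x116) covers CreateFiles,
# CreateDirectories, WriteAttributes and WriteExtendedAttributes; the explicit hex
# values are Delete, ChangePermissions, TakeOwnership, GENERIC_ALL and GENERIC_WRITE.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Find-BroadWriteAccess {
    param([string]$Path)
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $WriteMask)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-PoolOnlyAccess {
    param([string]$Path, [string]$Identity)
    # Stop inheriting the drive-wide Users/Authenticated Users ACEs, keep Administrators
    # and SYSTEM at full control, and give the pool account read+execute only.
    icacls $Path /inheritance:r
    icacls $Path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
    icacls $Path /grant:r "$($Identity):(OI)(CI)RX"
    # A folder that genuinely needs uploads gets Modify on that folder alone, e.g.:
    # icacls "$Path\App_Data" /grant "$($Identity):(OI)(CI)M"
}

Find-BroadWriteAccess -Path $SitePath | Format-Table -AutoSize
# Review the report, then harden:  Set-PoolOnlyAccess -Path $SitePath -Identity $PoolIdentity
```

Run the audit first and keep the output: the rows marked Inherited come from the default ACL on the drive root, which is why a freshly installed server shows the behaviour the question describes.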
