Document: Module 6: Securing File System Data (ppt)


Document information

Contents

Overview 1
Lesson: Overview of Securing Files 2
Lesson: Windows Access Control 6
Lesson: Creating ACLs Programmatically 19
Lesson: Protecting ASP.NET Web Application Files 27
Review 38
Lab 6: Securing Files with ACLs 39

Module 6: Securing File System Data

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

This module provides students with an explanation of how to manage user input in a secure way. The methods for checking user input, and a discussion of the consequences of not performing those checks, are the focus of this module. After completing this module, students will be able to secure their Web applications by validating user input.

After completing this module, students will be able to:
- Identify the reasons for securing the Web application implementation files.
- Describe how Microsoft® Windows® access control mechanisms are used to protect file system data.
- Set ACLs on files and folders by using a script.
- Use Microsoft ASP.NET Web.config files to restrict access to files in an ASP.NET Web application.

Presentation: 90 minutes
Lab: 30 minutes

Required materials

To teach this module, you need the following materials:
- Microsoft® PowerPoint® file 2300A_06.ppt
- HTML and Flash animation files: 2300A_06_A05_1664.htm, 2300A_06_A05_1664.swf

Preparation tasks

To prepare for this module:
- Read all of the materials for this module.
- Complete the lab.
- Practice the steps for the demonstrations.
- Read Chapter 3, “Windows 2000 Security Overview,” in Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard (Redmond, Microsoft Press®), 2000.
- Read the article, “Access Control Model,” which is available at http://www.microsoft.com/windows2000/techinfo/reskit/en/distrib/dsce_ctl_mfxc.htm.
- Read the Microsoft MSDN® article, “HOWTO: Control Access to a Windows NT, Windows 2000, and Windows XP Service,” which is available at http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q180116&.
- Read the MSDN article, “Setting User Security,” which is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/us_sec_8ozd.asp.
- Read the TechNet article, “Default Access Control Settings in Windows 2000,” which is available at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/security/secdefs.asp.
- Read the TechNet article, “Working with Access Control Lists,” which is available at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/reskit/prdd_sec_jynl.asp.

How to Teach This Module

This section contains information that will help you to teach this module.

Lesson: Overview of Securing Files

This section describes the instructional methods for teaching each topic in this lesson.

Why Are Web Application Implementation Files Attacked?
Discuss the weaknesses in a system that lead to attacks on Web application implementation files.

How to Protect Web Application Implementation Files
This topic briefly covers security settings that are configured in the Microsoft Windows® operating system, in Internet Information Services (IIS), and within a Web application in the Web.config file. Do not go into the details of security settings with this topic.

Lesson: Windows Access Control

This section describes the instructional methods for teaching each topic in this lesson.

Overview of a Security Descriptor
While explaining the elements of security descriptors, such as security identifiers (SIDs) and Access Control Entries (ACEs), tell students that each element has a structure and Application Programming Interfaces (APIs) associated with it. Open Microsoft Visual Studio® .NET Help and look for the “Access Control” topic. Step through each element and show the structure and APIs associated with each element.

Multimedia: Security Descriptors
This multimedia presentation describes the elements of a security descriptor. The Windows operating system protects securable resources from unauthorized access by employing discretionary access control, which is implemented through discretionary access control lists (DACLs).

Setting File ACLs
Tell students that the terms DACLs and access control lists (ACLs) are usually used interchangeably.

Best Practices
This topic covers the best practices that can be used for securing Web application files.

Instructor-Led Practice: Viewing and Setting ACLs on a File
Some parts of this practice are performed only by the instructor, and some parts are performed by students along with the instructor. Make sure that your pace is slow when students are performing the steps along with you so that they are able to understand the procedure and perform the steps.

Lesson: Creating ACLs Programmatically

This section describes the instructional methods for teaching each topic in this lesson. This lesson can be introduced by asking students how to move an ACL-secured Web application from one computer to another (for example, from a development computer to a test or production computer). Try to move the discussion toward using automated methods for setting ACLs.

Using Cacls.exe to Set ACLs
When explaining the syntax of Cacls.exe, open the command prompt window, type the command c:\Cacls ManualAcl.htm, and show the output to the class.

Overview of WMI
Windows Management Instrumentation (WMI) is a management infrastructure in Microsoft Windows 2000 that supports monitoring and controlling system resources through a common set of interfaces. WMI provides a logically organized, consistent model of Windows operation, configuration, and status. WMI is a common programmatic interface that can be used for managing the configuration of and the querying of computers, devices, and subsystems. WMI can also be used to configure many different software components, including IIS settings, file system settings and attributes, security settings, and the Active Directory® directory service.

Using WMI to Set ACLs
Open Visual Studio .NET Help. Search for “Win32_Account” and show the students the WMI structures for all of the relevant security descriptor elements. Read Chapter 3, “Windows 2000 Security Overview,” in Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard (Redmond, Microsoft Press®), 2000. For more information about WMI, read Chapter 5, “WMI Security,” in Windows Management Instrumentation by Matthew Levy and Ashley Meggitt (Indianapolis, New Riders press), 2002.

Demonstration: Setting ACLs Using WMI
Use this demonstration to show the students how to create a Microsoft Visual Basic®, Scripting Edition (VBScript) file that can be used to add ACLs to a file.

Lesson: Protecting ASP.NET Web Application Files

This section describes the instructional methods for teaching each topic in this lesson.

Overview of the .config Files
Use Windows Explorer and browse to the Machine.config file to show students where the file is located. Also, open Visual Studio .NET Help and show the students the Help information available for the System.Configuration namespace.

ASP.NET Request Processing
Open the Machine.config file and step through the entries in the HttpHandlers and HttpModules sections.

The HttpForbiddenHandler Class
Open the Machine.config file and step through the HttpForbiddenHandler entries. Using the Microsoft .NET Framework IL Disassembler (ILDASM), show the students the implementation for the HttpForbiddenHandler class.

Demonstration: Using the HttpForbiddenHandler Class
Perform the steps for IIS configuration for the students. Use this demonstration to show students how to create a VBScript file that can be used to add ACLs to a file.

Lab 6: Securing Files with ACLs
In this lab, students will secure ASP Web application files by using ACLs. Students will also configure and secure Microsoft ASP.NET Web applications by using the <authorization> configuration element in a Web.config file.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup

To complete this lab, students can either continue working in the Tailspin Toys Visual Studio .NET projects that they have already created, or they can start with new files. Students must also create a local Windows 2000 user account named WebUser.

Create the Web applications for the ASP exercises:
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab06\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab06\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.

Create the Web applications for the ASP.NET exercises:
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab06\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET.
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab06\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.NET.

Configure IIS authentication:
1. Run the IIS administrative tool.
2. Expand the computer node and the Default Web Site node in the tree.
3. Right-click the TailspinToysAdmin virtual directory, and click Properties.
4. Click Directory Security.
5. In the Anonymous access and authentication control group, click Edit.
6. Clear the Anonymous access check box.
7. Click OK twice to save your changes.
8. Right-click the TailspinToysAdmin.NET virtual directory, and click Properties.
9. Click Directory Security.
10. In the Anonymous access and authentication control group, click Edit.
11. Clear the Anonymous access check box.
12. Click OK twice to save your changes.

Lab Results

Performing the lab in this module introduces the following configuration changes:
- Adds a new local system user named WebUser
- Modifies the DACL on the TailspinToysAdmin\Private folder
- Adds a <location path="Private"> section to the TailspinToysAdmin.NET project

Overview

- Overview of Securing Files
- Windows Access Control
- Creating ACLs Programmatically
- Protecting ASP.NET Web Application Files

Introduction
A Web application consists of files and folders that contain two types of data: Web application data and data that is related to the implementation details of the Web application. The Web application data includes files and folders that are used to display information to users and to process user requests. The implementation files and folders contain source code and other configuration details about the Web application. It is important to secure both the Web application data and the implementation data. In this module, you will learn how to protect file system data that is a part of a Web application. The two important security mechanisms that are covered in this module are using access control lists (ACLs) and using configuration files.

After completing this module, you will be able to:
- Identify the reasons for securing the Web application implementation files.
- Describe how Microsoft® Windows® access control mechanisms are used to protect file system data.
- Set ACLs on files and folders by using a script.
- Use Microsoft ASP.NET Web.config files to restrict access to files in an ASP.NET Web application.
Lesson: Overview of Securing Files

- Why Are Web Application Implementation Files Attacked?
- How to Protect Web Application Implementation Files

Introduction
Web application implementation files contain useful information about the Web application, and therefore it is important to secure these files from any type of attack. One of the techniques that can be used for securing these implementation files is to restrict access to them. In this lesson, you will learn about the types of attacks that can occur on implementation files.

Lesson objectives
After completing this lesson, you will be able to:
- Describe the types of attacks that occur on Web application implementation files.
- Describe the types of file security that are available for Web application implementation files.

[...] disallowed are accessible through IIS by default. If you add any new file types (for example, .inc files) to your Web application, you must ensure that those file types are configured to be secured in IIS.

How to Protect Web Application Implementation Files (page 5)
- File and folder ACLs
- IIS security
- Use Windows file security to set ACLs on the pages and folders within a [...]

[...] architecture. This implementation source code may also describe database structures. Source code may also contain database connection strings, trusted user names and passwords, and other configuration data that can be useful to an attacker.

Accessing implementation files (page 4)
Web application implementation files can become available to an attacker through a variety of [...]

File permissions (partial)
- [...] extended attributes of the file or folder. Extended attributes vary by file type.
- Create Files / Write Data: The right to write data to the file. For a folder, the right to add files and subfolders to the folder.
- Create Folders / Append Data: The right to append data to the file. For a folder, the right to add subfolders.
- Write Attributes: The right to modify the attributes of the file or folder. Attributes include [...]

[...] owner of the object.

Best Practices (page 16)
File type: ACL settings
- Scripts (.asp, .aspx): Everyone (RX); Administrators (Full Control); System (Full Control)
- Include files (.inc, .shtm, .shtml): Everyone (RX); Administrators (Full Control); System (Full Control)
- Static content (.htm, .txt, .gif, .jpg): Everyone (R); Administrators (Full Control); System (Full Control)
[...]

Demonstration steps (page 26, partial)
[...] C:\InetPub\wwwroot\2300Demos\Mod06\ScriptAcl.htm file.
3. Close the SetAcl.vbs file.

View security descriptors of the ScriptAcl.htm file:
1. Right-click the C:\InetPub\wwwroot\2300Demos\Mod06\ScriptAcl.htm file, and then click Properties.
2. Click Security. Notice that the LONDON\DemoUser user has no individual rights on the file.
3. Click OK to close the Properties dialog box.

Run the SetAcl.vbs [...]
[...] SetAcl.vbs file in Windows Explorer to run it. Wait for the Operation Successful! message box.

View security descriptors of the ScriptAcl.htm file again:
1. Right-click the C:\InetPub\wwwroot\2300Demos\Mod06\ScriptAcl.htm file, and then click Properties.
2. Click Security. The LONDON\DemoUser now has Full Control on the file.

Lesson: Protecting ASP.NET Web Application Files (page 27)
[...] to use the configuration files to secure Web application data.

Lesson objectives
After completing this lesson, you will be able to:
- Describe the configuration files, Web.config and Machine.config.
- Describe how ASP.NET responds to a request.
- Describe how the HttpForbiddenHandler class can be used to secure files.

Overview of the .config Files (page 28)
- ASP.NET Web applications [...]

[...] a file.
- Define best practices for the security settings for common Web application file types.

Overview of a Security Descriptor (page 7)
[Figure: a securable object and its security descriptor. The security descriptor contains an Owner SID, a Group SID, a DACL (shown with ACCESS_DENIED_ACE entries followed by ACCESS_ALLOWED_ACE entries) and a SACL (shown with SYSTEM_AUDIT_ACE entries).]

[...] ACLs on files and folders.
- Use the WMI object for setting ACLs programmatically.

Using Cacls.exe to Set ACLs (page 20)
- Console application for viewing and editing a DACL
- Syntax:
  Cacls filename [/T] [/E] [/C] [/G user:perm] [/R user] [/P user:perm] [/D user]
- Limitations
  - Edits ACLs for files and [...]
[...] editing SACLs. Cacls.exe edits only the DACL for a file or folder.

Overview of WMI (page 22)
- Windows Management Instrumentation
  - Is a common interface for managing computers, devices, and subsystems
  - Can be used to configure IIS, file settings, security settings, and Active Directory
- Programmatic access
  - WMI COM interfaces
  - System.Management namespace in .NET
  - Query-based [...]
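The security descriptor overview (owner SID, group SID, a DACL of ACCESS_DENIED_ACE and ACCESS_ALLOWED_ACE entries, a SACL of SYSTEM_AUDIT_ACE entries) and the Best Practices table describe the structures but not how Windows evaluates them at access time. The following Python model is an added example written for this page; it is not part of the Microsoft course, its lab files or the Windows API. It implements the documented DACL walk (deny-before-allow order, rights accumulated from allow ACEs until the request is satisfied) and applies the table's Everyone/Administrators/System settings. It deliberately leaves out owner-implicit rights, privileges and inheritance; the access-mask values and well-known SIDs are the real winnt.h constants, while the S-1-5-21-0-0-0-* SIDs of the sample tokens are placeholders.

```python
"""Added model of the Windows DACL/SACL evaluation described in this module.

A security descriptor carries an owner SID, a group SID, a DACL of
ACCESS_DENIED_ACE / ACCESS_ALLOWED_ACE entries and a SACL of SYSTEM_AUDIT_ACE
entries. The check walks the DACL in order: a deny ACE matching any right
still outstanding fails the request; allow ACEs accumulate rights until the
request is satisfied. Owner-implicit rights, privileges and inheritance are
left out (a simplification, not the full kernel algorithm).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# File access-mask bits and generic mappings (values from winnt.h).
FILE_READ_DATA, FILE_EXECUTE, FILE_WRITE_DATA = 0x0001, 0x0020, 0x0002
FILE_READ_EA, FILE_READ_ATTRIBUTES = 0x0008, 0x0080
READ_CONTROL, SYNCHRONIZE, FILE_ALL_ACCESS = 0x00020000, 0x00100000, 0x001F01FF
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
# The cacls.exe permission letters used in the Best Practices table.
CACLS_PERM = {"R": FILE_GENERIC_READ, "RX": FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, "F": FILE_ALL_ACCESS}

# Well-known SIDs for the principals in that table.
EVERYONE, ADMINISTRATORS, SYSTEM = "S-1-1-0", "S-1-5-32-544", "S-1-5-18"

ACCESS_ALLOWED, ACCESS_DENIED, SYSTEM_AUDIT = "ACCESS_ALLOWED_ACE", "ACCESS_DENIED_ACE", "SYSTEM_AUDIT_ACE"
SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG = 0x40, 0x80  # SACL ACE flags (winnt.h)


@dataclass
class Ace:
    ace_type: str
    sid: str
    mask: int
    flags: int = 0  # only used to select success/failure auditing on SYSTEM_AUDIT_ACE


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[List[Ace]]  # None models a NULL DACL; [] models an empty DACL
    sacl: List[Ace] = field(default_factory=list)


@dataclass
class Token:
    user: str
    groups: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups


def best_practice_dacl(file_type: str) -> List[Ace]:
    """One row of the Best Practices table: Everyone gets RX for scripts and
    include files and R for static content; Administrators and System get Full Control."""
    everyone = "R" if file_type == "static" else "RX"
    return [Ace(ACCESS_ALLOWED, EVERYONE, CACLS_PERM[everyone]),
            Ace(ACCESS_ALLOWED, ADMINISTRATORS, CACLS_PERM["F"]),
            Ace(ACCESS_ALLOWED, SYSTEM, CACLS_PERM["F"])]


def is_canonical(dacl: Optional[List[Ace]]) -> bool:
    """Deny ACEs must precede allow ACEs (the order the figure shows); otherwise
    an allow ACE can satisfy a request before the deny ACE is ever reached."""
    seen_allow = False
    for ace in dacl or []:
        seen_allow = seen_allow or ace.ace_type == ACCESS_ALLOWED
        if ace.ace_type == ACCESS_DENIED and seen_allow:
            return False
    return True


def access_check(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """True if the token is granted every bit of `requested`."""
    if sd.dacl is None:        # NULL DACL: no protection, everything is granted
        return True
    remaining = requested
    for ace in sd.dacl:        # an empty DACL grants nothing
        if not token.holds(ace.sid):
            continue
        if ace.ace_type == ACCESS_DENIED and ace.mask & remaining:
            return False       # a deny on any outstanding right ends the check
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def audit_entries(sd: SecurityDescriptor, token: Token, requested: int, granted: bool) -> List[Ace]:
    """SYSTEM_AUDIT_ACEs in the SACL that would emit an audit record for this outcome."""
    wanted = SUCCESSFUL_ACCESS_ACE_FLAG if granted else FAILED_ACCESS_ACE_FLAG
    return [a for a in sd.sacl if a.ace_type == SYSTEM_AUDIT and token.holds(a.sid)
            and a.flags & wanted and a.mask & requested]


# Constructed sample tokens; the S-1-5-21-0-0-0-* machine prefix is a placeholder.
WEB_USER = Token("S-1-5-21-0-0-0-1001", frozenset({EVERYONE}))
ADMIN = Token("S-1-5-21-0-0-0-500", frozenset({EVERYONE, ADMINISTRATORS}))


def demo() -> dict:
    """Check a script file secured as the Best Practices table suggests, with a
    SACL entry that audits failed write attempts by anyone."""
    script = SecurityDescriptor(ADMINISTRATORS, SYSTEM, best_practice_dacl("script"),
                                sacl=[Ace(SYSTEM_AUDIT, EVERYONE, FILE_WRITE_DATA, FAILED_ACCESS_ACE_FLAG)])
    write_granted = access_check(script, WEB_USER, FILE_WRITE_DATA)
    return {"web_user_can_read_and_execute": access_check(script, WEB_USER, FILE_READ_DATA | FILE_EXECUTE),
            "web_user_can_write": write_granted,
            "admin_can_write": access_check(script, ADMIN, FILE_WRITE_DATA),
            "failed_write_audited": len(audit_entries(script, WEB_USER, FILE_WRITE_DATA, write_granted))}


if __name__ == "__main__":
    print(demo())
```

Two points worth checking against the model: a NULL DACL is not the same as an empty DACL (the first grants everyone everything, the second grants nothing), and a deny ACE placed after an allow ACE for the same trustee is silently ineffective, which is why tools that write DACLs keep the canonical deny-before-allow order the figure shows.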

Posted: 17/01/2014, 08:20
