
RE: Microsoft Security Advisory MS 03-007

From: Colcord, Aaron <AColcord(at)rwbaird.com>
Date: Tue Mar 18 2003 - 15:20:15 EST


Great Post. Quick Question.

>2. Limit the length of requests (the url and any headers) by setting the
>HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters MaxClientRequestBuffer to something like 16k

I am curious if changing this setting will affect SSL Encryption as it runs under an ISAPI filter. Following the links:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q260694 ->
http://support.microsoft.com/default.aspx?scid=kb;EN-US;255574 ->
http://support.microsoft.com/default.aspx?scid=kb;EN-US;239439. It looks
like it will, but isn't clear. Anyone done any testing on this setting?

Aaron Colcord

-----Original Message-----
From: M. Burnett [mailto:mb@xato.net]
Sent: Monday, March 17, 2003 5:16 PM
To: focus-ms@securityfocus.com
Cc: Douglas R. Wilson
Subject: Re: Microsoft Security Advisory MS 03-007

Setting the permissions on httpext.dll is not the preferred method for disabling WebDAV. Setting the DisableWebDAV registry key (mentioned below) will completely disable the WebDAV capability on IIS. Note that the IIS Lockdown wizard DOES NOT set this registry key, it only uses permissions.

It is, however, best to both set this key and tighten permissions. For permissions, I only allow administrators Write access to the file. That allows for updating the file when installing hotfixes and service packs.

As for this specific vulnerability, the following steps can also help prevent it:

  1. Completely disable WebDAV by setting the HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV registry key to 1
  2. Limit the length of requests (the url and any headers) by setting the HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters MaxClientRequestBuffer to something like 16k
  3. Block the following WebDAV HTTP verbs using URLScan (either by specifically blocking them or by not listing them as allowed): OPTIONS, PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK, OPTIONS, and SEARCH. Note that FrontPage does require the OPTIONS method to work properly.
  4. Block the following WebDAV-related headers using the [DenyHeaders] section of URLScan.ini:

     [DenyHeaders]
     DAV:
     Depth:
     Destination:
     If:
     Label:
     Lock-Token:
     Overwrite:
     TimeOut:
     TimeType:
     DAVTimeOutVal:
     Other:
     Translate:

  5. If you require WebDAV, you can limit the length of each individual header with these entries in the [RequestLimits] section (The exact values are obviously pretty generic and may need to be increased or decreased based on your particular configuration):

     [RequestLimits]
     Max-DAV=250
     Max-Depth=250
     Max-Destination=250
     Max-If=250
     Max-Label=250
     Max-Lock-Token=250
     Max-Overwrite=250
     Max-TimeOut=250
     Max-TimeType=250
     Max-DAVTimeOutVal=250
     Max-Other=250
     Max-Translate=250

Here is the batch file I use to disable WebDAV:

rem Disable WebDAV in the registry (REG_DWORD DisableWebDAV = 1), then
rem restrict httpext.dll so only Administrators can write to it, then restart IIS
@reg add hklm\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters /f /v DisableWebDAV /d 1 /t REG_DWORD
@xcacls %SystemRoot%\Inetsrv\httpext.dll /G:administrators:W
@iisreset /restart

or, if you prefer using security templates, here is my template for disabling WebDAV:

; Disable WebDAV

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Registry Values]
; type 4 = REG_DWORD, value 1
MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV=4,1

[File Security]
; replace the DACL on httpext.dll: only Builtin Administrators (BA) get write access
"%SystemRoot%\system32\inetsrv\httpext.dll",1,"D:PAR(A;OICI;0x100116;;;BA)"


Mark Burnett
www.iissecurity.info

On Mon, 17 Mar 2003 17:02:06 -0500, Douglas R. Wilson wrote:
>I developed this for my work environment -- however, I believe that


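To make the combined effect of steps 2 to 5 concrete, here is an added example (not from this thread, and not IIS or URLScan code) that models those rules in Python and runs them over constructed requests; the buffer size, verb list, header list and 250-byte header limit are taken from the post, the sample requests and hostnames are made up.

```python
# Added example, not from the thread or from IIS/URLScan: a small model of the
# request filtering that steps 2-5 above produce, run over constructed requests.
MAX_CLIENT_REQUEST_BUFFER = 16 * 1024   # step 2: MaxClientRequestBuffer 16k
MAX_HEADER_LEN = 250                    # step 5: Max-<header>=250 if WebDAV kept
# Step 3: WebDAV verbs dropped via URLScan (OPTIONS included; FrontPage needs it)
DENY_VERBS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
              "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Step 4: [DenyHeaders] names, compared case-insensitively
DENY_HEADERS = {"dav", "depth", "destination", "if", "label", "lock-token",
                "overwrite", "timeout", "timetype", "davtimeoutval", "other",
                "translate"}


def check_request(raw: bytes, allow_webdav: bool = False):
    """(accepted, reason); allow_webdav=False models steps 3+4, True models step 5."""
    if len(raw) > MAX_CLIENT_REQUEST_BUFFER:
        return False, "request exceeds MaxClientRequestBuffer"
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb = parts[0].decode("ascii", "replace").upper()
    if not allow_webdav and verb in DENY_VERBS:
        return False, "verb denied: " + verb
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return False, "malformed header"
        lname = name.strip().decode("ascii", "replace").lower()
        if lname in DENY_HEADERS:
            if not allow_webdav:
                return False, "header denied: " + lname
            if len(value.strip()) > MAX_HEADER_LEN:
                return False, "header too long: " + lname
    return True, "ok"


# Constructed sample requests (hostnames are placeholders)
GET_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
PROPFIND_REQ = b"PROPFIND / HTTP/1.1\r\nHost: www.example.test\r\nDepth: 1\r\n\r\n"
LONG_LOCK_TOKEN = (b"LOCK /doc HTTP/1.1\r\nHost: www.example.test\r\nLock-Token: "
                   + b"A" * 300 + b"\r\n\r\n")
OVERSIZED_URL = b"GET /" + b"A" * (17 * 1024) + b" HTTP/1.1\r\nHost: h\r\n\r\n"
```

Running `check_request` with the default settings rejects the PROPFIND and the oversized request outright, while `allow_webdav=True` lets the PROPFIND through but still rejects the 300-byte Lock-Token header.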



Received on Wed Mar 19 16:26:43 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:28 EDT
