
Thor’s Microsoft Security Bible

Chapter 2: Internet Information Server (IIS)Authentication and Authorization Models, and Locking Down File Access with EFSand WebDAV







We should look at another postulate of IT security: security in depth. In itssimplest form, security in depth is simply a serialized approach to buildingdefenses so that if one particular defense fails, another mechanism is there toimpede the progress of an attacker. Bank security controls are a good exampleof security in depth. There are locked doors, cameras, and guards. The guardsare armed. There is a safe on a timer and limited access to its contents. Thetellers have limited cash on hand and ink bombs. And of course the tellers arearmed with utterly crappy attitudes which should make thieves not even want tobother in the first place.


There is another fundamental aspect of bank security: It never costs more thanthe value of the safe’s contents. If it does, then someone is not doing theirjob.


In that respect, our jobsare the same.Before we set out to secure something, we need to have insightinto the valueof what we are securing. The data must be quantified before controlscan bequalified. Security professionals who not only command technology, butwho canalso embrace the total cost of ownership of their systems and proceduresarevery valuable assets to a company. As such, utilizing existing technologiesandfeatures is a key to your success, and that is what I like to talk aboutinthis book.




This now seems like a perfect time to introduce EFS into our model. Theconfigurations can become complex at this point, so it is critical tounderstand  the  ramifications  of  each  particular feature  configuration. As we did with our first milestone, we willcontinue to take iterative steps toward our final goal, and not only will wecontinue to support secure remote access to files over HTTP, but we will rollout a feature that will allow our users to have full read and write access totheir files right in Windows Explorer from anywhere they want, all over HTTP,and all in a secure manner. I believe you will find it to be quite cool.


We left Greg and Steve withthe ability toaccess their internal files exter- nally should they need asecure mechanism toretrieve files. It is hardly a dazzling feature, but atleast we have startedthe application off the right way. We are again in asituation whereconfiguring a real-world implemen- tation that does not requirea tremendousamount of administration has in- troduced some concerns. Greg andSteveobviously need read-write access to their shares, so we gave the gSharedgroupread-write access. Not only did this give them both access to eachother’sfiles (which is quite common in businesses), but since the MyWebApp userispart of that group, it also has read-write access.


This presents us with an interesting decision to make regarding adminis-tration. It is far easier to have a users directory where we set group permis-sions to, but that does not conform to least privilege standards. There reallyis not a right or wrong way—just a way that gives you the most benefit at theleast cost. Even if we carved out each user’s permissions per directory andlimited the MyWebApp user to read only, that user still has read rights to allthe files by operational requirement. One might think that you can drill downto the MyWebApp user and limit the rights to list folder contents only, butthat gets tricky quickly. The application pool needs full read access to anydirectory with a web.config file, and if it ever hits a web.config that itcannot read, or any other file that it actually has to read the contents of,your app will immediately throw a server error exception. That being said, youcan actually manually set the rights to list folder contents only for the useron directories that only need the files listed, which is the case for directorybrowsing. In production though, you will most likely have to live with readpermissions.


EFS and the Service User


This becomes a real-world threat when an error in a web application or someother vulnerability allows an attacker to execute functions in the context ofthe web application. If an attacker found such a security hole, then he wouldbe able to read whatever files the MyWebApp user had access to. This is why itis important to properly configure the permissions of service users: The scopeshould be limited to explicit assignment of permissions. Regardless, the usersdirectory would be open for read access and that could be dangerous. So we aregoing to explore another route.


If we leverage EFS properly, we can enforce transparent encryption of all userfiles per user. When this is done, no matter who has access permissions to thefiles themselves, they will never be able to view their contents unless theyhave the private key certificate, which the MyWebApp user will not be able toget. The application of this goes far beyond simple web access to files. Thiscan be deployed in any number of environments. As it relates to our example,the application pool will be able to fully perform its required function, butall encrypted files will be completely secured from it. The added benefit ofthis is a direct administration benefit because we can leave top level usersdirectory permissions set to read-write at the gShared group level, but stillprotect all user files from information disclosure to the MyWebApp user as wellas all other users—and that is sweet.


Setting up EFS on the Share


When deploying EFS strategies, one of the first things I have found helpful tounderstand is exactly where data gets encrypted. By that I mean, which physicalasset is applying the cipher algorithm during the encryption pro- cess. It maybe a bit counterintuitive, but when files are encrypted with EFS locally andwithin file shares, they are encrypted by the target system. If you encrypt afile on a local hard drive, your system is the target system, so it performsthe encryption. However, if you encrypt a file on a share or, more appropriately,if you create a file or copy a file into an encrypted folder on a share, thenthe file is actually encrypted and decrypted by the remote server. It may seemodd that with something so personal as user-based encryption the target serverdoes the encryption for shares, but that is the way it works. When I saypersonal I mean a process where a particular user’s EFS certif- icate must beused to encrypt and decrypt data, but where that processing happens on amachine other than the one the user is logged into. Again, this specificallyapplies to remote Server Message Block (SMB) shares, and with that come somedesign and security considerations.





