3 May 2002

Software giant Microsoft has emphasised the high security levels of its .Net web services platform, but according to one hacker and security consultant, there are still some issues that need to be addressed.
Speaking at the CanSecWest security conference in Vancouver, Canada, H.D. Moore, a ‘white hat’ hacker and senior security analyst at Digital Defense, said that while .Net can almost eliminate some of the vulnerabilities that currently affect other Microsoft products, the server software can still be easily misconfigured.
Misconfiguration is especially easy, said Moore, as much of the Microsoft documentation actually teaches insecure programming. “It doesn’t make a difference how secure products are initially, but how you program them that counts,” said Moore. “And developers are being told the wrong things to do in a lot of situations.”
Regarding ASP.Net, the web services part of the .Net framework, Moore found several vulnerabilities in some of the framework's components. However, his main issue was with developer resources. His research showed that the five most popular ASP.Net books, for example, each failed to mention at least one common .Net security problem.
Furthermore, Microsoft’s IBuySpy, the main example for programmers looking to develop .Net web services applications, has a Unicode vulnerability that leaves two project files configured so that they are accessible to anyone on the Internet, said Moore. The Microsoft Developer Network documentation also tells developers to create a file containing users’ passwords and to put it in a directory on the web — something that Moore strenuously advises against.
However, Moore's analysis of .Net did generally back up Microsoft's claims that it is much more secure than the current web services infrastructure. "There are a lot more features to lock down web applications," he said.
The default configuration for a computer running .Net with Microsoft’s web infrastructure and Internet Information Server (IIS) is more secure than before, but may break many services that the web server offers. Turning the services on in a secure manner may be a challenge, added Moore.
He advises that all developers take server configuration very seriously, as any change to the default configuration could introduce security vulnerabilities. "Research an option before making a change," said Moore.