Security Basics for DNN Websites
Michael Tobisch, dnnWerk.at
June 8, 2019
Agenda: Intro, HTTPS, ASP.Net, IIS, Policies, Qualys, Database, What else?
Please support our valuable sponsors.
Intro
What are the first words that come into your mind when you hear the term "IT security"?
Do I need HTTPS?
• "Secure" is the new normal in Chrome and Firefox (plain-HTTP pages are flagged "Not secure")
• HTTPS impacts SEO
• It protects your users: nobody on the network path can read or modify the traffic
• AMP (Accelerated Mobile Pages) requires HTTPS
• Prevents MitM attacks, as long as the client validates the server certificate
• https://doesmysiteneedhttps.com/
Accelerated Mobile Pages (AMP)
AMP is an open-source project led by Google and Twitter. The goal is to improve the performance of web pages on mobile devices.
• Stripped-down version of HTML
• Lightweight version of CSS
• Images load when they come into view
• No forms are supported
• Limited JavaScript library
• HTTPS is required
Man in the Middle (MitM) Attacks
This is an attack in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other. To succeed, the attacker must impersonate each endpoint convincingly enough to satisfy the other; with HTTPS that requires a certificate the client trusts, which is why certificate validation matters.
Implement HTTPS
• AAAA record in DNS (IPv6)
• Install the URL Rewrite Module
• Install a Let's Encrypt client
• Change "Ignore URL Regular Expression" (so DNN does not try to handle requests to /.well-known/ itself)
• Add MIME type "." (the ACME HTTP challenge files have no file extension; without a mapping IIS refuses to serve them)
• Get certificate
• Force HTTPS
Please note: The URL Rewrite Module is necessary for the last step of implementing HTTPS (Force HTTPS). In IIS 10.0 version 1709 this process has been significantly simplified (the HTTP-to-HTTPS redirect is configured natively together with HSTS), so the module is no longer needed for this step. In other steps where it is necessary I will mark it separately like this:
URM needed!
Ignore URL Regular Expression
This setting was introduced in DNN 09.00.00. For earlier versions you can use the X3.DnnUrlManagement module by Jay Mathis:
• https://archive.codeplex.com/?p=dnnurlmanagement
• https://github.com/mathisjay/X3.DnnUrlManagement (no release yet!)
How to implement on IIS?
There were significant changes (and simplifications) to the HTTP-to-HTTPS redirect in IIS 10.0 version 1709. Please refer to https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts; it is described in detail there (also for older versions). The rewrite rule shown on the slide is used when the URL Rewrite Module is installed (URM needed!).
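The following web.config fragment is an added example, not code from the slides or from DNN, covering the "Force HTTPS" and "Add MIME type ." steps of the procedure above on IIS with the URL Rewrite Module installed. The rule name, the site layout and the assumption that Let's Encrypt's HTTP-01 challenge is served from /.well-known/acme-challenge/ are mine; merge the sections into the existing DNN web.config rather than replacing it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the slides): HTTP-to-HTTPS redirect with the IIS URL
     Rewrite Module, plus the MIME mapping for extensionless ACME challenge files.
     On IIS 10.0 version 1709 and later the redirect can instead be done natively
     with <hsts redirectHttpToHttps="true"> on the <site> in applicationHost.config. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <!-- only requests that arrived over plain HTTP -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <!-- keep the Let's Encrypt HTTP-01 challenge reachable over HTTP,
                 otherwise certificate issuance and renewal break -->
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <!-- 301 so browsers and search engines remember; the query string is appended by default -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <staticContent>
      <!-- the "Add MIME type ." step: challenge files have no extension, and IIS
           does not serve static files whose extension has no MIME type -->
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
```

Add `\.well-known` to DNN's "Ignore URL Regular Expression" as well, so the request for the challenge file reaches IIS's static file handler instead of DNN's URL rewriter; after the certificate is issued, test http://yourdomain/ and confirm a single 301 to the https:// URL.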
ASP.Net - Excessive Headers
Excessive headers disclose information about the server OS, the technologies used etc. Hide them, or fake them if you want…
(Screenshot of response headers on the slide, annotated "Removed since DNN 08.00.00" and "Removed since DNN 07.03.00".)
Remove "Server"
This can be done by an outbound rule in the web.config rewrite rules (URM needed!; the rule was shown on the slide).

IIS - Clickjacking
• Demo
(A page that any site may embed in an iframe can be overlaid with invisible controls; the defence is an X-Frame-Options header or a CSP frame-ancestors directive.)

IIS – HTTP Strict Transport Security
HSTS (HTTP Strict Transport Security) is a policy mechanism that allows a web server to enforce the use of TLS in a compliant User Agent (UA), such as a web browser.
(Diagram on the slide: http://www.xyz.com → https://www.xyz.com)
HSTS allows for a more effective implementation of TLS by ensuring all communication takes place over a secure transport layer on the client side. The header is only honoured when it arrives over HTTPS, and it only protects a user after the first successful HTTPS visit (or if the domain is on the browsers' preload list).

How to implement on IIS?
There were significant changes (and simplifications) to implementing HSTS in IIS 10.0 version 1709. Please refer to https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts; it is described in detail there (also for older versions).

CSP – Content Security Policy
• A CSP defines rules which

CSP – Content Security Policy
• DNN (ASP.Net) problem: script-src 'unsafe-inline' is required
• Recommendations:
  • upgrade-insecure-requests;
  • block-all-mixed-content;
  • form-action https:; (the scheme needs the trailing colon; "https" alone would be matched as a host name)
• Only implement what is necessary!

Referrer Policy

Feature Policy (New!)
• Contract between the browser and

How secure is your SSL implementation?
• https://www.ssllabs.com/ssltest/
• The encryption protocol resides in the transport layer
• SSL 2.0 and SSL 3.0 are outdated and broken; disable them
• TLS 1.0 and 1.1 are turned off by many, but older browsers can't use TLS 1.2; TLS 1.3 (RFC 8446, 2018) is not yet available in Schannel/IIS
• Eliminate insecure ciphers

Cipher: A cipher is an algorithm for performing encryption or decryption.

How secure is your SSL implementation?
• Nartac IIS Crypto (a free tool that enables or disables protocols, ciphers and hashes through the Schannel registry keys; the changes need a reboot)

How secure is your SSL implementation?
• DNS CAA is a record in the DNS that determines which certificate authority is authorized to issue certificates for your domain (RFC 6844)
• CAs must check it before issuing, so it provides a certain protection against fake certificates issued by other CAs (not against a compromise of a CA you have listed)
• Use it if you can; some DNS servers don't support it yet

Access the SQL Database
• Permissions needed by the Application Pool:
  • Read data (db_datareader)
  • Insert, update and delete data (db_datawriter)
  • Execute stored procedures and functions (there is no built-in database role for that)
• Let's create one:

    -- custom role that may execute every stored procedure and function in the database
    CREATE ROLE db_executor
    GO
    GRANT EXECUTE TO db_executor
    GO

Access the SQL Database
• Additional permissions needed to install modules or update DNN:
  • Create, alter or drop tables and other objects (db_owner)
• Solution?
  • Grant db_owner membership to the AppPool login before, and revoke it after, the installation process
  • Use upgradeConnectionString (a second connection string with a db_owner login that DNN uses only for installs and upgrades)

security.txt (New!)
• Information for security researchers on how to contact you
• Placed in /.well-known (https://yourdomain/.well-known/security.txt)
• Examples: BBC, Google
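The following web.config fragment is an added example, not from the slides or from DNN, for the two "Access the SQL Database" slides above: the everyday connection uses the application pool identity with db_datareader, db_datawriter and the db_executor role created above, and the upgradeConnectionString attribute of DNN's SqlDataProvider element carries a separate db_owner login for installs and upgrades. The server, database and login names are placeholders; the SqlDataProvider attributes are reproduced as I remember them from a stock DNN web.config, so keep the values of your existing element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the slides): least-privilege database access for DNN.
     Weak but common setup: one db_owner login in SiteSqlServer used for everything,
     so an injection or a compromised module can alter schema and data at will.
     Hardened setup below: two logins with different rights.
     Server name, database name and logins are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Everyday connection. The application pool identity (IIS APPPOOL\DnnSite)
         is a Windows login mapped to a database user that is a member of
         db_datareader, db_datawriter and the custom db_executor role ONLY. -->
    <add name="SiteSqlServer"
         connectionString="Data Source=sql01.example.internal;Initial Catalog=DnnSite;Integrated Security=True;Encrypt=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <!-- legacy copy of the same connection string that older modules read; keep both in sync -->
    <add key="SiteSqlServer"
         value="Data Source=sql01.example.internal;Initial Catalog=DnnSite;Integrated Security=True;Encrypt=True" />
  </appSettings>
  <dotnetnuke>
    <data defaultProvider="SqlDataProvider">
      <providers>
        <clear />
        <!-- upgradeConnectionString: a separate SQL login (dnn_upgrade) that IS db_owner.
             DNN uses it only while installing modules or upgrading, so the site runs
             with the weaker SiteSqlServer login the rest of the time. Keep the password
             out of source control (e.g. encrypt this section with aspnet_regiis). -->
        <add name="SqlDataProvider"
             type="DotNetNuke.Data.SqlDataProvider, DotNetNuke"
             connectionStringName="SiteSqlServer"
             upgradeConnectionString="Data Source=sql01.example.internal;Initial Catalog=DnnSite;User ID=dnn_upgrade;Password=CHANGE-ME;Encrypt=True"
             providerPath="~\Providers\DataProviders\SqlDataProvider\"
             objectQualifier=""
             databaseOwner="dbo" />
      </providers>
    </data>
  </dotnetnuke>
</configuration>
```

To verify the split, log in to SQL Server as the application pool identity and run a CREATE TABLE: it must fail, while SELECT, INSERT and EXECUTE on DNN's objects succeed.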
Hiding the obvious
• Disable "Display Copyright"
• Use site (and page) specific keywords, not only for SEO reasons (the DNN defaults are easy to fingerprint)

Links
• https://www.dnnsoftware.com/community/security/security-center
• https://doesmysiteneedhttps.com/
• https://letsencrypt.org/
• https://www.nartac.com/Products/IISCrypto
• https://report-uri.com/
• https://securityheaders.com/
• https://www.ssllabs.com/ssltest/
• https://www.ssllabs.com/ssltest/viewMyClient.html
• https://securitytxt.org/
• https://scotthelme.co.uk/, https://twitter.com/Scott_Helme
• https://www.troyhunt.com/, https://twitter.com/troyhunt
• https://www.michalspacek.com/
• https://www.dnnwerk.at/de/Blog

What else?
• Where security starts:
  • Keep your (server and client) OS up to date (evaluate updates first, if possible)
  • Keep SQL Server up to date: http://sqlserverbuilds.blogspot.com/
  • Keep all other services (virus scanner, mail service, etc.) up to date
  • Implement policies, e.g. https://www.dnnwerk.at/en/blocked-extensions
  • Help clients, family, friends etc. to keep their systems, browsers, virus scanners etc. up to date
  • Tell them how malware is spread
  • Tell them not to open attachments from senders they don't know
  • Tell them that Microsoft would never phone them because of a computer problem, and that they should not let such callers connect via TeamViewer
  • etc. etc. etc.

Do you have questions?
Send an email to [email protected]
Do you want an online session with me?
Try to get a date via https://doodle.com/dnnwerk (Friday afternoon is normally a good opportunity)
Hope to see you at

Addendum: The Outtakes
The slides that did not make it to the show…

ASP.Net
• Custom Errors

ASP.Net - Tracing
• Disabled by default since IIS 6 – but

ASP.Net – HTTP Only and Secure Cookies
• Cookies that are not marked

ASP.Net - Request Validation
Request validation examines HTTP

Cross Site Scripting (XSS)
XSS is an attack that allows an attacker to execute malicious JavaScript code in another user's browser. This is not done by a direct attack, but by exploiting a vulnerability in a website that the victim visits. The visited website delivers the malicious JavaScript for the attacker, so the website acts as an unintentional accomplice of the attacker.
Consequences:
• Cookie theft
• Keylogging
• Phishing

IIS – X-Xss-Protection
X-Xss-Protection is an HTTP

IIS – X-Content-Type-Options
X-Content-Type-Options is an HTTP
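The following web.config fragment is an added example, not code from the slides or from DNN, collecting the settings for the header slides above (Remove "Server", Clickjacking, HSTS, CSP, Referrer Policy, Feature Policy) and the outtakes (Custom Errors, Tracing, HTTP Only and Secure Cookies, Request Validation, X-Xss-Protection, X-Content-Type-Options). The header values, the rule names and the `<forms>` attribute values (reproduced as I remember them from a stock DNN web.config) are my assumptions; merge the elements into the existing DNN web.config, where most of them already exist with other values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the slides or from DNN): header and ASP.Net hardening
     for a DNN site on IIS. Merge into the existing web.config; do not replace it. -->
<configuration>
  <system.web>
    <!-- ASP.Net - Custom Errors: remote users get a generic page, never a stack trace -->
    <customErrors mode="RemoteOnly" />
    <!-- ASP.Net - Tracing: trace.axd must not be reachable on a production site -->
    <trace enabled="false" localOnly="true" />
    <!-- add this attribute to the existing <httpRuntime> element: drops X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
    <!-- ASP.Net - HTTP Only and Secure Cookies: HttpOnly keeps script away from cookies
         (limits cookie theft via XSS), requireSSL adds the Secure flag -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- the forms-authentication cookie has its own flag; keep the other attributes
         of your existing <forms> element (values here are assumed DNN defaults) -->
    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" requireSSL="true" />
    </authentication>
    <!-- ASP.Net - Request Validation: check the validateRequest value on the existing
         <pages> element before changing it; DNN's HTML editors post markup and DNN
         filters input itself, so switching it on blindly can break editing -->
  </system.web>
  <system.webServer>
    <security>
      <!-- IIS 10.0 version 1709 and later: drop the Server header without a rewrite rule -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <!-- IIS - Clickjacking: the page may only be framed by itself -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- IIS - X-Content-Type-Options: stop browsers from sniffing a different content type -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- IIS - X-Xss-Protection: legacy browser filter; CSP is the real defence -->
        <add name="X-Xss-Protection" value="1; mode=block" />
        <!-- Referrer Policy: full URL same-origin only, origin only cross-origin, nothing to HTTP -->
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <!-- Feature Policy: switch off browser features the site never uses -->
        <add name="Feature-Policy" value="camera 'none'; microphone 'none'; geolocation 'none'" />
        <!-- CSP with the slide's recommendations; 'unsafe-inline' because DNN needs it.
             Deploy as Content-Security-Policy-Report-Only with a report-uri first and
             only switch to enforcing once the reports are clean. -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; upgrade-insecure-requests; block-all-mixed-content; form-action https:" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <outboundRules>
        <!-- Remove "Server" (URM needed!): blank the header, or put a fake value in "value" -->
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <!-- HSTS for IIS before 10.0 version 1709: set only on HTTPS responses, as the
             RFC requires. On 1709 and later use <hsts enabled="true" max-age="31536000"
             includeSubDomains="true" redirectHttpToHttps="true" /> under the <site>
             element in applicationHost.config instead of this rule. -->
        <rule name="Add Strict-Transport-Security when HTTPS">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, check the result with https://securityheaders.com/ (and the HSTS header with curl or the browser's network tab on an https:// URL); a header that is set twice, once by DNN or a skin and once here, shows up as a duplicate there.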