
Security Basics for DNN Websites
Michael Tobisch, dnnWerk.at
June 8, 2019

Agenda: Intro | HTTPS | ASP.Net | IIS | Policies | Qualys | Database | What else?

Intro

What are the first words that come into your mind when you hear the term "IT security"?

Do I need HTTPS?
• "Secure" is the new normal in Chrome and Firefox
• HTTPS impacts SEO
• It protects your users
• AMP (Accelerated Mobile Pages) requires HTTPS
• It prevents MitM attacks on the transport: without a certificate the browser trusts for your host name, an attacker in the path can neither read nor alter the traffic unnoticed
• https://doesmysiteneedhttps.com/

Accelerated Mobile Pages (AMP)
AMP is an open-source project led by Google and Twitter. The goal is to improve the performance of web pages on mobile devices.
• Stripped-down version of HTML
• Lightweight version of CSS
• Images load when they come into view
• No forms are supported
• Limited JavaScript library
• HTTPS is required

Man in the Middle (MitM) Attacks
An attack in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other. To stay unnoticed the attacker must impersonate each endpoint convincingly towards the other one. With HTTPS that impersonation requires a certificate the browser accepts for the site's name, which is exactly what certificate validation denies the attacker.

HTTPS

Implement HTTPS
• AAAA record in DNS (IPv6)
• Install the URL Rewrite Module
• Install a Let's Encrypt client
• Change "Ignore URL Regular Expression"
• Add MIME type . (so IIS serves the extensionless ACME challenge files; typically mapped to text/plain)
• Get the certificate
• Force HTTPS
Please note: The URL Rewrite Module (URM) is needed for the last step, forcing HTTPS. On IIS 10.0 version 1709 and later that step has been simplified considerably and the module is no longer required for it. Where a later step does need the module, it is marked like this: URM needed!

Change "Ignore URL Regular Expression"
DNN rewrites every incoming URL unless it matches this expression. Set it to:

(?<!linkclick\.aspx.+)(?:(?<!\?.+)(\.pdf$|\.gif$|\.png($|\?)|\.css($|\?)|\.js($|\?)|\.jpg$|\.axd($|\?)|\.swf$|\.flv$|\.ico$|\.xml($|\?)|\.txt$)|\.well-known)

The `\.well-known` alternative at the end is what the Let's Encrypt client depends on: the ACME HTTP-01 validation fetches http://<your host>/.well-known/acme-challenge/<token>, and with this exclusion DNN leaves that request to IIS instead of handling it as a DNN page, so the static challenge file is served and the validation succeeds. The two negative lookbehinds keep the rest of the behaviour intact: `(?<!linkclick\.aspx.+)` makes sure file downloads through LinkClick.aspx are still processed by DNN, and `(?<!\?.+)` requires the extension to be in the path, not somewhere in the query string.

Ignore URL Regular Expression was introduced in DNN 09.00.00. For earlier versions you can use the X3.DnnUrlManagement module by Jay Mathis:
• https://archive.codeplex.com/?p=dnnurlmanagement
• https://github.com/mathisjay/X3.DnnUrlManagement (no release yet!)
Force HTTPS (URM needed! on IIS before 10.0 version 1709)
With the URL Rewrite Module installed, add this rule to web.config:

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

How to implement on IIS? There were significant changes (and simplifications) to the HTTP-to-HTTPS redirect in IIS 10.0 version 1709. Please refer to https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts, where it is described in detail (also for older versions). The rule above is for installations that use the URL Rewrite Module.

Note that {HTTP_HOST} echoes whatever Host header the client sent. Bind the site to its real host names rather than to a wildcard, otherwise a forged Host header turns this rule into a redirect to an attacker-chosen host.

ASP.Net

ASP.Net: Excessive Headers
Excessive headers disclose information about the server OS, the technologies in use, version numbers etc. Hide them, or fake them if you want. Of the headers shown in the response on the slide, DNN itself no longer sends three: one was removed in DNN 08.00.00, two in DNN 07.03.00. The remaining ones come from IIS and ASP.Net and have to be removed there.

Remove "Server" (URM needed!)
Add an outbound rule to the web.config rewrite rules:

<outboundRules>
  <rule name="Remove Server Header">
    <match serverVariable="RESPONSE_SERVER" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>
</outboundRules>

On IIS 10.0 version 1709 and later the same can be done without the module via <requestFiltering removeServerHeader="true" /> in the <security> section.

Remove "X-Powered-By"
Delete the header in IIS Manager (HTTP Response Headers), or remove it from <customHeaders> in web.config.

Remove "X-AspNet-Version"
Set the attribute enableVersionHeader in the httpRuntime tag to false:

<httpRuntime enableVersionHeader="false" ... />
IIS

IIS: Clickjacking
• Demo
• Default prevention since DNN 08.00.00
• X-Frame-Options: only one of its values per response
• Content Security Policy (frame-ancestors): not supported by all browsers yet

<customHeaders>
  <add name="X-Frame-Options" value="DENY" />
</customHeaders>

Allowed values are DENY, SAMEORIGIN or ALLOW-FROM uri. Be careful with ALLOW-FROM: only Internet Explorer and older Firefox versions understand it, and browsers that do not understand a value ignore the whole header, so the page ends up with no framing protection at all. For an allow-list of framing sites use the CSP frame-ancestors directive instead:

<customHeaders>
  <add name="Content-Security-Policy" value="frame-ancestors 'self' *.somesite.com https://www.myfriend.org ..." />
</customHeaders>

(In CSP only keywords such as 'self' are quoted; host sources like *.somesite.com are written without quotes.)

IIS: HTTP Strict Transport Security
HSTS (HTTP Strict Transport Security) is a policy mechanism that allows a web server to enforce the use of TLS in a compliant User Agent (UA), such as a web browser. Once the UA has seen the header it rewrites http://www.xyz.com to https://www.xyz.com itself before sending the request, so after the first visit the downgrade attack window disappears.

HSTS allows for a more effective implementation of TLS by ensuring all communication takes place over a secure transport layer on the client side. The header only counts when received over HTTPS; the very first plain-HTTP visit is still unprotected unless the domain is on the browser preload list.

How to implement on IIS? There were significant changes (and simplifications) for implementing HSTS in IIS 10.0 version 1709. Please refer to https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts, where it is described in detail (also for older versions).

Policies

CSP: Content Security Policy
• A CSP defines rules which determine the allowed sources of trusted content, such as scripts, stylesheets, images etc.
• It is one remedy against XSS attacks.
• But if not implemented correctly it may block content and make the site unusable.

Start in report-only mode: violations are reported to the report-uri but nothing is blocked, so you can see what a policy would break before enforcing it.

<add name="Content-Security-Policy-Report-Only" value="default-src 'self'; report-uri https://xy.report-uri.com/...r/d/csp/reportOnly;" />
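The header checks from the slides above (excessive Server / X-Powered-By / X-AspNet-Version headers, clickjacking protection via X-Frame-Options or frame-ancestors, HSTS, and a CSP that is only in Report-Only mode) can be run against a response before and after hardening. The following Python script is an added example and is not code from the slides or from DNN: the two response header sets are constructed to resemble a stock IIS/ASP.Net response and a hardened one, and the six-month HSTS max-age threshold is an assumption, not a value the slides give.

```python
"""Audit HTTP response headers against the checklist from these slides.

Added example, not part of the original deck. The response header sets below are
constructed to look like a stock IIS/ASP.Net response and a hardened one; the
checks mirror the slides: remove Server / X-Powered-By / X-AspNet-Version, stop
clickjacking with X-Frame-Options or CSP frame-ancestors, and send HSTS.
MIN_HSTS_MAX_AGE (six months) is an assumption, not a value from the slides.
"""
from typing import Dict, List

DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
MIN_HSTS_MAX_AGE = 15_768_000  # about six months in seconds (assumed threshold)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';', a directive's sources by whitespace;
    directive names are case-insensitive, so they are lowercased here.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the checklist is satisfied."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # 1. Excessive headers: anything that names the server, framework or version.
    for name in DISCLOSURE_HEADERS:
        if name in h:
            findings.append(f"{name} discloses '{h[name]}': remove it")

    # 2. Clickjacking: need X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")

    # 3. CSP: Report-Only alone enforces nothing; 'unsafe-inline' in script-src weakens XSS protection.
    if "content-security-policy" not in h and "content-security-policy-report-only" in h:
        findings.append("csp: only Content-Security-Policy-Report-Only is set, nothing is enforced")
    if "'unsafe-inline'" in csp.get("script-src", []):
        findings.append("csp: script-src allows 'unsafe-inline' (DNN needs it; XSS protection is reduced)")

    # 4. HSTS: present, with a max-age long enough to matter.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security header missing")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"hsts: max-age {hsts_max_age(hsts)} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample responses (not captured from a real site).
DEFAULT_IIS_RESPONSE = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_IIS_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The default response yields five findings (three disclosure headers, no framing protection, no HSTS); the hardened one yields none. To audit a live site, feed it the header dictionary from any HTTP client; the functions only look at names and values.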
CSP: Content Security Policy
• DNN (ASP.Net) problem: script-src 'unsafe-inline' is required, because the page framework emits inline scripts. This keeps the CSP from stopping injected inline scripts, so the rest of the policy has to carry the weight.
• Recommendations:
  • upgrade-insecure-requests;
  • block-all-mixed-content;
  • form-action https:;
• Only implement what is necessary!

Referrer Policy
• Defines which information is included in the Referer header
• May also be set in the CSP (referrer directive), but it is deprecated there

<add name="Referrer-Policy" value="no-referrer-when-downgrade" />

no-referrer-when-downgrade only withholds the referrer on HTTPS-to-HTTP requests; the full URL, including any path or query parameters, still goes to every other site you link to. If that is more than you want to leak, strict-origin-when-cross-origin sends only the origin to other sites.

Feature Policy (New!)
• A contract between the browser and the developer(s) to create (and maintain) high-quality web apps
• Examples:
  • I do not want embedded iframes to access the visitor's camera and microphone
  • I want to avoid unoptimized images
  • I want my developers to avoid outdated APIs (such as document.write)

<add name="Feature-Policy" value="default 'self'; camera 'self'; unoptimized-images 'none'; oversized-images 'self'; document.write 'none'" />

The header was experimental at the time: the device features (camera, microphone, geolocation) were the widely supported part, the image and document.write policies were Chrome experiments. It has since been renamed Permissions-Policy with a different value syntax, so check current browser support before relying on it.

Qualys

How secure is your SSL implementation?
• https://www.ssllabs.com/ssltest/
• The encryption protocol resides in the transport layer
• SSL 2.0 and SSL 3.0 are outdated and must be off
• TLS 1.0 and 1.1 are turned off by many, but older browsers can't use TLS 1.2; TLS 1.3 (RFC 8446) is final but not yet available in Schannel/IIS
• Eliminate insecure ciphers

Cipher: an algorithm for performing encryption or decryption. In TLS the term cipher suite covers the whole combination negotiated for a connection: key exchange, authentication, bulk cipher and MAC or hash. SSL Labs flags suites using RC4, 3DES, NULL or export-grade encryption, MD5, and anonymous key exchange; it also rates down suites without forward secrecy (plain RSA key transport instead of ECDHE/DHE).

How secure is your SSL implementation?
• Nartac IIS Crypto: a tool to enable or disable Schannel protocols, ciphers, hashes and key exchange algorithms and to reorder the cipher suites on Windows Server (the settings live in the registry, so a reboot is required for them to take effect)

How secure is your SSL implementation?
• DNS
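Reading a scanner's cipher list the way the SSL Labs slides above describe (outdated protocols, weak ciphers, forward secrecy) is mechanical enough to script. The following Python is an added example and not code from the slides or from IIS Crypto; it cannot inspect Schannel, so it classifies suite names from a constructed scan result and, for comparison, from the local OpenSSL build through Python's ssl module. The WEAK_TOKENS list is an assumption based on what SSL Labs flags (RC4, DES/3DES, NULL, export grade, MD5, anonymous key exchange).

```python
"""Classify the cipher suites a TLS configuration offers, the way one reads an
SSL Labs report or the cipher list in IIS Crypto.

Added example, not from the slides. It cannot inspect Schannel/IIS; instead it
classifies OpenSSL-style suite names (from a constructed scan result and from
the local OpenSSL build via Python's ssl module). WEAK_TOKENS is an assumption
based on the suites SSL Labs flags: RC4, DES/3DES, NULL, export grade, MD5 and
anonymous key exchange.
"""
import ssl
from typing import Dict, List

WEAK_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
OUTDATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # SSL 2.0/3.0, TLS 1.0/1.1


def is_weak_cipher(name: str) -> bool:
    """True if the suite name contains a token SSL Labs flags as insecure."""
    upper = name.upper()
    return any(tok in upper for tok in WEAK_TOKENS)


def lacks_forward_secrecy(cipher: Dict[str, object]) -> bool:
    """True for RSA key-transport suites, i.e. no ephemeral (EC)DH key exchange."""
    if cipher.get("protocol") == "TLSv1.3":
        return False  # every TLS 1.3 suite uses ephemeral (EC)DH
    return not str(cipher.get("name", "")).startswith(("ECDHE-", "DHE-"))


def report(ciphers: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Bucket suites into weak / no forward secrecy / ok and list outdated protocols seen.

    Note: ssl.SSLContext.get_ciphers() labels each suite with the protocol version
    that introduced it, so "SSLv3" there means an old suite, not that SSL 3.0 is on.
    A scanner's output, by contrast, reports the protocol the suite was offered on.
    """
    out: Dict[str, List[str]] = {"weak": [], "no_pfs": [], "ok": [], "outdated_protocols": []}
    for c in ciphers:
        name = str(c.get("name", ""))
        proto = str(c.get("protocol", ""))
        if proto in OUTDATED_PROTOCOLS and proto not in out["outdated_protocols"]:
            out["outdated_protocols"].append(proto)
        if is_weak_cipher(name):
            out["weak"].append(name)
        elif lacks_forward_secrecy(c):
            out["no_pfs"].append(name)
        else:
            out["ok"].append(name)
    return out


def hardened_client_context() -> ssl.SSLContext:
    """OpenSSL-side equivalent of what IIS Crypto's best-practice template aims at:
    TLS 1.2 or newer only, AEAD suites with forward secrecy only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops SSL 3.0, TLS 1.0, TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # no CBC, no RSA key transport
    return ctx


def allows_outdated_protocol(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate anything below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed list resembling what a scanner reports for an unhardened server.
SCAN_RESULT = [
    {"name": "RC4-SHA", "protocol": "TLSv1"},
    {"name": "DES-CBC3-SHA", "protocol": "TLSv1"},
    {"name": "AES128-SHA", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3"},
]

if __name__ == "__main__":
    print("scan result:", report(SCAN_RESULT))
    print("local OpenSSL, hardened:", report(hardened_client_context().get_ciphers()))
```

For the constructed scan the report lists RC4-SHA and DES-CBC3-SHA as weak, AES128-SHA as lacking forward secrecy, and TLSv1 as an outdated protocol still in use; the hardened OpenSSL context produces no weak and no non-PFS suites. On the server side the same categories are what you switch off in IIS Crypto.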