Friday 1 June 2018

SPN for network service

The HOST service represents the host computer. The Kerberos protocol uses the HOST SPN to access the host computer. The Kerberos protocol uses the long-term key on the host computer to create a service ticket.
The HTTP service class is one of the built-in services that act as an alias to the HOST SPN. The HOST SPN is mapped to the host computer account. Therefore, when you use the default HTTP service class, the Kerberos protocol uses the computer account as the service account to request a service ticket.”

https://support.microsoft.com/en-gb/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on

Translation – if you are using network service and tying to set the SPN – use the computer name as the account name.

Some simple secure development standards

These are mainly based around ASP.NET/IIS – but the same principles can be applied everywhere.

These are just a few that I’ve seen highlighted a lot in pen tests of late. 

Nothing is going to make you 100% secure but remember – defence in depth.  Lots of defences adds up.

I may get some others written up some time.

(HTML/URL) Encode everything

Why

This helps prevent Cross Site Scripting (XSS) attacks.  XSS attacks occur when user input (or other data) is displayed on the browser.  The attacker puts javascript in the input and this is then executed by the browser. 

Examples

sending the user a link with a query string which contains a value that is displayed on the target page – look at google and you’ll see the search is in the url and displayed on the browser.  (Reflected XSS).

Putting data in to the system that is displayed on someone elses browser (e.g. facebook page) (Stored XSS).  For a great example of this watch this watch  https://www.youtube.com/watch?v=EYMGAoIx8yk&feature=youtu.be FROM 8:30

How?

Use strongly typed parameterised queries (that’s stored procs or EF).

Why

To mitigate against SQL injection attacks.

Parameterised queries (and stored procs) should treat the input as input – not build sql strings from them so cannot be manipulated as easily.

How?

Use an ORM (Entity Framework) AND DO NOT GENERATE SQL ON THE FLY IN YOUR CODE.

Use strongly typed stored procedures and DO NOT GENERATE SQL ON THE FLY IN YOUR SQL.

Combine this with

  • least privilege (execute on stored procs or data reader/writer on appropriate tables for EF) – note SPROCS allow a more minimal access as an attaker owning the applications connection can still not read whole tables but needs to go through stored procs.
  • A defence mechanism for preventing developers from still generating sql on the fly.
    • e.g. for stored procs review them all.

EF does not particularly encourage sql on the fly but none the less be aware application developers now have a connection available that can do data reader/writer functions.  I have seen this result in a successful attack – not surprisingly on the last (hastily implemented) CR implementation.

Implement some secure configuration/hardening

These are some simple hardening recommendations – may not do much but will not make you less secure!

Why?

  • Your application and server (IIS) etc. uses technologies.  These may have known vulnerabilities.  Advertising the technologies is the same as advertising the weaknesses.  Security by obscurity is not security but giving attackers a list of sites to attack when a vulnerability is published is dumb.
  • Reduce the attack surface area.

How?

•Disclosure of server type / Disclosure of technology

* For azure - (https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/) – this should work in IIS too – but depends on later frameworks.

For IIS - https://www.saotn.org/remove-iis-server-version-http-response-header/

<configuration> <system.webServer> <security> <requestFiltering> <verbs allowUnlisted="false" > <add verb="GET" allowed="true" />
    
<add verb="POST" allowed="true" /></verbs>
  
</requestFiltering>
 
</security>
</system.webServer>
</configuration>

See - https://docs.microsoft.com/en-us/iis/manage/configuring-security/use-request-filtering

Use least privilege database access (or any other access!)

Why?

Defence in depth – if someone owns your web server or another defence (e.g. sql injection) fails – limits the damage can be done.

How

  • Don’t use dbowner/sa
  • Do use separate account for applications with privilege to execute stored procs (GRANT EXEC ON proc TO user) or (if using EF) data reader/writer as required on specific tables.
  • Do this from the beginning in all your environments so you don’t hit all the issues late in your dev cycle.

Configure your security headers and cookies

See - https://securityheaders.com/

Why?

Modern browsers are adding additional protection against vulnerabilities – xss, disclosure.

How?

See https://securityheaders.com/

If your are https (and you should be)

Enable hsts

<system.webServer>

<httpProtocol>

<customHeaders>

<add name="Strict-Transport-Security" value="max-age=31536000"/>

</customHeaders>

</httpProtocol>

</system.webServer>

Set requires SSL on all your cookies - <httpCookies requireSSL="true" />

(and your forms auth config too if you have it).

X-Frame-Options – do you want your pages to be embedded in another site.  Allowing this facilitates an attacker making a fake site.

X-XSS-Protection – tells the browser to turn on xss filters.

X-Content-Type-Options – stops content type sniffing

Content Security Policy – allows you to list where your page downloads from so you can protect from downloading malicious code.

Referrer Policy – limits the “Referrer” information in http requests.  For example, if you download fonts from google do you want google to be able to track people on your site through the referrer header.  Remember you may letting a third party know the IP (personal information under GDPR) the activity on your site.




Monday 9 April 2018

Azure–iterate resources in all tenants for GDPR

GDPR means that we now have a policy for all data to be in UK or Europe.

So – to find where all our azure resources are

1. Install the azure PowerShell toolkik (https://docs.microsoft.com/en-gb/azure/azure-resource-manager/powershell-azure-resource-manager)

2. Run the script below to check the location of your resources are in the list of allowed locations.

# login to azure this should request secure credentials
Login-AzureRmAccount
# get a list of tenants / subscriptions
$allowedlocations = 'northeurope', 'westeurope' , 'francecentral' , 'francesouth', 'ukwest' , 'uksouth', 'germanycentral' , 'germanynortheast'
$subscriptions = Get-AzureRmSubscription
foreach($sub in $subscriptions) {
     Select-AzureRmSubscription -Subscription $sub.Id
     $resources = Get-AzureRmResource
     $resources.where({ $_.Location  -notin $allowedlocations }) 
}

Sunday 1 October 2017

Strava open image script

Sometimes I want to download peoples photos from strava.

Click on image to get it full screen

run

$im = $('div[class="photo-slideshow-content"] > image[alt="Photo"]').src
window.open($im)

in console.

Will open the image in a new window so you can download.

Wednesday 20 September 2017

SSRS (2014) Load balancing woes

Symptoms

HTTPS to reporting services only working on prd-web01b, not on 01a.  Checked all  the config etc. and re imported certs from b to a.  SChannell errors were our only clue, although William found some of these on the other server too.  Even rebooted the server for good measure.

How we fixed it

This was the clue - https://support.microsoft.com/en-gb/help/956209/ssl-no-longer-works-after-you-remove-an-ssl-binding-from-sql-server-20

We added the cert into IIS (even though we are running in native mode) , removed it from IIS and rebound it to reporting services and everything now appears ok.

Explanation

Some months ago we upgraded all our certs – I think it was to 2056 bits or such like – as the old ones were becoming invalid.

My theory is on the a server we unbound the old cert – thus removing the crucial registry setting in the above link – and then bound in the new cert.

On the b server we probably just selected the new cert.

I’m not sure who did this work but since a good manager always takes the blame for their teams actions – it was probably me.  (Lesson – sooner we go to scripted deploy the better).

However this did not fix the problem!

2’nd problem

The ever clever mr***suggested looking at the logs – and I found them – FYI there in d:\ Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\LogFiles on our servers.

Found the errors –

library!ReportServer_0-36!1050!09/05/2017-08:54:29:: e ERROR: Error rending control: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

http://go.microsoft.com/fwlink/?LinkID=314055 ---> System.Web.UI.ViewStateException: Invalid viewstate.

                Client IP: *****

                Port: 59222

                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

                ViewState: /wEPDwUKMTEzMjExOTUxNA9kFgQCAQ8WAh4EbGFuZwUFZW4tR0JkAgMPZBYEAgQPZBYEAgEPFgIeBVZhbHVlZGQCAw9kFgJmD2QWAmYPFgIfAWRkAgUPFCsABQ8WCh4UU2hvd1Byb21wdEFyZWFCdXR0b25oHgxTY3JvbGxUYXJnZXRkHhNQcm9tcHRBcmVhQ29sbGFwc2VkZx4QVjFTdHlsZVNoZWV0TmFtZWQeDlJlbmRlcmluZ1N0YXRlCymRAU1pY3Jvc29mdC5SZXBvcnRpbmcuV2ViRm9ybXMuUmVwb3J0UmVuZGVyaW5nU3RhdGUsIFJlcG9ydGluZ1NlcnZpY2VzV2ViU2VydmVyLCBWZXJzaW9uPTEyLjAuMC4wLCBDd

..

How we fixed it

This was easy for a web farm person like me – when you have a .net application  in a web farm you need to add in encryption keys across the farm.

First I checked the instructions as I would have thought that SSRS might do this for me as you actually configure the thing for scale out but MS aren’t that bright – yes you do need to manually put in some keys (https://docs.microsoft.com/en-us/sql/reporting-services/report-server/configure-a-report-server-on-a-network-load-balancing-cluster).

So I generated some for each environment and did this.

Explanation

I always said the old load balancer was not load balancing.  The new ones (F5) are. 

Tuesday 4 July 2017

Import and bind a cert is IIS.

param (
[Parameter(Mandatory=$true)][String]$certpath,
[Parameter(Mandatory=$true)][String]$certpass,
[Parameter(Mandatory=$true)][String]$ip,
[Parameter(Mandatory=$false)][String]$website = "Default Web Site"
)

$mypwd = ConvertTo-SecureString -String $certpass -Force –AsPlainText
$cert  = Import-PfxCertificate -FilePath $certpath Cert:\LocalMachine\My -Password $mypwd -Exportable
$bind = Get-WebBinding -Protocol https -IPAddress $ip  -port 443
if($bind -ne $null) {
    Remove-WebBinding  -Protocol https -IPAddress $ip  -port 443
}

# -Name $website -IPAddress $ip -Protocol HTTPS -Port 443 -HostHeader '' -Binding $ip':433:'
new-WebBinding -Name $website -IPAddress $ip -Protocol https -Port 443 
$bind = Get-WebBinding -Protocol https -IPAddress $ip  -port 443
$bind.AddSslCertificate($cert.GetCertHashString(), "my")
This is for a cert to IP without host header.

Thursday 29 June 2017

Stop, start disable services on multiple machines

$Machines = Get-Content -Path ".\Machines.txt"
$service="Microsoft Deployment Agent"
$credential = Get-Credential
foreach($computer in $Machines) {
    #$result = (gwmi win32_service -computername $computer -filter "name='$service'" -Credential $credential).stopservice() 
    #$result = (gwmi win32_service -computername $computer -filter "name='$service'" -Credential $credential).ChangeStartMode("Disabled") 
    $result = (gwmi win32_service -computername $computer -filter "name='$service'" -Credential $credential).startservice()     
    $result = (gwmi win32_service -computername $computer -filter "name='$service'" -Credential $credential).ChangeStartMode("Automatic") 
}
# $result = (gwmi win32_service -computername $computer -filter "name='$service'" -Credential $cred).startservice() 
#Get-Service -Name $Services -ComputerName $Machines -Credential $credential | Set-Service -Status Started -StartupType Automatic 


As usual not really my code but plagiarised. Massive apologies to whoever/wherever I got it as I can’t find it again.  As usual – this is really for me!

The Get-Service /  Set-Service script was the obvious candidate to use but wont take a credential.

Put a list of machines in Machines.txt.

Original that I’ve lost also took a list of services!