1. Introduction



  1. 1. Marc Liddell - 040001950<br />AC41006<br />E-commerce website and server report<br />Date: 19 December 2008<br />
Contents<br />
1. Introduction<br />
2. Setting up the web server<br />
3. Setting up SSL<br />
3.1 Certificate and binding settings<br />
3.2 Adding a SSL directory<br />
3.3 Ensuring appropriate encryption is used<br />
4. Configuring the Windows firewall<br />
5. Closing the net bios ports (135 and 137)<br />
6. Closing file and printer sharing port (445)<br />
7. MySQL durability<br />
7.1 MySQL Security<br />
7.2 MySQL logging<br />
7.3 MySQL Backups<br />
8 Server durability<br />
8.1 Server logging<br />
8.2 Server back-up<br />
9 Error Redirection<br />
10 Coding Challenges<br />
10.1 Cross host compatible<br />
10.2 Seamless SSL<br />
10.3 PayPal<br />
10.4 Downloading and uploading<br />
10.5 CSS<br />
10.6 MySQL Injection<br />
11 Ecommerce<br />
11.1 Privacy policy<br />
11.2 Ecommerce Element<br />
11.3 Artist accounts<br />
12 Server Details<br />
13 Security Report<br />
13.1 Nessus scan<br />
13.2 Ports<br />
13.3 General vulnerabilities & website<br />
13.4 Security conclusion<br />
1. Introduction<br />In this project I have been asked to set up a secure web server, host a website which can be used to pay for, upload and download music tracks, and investigate the security of a fellow student’s server.<br />2. Setting up the web server<br />The following steps should be followed to initially set up the web server.<br /><ul><li>I have used a PC running on Windows Vista, with SP1 installed.
  2. 2. Install IIS from the control panel:
  3. 3. Control Panel
  4. 4. Programs and Features
  5. 5. Turn Windows features on or off
  6. 6. Internet Information Services
  7. 7. Tick all boxes in all sub folders of this
  8. 8. Install MySQL server on the machine, the exe can be downloaded from:
  9. 9. http://dev.mysql.com/downloads/mysql/5.1.html
  10. 10. When doing this, compare the MD5 hash given on the website with the MD5 hash of the downloaded file. MD5 file hashes can be generated using many free programs available on the web, or from the command prompt.
  11. 11. Install MySQL GUI interface
  12. 12. http://dev.mysql.com/downloads/gui-tools/5.0.html
  13. 13. This download should again be checked against the MD5 hash.
  14. 14. Install the PHP 5.2.8 binaries from </li></ul>http://uk.php.net/get/php-5.2.8-nts-Win32.zip/from/a/mirror<br /><ul><li>This download should again be checked against the MD5 hash.
  15. 15. These files should be extracted into the directory c:/php
  16. 16. Follow the steps on the following blog to set up PHP for IIS
  17. 17. http://blogs.iis.net/bills/archive/2006/09/19/How-to-install-PHP-on-IIS7-_2800_RC1_2900_.aspx</li></ul>Now that these steps are complete, the following can be implemented in any order to secure the server and its affiliations.<br />3. Setting up SSL<br />3.1 Certificate and binding settings<br />I found the following web page useful for reference.<br />http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx<br />If you already have a signed certificate, skip steps 1-3.<br /><ul><li>From the root computer in connections, open Server Certificates
  18. 18. Depending on preference, click “Create Self-Signed Certificate” or “Create Domain Certificate” (for this project I created a certificate using filegate.computing.dundee.ac.uk)
  19. 19. Follow the steps accordingly
  20. 20. Using the appropriate website in “Sites”, select “Bindings...” in the right hand panel
  21. 21. Select “Add...”
  22. 22. Type is https, IP address is All Unassigned, port is 443, select certificate as appropriate
  23. 23. Select OK, and close</li></ul>3.2 Adding a SSL directory<br /><ul><li>Select an appropriate directory in the website, or the whole website if you so wish, in the connections panel.
  24. 24. Select “SSL settings”
  25. 25. Tick the appropriate options; for my server I used “Require SSL”, “Require 128-bit SSL” and Client certificates: Ignore.</li></ul>3.3 Ensuring appropriate encryption is used<br />Many encryption algorithms and ciphers which are still active on Windows Vista are now insecure; these must be disabled to ensure encryption security.<br /><ul><li>Open up the registry (Run-> “regedit”)
  26. 26. Back-up the registry (File-> Export) (this can be used if it is corrupted during this process)
  27. 27. Go to the following location: Computer/HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/SecurityProviders/Schannel/Protocols
  28. 28. Create a key (folder) named “PCT 1.0”, inside it create a new key named “Server”, and finally, in this key, create a DWORD (32-bit) Value with the name “Enabled” and value 00 00 00 00
  29. 29. If SSL 2.0 is already present, go into its Server key and change the Enabled DWORD to 00 00 00 00. If this does not exist, create it as above.
  30. 30. Create a key named “SSL 3.0”, inside it create another key named “Server”, and in this key create a DWORD (32-bit) Value named “Enabled” with the value ff ff ff ff
  31. 31. In the directory Computer/HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/SecurityProviders/Schannel/Ciphers, create the following keys, and in each key create a DWORD (32-bit) Value with the name Enabled and value 00 00 00 00:
  32. 32. DES 56/56
  33. 33. NULL
  34. 34. RC2 128/128
  35. 35. RC2 40/128
  36. 36. RC2 56/128
  38. 38. RC4 128/128
  39. 39. RC4 40/128
  40. 40. RC4 56/128
  41. 41. RC4 64/128
  42. 42. And finally, in the same directory, create a key named “TripleDES 168/168”, with a DWORD (32-bit) Value with the name Enabled and value ff ff ff ff.</li></ul>These settings are appropriate at the time of printing. Over time, encryption algorithms have the potential to become vulnerable, so these may need to be changed.<br />4. Configuring the Windows firewall<br />The Windows Firewall can be very useful for blocking ports and programs; it should be used, and configured as below.<br /><ul><li>Go to Control Panel -> Windows Firewall
  43. 43. Ensure the firewall is turned on.
  44. 44. Select “Allow a program through Windows Firewall” on the left hand side
  45. 45. Unselect all tick boxes which are available to unselect. (Some were unavailable to select on my machine due to either access rights, or Windows Vista blocking me.)
  46. 46. Add the following ports by clicking “Add port...”
  47. 47. Name: “http”, port number: “80”, TCP
  48. 48. Name: “https”, port number: “443”, TCP</li></ul>5. Closing the net bios ports (135 and 137)<br />These ports have to be closed down elsewhere, as they are not in the firewall settings. These ports are potentially vulnerable to attackers; at minimum, attackers can obtain computer information from them.<br /><ul><li>Go to Control Panel -> Network and security
  49. 49. On the left panel, go to “Manage network connections”
  50. 50. Go to properties of the LAN or access point
  51. 51. For Internet Protocol Version 4 (TCP/IPv4) and IPv6, go to properties, then advanced
  52. 52. In the WINS tab, select Disable NetBIOS over TCP/IP</li></ul>6. Closing file and printer sharing port (445)<br />Closing this port removes an access point for hackers.<br /><ul><li>Go to Control Panel -> Network and security
  53. 53. On the left panel, go to “Manage network connections”
  54. 54. Go to properties of the LAN or access point
  55. 55. Uncheck the following:
  56. 56. Client for Microsoft Networks
  57. 57. File and Printer Sharing for Microsoft Networks
  58. 58. Click “OK”</li></ul>7. MySQL durability<br />7.1 MySQL Security<br />To make MySQL secure against outside attacks, remote access must be shut down. This means closing port 3302. This can be closed on the Windows Firewall (section 4). Closing this maintains access for the local host, but removes access from the web.<br />7.2 MySQL logging<br />This is necessary for database durability, should it fall over.<br /><ul><li>Open the MySQL Administrator in MySQL GUI Tools
  59. 59. Create a stored connection with the appropriate log-in information
  60. 60. Go to Start-up Variables -> Log Files and enable the following:
  61. 61. Binary Log file
  62. 62. Query Log file
  63. 63. Error Log file
  64. 64. Update Log file
  65. 65. Give them appropriate names.</li></ul>7.3 MySQL Backups<br />Backups are necessary for restoring the database after corruption or physical damage. These should be stored on a separate PC, preferably in a separate, secret location; however, for this project I deemed this unnecessary due to cost and timescale.<br /><ul><li>Open the MySQL Administrator in MySQL GUI Tools
  66. 66. Go to the back-up tab
  67. 67. Select the appropriate database (for my project this is marcliddell_website)
  68. 68. Select the appropriate backup type. (I chose InnoDB online back-up, so that service was not disrupted.)
  69. 69. Schedule as required. (For my setup, I back up every day.)</li></ul>8 Server durability<br />This is vital to efficient recovery and contingency plans. Logging is also good for statistics, which can be extremely useful.<br />8.1 Server logging<br /><ul><li>In IIS, go to the appropriate website in the connections panel.
  70. 70. Go to logging, under IIS
  71. 71. Set as required (for this project I set daily log files, with no maximum size and using the default directory.)</li></ul>8.2 Server back-up<br />Although there are no actual menu settings for this, I regularly backed up web files on a pen drive, which is normally kept offsite. This is essential if another server needs to be set up and the files placed on it. Ideally a second server would be set up in parallel, so if the main server fell over, the secondary server could take its place.<br />9 Error Redirection<br />Error pages can expose critical information about a web server to attackers, so this exposure should be avoided as much as possible. One step I took to ensure this information was not leaked was to implement an error redirection for errors 401, 403, 404, 405, 406, 412, 500, 501 and 502.<br />This was implemented by linking the appropriate pages as follows:<br /><ul><li>Open IIS manager, go to the appropriate website in the connections panel
  72. 72. Go to Error pages, under IIS
  73. 73. Select “Edit Feature Settings...” in the right panel
  74. 74. Select custom error pages, and select “ok”
  75. 75. Then edit the path of each error page as appropriate. (For this project I simply named the pages 401.php, 403.php etc.)</li></ul>10 Coding Challenges<br />10.1 Cross host compatible<br />Due to the nature of web page design, some page directories have to be hard coded. However, there are methods around this in PHP, using variables such as $_SERVER['HTTP_HOST'], which returns the part of the URL between http:// and the first / for the directory. So if the website moved domain names, the site would still operate fully. Many links are relative though; this is only used in cases where the file is in the above file directory.<br />10.2 Seamless SSL<br />The majority of my site does not require SSL; however, there are several pages which do, registration and login for example, where passwords are travelling on the wire. I achieve this by placing the form action pages in a secure directory, and referencing them using a full URL, to change to https. Then once the login is complete, the site reverts back to http. The reason for doing this is that encrypting all traffic would simply be too much overhead, should the site get busy.<br />Also, at first I believed that the login form had to be in SSL; however, after research on the internet and using Wireshark to test this, I discovered this was not required, and only the action form had to be in SSL. This allowed my site to have the appearance of the login on the top of every page.<br />Before the password is sent over the wire it is also SHA-1 hashed (then SSL is applied); this helps ensure no sensitive information can be found on the wire or in the database.<br />10.3 PayPal<br />To enable payment on my site, I decided to use PayPal. During the development stage, and for the marking stage, I have left this on the PayPal sandbox, so no real money is transferred. Using this gives users the confidence to use the site, as most users trust PayPal to handle their details securely. 
The PayPal script I have used works by posting multiple variables to PayPal. The user pays and, once PayPal has completed the transaction successfully, the user is returned to the website along with a secure hash which identifies the transaction; this is then used to allow the user access to the music.<br />10.4 Downloading and uploading<br />A core functionality of the site is uploading and downloading music. I have decided to restrict this to mp3 format. When uploading, files are stored off the server, so that they are not accessible to anyone on the web. When a user downloads the file it is moved into a hashed folder, and will be removed after a set time period so that no other users can access the file by typing in the URL directly.<br />10.5 CSS<br />I have decided to add a high contrast CSS to the website, as the design I decided on may be too dark for some users. Also, users may prefer the alternate style sheet. These can be altered on the top left of the website.<br />Also, as a slight fun part to the project, and due to the festive time of year, I have added a JavaScript to my website which shows snow falling down on the site.<br />10.6 MySQL Injection<br />I have protected my site from MySQL injection by using the PHP function mysql_real_escape_string on every variable going into the MySQL engine. This will prevent attackers corrupting, deleting or editing the database.<br />11 Ecommerce<br />11.1 Privacy policy<br />I have included a privacy policy on the site; this is to let the users know how my site intends to use their data. Users agree to this when registering, so must accept it to join the site.<br />11.2 Ecommerce Element<br />My site demonstrates ecommerce by allowing users to upload music tracks, making them available to sell to other users. Other users will be charged a fee by the music owner. Of this fee, I, MusicLink, will take 10% of the total as commission. 
This will fund the business, and also encourage users to use the site as we take very little commission. The band can see how much money they have earned in their account page.<br />11.3 Artist accounts<br />I have decided to make every account have the potential to become an artist account. This is because smaller artists will be encouraged to put their songs up once listening to other artists. If more songs are available to download, more songs will possibly be downloaded, and the site will make more profit.<br />12 Server Details<br />Server IP address: (VistaLabPC020)<br />MySQL username: root, Password: password<br />A website user account, Username: marc, Password: marc<br />13 Security Report<br />13.1 Nessus scan<br />To assess the security of a fellow student’s site I started out by running Nessus Client on a default scan policy. I edited this scan policy so that a full and thorough scan took place.<br />This report can be viewed in the attached HTML document, named “scan.html”.<br />The report revealed 6 open ports, 20 low vulnerabilities and 0 medium or high. I will now discuss these in the following pages.<br />13.2 Ports<br /><ul><li>http (80/tcp) – This port is required to be open to run the website. However, one of the vulnerabilities on this port is that some directories can be enumerated (discovered by dictionary attack). The directories found are /_vti_bin, which is used for ASP to deposit code on the server, and /styles, which I assume will have the style sheets in it. This provides no risk; however, it may be possible to guess script names in here to run, and this could be hazardous.
  76. 76. Another discovery on this port is that the server is likely to be IIS 6.0 – SP1. Although this itself is not a risk, if an exploit is found and is not patched instantly, the exploit could be applied to the server with more confidence that it will affect it.
  77. 77. Netbios-ns (137/udp) allows capture of system information; no risks, however it should have been removed. It can be removed by following the procedure in section 5.
  78. 78. Netbios-ssn (139/tcp): an SMB server runs here. It can be removed by following the procedure in section 5.
  79. 79. https (443/tcp): most vulnerabilities are unpreventable, for example public key data. There is one vulnerability which has a risk factor of low (not none), which is that the IIS NTLM web server is running, and it may be possible to exploit authentication schemes which are used for confidential web pages. There is, however, no fix available for this as yet; this should be kept an eye on for a patch, when it is released.
  80. 80. MySQL (3306/tcp): there are no vulnerabilities on this port; however, this should not be open at all. This can be disabled in the MySQL GUI administrator, as described in section 7.1.
  81. 81. Ms-wbt-server (3389/tcp): no vulnerabilities; however, it is an unused port, so should be shut down.</li></ul>13.3 General vulnerabilities & website<br /><ul><li>In general/tcp vulnerabilities, it is shown that TCP timestamps are being implemented, and can potentially lead to host corruption. To help uphold security and reliability, this should be shut down.
  82. 82. SSL: switching between SSL and HTTP is seamless, very smooth. However, I feel some directories could be taken out of SSL to reduce the load on the server, for example browse artists.</li></ul>13.4 Security conclusion<br />Overall the security of the system is good; however, several ports should be closed, to pre-empt any problems/bugs on these ports.<br />
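
Section 10.6 relies on escaping every variable with mysql_real_escape_string. The following added example, which is not code from the report, shows that escaping only protects values placed inside quotes, while a prepared statement covers the unquoted case as well. The tracks table, its rows, the function names and the use of an in-memory SQLite database through PDO in place of MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the original report. The table, rows and
// function names are constructed; an in-memory SQLite database (PDO) stands
// in for the report's MySQL server so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tracks (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
$db->exec("INSERT INTO tracks (owner, title) VALUES
           ('marc', 'Demo One'), ('anna', 'Private Mix'), ('anna', 'B-Side')");

// Stand-in for mysql_real_escape_string(): escapes quote characters only and
// returns the value WITHOUT surrounding quotes, as the MySQL function does.
function escape_only(PDO $db, string $value): string
{
    return substr($db->quote($value), 1, -1);
}

// Escaped value placed inside quotes: the input stays a string literal.
function find_by_owner_escaped(PDO $db, string $owner): array
{
    $sql = "SELECT title FROM tracks WHERE owner = '" . escape_only($db, $owner) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped value placed in an unquoted numeric position: escaping changes
// nothing because the input contains no quote characters to escape.
function find_by_id_escaped(PDO $db, string $id): array
{
    $sql = 'SELECT title FROM tracks WHERE id = ' . escape_only($db, $id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound as data and never parsed as SQL.
function find_by_id_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT title FROM tracks WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$quoted  = "x' OR '1'='1";   // constructed test input for the quoted case
$numeric = '0 OR 1=1';       // constructed test input for the unquoted case

printf("quoted + escaped:   %d row(s)\n", count(find_by_owner_escaped($db, $quoted)));
printf("unquoted + escaped: %d row(s)\n", count(find_by_id_escaped($db, $numeric)));
printf("prepared statement: %d row(s)\n", count(find_by_id_prepared($db, $numeric)));
```

Only the unquoted, escaped query returns rows the caller did not ask for; binding the value, or casting it to an integer before use, closes that case.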
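
Section 10.4 describes placing a purchased track in a hashed folder that is removed after a set time. One way to implement that, as an added example that is not the report's own code: the folder name comes from random bytes rather than a hash of guessable data, and a purge routine deletes folders past their lifetime. The paths, the 600-second lifetime and the function names are assumptions.

```php
<?php
// Added example, not code from the original report. Paths, the 600-second
// lifetime and the function names are assumptions; files are constructed.

// Copy a stored track into a fresh, randomly named folder under the web root
// and return the folder name to embed in the download link.
function publish_download(string $storedFile, string $webRoot): string
{
    // 128 random bits: the name cannot be derived from the user or the track.
    $folder = bin2hex(random_bytes(16));
    if (!mkdir("$webRoot/$folder", 0700)) {
        throw new RuntimeException('cannot create download folder');
    }
    copy($storedFile, "$webRoot/$folder/" . basename($storedFile));
    return $folder;
}

// Delete every download folder older than $ttl seconds; returns removed names.
function purge_expired(string $webRoot, int $ttl, int $now): array
{
    $removed = [];
    foreach (scandir($webRoot) as $entry) {
        $dir = "$webRoot/$entry";
        // Only touch folders this scheme created (32 hex characters).
        if (!preg_match('/^[0-9a-f]{32}$/', $entry) || !is_dir($dir)) {
            continue;
        }
        if ($now - filemtime($dir) >= $ttl) {
            array_map('unlink', glob("$dir/*"));
            rmdir($dir);
            $removed[] = $entry;
        }
    }
    return $removed;
}

// Constructed demonstration in temporary directories.
$store   = sys_get_temp_dir() . '/store_'   . bin2hex(random_bytes(4));
$webRoot = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir($store);
mkdir($webRoot);
file_put_contents("$store/track.mp3", 'constructed sample bytes');

$folder = publish_download("$store/track.mp3", $webRoot);
echo "link path: /$folder/track.mp3\n";
var_dump(purge_expired($webRoot, 600, time()));        // still within lifetime
var_dump(purge_expired($webRoot, 600, time() + 601));  // lifetime elapsed
```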