Friday, 13 June 2008

Publishing Certificate Revocation Lists with ISA Server 2006 - Part 2: Applying the HTTP Filter

Continuing on from Publishing Certificate Revocation Lists with ISA Server 2006 - Part 1: Creating the Publishing Rule, this blog entry covers Part 2, which extends the existing publishing rule with a more secure HTTP filter configuration.

As discussed in a previous blog entry, the use of the HTTP filter in this example applies the concept of 'least privilege': only the HTTP protocol features that are actually needed to serve the CRLs are permitted by ISA Server, which limits what can reach the published web servers.

Using the example from Part 1 of this blog series, we can access the HTTP filter configuration by right-clicking on the Publish Certificate Revocation List rule and selecting the Configure HTTP option from the context menu.

Using the guidance provided in the Microsoft article titled HTTP Filtering in ISA Server 2004, it is possible to apply a Baseline Web Publishing HTTP Policy as a starting point. Once this policy has been applied and tested, we can then tighten additional HTTP parameters to further restrict what the filter allows through.

The Baseline Web Publishing HTTP Policy provided by Microsoft in the above article is shown below in HTTP Policy XML format:

<Configuration BlockExecutables="false" ViaHeaderAction="0" NewViaHeaderValue="" ServerHeaderAction="0" NewServerHeaderValue="" MaxRequestBodyLen="-1">
  <UrlValidation NormalizeBeforeScan="true" VerifyNormalization="true" AllowHighBitCharacters="true" BlockDotInPath="false" MaxLength="260" MaxQueryLength="4096">
    <Extensions AllowCondition="2">
      <Extension Value=".exe" Description=""/>
      <Extension Value=".bat" Description=""/>
      <Extension Value=".cmd" Description=""/>
      <Extension Value=".com" Description=""/>
      <Extension Value=".htw" Description=""/>
      <Extension Value=".ida" Description=""/>
      <Extension Value=".idq" Description=""/>
      <Extension Value=".htr" Description=""/>
      <Extension Value=".idc" Description=""/>
      <Extension Value=".shtm" Description=""/>
      <Extension Value=".shtml" Description=""/>
      <Extension Value=".stm" Description=""/>
      <Extension Value=".printer" Description=""/>
      <Extension Value=".ini" Description=""/>
      <Extension Value=".log" Description=""/>
      <Extension Value=".pol" Description=""/>
      <Extension Value=".dat" Description=""/>
    </Extensions>
  </UrlValidation>
  <Verbs AllowCondition="1">
    <Verb Value="GET" Description=""/>
    <Verb Value="HEAD" Description=""/>
    <Verb Value="POST" Description=""/>
  </Verbs>
  <RequestHeaders/>
  <ResponseHeaders/>
  <DeniedSignatures>
    <Signature Name=".." Description="" SearchInType="0" SearchInHeader="" From="1" To="100" Pattern="[..]" FormatIsText="true" Enabled="true"/>
    <Signature Name="./" Description="" SearchInType="0" SearchInHeader="" From="1" To="100" Pattern="[./]" FormatIsText="true" Enabled="true"/>
    <Signature Name="\" Description="" SearchInType="0" SearchInHeader="" From="1" To="100" Pattern="[\]" FormatIsText="true" Enabled="true"/>
    <Signature Name=":" Description="" SearchInType="0" SearchInHeader="" From="1" To="100" Pattern="[:]" FormatIsText="true" Enabled="true"/>
    <Signature Name="%" Description="" SearchInType="0" SearchInHeader="" From="1" To="100" Pattern="[%]" FormatIsText="true" Enabled="true"/>
    <Signature Name="&amp;" Description="" SearchInType="0" SearchInHeader="" From="1" To="100" Pattern="[&amp;]" FormatIsText="true" Enabled="true"/>
  </DeniedSignatures>
</Configuration>

This can be applied in the same way as covered in the previous blog entry, using the HTTPFilterConfig.vbs script.

Using the baseline policy as a starting point, this can be extended to further restrict the following General features:

  • Block high bit characters
  • Block responses containing Windows executable content

The resulting configuration is shown below:

Using the baseline policy as a starting point, this can be extended to further restrict the Methods to:

  • GET

The resulting configuration is shown below:

Using the baseline policy as a starting point, this can be extended to further restrict Extensions to:

  • .crl
  • Block requests containing ambiguous extensions

The resulting configuration is shown below:

Using the baseline policy as a starting point, the default baseline list of blocked signatures can remain as shown below:

Based on the HTTP filter parameters defined above, it is therefore possible to define an HTTPFilterConfig XML policy as follows:

CRL HTTP Filter XML Policy

<Configuration BlockExecutables="true" ViaHeaderAction="0" NewViaHeaderValue="" ServerHeaderAction="0" NewServerHeaderValue="" MaxRequestBodyLen="-1">
  <UrlValidation NormalizeBeforeScan="true" VerifyNormalization="true" AllowHighBitCharacters="false" BlockDotInPath="true" MaxLength="260" MaxQueryLength="4096">
    <Extensions AllowCondition="1">
      <Extension Value=".crl" Description=""/>
    </Extensions>
  </UrlValidation>
  <Verbs AllowCondition="1">
    <Verb Value="GET" Description=""/>
  </Verbs>
  <RequestHeaders/>
  <ResponseHeaders/>
  <DeniedSignatures>
    <Signature Name=".." Description="" SearchInType="0" SearchInHeader="HTTP_" From="1" To="100" Pattern="[..]" FormatIsText="true" Enabled="true"/>
    <Signature Name="./" Description="" SearchInType="0" SearchInHeader="HTTP_" From="1" To="100" Pattern="[./]" FormatIsText="true" Enabled="true"/>
    <Signature Name="\" Description="" SearchInType="0" SearchInHeader="HTTP_" From="1" To="100" Pattern="[\]" FormatIsText="true" Enabled="true"/>
    <Signature Name=":" Description="" SearchInType="0" SearchInHeader="HTTP_" From="1" To="100" Pattern="[:]" FormatIsText="true" Enabled="true"/>
    <Signature Name="%" Description="" SearchInType="0" SearchInHeader="HTTP_" From="1" To="100" Pattern="[%]" FormatIsText="true" Enabled="true"/>
    <Signature Name="&amp;" Description="" SearchInType="0" SearchInHeader="HTTP_" From="1" To="100" Pattern="[&amp;]" FormatIsText="true" Enabled="true"/>
  </DeniedSignatures>
</Configuration>

This can be applied as discussed in a previous blog entry using the HTTPFilterConfig.vbs script.
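To see what the tightened policy actually buys over the baseline, the script below replays a handful of constructed requests against both HTTP Policy XML documents from this post. It is an added example and not ISA Server's own filter engine or the HTTPFilterConfig.vbs script: it is a simplified model of the filter's decisions, and the readings it relies on are assumptions. AllowCondition 1 is read as "allow only the listed values" and 2 as "block the listed values" (the reading that fits both policies above), the bracketed Pattern values are treated as literal substrings of the request URL, a request with no file extension is treated as having the empty extension, and BlockDotInPath is read as rejecting a dot in any directory segment. The functions load_policy, evaluate, response_allowed and compare, and the sample request list, are all constructed for this example.

```python
"""Replay constructed requests against the baseline and CRL HTTP filter policies.

Added example, not ISA Server code: a simplified model of the filter's decisions.
Assumed readings: AllowCondition 1 = allow only listed, 2 = block listed; a
Pattern such as "[..]" is the literal substring ".."; a request without an
extension has the empty extension; BlockDotInPath rejects a dot in a directory segment.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The six denied signatures used by both policies on the page (same Pattern values).
_SIG_PATTERNS = ["[..]", "[./]", "[\\]", "[:]", "[%]", "[&amp;]"]
BASELINE_EXTENSIONS = [".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq", ".htr", ".idc",
                       ".shtm", ".shtml", ".stm", ".printer", ".ini", ".log", ".pol", ".dat"]


def _signatures(search_in_header):
    rows = "".join(
        f'<Signature Name="{p.strip("[]")}" Description="" SearchInType="0" '
        f'SearchInHeader="{search_in_header}" From="1" To="100" Pattern="{p}" '
        f'FormatIsText="true" Enabled="true"/>' for p in _SIG_PATTERNS)
    return "<DeniedSignatures>" + rows + "</DeniedSignatures>"


def _extensions(condition, values):
    rows = "".join(f'<Extension Value="{v}" Description=""/>' for v in values)
    return f'<Extensions AllowCondition="{condition}">{rows}</Extensions>'


# Both policies rebuilt from the post (constructed strings, attribute values as on the page).
BASELINE_POLICY = (
    '<Configuration BlockExecutables="false" ViaHeaderAction="0" NewViaHeaderValue="" '
    'ServerHeaderAction="0" NewServerHeaderValue="" MaxRequestBodyLen="-1">'
    '<UrlValidation NormalizeBeforeScan="true" VerifyNormalization="true" '
    'AllowHighBitCharacters="true" BlockDotInPath="false" MaxLength="260" MaxQueryLength="4096">'
    + _extensions(2, BASELINE_EXTENSIONS) + "</UrlValidation>"
    + '<Verbs AllowCondition="1"><Verb Value="GET" Description=""/><Verb Value="HEAD" Description=""/>'
    '<Verb Value="POST" Description=""/></Verbs><RequestHeaders/><ResponseHeaders/>'
    + _signatures("") + "</Configuration>")

CRL_POLICY = (
    '<Configuration BlockExecutables="true" ViaHeaderAction="0" NewViaHeaderValue="" '
    'ServerHeaderAction="0" NewServerHeaderValue="" MaxRequestBodyLen="-1">'
    '<UrlValidation NormalizeBeforeScan="true" VerifyNormalization="true" '
    'AllowHighBitCharacters="false" BlockDotInPath="true" MaxLength="260" MaxQueryLength="4096">'
    + _extensions(1, [".crl"]) + "</UrlValidation>"
    + '<Verbs AllowCondition="1"><Verb Value="GET" Description=""/></Verbs>'
    '<RequestHeaders/><ResponseHeaders/>' + _signatures("HTTP_") + "</Configuration>")


def _listed_ok(condition, listed, value):
    """Assumed AllowCondition semantics: 1 = allow only listed, 2 = block listed, else allow all."""
    if condition == 1:
        return value in listed
    if condition == 2:
        return value not in listed
    return True


def load_policy(xml_text):
    """Pull the settings the model uses out of an HTTP Policy XML document."""
    root = ET.fromstring(xml_text)
    uv, verbs, ext = root.find("UrlValidation"), root.find("Verbs"), root.find("UrlValidation/Extensions")
    sigs = root.find("DeniedSignatures")
    return {
        "block_exe": root.get("BlockExecutables") == "true",
        "max_len": int(uv.get("MaxLength")), "max_query": int(uv.get("MaxQueryLength")),
        "high_bit": uv.get("AllowHighBitCharacters") == "true",
        "block_dot": uv.get("BlockDotInPath") == "true",
        "ext_cond": int(ext.get("AllowCondition")),
        "exts": {e.get("Value").lower() for e in ext.findall("Extension")},
        "verb_cond": int(verbs.get("AllowCondition")),
        "verbs": {v.get("Value").upper() for v in verbs.findall("Verb")},
        # "[..]" -> ".." ; ET already turned &amp; back into "&".
        "sigs": [s.get("Pattern").strip("[]") for s in sigs.findall("Signature")
                 if s.get("Enabled") == "true"],
    }


def evaluate(policy, method, url):
    """Return (allowed, reason) for one request under the loaded policy (model, see docstring)."""
    parts = urlsplit(url)
    if not _listed_ok(policy["verb_cond"], policy["verbs"], method.upper()):
        return False, f"method {method} not permitted"
    if len(parts.path) > policy["max_len"] or len(parts.query) > policy["max_query"]:
        return False, "URL or query string too long"
    if not policy["high_bit"] and any(ord(c) > 127 for c in url):
        return False, "high-bit character in URL"
    for sig in policy["sigs"]:
        if sig in url:
            return False, f"denied signature {sig!r} in URL"
    head, tail = posixpath.split(parts.path)
    if policy["block_dot"] and "." in head:
        return False, "dot in a directory segment (ambiguous extension)"
    ext = posixpath.splitext(tail)[1].lower()
    if not _listed_ok(policy["ext_cond"], policy["exts"], ext):
        return False, f"extension {ext or '(none)'} not permitted"
    return True, "allowed"


def response_allowed(policy, body):
    """BlockExecutables: a response body starting with the MZ header is dropped."""
    if policy["block_exe"] and body[:2] == b"MZ":
        return False, "Windows executable content in response"
    return True, "allowed"


SAMPLE_REQUESTS = [  # constructed for this example, not captured traffic
    ("GET", "/crl/root.crl"), ("POST", "/crl/root.crl"), ("GET", "/scripts/default.asp"),
    ("GET", "/crl/../web.config"), ("GET", "/crl/root.crl?lang=\u00e9"), ("GET", "/crl/delta.crl?a=1&b=2"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Decide each request under both policies; returns (method, url, baseline, crl) tuples."""
    base, crl = load_policy(BASELINE_POLICY), load_policy(CRL_POLICY)
    return [(m, u, evaluate(base, m, u), evaluate(crl, m, u)) for m, u in requests]


if __name__ == "__main__":
    for method, url, base, crl in compare():
        print(f"{method:4} {url:30} baseline={base[0]!s:5} crl={crl[0]!s:5} ({crl[1]})")
```

Running it shows the pattern the post is after: a POST to the CRL, a request for an .asp page, a high-bit character in the query and (via BlockExecutables) an MZ-headed response all get through the baseline policy but not the CRL policy, while traversal-style URLs are stopped by the denied signatures under both. The last sample is worth noting when testing: because "&" is a denied signature, any URL with more than one query parameter is rejected, which is harmless for plain CRL downloads but would break anything that needs such a query string.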

I hope you have enjoyed these two blog entries and have a better understanding of publishing and protecting CRL web servers with ISA Server.
