Web Service Extensions

IIS 6 is shipped in lockdown mode. This means that out of the box, IIS will deliver only static content, such as HTML pages. Active content, such as ASP, FrontPage, Server Side Includes (SSI), and WebDAV will not work. To make this content work in IIS, you need to use the Web Service Extensions portion of the IIS MMC. This allows you to enable and disable active content.

In the MMC, two tabs—Extended and Standard—control how the options for configuring the extensions are presented. The Extended tab has buttons for Allow, Prohibit, and Properties, as well as hyperlinks for performing these tasks. On the Standard tab, you must use the menus to access those options. For this exercise, we cover the Extended tab, as shown in Figure 6-4.

Figure 6-4: IIS Manager Web Service Extensions, Extended tab

A set of predefined web extensions is available, but you can define and add your own—for example, if you wrote your own ISAPI extension and wanted to add it granularly. You can also allow all unknown ISAPI or CGI extensions, but this is not recommended since it is a security risk.

The Web Service Extensions that are predefined are as follows:

  • All Unknown ISAPI Extensions

  • All Unknown CGI Extensions

  • Active Server Pages

  • Internet Data Connector

  • Internet Printing

  • Server Side Includes

  • WebDAV

Allowing Web Service Extensions to Run

To allow a web extension to run, highlight the extension in the IIS Manager and click the Allow button. The web extension will then be allowed. If you choose to allow one of the All Unknown extensions, you will see a warning that this is a security risk. Again, it’s much better to define and enable your ISAPI and CGI extensions one by one, to give you granular control over what active content is run in your site.

Prohibiting a Web Service Extension from Running

After you’ve enabled a web extension, you can prohibit it. Highlight the extension in the IIS Manager and click the Prohibit button. If the extension has any other extensions that depend on it, those extensions will cease to function as well. For example, Internet Printing depends on Active Server Pages. If ASP is prohibited, Internet Printing will not function.

This option can be used to prevent unwanted DLLs or executables (EXEs) from running under any circumstance. For example, you can lock out Code Red’s Admin.exe or Nimda’s Nimda.dll by adding them to the list and prohibiting them. This wouldn’t prevent the buffer overflow from happening, but it would prevent any payload DLL or EXE from running. On the other hand, an attack on IIS similar to the SQL Slammer worm, for example, would not be stopped by the Web Service Extensions settings, since that’s a buffer overflow attack that doesn’t copy any DLL or EXE file to the system.
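The Allow and Prohibit states described above are stored in the IIS 6 metabase property WebSvcExtRestrictionList, one comma-separated entry per file. The following is an added example, not code from the book: it audits such a list for the risky "All Unknown" wildcards and reports what is allowed. The entry layout comes from the IIS 6 metabase documentation rather than from this page, and the sample list, including the orders.dll entry, is constructed.

```python
from collections import namedtuple

# One WebSvcExtRestrictionList entry (IIS 6 metabase):
#   AllowDenyFlag,FilePath[,UIDeletableFlag,GroupID,Description]
# AllowDenyFlag: 1 = Allowed, 0 = Prohibited.
Entry = namedtuple("Entry", "allowed path deletable group description")

# The two catch-all entries behind the "All Unknown ..." rows in IIS Manager.
WILDCARDS = {
    "*.dll": "All Unknown ISAPI Extensions",
    "*.exe": "All Unknown CGI Extensions",
}

def parse_entry(line):
    """Parse one entry; wildcard entries carry only flag and path."""
    parts = [p.strip() for p in line.strip().split(",", 4)]
    if len(parts) < 2 or parts[0] not in ("0", "1"):
        raise ValueError("malformed entry: %r" % line)
    parts += [""] * (5 - len(parts))
    return Entry(parts[0] == "1", parts[1], parts[2] == "1", parts[3], parts[4])

def audit(lines):
    """Return (entries, findings); an allowed wildcard is a HIGH finding."""
    entries = [parse_entry(l) for l in lines if l.strip()]
    findings = []
    for e in entries:
        wildcard = WILDCARDS.get(e.path.lower())
        if wildcard and e.allowed:
            findings.append("HIGH: %s (%s) is Allowed" % (wildcard, e.path))
        elif e.allowed:
            label = e.description or e.group or "unnamed extension"
            findings.append("INFO: %s allowed via %s" % (label, e.path))
    return entries, findings

# Constructed sample list; the orders.dll entry is hypothetical.
SAMPLE = r"""
0,*.dll
1,*.exe
1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
0,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV
1,C:\Inetpub\scripts\orders.dll,1,ORDERS,Orders ISAPI (hypothetical)
"""

if __name__ == "__main__":
    entries, findings = audit(SAMPLE.splitlines())
    for f in findings:
        print(f)
    print("Prohibited:", [e.path for e in entries if not e.allowed])
```
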

Adding a New Web Service Extension

When you want to use an ISAPI or CGI extension that is not listed, you must add it to the list unless you have all extensions enabled. Here’s how to add a new extension:

  1. In the IIS Manager, click the Add A New Web Service Extension hyperlink.

  2. The New Web Service Extension dialog box appears. Type the name of the extension in the text box. This is a “friendly” name, so type in something meaningful to you.

  3. Click the Add button to add the DLL or EXE files required to run this extension. Make sure to add all the required files.

  4. If you would like the extension to be allowed right away, check the box to set it to Allowed.

  5. Click OK.

Allow All Web Service Extensions for a Specific Application

If you want to enable all the extensions on which a component depends, you can use this hyperlink to enable them all at once. Here’s how:

  1. Click the Allow All Web Service Extensions For A Specific Application hyperlink.

  2. Select the component you want to allow in the drop-down box, such as Internet Printing.

  3. Note the components that will be allowed as a result of this—ASP in this case.

  4. Click OK. The extensions will now show up as allowed.

    Note 

    If you use this option on a component that depends on other components, it will not enable the selected component’s own extensions, only the extensions of the components it depends on to run successfully. The best use of this tool is in troubleshooting a component, to make sure that all the extensions it depends on are enabled.

Prohibit All Web Service Extensions

To turn off all web service extensions quickly, click this hyperlink. This is useful if you want to disable all active content in one fell swoop. When you click the hyperlink, a warning/confirmation message will appear. If you click Yes, all listed extensions will be prohibited.

Modifying the Properties for a Web Service Extension

To modify the properties for a web service extension, highlight the extension in the list and click the Properties button. A box pops up with two tabs: General and Required Files.

The General tab shows you which applications use this extension. This is a good place to check if you are considering disabling this extension, because it will help you evaluate dependencies on the extension so you don’t inadvertently break an application.

The Required Files tab allows you to add, remove, allow, or prohibit the files that are necessary for this component to run. You can add multiple files to your custom web service extension. The default extensions, such as ASP, are locked down, and you cannot add anything to them.




IIS 6: The Complete Reference
ISBN: 0072224959
EAN: 2147483647
Year: 2005
Pages: 193
