The material in this section covers security issues specific to Internet Information Services 5.
Although this procedure is somewhat application-dependent, some rules of thumb apply, as described in Table F-1.
Table F-1. Recommended default ACLs by file type.

| File Type | Access Control Lists |
|---|---|
| CGI (.exe, .dll, .cmd, .pl) | Everyone (X); Administrators (Full Control); System (Full Control) |
| Script files (.asp) | Everyone (X); Administrators (Full Control); System (Full Control) |
| Include files (.inc, .shtm, .shtml) | Everyone (X); Administrators (Full Control); System (Full Control) |
| Static content (.txt, .gif, .jpg, .html) | Everyone (R); Administrators (Full Control); System (Full Control) |
Rather than setting ACLs on each file, you're better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:
Also, be aware that two directories need special attention:
The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place these folders on a different volume from the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are
This is to help prevent malicious users from deleting the files to cover their tracks.
Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:
The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering `net helpmsg err` on the command line, where err is the error number you are interested in.
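The check described above, written as an added example (not code from the original checklist): a small reader for W3C Extended log entries that takes the field order from the #Fields directive and counts, per client address, the entries whose Win32 status is 5 (access denied). The log lines are constructed to resemble IIS 5 output and are not real server logs.

```javascript
// Added example: scan W3C Extended log entries for sc-win32-status 5 (access
// denied). The log text below is constructed in the shape IIS 5 writes; the
// field order is read from the #Fields directive rather than assumed.
const sampleLog = `#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-04 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status
2001-03-04 10:00:01 192.0.2.10 GET /default.htm 200 0
2001-03-04 10:00:02 192.0.2.10 GET /scripts/admin.asp 401 5
2001-03-04 10:00:03 192.0.2.10 GET /private/data.txt 401 5
2001-03-04 10:00:04 192.0.2.33 GET /images/logo.gif 200 0`;

// Parse the log into one object per request, keyed by the declared field names.
function parseW3cLog(text) {
  let fields = [];
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#Fields:')) {             // field order is declared here
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#')) continue;            // #Software, #Version, #Date
    const values = line.split(/\s+/);
    if (values.length !== fields.length) continue; // no #Fields yet, or malformed
    const entry = {};
    fields.forEach((name, i) => { entry[name] = values[i]; });
    entries.push(entry);
  }
  return entries;
}

// Count "access denied" (Win32 status 5) entries per client address; a burst
// from one address against paths it should not reach is worth investigating.
function accessDeniedByClient(text) {
  const counts = {};
  for (const e of parseW3cLog(text)) {
    if (e['sc-win32-status'] === '5') {
      counts[e['c-ip']] = (counts[e['c-ip']] || 0) + 1;
    }
  }
  return counts;
}

console.log(accessDeniedByClient(sampleLog));
```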
This is not a common option to set, but if you want to restrict your Web sites to certain users this is one option available to you. Note that if you enter Domain Name System (DNS) names, IIS has to do a DNS lookup, which can be time-consuming.
It's difficult to know whether executable content can be trusted. One small test is to use the DumpBin tool to see whether the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you want to see whether a file named MyISAPI.dll calls RevertToSelf:
```cmd
dumpbin /imports MyISAPI.dll | find "RevertToSelf"
```
If no result appears on screen, MyISAPI.dll does not call RevertToSelf directly. It might call the API through LoadLibrary, in which case you could use a similar command to search for this, too.
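As an added example (not from the original text), the same review done by parsing the output of dumpbin /imports: each imported API is mapped to the DLL that supplies it, so a direct RevertToSelf import is reported alongside any LoadLibrary/GetProcAddress imports that mean the extension could resolve APIs at run time. The dump text below is constructed to follow dumpbin's layout and is not real tool output.

```javascript
// Added example: parse "dumpbin /imports" output and report where each imported
// API comes from. The text is constructed in dumpbin's layout, not real output.
const sampleDumpbin = `    KERNEL32.dll
             10002000 Import Address Table
             10002100 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                  23E GetProcAddress
                  2EB LoadLibraryA

    ADVAPI32.dll
             10002010 Import Address Table
             10002110 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                  240 RevertToSelf
  Summary
        1000 .data`;

// Map each imported function name to the upper-cased DLL that supplies it.
function parseImports(text) {
  const imports = {};
  let dll = null;
  for (const line of text.split(/\r?\n/)) {
    const dllMatch = line.match(/^\s+([\w.-]+\.dll)\s*$/i);
    if (dllMatch) { dll = dllMatch[1].toUpperCase(); continue; }
    const fnMatch = line.match(/^\s+[0-9A-F]+\s+(\w+)\s*$/i);  // "<hint> <name>"
    if (dll && fnMatch) imports[fnMatch[1]] = dll;
  }
  return imports;
}

// A direct import of RevertToSelf is conclusive. LoadLibrary/GetProcAddress only
// mean the DLL can resolve APIs at run time, so a string search is still needed.
function reviewImports(text) {
  const imports = parseImports(text);
  return {
    callsRevertToSelf: 'RevertToSelf' in imports,
    resolvesApisDynamically: Object.keys(imports)
      .some((f) => /^(LoadLibrary|GetProcAddress)/.test(f)),
    importedDlls: [...new Set(Object.values(imports))].sort(),
  };
}

console.log(reviewImports(sampleDumpbin));
```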
This is a two-step process. The first step is adding any new root certificate authority (CA) certificates you trust, most notably any new root CA certificates you have created by using Microsoft Certificate Services 2.0. The second step is removing all root CA certificates you don't trust. Note that if you do not know the name of the company that issued the root certificate, you should not trust them!
All root CA certificates used by IIS reside in the computer's machine store. You can access this store by following these steps:
The right pane will show all the root CA certificates currently trusted. You can delete multiple certificates if you want.
Samples are just that, samples: they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost (127.0.0.1); however, they should still be removed.
Table F-2 lists the default locations for some of the samples.
Table F-2. Sample files included with Internet Information Server 5.

| Sample | Virtual Directory | Location |
|---|---|---|
| IIS Samples | \IISSamples | c:\inetpub\iissamples |
| IIS Documentation | \IISHelp | c:\winnt\help\iishelp |
| Data Access | \MSADC | c:\program files\common files\system\msadc |
Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component, but note that this will also remove the Dictionary object. Be aware that some programs might require components you're disabling. For example, Site Server 3.0 uses File System Object. The following command will disable File System Object:
```cmd
regsvr32 scrrun.dll /u
```
This directory allows you to reset Windows NT and Windows 2000 passwords. It's designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article Q184619 for more info about this functionality.
IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:
Remove these references:
Table F-3. Extensions to remove from IIS 5.

| If you don't use... | Remove this entry: |
|---|---|
| Web-based password reset | .htr |
| Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology) | .idc |
| Server-side Includes | .stm, .shtm and .shtml |
| Internet Printing | .printer |
| Index Server | .htw, .ida and .idq |
Many sites use input from a user to call other code or build SQL statements directly. In other words, they're treating the input as valid, well-formed, nonmalicious input. This should not be so; there are a number of attacks where user input is treated incorrectly as valid input and the user could gain access to the server or cause damage. You should always check each `<FORM>` input and query string before passing it on to another process or method call that might use an external resource such as the file system or a database.
You can perform text checking with the JScript V5 and VBScript V5 regular expression capabilities. The following example code will strip a string of all invalid characters (characters that are not 0-9a-zA-Z or _):
```vbscript
Set reg = New RegExp
reg.Global = True        ' Replace every match, not only the first one
reg.Pattern = "\W+"      ' One or more characters which
                         ' are NOT 0-9a-zA-Z or '_'
strUnTainted = reg.Replace(strTainted, "")
```
The following sample will strip all text after a | operator:
```vbscript
Set reg = New RegExp
reg.Pattern = "^([^|]*)\|[\s\S]*"   ' Everything up to the first | character,
                                    ' then the | and whatever follows it
strUnTainted = reg.Replace(strTainted, "$1")
```
Also, be careful when opening or creating files by using Scripting File System Object. If the filename is based on the user's input, the user might attempt to open a serial port or printer. The following JScript code will strip out invalid filenames:
```javascript
// Remove a reserved device name (AUX, PRN, NUL, CON, COMn, LPTn) at the end of
// the filename; CON is included here because it is a reserved name as well.
var strOut = strIn.replace(/(AUX|PRN|NUL|CON|COM\d|LPT\d)+\s*$/i, "");
```
The pattern syntax in the Version 5 script engines is the same as that in Perl 5.0. Refer to the V5 scripting engine documentation at http://msdn.microsoft.com/scripting/default.htm for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.
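The three checks described above as an added example in plain JavaScript (not the page's own JScript or VBScript; the names stripNonWord, stripAfterPipe and isSafeFilename are mine). isSafeFilename goes further than the page's expression: it rejects rather than rewrites, adds CON to the reserved names, and catches a device name that carries an extension such as COM1.txt, which Windows still opens as the device.

```javascript
// Added example: the page's input checks as functions, plus a stricter
// filename check. Function names are assumptions, not IIS or script-engine APIs.

// Keep only 0-9a-zA-Z and '_' (the /g flag removes every run, not just the first).
function stripNonWord(s) {
  return s.replace(/\W+/g, '');
}

// Drop the first | and everything after it, including any later lines.
function stripAfterPipe(s) {
  return s.replace(/\|[\s\S]*$/, '');
}

// Reserved device names, with or without an extension: "COM1.txt" is still COM1.
const RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i;

// Reject rather than rewrite: the name must be a single path component made of
// safe characters, not "." or "..", and not a reserved device name.
function isSafeFilename(name) {
  if (!/^[\w.-]+$/.test(name)) return false;   // no slashes, colons, spaces
  if (name === '.' || name === '..') return false;
  return !RESERVED_DEVICE.test(name);
}

console.log(stripNonWord('a-b c;d'), stripAfterPipe('dir|del *.*'),
  isSafeFilename('report.txt'), isSafeFilename('COM1.txt'));
```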
The Parent Paths option allows you to use ".." in calls to functions such as MapPath. By default, this option is enabled, and you should disable it. Follow this procedure to disable the option:
The Content-Location header can expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. Refer to Knowledge Base article Q218180 for further information about disabling this option.