IIS 5 Security Considerations

The material in this section covers security issues specific to Internet Information Services 5.

Set Appropriate ACLs on Virtual Directories

Although this procedure is somewhat application-dependent, some rules of thumb apply, as described in Table F-1.

Table F-1. Recommended default ACLs by file type.

File Type                                    Access Control Lists
CGI (.exe, .dll, .cmd, .pl)                  Everyone (X)
                                             Administrators (Full Control)
                                             System (Full Control)
Script files (.asp)                          Everyone (X)
                                             Administrators (Full Control)
                                             System (Full Control)
Include files (.inc, .shtm, .shtml)          Everyone (X)
                                             Administrators (Full Control)
                                             System (Full Control)
Static content (.txt, .gif, .jpg, .html)     Everyone (R)
                                             Administrators (Full Control)
                                             System (Full Control)

Rather than setting ACLs on each file, you're better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:

  • c:\inetpub\wwwroot\myserver\static (.html)
  • c:\inetpub\wwwroot\myserver\include (.inc)
  • c:\inetpub\wwwroot\myserver\script (.asp)
  • c:\inetpub\wwwroot\myserver\executable (.dll)
  • c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Also, be aware that two directories need special attention:

  • c:\inetpub\ftproot (FTP server)
  • c:\inetpub\mailroot (SMTP server)

The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
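The following is an added example, not code from the book: it turns the Table F-1 rules into an audit. Each file is classified by extension, the Everyone entry is compared with the recommended right, and Administrators and System are checked for Full Control. The ACL model (a principal plus a rights string) and the sample ACLs are constructed for illustration; on a real server you would read the ACLs with cacls or the Win32 security APIs and feed them in.

```javascript
// Added example (not from the book): audit directory ACLs against Table F-1.
// Rights are a string of letters R (read), W (write), X (execute), D (delete);
// the single letter 'F' means Full Control. This model is a constructed one.

// Content classes from Table F-1; 'everyone' is the most Everyone should get.
var CONTENT_CLASSES = {
  cgi:      { extensions: ['.exe', '.dll', '.cmd', '.pl'],            everyone: 'X' },
  script:   { extensions: ['.asp'],                                   everyone: 'X' },
  include:  { extensions: ['.inc', '.shtm', '.shtml'],                everyone: 'X' },
  'static': { extensions: ['.txt', '.gif', '.jpg', '.jpeg', '.html'], everyone: 'R' }
};

// Maps a file path to one of the classes above, or null if the extension is unknown.
function classifyFile(path) {
  var m = /\.[^.\\\/]+$/.exec(path);
  if (!m) return null;
  var ext = m[0].toLowerCase();
  for (var cls in CONTENT_CLASSES) {
    if (CONTENT_CLASSES[cls].extensions.indexOf(ext) >= 0) return cls;
  }
  return null;
}

// Returns a list of findings for one file; an empty list means the ACL matches Table F-1.
function auditAcl(path, acl) {
  var findings = [];
  var cls = classifyFile(path);
  if (cls === null) {
    findings.push('unrecognised file type; put it in its own directory and set the ACL explicitly');
    return findings;
  }
  var allowed = CONTENT_CLASSES[cls].everyone;
  var adminFull = false, systemFull = false;
  for (var i = 0; i < acl.length; i++) {
    var principal = acl[i].principal.toLowerCase();
    var rights = acl[i].rights.toUpperCase();
    if (principal === 'administrators' && rights === 'F') adminFull = true;
    if (principal === 'system' && rights === 'F') systemFull = true;
    if (principal === 'everyone') {
      // Any letter beyond the recommended one is excess; Full Control always is.
      var excess = rights === 'F' ? 'Full Control' : rights.replace(new RegExp('[' + allowed + ']', 'g'), '');
      if (excess !== '') {
        findings.push('Everyone has ' + excess + ' on ' + cls + ' content; recommended is (' + allowed + ')');
      }
    }
  }
  if (!adminFull) findings.push('Administrators lack Full Control');
  if (!systemFull) findings.push('System lacks Full Control');
  return findings;
}

// Audits a listing of { path, acl } records and returns { path: findings } for the paths with findings.
function auditTree(files) {
  var report = {};
  for (var i = 0; i < files.length; i++) {
    var f = auditAcl(files[i].path, files[i].acl);
    if (f.length > 0) report[files[i].path] = f;
  }
  return report;
}

// Constructed sample: one directory per file type, as the text recommends,
// with two deliberate deviations (Everyone has RWX on a script; System is missing on a DLL).
var SAMPLE_FILES = [
  { path: 'c:\\inetpub\\wwwroot\\myserver\\static\\index.html',
    acl: [{ principal: 'Everyone', rights: 'R' }, { principal: 'Administrators', rights: 'F' }, { principal: 'System', rights: 'F' }] },
  { path: 'c:\\inetpub\\wwwroot\\myserver\\script\\login.asp',
    acl: [{ principal: 'Everyone', rights: 'RWX' }, { principal: 'Administrators', rights: 'F' }, { principal: 'System', rights: 'F' }] },
  { path: 'c:\\inetpub\\wwwroot\\myserver\\executable\\upload.dll',
    acl: [{ principal: 'Everyone', rights: 'X' }, { principal: 'Administrators', rights: 'F' }] }
];

console.log(JSON.stringify(auditTree(SAMPLE_FILES), null, 2));
```

Because the audit works per file, it also catches the case the text warns about: a directory whose inherited ACL is right, but where one file was copied in with its own looser ACL.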

Set Appropriate IIS Log File ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are

  • Administrators (Full Control)
  • System (Full Control)
  • Everyone (RWC)

This is to help prevent malicious users from deleting the files to cover their tracks.

Enable Logging

Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:

  1. Load the Internet Information Services tool.
  2. Right-click site in question, and choose Properties from the context menu.
  3. Click the Web Site tab.
  4. Check the Enable Logging check box.
  5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.
  6. Click Properties.
  7. Click the Extended Properties tab, and set the following properties:

  • Client IP Address
  • User Name
  • Method
  • URI Stem
  • HTTP Status
  • Win32 Status
  • User Agent
  • Server IP Address
  • Server Port

The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.
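The following is an added example, not code from the book: a small parser for the W3C Extended log files IIS writes, which reports the error 5 (access denied) entries the text tells you to look for and counts them per client address. The log excerpt is constructed for illustration; the field names are the standard W3C names IIS uses for the properties listed above.

```javascript
// Added example (not from the book): find access-denied requests in an
// IIS W3C Extended log. The log text below is constructed.
const SAMPLE_LOG = [
  '#Software: Microsoft Internet Information Services 5.0',
  '#Version: 1.0',
  '#Date: 2000-05-01 00:00:00',
  '#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)',
  '2000-05-01 00:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.asp 200 0 Mozilla/4.0+(compatible;+MSIE+5.0)',
  '2000-05-01 00:00:02 10.0.0.5 - 192.168.1.10 80 GET /script/admin.asp 401 5 Mozilla/4.0+(compatible;+MSIE+5.0)',
  '2000-05-01 00:00:03 10.0.0.7 - 192.168.1.10 80 GET /images/missing.gif 404 2 Mozilla/4.0+(compatible;+MSIE+5.0)',
  '2000-05-01 00:00:04 10.0.0.5 - 192.168.1.10 80 GET /script/admin.asp 401 5 Mozilla/4.0+(compatible;+MSIE+5.0)'
].join('\n');

// Win32 status codes worth knowing on sight; for anything else run "net helpmsg <n>".
const WIN32_STATUS_HINTS = { '2': 'file not found', '5': 'access denied' };

// Turns the log text into one object per request, keyed by the names from the
// most recent #Fields directive. IIS writes a new directive when the logged
// properties change, so the directive is re-read whenever it appears.
function parseW3CLog(text) {
  let fields = [];
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.charAt(0) === '#') {
      if (line.indexOf('#Fields:') === 0) {
        fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      }
      continue;                            // #Software, #Version, #Date carry no request data
    }
    const values = line.split(/\s+/);      // W3C format encodes spaces inside a field as '+'
    if (fields.length === 0 || values.length !== fields.length) continue;  // malformed line
    const entry = {};
    fields.forEach((name, i) => { entry[name] = values[i]; });
    entries.push(entry);
  }
  return entries;
}

// Lists the access-denied requests and counts them per client address, so a
// client that keeps hitting protected resources stands out.
function accessDeniedReport(entries) {
  const denied = entries.filter(e => e['sc-win32-status'] === '5');
  const byClient = {};
  for (const e of denied) {
    byClient[e['c-ip']] = (byClient[e['c-ip']] || 0) + 1;
  }
  return { denied, byClient };
}

// One readable line per entry, using the hint table where it applies.
function describeEntry(e) {
  const code = e['sc-win32-status'];
  const hint = WIN32_STATUS_HINTS[code] || ('win32 status ' + code + ', see: net helpmsg ' + code);
  return e['c-ip'] + ' ' + e['cs-method'] + ' ' + e['cs-uri-stem'] + ' -> HTTP ' + e['sc-status'] + ' (' + hint + ')';
}

const report = accessDeniedReport(parseW3CLog(SAMPLE_LOG));
report.denied.forEach(e => console.log(describeEntry(e)));
console.log('access denied per client:', JSON.stringify(report.byClient));
```

The parser keys each record by the #Fields names rather than by position, so it keeps working when you add or remove properties in the Extended Properties tab.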

Set IP Address/DNS Address Restrictions

This is not a common option to set, but if you want to restrict your Web sites to certain users, this is one option available to you. Note that if you enter Domain Name System (DNS) names, IIS has to do a DNS lookup, which can be time-consuming.

Executable Content Validated for Trustworthiness

It's difficult to know whether executable content can be trusted. One small test is to use the DumpBin tool to see whether the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you want to see whether a file named MyISAPI.dll calls RevertToSelf:

 dumpbin /imports MyISAPI.dll | find "RevertToSelf" 

If no result appears on screen, MyISAPI.dll does not call RevertToSelf directly. It might call the API through LoadLibrary, in which case you could use a similar command to search for this, too.
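The following is an added example, not code from the book: a parser for the text that dumpbin /imports prints, so that one run of DumpBin can be checked against a whole list of APIs instead of one find per name, and so that the LoadLibrary/GetProcAddress caveat above is reported as well. The dumpbin output below is constructed (the module order, hint values and function list are made up; RevertToSelf really is exported by ADVAPI32.dll). The exact layout varies a little between DumpBin versions, so the parser relies only on the indented module header lines and the indented "hint name" lines.

```javascript
// Added example (not from the book): check "dumpbin /imports" output for APIs
// of interest. SAMPLE_DUMPBIN is a constructed excerpt in the usual layout.
const SAMPLE_DUMPBIN = [
  'Dump of file MyISAPI.dll',
  '',
  'File Type: DLL',
  '',
  '  Section contains the following imports:',
  '',
  '    ADVAPI32.dll',
  '                10002000 Import Address Table',
  '                10002080 Import Name Table',
  '                       0 time date stamp',
  '                       0 Index of first forwarder reference',
  '',
  '                  1A3 RevertToSelf',
  '                  1B0 RegOpenKeyExA',
  '',
  '    KERNEL32.dll',
  '                10002010 Import Address Table',
  '                10002090 Import Name Table',
  '                       0 time date stamp',
  '                       0 Index of first forwarder reference',
  '',
  '                  2C1 LoadLibraryA',
  '                  1F4 GetProcAddress',
  '                  2D8 GetLastError',
  '',
  '  Summary',
  '',
  '        1000 .data',
  '        3000 .text'
].join('\n');

// APIs to flag: RevertToSelf is the one the text names; the LoadLibrary family
// plus GetProcAddress means the DLL can resolve functions at run time.
const LOADLIBRARY_APIS = ['LoadLibraryA', 'LoadLibraryW', 'LoadLibraryExA', 'LoadLibraryExW'];
const WATCHED_APIS = ['RevertToSelf', 'GetProcAddress'].concat(LOADLIBRARY_APIS);

// Returns { 'ADVAPI32.DLL': ['RevertToSelf', ...], 'KERNEL32.DLL': [...] }.
function parseDumpbinImports(text) {
  const modules = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    const mod = /^\s+([\w.-]+\.dll)\s*$/i.exec(line);
    if (mod) {                                   // "    KERNEL32.dll" starts a module block
      current = mod[1].toUpperCase();
      modules[current] = modules[current] || [];
      continue;
    }
    // "                  1A3 RevertToSelf": a hex hint followed by exactly one identifier.
    // Lines such as "10002000 Import Address Table" do not match because of the extra words.
    const imp = /^\s+[0-9A-Fa-f]+\s+([A-Za-z_]\w*)\s*$/.exec(line);
    if (imp && current) modules[current].push(imp[1]);
  }
  return modules;
}

// True when the named API appears in any module's import list.
function importsDirectly(modules, apiName) {
  return Object.keys(modules).some(m => modules[m].indexOf(apiName) >= 0);
}

// Every watched API that is imported, with the module it comes from.
function findWatchedImports(modules, watched = WATCHED_APIS) {
  const hits = [];
  for (const mod of Object.keys(modules)) {
    for (const name of modules[mod]) {
      if (watched.indexOf(name) >= 0) hits.push({ module: mod, api: name });
    }
  }
  return hits;
}

// The case the text warns about: a clean static import table proves little
// if the DLL can load libraries and look functions up by name at run time.
function canResolveAtRuntime(modules) {
  return LOADLIBRARY_APIS.some(n => importsDirectly(modules, n)) && importsDirectly(modules, 'GetProcAddress');
}

const imports = parseDumpbinImports(SAMPLE_DUMPBIN);
console.log('RevertToSelf imported directly:', importsDirectly(imports, 'RevertToSelf'));
console.log('watched imports:', JSON.stringify(findWatchedImports(imports)));
console.log('can resolve APIs at run time:', canResolveAtRuntime(imports));
```

Feed it the saved output of dumpbin /imports MyISAPI.dll; a DLL that imports neither RevertToSelf nor the LoadLibrary/GetProcAddress pair is the only case in which this check says anything reassuring.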

Update Root CA Certificates at the IIS Server

This is a two-step process: The first step is adding any new root certificate authority (CA) certificates you trust, most notably any new root CA certificates you have created by using Microsoft Certificate Services 2.0. The second step is removing all root CA certificates you don't trust. Note that if you do not know the name of the company that issued the root certificate, you should not trust them!

All root CA certificates used by IIS reside in the computer's machine store. You can access this store by following these steps:

  1. Open the Microsoft Management Console (MMC).
  2. Choose Add/Remove Snap-in from the Console menu, and click Add.
  3. Select Certificates and click Add.
  4. Click the Computer Account option button.
  5. Click Next.
  6. Select the machine in question.
  7. Click Finish.
  8. Click Close and then click OK.
  9. Expand the Certificates node.
  10. Expand Trusted Root Certification Authorities.
  11. Select Certificates.

The right pane will show all the root CA certificates currently trusted. You can delete multiple certificates if you want.

Disable or Remove All Sample Applications

Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, they should still be removed.

Table F-2 lists the default locations for some of the samples.

Table F-2. Sample files included with Internet Information Server 5.

Sample               Virtual Directory   Location
IIS Samples          \IISSamples         c:\inetpub\iissamples
IIS Documentation    \IISHelp            c:\winnt\help\iishelp
Data Access          \MSADC              c:\program files\common files\system\msadc

Disable or Remove Unneeded COM Components

Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component, but note that this will also remove the Dictionary object. Be aware that some programs might require components you're disabling. For example, Site Server 3.0 uses File System Object. The following command will disable File System Object:

 regsvr32 scrrun.dll /u 

Remove the IISADMPWD Virtual Directory

This directory allows you to reset Windows NT and Windows 2000 passwords. It's designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article Q184619 for more info about this functionality.

Remove Unused Script Mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:

  1. Open Internet Services Manager.
  2. Right-click the Web server, and choose Properties from the context menu.
  3. Under Master Properties, select WWW Service, and click Edit.
  4. Click the Home Directory tab, and then click Configuration.

Remove these references:

Table F-3. Extensions to remove from IIS 5.

If you don't use...                                         Remove this entry:
Web-based password reset                                    .htr
Internet Database Connector (all IIS 5 Web sites            .idc
  should use ADO or similar technology)
Server-side Includes                                        .stm, .shtm and .shtml
Internet Printing                                           .printer
Index Server                                                .htw, .ida and .idq

Check <FORM> and Querystring Input in Your ASP Code

Many sites use input from a user to call other code or build SQL statements directly. In other words, they're treating the input as valid, well-formed, nonmalicious input. This should not be so; there are a number of attacks where user input is treated incorrectly as valid input and the user could gain access to the server or cause damage. You should always check each <FORM> input and query string before passing it on to another process or method call that might use an external resource such as the file system or a database.

You can perform text checking with the JScript V5 and VBScript V5 regular expression capabilities. The following example code will strip a string of all invalid characters (characters that are not 0-9a-zA-Z or _):

 Set reg = New RegExp
 reg.Pattern = "\W+"      ' One or more characters which
                          '  are NOT 0-9a-zA-Z or '_'
 strUnTainted = reg.Replace(strTainted, "")

The following sample will strip all text after a | operator:

 Set reg = New RegExp
 reg.Pattern = "^(.+)\|(.+)"   ' Any character from the start of
                               '  the string to a | character.
 strUnTainted = reg.Replace(strTainted, "$1")

Also, be careful when opening or creating files by using Scripting File System Object. If the filename is based on the user's input, the user might attempt to open a serial port or printer. The following JScript code will strip out invalid filenames:

 var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i,""); 

The pattern syntax in the Version 5 script engines is the same as that in Perl 5.0. Refer to the V5 scripting engine documentation at http://msdn.microsoft.com/scripting/default.htm for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.
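The following is an added example, not code from the book: validation helpers for <FORM> and query string values, written in the same JScript style as the book's own sample (var and function only, so the code also runs under the JScript 5 engine in ASP). It goes beyond the book's strip-only patterns in three ways: it rejects bad input outright rather than cleaning it, since a stripped value may still not be what the page expects; it adds CON to the reserved device names, which Windows treats like PRN and AUX; and it refuses parent-path references ("..") and path separators in filenames, so that a name can never leave the directory it is meant for. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the book): reject rather than strip untrusted
// <FORM> and query string input before it reaches the file system or a database.

// Reserved DOS device names, with or without an extension ("COM1.txt" still
// names the serial port). CON is added to the book's list.
var RESERVED_DEVICE = /^(CON|AUX|PRN|NUL|COM\d|LPT\d)(\..*)?$/i;

// Allow-list check for values such as user names and keys: only 0-9, a-z, A-Z
// and '_' (the inverse of the book's "\W+" pattern), 1 to 64 characters long.
function isSafeIdentifier(s) {
  return typeof s === 'string' && /^\w{1,64}$/.test(s);
}

// Drops the first '|' and everything after it (the book's "$1" example);
// strings without a '|' are returned unchanged.
function dropAfterPipe(s) {
  return s.replace(/^([^|]*)\|[\s\S]*$/, '$1');
}

// True when a user-supplied filename can safely be appended to a fixed
// directory before it reaches the File System Object: a single path component,
// no drive, UNC or parent-path reference, and no reserved device name.
function isSafeFilename(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (/[\\\/:*?"<>|\x00-\x1f]/.test(name)) return false;  // separators, drive colon, wildcards, control chars
  if (name === '.' || name === '..') return false;          // current or parent directory
  if (/[ .]$/.test(name)) return false;                     // Windows trims trailing spaces and dots silently
  if (RESERVED_DEVICE.test(name)) return false;             // serial port, printer, NUL, ...
  return true;
}

// Runs each validator in the schema against the matching request parameter and
// returns the names that failed, so the page can refuse the request as a whole.
function validateInputs(params, schema) {
  var failed = [];
  for (var key in schema) {
    if (!schema.hasOwnProperty(key)) continue;
    var value = params[key];
    if (value === undefined || !schema[key](value)) failed.push(key);
  }
  return failed;
}

// Constructed request: the user name is fine, the filename is a printer port.
var sampleRequest = { user: 'alice', file: 'LPT1' };
var sampleSchema = { user: isSafeIdentifier, file: isSafeFilename };
console.log('rejected fields:', validateInputs(sampleRequest, sampleSchema).join(', '));
```

In an ASP page the params object would be built from Request.Form or Request.QueryString, and a non-empty result from validateInputs should end the response with an error rather than continue with whatever survived.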

Disable Parent Paths

The Parent Paths option allows you to use ".." in calls to functions such as MapPath. By default, this option is enabled, and you should disable it. Follow this procedure to disable the option:

  1. Right-click the root of the Web site, and choose Properties from the context menu.
  2. Click the Home Directory tab.
  3. Click Configuration.
  4. Click the App Options tab.
  5. Uncheck the Enable Parent Paths check box.

Disable IP Address in Content-Location

The Content-Location header can expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. Refer to Knowledge Base article Q218180 for further information about disabling this option.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138