Step 12. Script Mappings


Script mappings associate a particular file extension, such as .asp, with the ISAPI extension that handles it, such as Asp.dll. IIS is configured to support a range of extensions including .asp, .shtm, .idc, and so on. ASP.NET HTTP handlers are a rough equivalent of ISAPI extensions. File extensions such as .aspx are first mapped in IIS to Aspnet_isapi.dll, which forwards the request to the ASP.NET worker process. The HTTP handler that actually processes the file extension is then determined by the <httpHandlers> mapping in Machine.config or Web.config.

The main security issues associated with script mappings are:

  • An attacker could exploit a vulnerability found in an extension.

    This could occur if a vulnerability in an extension remains unpatched. Unused extensions increase the area of potential attack: if you do not use a particular extension, you are unlikely to track the relevant updates, so the extension is more likely to remain unpatched.

  • Server-side resources could be downloaded by the client.

    This could occur when a file extension is not mapped correctly. Files that should not be directly accessible by the client should either be mapped, by extension, to the appropriate handler, or be removed from the server.

During this step, you:

  • Map IIS file extensions.

  • Map .NET Framework file extensions.

Map IIS File Extensions

On Windows 2000, the IIS file extensions of interest include: .asp, .asa, .cer, .cdx, .htr, .idc, .shtm, .shtml, .stm, and .printer.

If you do not use one of these extensions, map it to the 404.dll, which is provided by IISLockdown. For example, if you do not serve ASP pages to clients, map .asp to the 404.dll.

The mappings altered by IISLockdown depend on the server template that you choose:

  • Static Web Server. If you run IISLockdown and choose the Static Web server template, all of the above extensions are mapped to the 404.dll.

  • Dynamic Web Server. If you choose the Dynamic Web server template, which is the preferred option when serving ASP.NET pages, then .htr, .idc, .shtm, .shtml, .stm, and .printer are mapped to the 404.dll, while .asp, .cer, .cdx, and .asa are not. In this case, manually map .cer, .cdx, and .asa to the 404.dll. If you do not serve .asp pages, map .asp as well.

Why Map to the 404.dll?

By mapping file extensions to the 404.dll, you prevent files from being returned and downloaded over HTTP. If you request a file with an extension mapped to the 404.dll, a Web page with the message "HTTP 404 - File not found" is displayed. Map unused extensions to the 404.dll rather than deleting the mapping. If you delete a mapping and a file with that extension is mistakenly left on the server (or put there later by mistake), IIS no longer knows how to process it and returns its contents in clear text as static content when it is requested.

 Task   To map a file extension to the 404.dll

  1. Start the Internet Information Services (IIS) snap-in.

  2. Right-click your server name in the left pane, and then click Properties.

  3. Ensure that WWW Service is selected in the Master Properties drop-down list, and then click the adjacent Edit button.

  4. Click the Home Directory tab.

  5. Click Configuration. The tabbed page shown in Figure 16.4 is displayed.

    Figure 16.4: Mapping application extensions

  6. Select one of the extensions from the list, and then click Edit.

  7. Click Browse and navigate to \WINNT\system32\inetsrv\404.dll.

    Note  

    This step assumes that you have previously run IISlockd.exe, as the 404.dll is installed by the IISLockdown tool.

  8. Click Open, and then click OK.

  9. Repeat steps 6, 7, and 8 for each of the remaining file extensions that you do not use.
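The same change expressed as a rewrite of the script-map list, as an added example that is not part of the book: it works on entries in the format of the IIS metabase ScriptMaps property that the dialog above edits ("ext,ISAPI DLL,flags[,verb,...]"), remaps every mapped extension you do not serve to the 404.dll, and then audits the list for the Windows 2000 extensions named earlier. The sample entries, the C:\WINNT install path, and the function names are constructed for the example.

```python
"""
Added example (not from the book): rewrite IIS 5.0 script-map entries so
that every extension you do not serve points at 404.dll, then audit them.

Entry format is that of the ScriptMaps metabase property behind the dialog
in Figure 16.4: "<ext>,<ISAPI DLL>,<flags>[,<verb>,...]"  (flag bit 1 =
script engine, bit 4 = check that the file exists).  The sample entries and
the C:\WINNT path are constructed for this example.
"""

DLL_404 = r"C:\WINNT\system32\inetsrv\404.dll"   # installed by IISLockdown

# Extensions the text lists for Windows 2000.
EXTENSIONS_OF_INTEREST = {".asp", ".asa", ".cer", ".cdx", ".htr", ".idc",
                          ".shtm", ".shtml", ".stm", ".printer"}

# Constructed sample: roughly what the Dynamic Web Server template leaves,
# plus .aspx for ASP.NET.  .idc, .printer, .shtm, .shtml and .stm have been
# deleted rather than remapped, which the audit below flags.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".cer,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".cdx,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\system32\inetsrv\404.dll,1",
    r".aspx,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
]


def parse_script_map(entry):
    """Split one entry into (ext, dll, flags, verbs); ext is lower-cased."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    return parts[0].lower(), parts[1], int(parts[2]), [v.upper() for v in parts[3:] if v]


def is_404(dll):
    """True when the handler DLL is 404.dll, whatever directory it lives in."""
    return dll.replace("/", "\\").split("\\")[-1].lower() == "404.dll"


def harden_script_maps(entries, extensions_in_use, dll_404=DLL_404):
    """Return (new_entries, remapped).  Every mapped extension that is not in
    extensions_in_use now points at 404.dll.  Flags and verbs are kept and
    only the handler path changes, which is all step 7 of the dialog does."""
    in_use = {e.lower() for e in extensions_in_use}
    new_entries, remapped = [], []
    for entry in entries:
        ext, dll, flags, verbs = parse_script_map(entry)
        if ext in in_use or is_404(dll):
            new_entries.append(entry)
            continue
        new_entries.append(",".join([ext, dll_404, str(flags)] + verbs))
        remapped.append(ext)
    return new_entries, remapped


def audit_script_maps(entries, of_interest=EXTENSIONS_OF_INTEREST):
    """Report extensions of interest that are not sent to 404.dll.
    'mapped_to_handler': still reach a real ISAPI extension.
    'unmapped': no entry at all, so IIS 5.0 returns such files as static
    content (the case the text warns about when a mapping is deleted)."""
    mapped = {}
    for entry in entries:
        ext, dll, _, _ = parse_script_map(entry)
        mapped[ext] = dll
    return {
        "mapped_to_handler": sorted(e for e in of_interest
                                    if e in mapped and not is_404(mapped[e])),
        "unmapped": sorted(e for e in of_interest if e not in mapped),
    }


if __name__ == "__main__":
    print("before:", audit_script_maps(SAMPLE_SCRIPT_MAPS))
    hardened, remapped = harden_script_maps(SAMPLE_SCRIPT_MAPS, [".asp", ".aspx"])
    print("remapped to 404.dll:", remapped)
    print("after:", audit_script_maps(hardened))
```

On a live IIS 5.0 server the entries are read from and written back to the ScriptMaps property (for instance with adsutil.vbs from the AdminScripts directory, or through ADSI); the functions here only transform the list, so confirm the result in the Application Configuration dialog afterwards. The audit reports an extension with no entry at all as "unmapped" on purpose: deleting a mapping is exactly the case the text advises against.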

Map .NET Framework File Extensions

The following .NET Framework file extensions are mapped to aspnet_isapi.dll: .asax, .ascx, .ashx, .asmx, .aspx, .axd, .vsdisco, .jsl, .java, .vjsproj, .rem, .soap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, and .resources.

The .NET Framework protects file extensions that should not be directly called by clients by associating them with System.Web.HttpForbiddenHandler in Machine.config. The following file extensions are mapped to System.Web.HttpForbiddenHandler by default: .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp, .licx, .resx, and .resources.

For more information on HTTP handlers, see "Step 16: Machine.config."

Additional Considerations

Because IIS processes a Web request first, you can map .NET Framework file extensions that clients should not call directly to the 404.dll instead. This has two advantages:

  • The 404.dll handles and rejects requests before they are passed to ASP.NET and before they are processed by the ASP.NET worker process. This eliminates unnecessary processing by the ASP.NET worker process. Moreover, blocking requests early is a good security practice.

  • The 404.dll returns the message "HTTP 404 - File not found", whereas System.Web.HttpForbiddenHandler returns the message "This type of page is not served." Arguably, the "File not found" message reveals less information and can therefore be considered more secure.
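To make the two-stage decision concrete, the following added example (not from the book) traces a request through the order the text describes: IIS consults its script map first, and only a request mapped to Aspnet_isapi.dll reaches the <httpHandlers> table. The script map, the shortened Machine.config excerpt (assembly-qualified type names trimmed to the bare type name), the install paths, and the function names are all constructed for the example.

```python
"""
Added example (not from the book): which layer answers a request for a
given extension?  IIS consults its script map first; only when the map
points at aspnet_isapi.dll does <httpHandlers> in Machine.config or
Web.config decide.  Both tables below are constructed for the example.
"""
import os
from fnmatch import fnmatch
import xml.etree.ElementTree as ET

DLL_404 = r"C:\WINNT\system32\inetsrv\404.dll"            # from IISLockdown
ASPNET_ISAPI = r"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed IIS script map: extension -> ISAPI DLL.  .asa is deliberately
# absent to show what a deleted mapping does.
IIS_SCRIPT_MAP = {
    ".asp": r"C:\WINNT\system32\inetsrv\asp.dll",
    ".htr": DLL_404,
    ".aspx": ASPNET_ISAPI,
    ".vsdisco": ASPNET_ISAPI,
    ".config": ASPNET_ISAPI,
}

# Constructed, shortened <httpHandlers> excerpt in Machine.config syntax.
HTTP_HANDLERS_XML = """
<configuration><system.web><httpHandlers>
  <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory" />
  <add verb="*" path="*.vsdisco" type="System.Web.Services.Discovery.DiscoveryRequestHandler" />
  <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
  <add verb="GET,HEAD" path="*" type="System.Web.StaticFileHandler" />
  <add verb="*" path="*" type="System.Web.HttpMethodNotAllowedHandler" />
</httpHandlers></system.web></configuration>
"""


def load_http_handlers(xml_text):
    """Return the <add> entries of <httpHandlers> as (verbs, path, type), in file order."""
    root = ET.fromstring(xml_text.strip())
    section = root.find("system.web/httpHandlers")
    return [(a.get("verb", "*"), a.get("path"), a.get("type")) for a in section.findall("add")]


def aspnet_handler(handlers, filename, verb):
    """First entry whose verb list and path pattern match wins; the catch-all
    path="*" entries sit last in Machine.config for that reason."""
    for verbs, pattern, type_name in handlers:
        allowed = {v.strip().upper() for v in verbs.split(",")}
        if ("*" in allowed or verb.upper() in allowed) and fnmatch(filename.lower(), pattern.lower()):
            return type_name
    return None


def trace_request(url_path, script_map, handlers, verb="GET"):
    """Return (layer, outcome): the component that answers and what it does."""
    filename = os.path.basename(url_path)
    ext = os.path.splitext(filename)[1].lower()
    dll = script_map.get(ext)
    if dll is None:
        # No script map at all: IIS 5.0 treats the file as static content.
        return ("IIS", "served as static content")
    dll_name = os.path.basename(dll.replace("\\", "/")).lower()
    if dll_name == "404.dll":
        return ("IIS", "HTTP 404 - File not found")
    if dll_name != "aspnet_isapi.dll":
        return ("IIS", "handled by " + dll_name)
    # Only now does the request reach the ASP.NET worker process.
    type_name = aspnet_handler(handlers, filename, verb)
    if type_name == FORBIDDEN:
        return ("ASP.NET", "This type of page is not served.")
    return ("ASP.NET", "handled by " + str(type_name))


def block_at_iis(script_map, extensions, dll_404=DLL_404):
    """Copy of the script map with the given extensions pointed at 404.dll, so
    the request is rejected before it reaches the ASP.NET worker process."""
    hardened = dict(script_map)
    for ext in extensions:
        hardened[ext.lower()] = dll_404
    return hardened


if __name__ == "__main__":
    handlers = load_http_handlers(HTTP_HANDLERS_XML)
    hardened = block_at_iis(IIS_SCRIPT_MAP, [".vsdisco", ".config"])
    for path in ["/default.aspx", "/web.config", "/x.vsdisco", "/global.asa", "/y.htr"]:
        print(path, trace_request(path, IIS_SCRIPT_MAP, handlers),
              "->", trace_request(path, hardened, handlers))
```

The run shows the three outcomes side by side: .htr never leaves IIS, .config is rejected by ASP.NET with the "not served" message, and .vsdisco is served by the discovery handler until block_at_iis moves it in front of the worker process. The .asa case is the deleted-mapping failure from "Why Map to the 404.dll?": with no entry, the file is returned as static content.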




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
