Secure IIS


You often need to run IIS locally for Web development. If you run IIS, secure it. IISLockdown and URLScan significantly reduce your Web server's attack profile. IISLockdown points unused or forbidden script mappings to 404.dll and helps secure access to system directories and system tools. URLScan blocks known dangerous requests.

Although IISLockdown improves IIS security, if you choose the wrong installation options or do not modify the URLScan configuration file, URLScan.ini, you could encounter the following issues:

  • You cannot create new ASP.NET Web applications. NTFS file system permissions are configured to strengthen default access to Web locations. This may prevent the logged-on user from creating new ASP.NET Web applications.

  • You cannot debug existing ASP.NET Web applications. URLScan blocks the DEBUG verb, which is used when you debug ASP.NET Web applications.

The following steps show you how to improve IIS security on your development workstation and avoid the issues listed above:

  • Install and run IISLockdown

  • Configure URLScan

  • Restrict access to the local Web server

Install and Run IISLockdown

 Task: To install and run IISLockdown

  1. Run the IISLockdown installation program (Iislockd.exe) from http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe.

    Note: If you run Iislockd.exe a second time, it removes all changes based on the log file \WINNT\System32\Inetsrv\oblt-log.log.

  2. During setup, choose the Dynamic Web Site option, and choose the option to install URLScan. ASP.NET Web Forms use the HTTP POST verb. Choosing the static option and installing URLScan blocks the POST verb in URLScan.ini.

    The Dynamic Web Site option does the following:

    • Adds POST to the [AllowVerbs] section as shown below.

       [AllowVerbs]
       GET
       HEAD
       POST

    • Disables the following Internet Services: Web service (HTTP), File Transfer Protocol (FTP), the Simple Mail Transport Protocol (SMTP) e-mail service, and the Network News Transport Protocol (NNTP) news service.

    • Maps the following script maps to 404.dll: Index Server, Web Interface (.idq, .htw, .ida), server side includes (.shtml, .shtm, .stm), Internet Data Connector (.idc), HTR scripting (.htr), Internet printing (.printer)

    • Removes the following virtual directories: IIS Samples, MSADC, IISHelp, Scripts, and IISAdmin.

    • Restricts anonymous access to system utilities and the ability to write to Web content directories.

    • Disables Web Distributed Authoring and Versioning (WebDAV).

    • Installs the URLScan ISAPI filter.

Pitfalls

If you use IISLockdown, note the following pitfalls:

  • IIS metabase updates can be lost. If you undo IISLockdown changes by running Iislockd.exe a second time, you lose any changes made to the IIS metabase since the last time IISLockdown was run. For example, if you configure a virtual directory as an application root after running IISLockdown, that change is lost when you run IISLockdown again.

  • Resources are blocked by 404.dll. If you receive a 404 error for a previously available resource, it might be because the resource type is blocked by 404.dll. To confirm whether or not this is the case, check the script mapping for the requested resource type in IIS.

Configure URLScan

The URLScan ISAPI filter installs when you run IISLockdown. If you do not explicitly allow the DEBUG verb, URLScan prevents debugging. Also, URLScan blocks requests that contain unsafe characters such as the period (.) used for directory traversal.

To configure URLScan, edit URLScan.ini in %Windir%\System32\inetsrv\urlscan\. To allow debugging with URLScan, add DEBUG to the [AllowVerbs] section in URLScan.ini as shown below.

 [AllowVerbs]
 GET
 HEAD
 POST
 DEBUG

Pitfalls

If you install URLScan, note the following pitfalls:

  • When you debug an application by using Visual Studio.NET, you may see the following error:

     Microsoft Development Environment: Error while trying to run project: Unable to start debugging on the Web server. Could not start ASP.NET or ATL Server debugging. Verify that ASP.NET or ATL Server is correctly installed on the server. Would you like to disable future attempts to debug ASP.NET pages for this project?

    You should see a log entry similar to the one shown below in URLScan<date>.log in the \WINNT\system32\inetsrv\urlscan folder.

     [01-18-2003 - 22:25:26] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.

  • Requests that you expect to work might get blocked.

  • You may not be able to create new Web projects in Visual Studio .NET because you use characters in the project name that URLScan rejects. For example, the comma (,) and the pound sign (#) will be blocked.

If you experience errors during debugging, see Microsoft Knowledge Base article 306172, "INFO: Common Errors When You Debug ASP.NET Applications in Visual Studio .NET," at http://support.microsoft.com/default.aspx?scid=kb;EN-US;306172 .
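As an added illustration that is not code from the book or from URLScan itself, the following Python script reads a URLScan.ini fragment, checks whether the verbs a development workstation needs (POST for Web Forms, DEBUG for Visual Studio .NET) would pass the [AllowVerbs] rule, and parses log lines in the format quoted above to list rejected verbs. Both sample inputs are constructed here; the handling of the UseAllowVerbs option (a real [options] switch, with a missing value treated as 1) is an assumption.

```python
import re
# Constructed URLScan.ini fragment (sample data, not copied from a real install).
SAMPLE_INI = """\
[options]
UseAllowVerbs=1      ; 1 = only verbs listed in [AllowVerbs] are accepted
[AllowVerbs]
GET
HEAD
POST
"""

# Constructed log lines in the format the text above quotes.
SAMPLE_LOG = """\
[01-18-2003 - 22:25:26] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.
[01-18-2003 - 22:26:01] Client at 127.0.0.1: Sent verb 'GET', which is allowed.
"""

def parse_ini_sections(text):
    """Return {section_lowercase: [entries]}, dropping ';' comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def verb_allowed(sections, verb):
    """URLScan rule: UseAllowVerbs=1 -> only [AllowVerbs] passes; 0 -> all but [DenyVerbs] (default 1 assumed)."""
    opts = dict(e.split("=", 1) for e in sections.get("options", []) if "=" in e)
    allow = {v.upper() for v in sections.get("allowverbs", [])}
    deny = {v.upper() for v in sections.get("denyverbs", [])}
    if opts.get("UseAllowVerbs", "1").strip() == "1":
        return verb.upper() in allow
    return verb.upper() not in deny

def missing_dev_verbs(sections, required=("POST", "DEBUG")):
    # Verbs a development workstation needs that this configuration would reject.
    return [v for v in required if not verb_allowed(sections, v)]

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>\S+): "
                    r"Sent verb '(?P<verb>[^']+)', which is not specifically allowed")

def rejected_verbs(log_text):
    """Return (timestamp, client, verb) for each rejected-verb entry in a URLScan log."""
    return [(m["ts"], m["ip"], m["verb"]) for m in map(LOG_RE.match, log_text.splitlines()) if m]
```

Running `missing_dev_verbs(parse_ini_sections(SAMPLE_INI))` on the sample reports DEBUG as missing, which is exactly the condition behind the debugger error described above.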

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613