IIS 6 ships in lockdown mode. This means that out of the box, IIS delivers only static content, such as HTML pages. Active content, such as ASP, FrontPage, Server Side Includes (SSI), and WebDAV, will not work. To make this content work in IIS, you use the Web Service Extensions portion of the IIS MMC, which lets you enable and disable active content.
In the MMC, two tabs—Extended and Standard—control how the options for configuring extensions are presented. The Extended tab has buttons for Allow, Prohibit, and Properties, as well as hyperlinks for performing these tasks. On the Standard tab, you must use the menus to reach those options. For this exercise, we cover the Extended tab, as shown in Figure 6-4.
Figure 6-4: IIS Manager Web Service Extensions, Extended tab
A set of predefined web extensions is available, but you can also define and add your own—for example, if you wrote your own ISAPI extension and want to control it individually. You can also allow all unknown ISAPI or CGI extensions, but this is not recommended because it is a security risk.
The Web Service Extensions that are predefined are as follows:
All Unknown ISAPI Extensions
All Unknown CGI Extensions
Active Server Pages
Internet Data Connector
Internet Printing
Server Side Includes
WebDAV
To allow a web extension to run, highlight the extension in the IIS Manager and click the Allow button. The web extension will then be allowed. If you choose to allow one of the All Unknown extensions, you will see a warning that this is a security risk. Again, it’s much better to define and enable your ISAPI and CGI extensions one by one, to give you granular control over what active content is run in your site.
After you’ve enabled a web extension, you can prohibit it. Highlight the extension in the IIS Manager and click the Prohibit button. If the extension has any other extensions that depend on it, those extensions will cease to function as well. For example, Internet Printing depends on Active Server Pages. If ASP is prohibited, Internet Printing will not function.
The Prohibit option can be used to prevent unwanted DLLs or executables (EXEs) from running under any circumstances. For example, you can lock out Code Red’s Admin.exe or Nimda’s Nimda.dll by adding them to the list and prohibiting them. This wouldn’t prevent the buffer overflow from happening, but it would prevent any payload DLL or EXE from running. On the other hand, an attack on IIS similar to the SQL Slammer worm would not be prevented in the Web Service Extensions window, since that is a buffer overflow attack that doesn’t copy any DLL or EXE file to the system.
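As an added example that is not part of the original text, the following Python script audits extension entries written in the layout of the IIS 6 metabase property WebSvcExtRestrictionList (Access,Path,UIDeletable,GroupID,Description; Access 1 = Allowed, 0 = Prohibited), flags an allowed "All Unknown" wildcard as the risk described above, and works out which dependents stop working when a group is prohibited, as with Internet Printing and ASP. The sample entries, file paths, group IDs and the DEPENDS_ON map are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Entries use the metabase WebSvcExtRestrictionList layout
# "Access,Path[,UIDeletable,GroupID,Description]" (Access 1 = Allowed, 0 = Prohibited);
# the wildcard rows (All Unknown ISAPI/CGI) carry only Access and Path.
# All values here are constructed for illustration, not taken from a real server.
SAMPLE_ENTRIES = [
    "0,*.dll",  # All Unknown ISAPI Extensions
    "1,*.exe",  # All Unknown CGI Extensions, allowed: the risk the text warns about
    "1,C:\\inetsrv\\asp.dll,0,ASP,Active Server Pages",
    "0,C:\\inetsrv\\httpodbc.dll,0,IDC,Internet Data Connector",
    "1,C:\\inetsrv\\msw3prt.dll,0,PRINT,Internet Printing",
    "0,C:\\inetsrv\\ssinc.dll,0,SSI,Server Side Includes",
    "0,C:\\inetsrv\\httpext.dll,0,WEBDAV,WebDAV",
]

# Constructed dependency map (group -> groups it needs); the text states that
# Internet Printing depends on Active Server Pages.
DEPENDS_ON = {"PRINT": {"ASP"}}

@dataclass
class Extension:
    allowed: bool
    path: str
    group_id: str  # empty for the wildcard rows
    description: str

def parse_entry(entry: str) -> Extension:
    """Split one entry; maxsplit=4 keeps commas inside the description intact."""
    f = [p.strip() for p in entry.split(",", 4)]
    group_id = f[3] if len(f) > 3 else ""
    description = f[4] if len(f) > 4 else f[1]
    return Extension(f[0] == "1", f[1], group_id, description)

def audit(entries: list[str]) -> dict[str, list[str]]:
    """List allowed/prohibited groups and flag allowed wildcards, which defeat lockdown."""
    exts = [parse_entry(e) for e in entries]
    return {
        "risky_wildcards": [x.path for x in exts if x.allowed and x.path.startswith("*.")],
        "allowed": [x.description for x in exts if x.allowed and x.group_id],
        "prohibited": [x.description for x in exts if not x.allowed and x.group_id],
    }

def impact_of_prohibit(group_id: str, depends_on: dict[str, set[str]]) -> set[str]:
    """Groups that also stop working when group_id is prohibited (assumes no cycles)."""
    broken = {dep for dep, needs in depends_on.items() if group_id in needs}
    for dep in list(broken):
        broken |= impact_of_prohibit(dep, depends_on)
    return broken
```

On a live IIS 6 server the same entries live in the WebSvcExtRestrictionList property under the W3SVC node of the metabase, so the audit can be run against an exported copy rather than by clicking through the MMC.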
When you want to use an ISAPI or CGI extension that is not listed, you must add it to the list unless you have all extensions enabled. Here’s how to add a new extension:
1. In the IIS Manager, click the Add A New Web Service Extension hyperlink.
2. The New Web Service Extension dialog box appears. Type the name of the extension in the text box. This is a “friendly” name, so type in something meaningful to you.
3. Click the Add button to add the DLL or EXE files required to run this extension. Make sure to add all the required files.
4. If you would like the extension to be allowed right away, check the box to set it to Allowed.
5. Click OK.
If you want to enable all the extensions on which a component depends, you can use the Allow All Web Service Extensions For A Specific Application hyperlink to enable them all at once. Here’s how:
1. Click the Allow All Web Service Extensions For A Specific Application hyperlink.
2. Select the component you want to allow in the drop-down box, such as Internet Printing.
3. Note the components that will be allowed as a result—ASP in this case.
4. Click OK. The extensions will now show up as allowed.
Note: If the component you select depends on other components, this tool does not enable the selected component’s own extensions, only the extensions of the components it depends on to run successfully. The best use of this tool is in troubleshooting a component, to make sure that all the extensions it depends on are enabled.
To turn off all web service extensions quickly, click the Prohibit All Web Service Extensions hyperlink. This is useful if you want to disable all active content in one fell swoop. When you click the hyperlink, a warning/confirmation message appears. If you click Yes, all listed extensions will be prohibited.
To modify the properties of a web service extension, highlight the extension in the list and click the Properties button. A dialog box appears with two tabs: General and Required Files.
The General tab shows you which applications use this extension. This is a good place to check if you are considering disabling this extension, because it will help you evaluate dependencies on the extension so you don’t inadvertently break an application.
The Required Files tab allows you to add, remove, allow, or prohibit the files that are necessary for this component to run. You can add multiple files to your custom web service extension. The default extensions, such as ASP, are locked down, and you cannot add anything to them.