Step 11. Sites and Virtual Directories


Relocate Web roots and virtual directories to a non-system partition to protect against directory traversal attacks. These attacks allow an attacker to execute operating system programs and utilities. Because it is not possible to traverse across drives, this approach ensures that any future canonicalization worm that allows an attacker to access system files will fail. For example, if the attacker formulates a URL that contains the following path, the request fails:

/scripts/..%5c../winnt/system32/cmd.exe

During this step, you:

  • Move your Web site to a non-system volume.

  • Disable the parent paths setting.

  • Remove potentially dangerous virtual directories.

  • Remove or secure RDS.

  • Set Web permissions.

  • Remove or secure FrontPage Server Extensions.

Move Your Web Site to a Non-System Volume

Do not use the default \inetpub\wwwroot directory. For example, if your system is installed on the C: drive, then move your site and content directory to the D: drive. This mitigates the risks associated with unforeseen canonicalization issues and directory traversal attacks.

Disable the Parent Paths Setting

This IIS metabase setting prevents the use of ".." in script and application calls to functions such as MapPath. This helps guard against directory traversal attacks.

 Task   To disable parent paths

  1. Start IIS.

  2. Right-click the root of your Web site, and click Properties.

  3. Click the Home Directory tab.

  4. Click Configuration.

  5. Click the App Options tab.

  6. Clear Enable parent paths.

    Note  

    If you use the Application Center 2002 Administration Site, see Microsoft Knowledge Base article 288309, "PRB: Disabling Parent Paths Breaks User Interface."

Remove Potentially Dangerous Virtual Directories

Sample applications are not installed by default and should not be installed on production Web servers. Remove all sample applications, including the ones that can be accessed only from the local computer with http://localhost, or http://127.0.0.1.

Remove the following virtual directories from production servers: IISSamples, IISAdmin, IISHelp, and Scripts.

Note  

IISLockdown provides an option to remove the Scripts, IISSamples, IISAdmin, and IISHelp virtual directories.

Remove or Secure RDS

Remote Data Services (RDS) is a component that enables controlled Internet access to remote data resources through IIS. The RDS interface is provided by Msadcs.dll, which is located in the following directory: program files\common files\system\Msadc.

Removing RDS

If your applications do not use RDS, remove it.

 Task   To remove RDS support

  1. Remove the /MSADC virtual directory mapping from IIS.

  2. Remove the RDS files and subdirectories at the following location:

    \Program Files\Common Files\System\Msadc

  3. Remove the following registry key:

    HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch

    Note  

    IISLockdown provides an option to remove the MSADC virtual directory. Note that IISLockdown only removes the virtual directory, not the files or registry key.

Securing RDS

If your applications require RDS, secure it.

 Task   To secure RDS

  1. Delete the samples at the following location:

    \Program Files\Common Files\System\Msadc\Samples

  2. Remove the following registry key:

    HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

  3. Disable Anonymous access for the MSADC virtual directory in IIS.

  4. Create a HandlerRequired registry key in the following location:

    HKLM\Software\Microsoft\DataFactory\HandlerInfo\

  5. Create a new DWORD value, and set it to 1 (1 indicates safe mode, while 0 indicates unsafe mode).

    Note  

    You can use the registry script file Handsafe.reg to change the registry key. The script file is located in the msadc directory: \Program Files\Common Files\System\msadc

For more information about securing RDS, see the following:

  • MS99-025 Microsoft Security Program: Unauthorized Access to IIS Servers through ODBC Data Access with RDS at http://www.microsoft.com/technet/security/bulletin/ms99-025.asp.

  • MS98-004 Microsoft Security Program: Microsoft Security Bulletin: Unauthorized ODBC Data Access with RDS and IIS at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS98-004.asp.

  • Microsoft Knowledge Base article 184375, "PRB: Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC."

Set Web Permissions

Web permissions are configured through the IIS snap-in and are maintained in the IIS metabase. They are not NTFS permissions.

Use the following Web permissions:

  • Read Permissions. Restrict Read permissions on include directories.

  • Write and Execute Permissions. Restrict Write and Execute permissions on virtual directories that allow anonymous access.

  • Script source access. Configure Script source access permissions only on folders that allow content authoring.

  • Write. Configure Write permissions only on folders that allow content authoring. Grant write access only to content authors.

    Note  

    Folders that support content authoring should be configured to require authentication and SSL for encryption.

Remove or Secure FrontPage Server Extensions

If you do not use FrontPage Server Extensions (FPSE), disable it. If you use FPSE, take the following steps to improve security:

  • Upgrade server extensions. See the security issues covered in the MSDN article, "Microsoft FrontPage Server Extensions 2002 for Windows" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservext/html/fpse02win.asp.

  • Restrict access using FrontPage security. FPSE installs groups that are granted permissions to those Web sites for which the server extensions are configured. These groups are used to restrict the access available based on the role of the user. For more information, see the Assistance Center at http://office.microsoft.com/assistance/2002/articles/fp_colmanagesecurity.aspx.
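The following PowerShell audit is an added example, not part of the book, that checks the settings this step asks for (non-system web root, parent paths, dangerous virtual directories, RDS leftovers, and Write/Execute on anonymous directories). It assumes a metabase-based IIS (IIS 6, or IIS 7+ with IIS 6 Management Compatibility installed), that the site to check is W3SVC instance 1, and that HandlerRequired is a DWORD value under the HandlerInfo key, as Handsafe.reg writes it.

```powershell
# Added example: audit the Step 11 hardening settings on one IIS site.
# Assumptions: run as a local administrator, IIS ADSI provider available,
# site instance 1, local (non-UNC) content path.
$siteRoot = [ADSI]"IIS://localhost/W3SVC/1/Root"
$findings = @()

# 1. Web root must not live on the system volume (blocks cross-drive traversal).
$rootPath = [string]$siteRoot.Properties["Path"].Value
if ((Split-Path -Qualifier $rootPath) -eq $env:SystemDrive) {
    $findings += "Web root '$rootPath' is on the system drive $env:SystemDrive"
}

# 2. Parent paths ("..") must be disabled for ASP calls such as MapPath.
if ([bool]$siteRoot.Properties["AspEnableParentPaths"].Value) {
    $findings += "AspEnableParentPaths is enabled on the site root"
}

# 3. Sample, admin and RDS virtual directories must be gone, and
# 4. anonymous directories must not carry Write or Execute Web permissions.
$dangerous = "IISSamples", "IISAdmin", "IISHelp", "Scripts", "MSADC"
foreach ($child in $siteRoot.Children) {
    $name = $child.Name
    if ($dangerous -contains $name) {
        $findings += "Virtual directory '$name' is still present"
    }
    $anon  = [bool]$child.Properties["AuthAnonymous"].Value
    $write = [bool]$child.Properties["AccessWrite"].Value
    $exec  = [bool]$child.Properties["AccessExecute"].Value
    if ($anon -and ($write -or $exec)) {
        $findings += "'$name' allows anonymous access with Write or Execute"
    }
}

# 5. RDS: the VbBusObj launch entry must be removed and HandlerRequired set to 1.
$adcLaunch = "HKLM:\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch"
if (Test-Path "$adcLaunch\VbBusObj.VbBusObjCls") {
    $findings += "RDS launch key VbBusObj.VbBusObjCls is present under ADCLaunch"
}
$handlerInfo = "HKLM:\Software\Microsoft\DataFactory\HandlerInfo"
if (Test-Path $handlerInfo) {
    $required = (Get-ItemProperty -Path $handlerInfo -ErrorAction SilentlyContinue).HandlerRequired
    if ($required -ne 1) { $findings += "RDS HandlerRequired is not 1 (safe mode)" }
}
if (Test-Path "${env:ProgramFiles}\Common Files\System\Msadc") {
    $findings += "RDS files remain in Common Files\System\Msadc"
}

if ($findings.Count -eq 0) { "Step 11 checks passed" } else { $findings }
```

The Msadc directory and HandlerRequired findings only matter if you chose to remove RDS entirely or to secure it, respectively; read the report against the option you took.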


Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613