IIS Configuration


By reviewing and improving the security of IIS configuration settings, you are in effect reducing the attack surface of your Web server. For more information about the review points covered in this section, see Chapter 16, "Securing Your Web Server."

The review questions in this section have been organized by the following configuration categories.

  • IISLockdown

  • URLScan

  • Sites and virtual directories

  • ISAPI filters

  • IIS Metabase

  • Server certificates

IISLockdown

The IISLockdown tool identifies and turns off features to reduce the IIS attack surface area. To see if it has been run on your server, check for the following report generated by IISLockdown:

 \WINNT\system32\inetsrv\oblt-rep.log 

For more information about IISLockdown, see "How To: Use IISLockdown" in the "How To" section of this guide.

URLScan

URLScan is an ISAPI filter that is installed with IISLockdown. It helps prevent potentially harmful requests from reaching the server and causing damage. Check that it is installed and that it is configured appropriately.

To see if URLScan is installed

  1. Start Internet Information Services.

  2. Right-click your server (not Web site) and then click Properties.

  3. Click the Edit button next to Master Properties.

  4. Click the ISAPI Filters tab and see if URLScan is listed.

To check the URLScan configuration, use Notepad to edit the following URLScan configuration file.

 %WINDIR%\System32\Inetsrv\URLscan\Urlscan.ini 

For more information about URLScan, see "How To: Use URLScan" in the "How To" section of this guide.
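Reviewing Urlscan.ini by eye is error-prone, so the following added example (not part of the guide or of URLScan itself) parses the file and reports every [options] value that differs from an assumed hardened baseline, plus a missing ".." entry in [DenyUrlSequences]; the sample ini is constructed and the baseline values are an assumption to tune per site.

```python
# Constructed sample urlscan.ini (not from a real server): several [options]
# values are weaker than the URLScan defaults and ".." is missing below.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=0
AllowHighBitCharacters=1
AllowDotInPath=0
RemoveServerHeader=0

[DenyUrlSequences]
./
"""

# Assumed hardened baseline for [options] keys (lowercased); tune per site.
EXPECTED_OPTIONS = {
    "useallowverbs": "1", "useallowextensions": "1",
    "normalizeurlbeforescan": "1", "verifynormalization": "1",
    "allowhighbitcharacters": "0", "allowdotinpath": "0",
    "removeserverheader": "1",
}


def parse_urlscan_ini(text):
    """[options] holds key=value pairs; other sections hold bare entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # ';' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip() if sep else None
    return sections


def audit_urlscan(text):
    """Return one finding per deviation from the hardened baseline."""
    cfg = parse_urlscan_ini(text)
    options = cfg.get("options", {})
    findings = [f"[options] {k}={options.get(k)!r}, expected {want}"
                for k, want in EXPECTED_OPTIONS.items() if options.get(k) != want]
    # Without ".." in [DenyUrlSequences] the filter stops rejecting traversal
    if ".." not in cfg.get("denyurlsequences", {}):
        findings.append("[DenyUrlSequences] missing '..'")
    return findings
```

Run it against %WINDIR%\System32\Inetsrv\URLscan\Urlscan.ini by reading the file into `audit_urlscan`; an empty list means the file matches the baseline.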

Sites and Virtual Directories

The review questions in this section relate to the specific configuration of your Web sites and the virtual directories of your applications. In this section, you review the following categories:

  • Web site location

  • Script mappings

  • Anonymous Internet user accounts

  • Auditing and logging

  • Web permissions

  • IP address and domain name restrictions

  • Authentication

  • Parent path setting

  • Microsoft FrontPage Server extensions

Web Site Location

Check that your Web site root directory is installed on a non-system volume. By relocating your Web site root to a non-system volume, you prevent attackers who use directory traversal attacks from accessing the system tools and executables such as Cmd.exe.

Script Mappings

Check that you have mapped all unnecessary file extensions to the 404.dll, which is installed when you run IISLockdown.

To review script mappings

  1. Start Internet Information Manager.

  2. Right-click your Web site and click Properties.

  3. Click the Home Directory tab and then click the Configuration button within the Application Settings group.

Anonymous Internet User Accounts

Verify that your application is configured to use a non-default anonymous Internet user account. If you have multiple Web applications on your server, check that each application is configured to use a separate anonymous account. This allows you to configure permissions and to track activity on a per-application basis.

Auditing and Logging

Check that you have configured IIS auditing to help detect attacks in progress and to diagnose attack footprints. The following review questions help identify vulnerabilities in IIS auditing:

  • Are log files located on a separate non-system volume?

    Right-click your Web site in IIS and click the Web Site tab. Click the Properties button to check the log file location. Check that the log files are located in a non-default location using a non-default name, preferably on a non-system volume.

  • Do you restrict access to the log files?

    Use Windows Explorer to view the ACL on the log files directory. Check that the ACL grants Administrators and System full control but grants access to no other user.

Web Permissions

Review the default Web permissions configured for your Web site and for each virtual directory. Check that the following conditions are met:

  • Include directories restrict Read permissions.

  • Virtual directories for which anonymous access is allowed are configured to restrict Write and Execute permissions.

  • Write permissions and script source access permissions are only granted to content folders that allow content authoring. Also check that folders that allow content authoring require authentication and Secure Sockets Layer (SSL) encryption.

IP Address and Domain Name Restrictions

Do you use IP and domain name restrictions to restrict access to your Web server? If so, have you considered the risks of IP spoofing?

Authentication

Check the authentication settings for your Web sites and virtual directories. Ensure that anonymous access is only supported for publicly accessible areas of your site. If you select multiple authentication options, thoroughly test their effects and the authentication precedence on your application.

If Basic authentication is selected, check that SSL is used across the site to protect credentials.

Parent Path Setting

Check that you have disabled the parent path setting to prevent the use of ".." in script and application calls to functions such as MapPath. This helps prevent directory traversal attacks.

To review the parent paths setting

  1. Start Internet Services Manager.

  2. Right-click your Web site, and click Properties.

  3. Click the Home Directory tab.

  4. Click Configuration.

  5. Click the App Options tab.

  6. Check that the Enable parent paths check box is clear.

FrontPage Server Extensions (FPSE)

FrontPage Server Extensions are used for accessing, authoring, and administering the FrontPage-based Web site. Use the latest versions of these extensions to avoid security vulnerabilities. If you do not use FPSE, disable them to reduce the attack surface.

For more information, see "Step 11. Sites and Virtual Directories" in Chapter 16, "Securing Your Web Server."

ISAPI Filters

Make sure that no unused ISAPI filters are installed to prevent any potential vulnerabilities in these filters from being exploited.

To review ISAPI filters

  1. Start Internet Information Manager.

  2. Right-click your server (not Web site) and then click Properties.

  3. Click the Edit button next to Master Properties.

  4. Click the ISAPI Filters tab to view the installed filters.

IIS Metabase

The IIS Metabase contains IIS configuration settings, many but not all of which are configured through the IIS administration tool. The file itself must be protected and specific settings that cannot be maintained using the IIS configuration tool should be checked. Review the following questions to ensure appropriate metabase configuration:

  • Have you restricted access to the metabase?

    Check that the ACL on the metabase file allows full control access to the system account and administrators. No other account should have access. The metabase file is located at:

     %windir%\system32\inetsrv\metabase.bin

  • Do you reveal internal IP addresses?

    By default, IIS returns the internal IP address of your server in the Content-Location section of the HTTP response header. You should prevent this by setting the UseHostName metabase property to true. To check if it has been set, run the following command from the \inetpub\adminscripts directory:

     adsutil GET w3svc/UseHostName

Confirm that the property value has been set to true. If the property is not set, this command returns the message "The parameter 'UseHostName' is not set at this node." For more information, see "Step 14. IIS Metabase" in Chapter 16, "Securing Your Web Server."
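A complementary check from the client side: the added example below (not part of the guide) parses a raw HTTP response and flags a Content-Location header whose host is a literal IP address rather than a host name, which is what an unset UseHostName produces. The sample responses are constructed, and also inspecting the Location header is this example's own assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://10.1.2.3/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
CLEAN_RESPONSE = LEAKY_RESPONSE.replace("10.1.2.3", "www.example.com")

# Headers IIS builds from its own address unless UseHostName is set. Checking
# Location as well as Content-Location is an assumption of this example.
LOCATION_HEADERS = ("content-location", "location")


def parse_headers(raw):
    """Map lowercase header names to values from a raw HTTP response."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def ip_disclosures(raw):
    """Return a finding for each location-style header whose host is a literal
    IP; a private (RFC 1918) address is the classic internal-address leak."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name not in LOCATION_HEADERS:
            continue
        try:
            addr = ipaddress.ip_address(urlsplit(value).hostname)
        except ValueError:
            continue                              # a host name, not an IP
        kind = "private" if addr.is_private else "public"
        findings.append(f"{name} discloses {kind} IP {addr}")
    return findings
```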

Server Certificates

If your applications use SSL, make sure that you have a valid certificate installed on your Web server. To view the properties of your server's certificate, click View Certificate on the Directory Security page of the Properties dialog of your Web site in IIS. Review the following questions:

  • Has your server certificate expired?

  • Are all public keys in the certificate chain valid up to the trusted root?

  • Has your certificate been revoked?

    Check that it is not on a Certificate Revocation List (CRL) from the server that issued the certificate.

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
