The Microsoft Internet Information Server has been plagued with security holes. At least one to two security bulletins are issued for IIS every month.
The following Security Bulletins represent the most recent security patches that Microsoft has released to harden the IIS product.
• Microsoft Security Bulletin (MS00-018) Chunked encoding transfers
• Microsoft Security Bulletin (MS00-019) Patch Available for “Virtualized UNC Share” Vulnerability
• Microsoft Security Bulletin (MS00-023) Patch Available for “Myriad Escaped Characters” Vulnerability
• Microsoft Security Bulletin (MS00-030) Patch Available for “Malformed Extension Data in URL” Vulnerability
• Microsoft Security Bulletin (MS00-031) Patch Available for “Undelimited .HTR Request” and “File Fragment Reading via .HTR” Vulnerabilities
The frequency and quantity of these security patches illustrate the importance of applying security patches on a regular basis.
Table 4-18 Auditing Scheme
Description                      Log Success   Log Failure
Audit account logon events       Yes           Yes
Audit account management         Yes           Yes
Audit directory service access   Yes           Yes
Audit logon events               Yes           Yes
Audit object access              No            Yes
Audit policy change              Yes           Yes
Audit privilege use              Yes           Yes
Audit process tracking           No            Yes
Audit system events              Yes           Yes
Securing Microsoft IIS
The reference material on IIS recommends the following actions to maximize the security of the IIS Application:
Note You can add any recommended registry changes to the SecEdit script so that a single script can tighten the security on the server.
Step 1 Disable unnecessary services.
Required services:
• Event Log
• License Logging Service
• Windows NTLM Security Support Provider
• Remote Procedure Call (RPC) Service
• Windows NT Server or Windows NT Workstation
• IIS Admin Service
• MSDTC
• World Wide Web Publishing Service
• Protected Storage
May Be Required:
• Certificate Authority (required if you plan on issuing certificates)
• Content Index (required if using Index Server)
• FTP Publishing Service (required for FTP Service)
• NNTP Service (required for NNTP News service)
• Plug & Play (recommended but not required)
• Remote Access Service (required if dialup access is used)
• RPC Locator (required if performing remote administration)
• Server Service (can be stopped, but will have to be restarted if you need User Manager)
• SMTP Service (required for SMTP service)
• Telephony Service (required if access is via dialup)
• UPS (optional; it is recommended to use a UPS)
• Workstation (optional; important if UNC virtual roots are used)
Not Required by Most Installations:
• Alerter
• ClipBook Server
• Computer Browser
• DHCP Client
• Messenger
• Net Logon
• Network DDE & Network DDE DSDM
• Network Monitor Agent
• Simple TCP/IP Services
• Spooler
• NetBIOS Interface
• TCP/IP NetBIOS Helper
• WINS Client (TCP/IP)
• NWLink NetBIOS
• NWLink IPX/SPX Compatible Transport (not required if you have TCP/IP)
Step 2 Disable RDS support.
The RDS DataFactory (a single component of RDS) allows implicit remoting of data access requests by default, so it can be exploited to give unauthorized Internet clients access to the OLE DB data sources available to the server. To disable it, remove the following registry keys and any subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
Step 3 Enable W3C Extended Logging Format.
The default logging format does not record enough information to determine whether a server is under attack.
Step 4 Clear Indexing.
If source code is indexed, an attacker can use the index to view the content of the web pages. To clear indexing, follow these steps:
a. Start the IIS Microsoft Management Console (MMC) and go to the Web Site Properties by right-clicking on the web site entry and selecting Properties.
b. Select the Home Directory tab.
c. Clear the Index this Directory and Directory browsing allowed options.
Step 5 Disable Parent Paths.
This prevents the use of “..” in calls to MapPath. The option is enabled by default, but you should disable it. Follow these steps:
a. Start the IIS MMC and go to the Web Site Properties by right-clicking on the Web Site entry and selecting Properties.
b. Select the Home Directory tab.
c. Select the Configuration tab.
d. Select App Options.
e. Clear the Enable Parent Paths option.
Step 6 Remove unused script mappings.
IIS is pre-configured to support various common filename extensions such as .ASP, .SHTML, and .HTR. Requests for these extensions are handled by various DLLs on the system. By removing the mappings for extensions you do not use, you minimize the potential attack points. Follow these steps:
a. Start the IIS MMC and go to the Web Site Properties by right-clicking on the Web Site entry and selecting Properties.
b. Select the Home Directory tab.
c. Select the Configuration tab.
d. Select the App Mappings tab.
e. Remove the mappings that are not needed.
Step 7 Remove IIS virtual directories.
IIS contains several virtual directories that should be removed. They are:
• IISADMPWD
• IISSAMPLES
• IISADMIN
• IISHELP
Step 8 Remove all sample application directories.
The following directories contain sample files that you should remove from the system. This prevents an attacker from exploiting a vulnerability in one of the sample files to gain access to the system:
• \Inetpub\iissamples
• \Inetpub\scripts\samples
• \Inetpub\wwwroot\samples
• \Program Files\Common Files\System\msadc\Samples
• \WINNT\system32\inetsrv\adminsamples
• \WINNT\system32\inetsrv\iisadmin
• \WINNT\system32\inetsrv\iisadminpwd
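As an added example (not part of the original checklist), the following Python script reads the W3C Extended log format enabled in Step 3 and flags requests for the sample and administrative directories removed in Steps 7 and 8, for .HTR resources (Step 6 and MS00-031), and for URLs carrying a “..” parent-path sequence. The log lines are constructed for the example; once the steps above have been applied, any hit means a step was skipped or the server is being probed.

```python
import re

# W3C Extended log lines, constructed for this example (not from a real server).
# The "#Fields:" directive names the columns, so the parser follows whichever
# fields the administrator enabled rather than assuming fixed positions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-06-01 00:01:05 10.0.0.5 GET /default.asp - 200
2000-06-01 00:01:09 10.0.0.5 GET /iissamples/default/welcome.htm - 404
2000-06-01 00:02:12 10.0.0.7 GET /msadc/Samples/default.htm - 200
2000-06-01 00:02:15 10.0.0.7 GET /scripts/..%5c../winnt/win.ini - 404
2000-06-01 00:03:01 10.0.0.9 GET /iisadmpwd/aexp2.htr - 200
2000-06-01 00:03:30 10.0.0.2 GET /images/logo.gif - 200
"""

# Directories the checklist removes (Steps 7 and 8) and the .HTR extension from
# Step 6 and MS00-031; after hardening, a hit means a skipped step or a probe.
WATCH_PREFIXES = ("/iissamples", "/iisadmpwd", "/iisadmin", "/iishelp", "/msadc", "/scripts/samples")
WATCH_EXTENSIONS = (".htr",)
# ".." (raw or URL-encoded) followed by a raw or URL-encoded path separator.
PARENT_PATH = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before any #Fields
        else:
            yield dict(zip(fields, line.split()))


def suspicious(entry):
    """Return the matched indicator for one log entry, or None if it looks ordinary."""
    stem = entry.get("cs-uri-stem", "").lower()
    if stem.endswith(WATCH_EXTENSIONS):
        return ".htr request"
    if stem.startswith(WATCH_PREFIXES):
        return "removed sample/admin directory"
    if PARENT_PATH.search(stem):
        return "parent path sequence in URL"
    return None


def find_suspicious(text):
    """Return (client IP, URI stem, reason) for every flagged request in a W3C log."""
    return [(e["c-ip"], e["cs-uri-stem"], r) for e in parse_w3c(text) if (r := suspicious(e))]
```

Running `find_suspicious(SAMPLE_LOG)` on the constructed log returns four flagged requests and leaves the two ordinary page hits alone.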
Step 9 Set appropriate virtual directory permissions/web application space.
It is important to ensure you apply the correct permissions to the files available on the web server. These permissions vary depending on the type of files being accessed. The following table provides a rough guideline to follow:
Step 10 Set appropriate IIS Log file ACLs.
To prevent malicious users from deleting log files to cover their activities, the file permissions on the IIS generated log files (%systemroot%\system32\LogFiles) should be as follows:
Step 11 Install Microsoft MDAC 2.1.2.4202.3.
On web sites that have both IIS and certain versions of MDAC, a visitor could perform privileged actions on the system. You can remove this vulnerability by installing MDAC 2.1 and configuring it to operate in Safe Mode. Change the following registry key:
• Hive: HKEY_LOCAL_MACHINE\SOFTWARE
• Key: \Microsoft\DataFactory\HandlerInfo
• Name: HandlerRequired
• Type: REG_DWORD
A value of 0 = unsafe mode and 1 = safe mode.