As web servers are targeted by more and more attackers and worm authors, IIS has become a top priority in Microsoft's Trustworthy Computing initiative. As a result, IIS 6.0 was completely redesigned to be secure by default and secure by design. This article focuses on how the changes to IIS 6.0's default settings and design make it a platform for critical web applications.
Default Security
In the past, vendors such as Microsoft installed a series of sample scripts, file handlers and minimal file authorization on their web servers by default, to give administrators flexibility and ease of use. However, these defaults increased the attack surface of IIS, or became the basis for attacks on it. IIS 6.0 was therefore designed to be a more secure platform than its predecessors. The most obvious change is that IIS 6.0 is not installed by default in Windows Server 2003; the administrator must explicitly install the component. Other changes include:
· Only a static HTTP server is installed by default
The default installation of IIS 6.0 installs only the components required to serve static HTML pages and does not allow dynamic content. The following table compares the default installation settings of IIS 5.0 and IIS 6.0:
· Sample applications are not installed by default
IIS 6.0 no longer ships sample applications or scripts such as showcode.asp and codebrws.asp. These were originally designed to let programmers quickly view and debug database connection code, but showcode.asp and codebrws.asp did not properly check their input to determine whether the requested file lay within the site root, so an attacker could bypass the check and read any file on the system (including sensitive information and configuration files that should not be visible). See the following link for details of the vulnerability: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-013.asp
· Enhanced file access control
The anonymous account no longer has write access to the web server root directory. In addition, FTP users are isolated from each other in their own root directories. These restrictions effectively prevent users from uploading unwanted programs to other parts of the server's file system; in earlier versions, for example, an attacker could upload harmful executable code to the /scripts directory and execute it remotely to attack the site.
· Virtual directories no longer have execute permission
Executables are no longer allowed to run from virtual directories. This avoids many of the directory traversal, code upload and MDAC vulnerabilities that affected earlier IIS versions.
· Sub-authentication module removed
IISSUBA.dll was removed in IIS 6.0. Any account that relied on this DLL for authentication in earlier versions of IIS must now hold the "Access this computer from the network" right. Removing the DLL forces all access to authenticate directly against the SAM or Active Directory, reducing the possible attack surface of IIS.
· Parent paths are disabled
Access to parent paths is disabled by default in IIS 6.0. This prevents an attacker from traversing the site's directory structure to reach other sensitive files on the server, such as the SAM file. Note that because parent paths are disabled by default, some applications migrated from earlier versions of IIS may fail because they can no longer use parent paths.
Secure Design
The fundamental security changes in the IIS 6.0 design show up in five areas: improved data validation, an enhanced logging mechanism, fast failure protection, application isolation, and the principle of least privilege.
Improved Data Validation
A major new feature of the IIS 6.0 design is the kernel-mode HTTP driver, HTTP.sys. It not only improves the performance and scalability of the web server but also greatly strengthens its security. HTTP.sys acts as the gateway to the web server: it first parses the user's request and then hands it to a suitable user-mode worker process for processing. Worker processes are confined to user mode and cannot access unauthorized kernel resources, which greatly limits an attacker's reach into protected server resources.
IIS 6.0 strengthens the inherent security of its design by integrating a set of security mechanisms into the kernel-mode driver: an advanced URL parser that avoids potential buffer overflows, an improved logging mechanism to support incident response, and checks on the validity of user requests.
To prevent potential exploitation of buffer and memory overflow vulnerabilities in the first place, Microsoft implemented special URL parsing settings in HTTP.sys, applying the defense-in-depth principle in the IIS 6.0 security design. These settings can be tuned further by modifying specific values in the registry. The following table lists the main registry values (all under the path HKLM\System\CurrentControlSet\Services\HTTP\Parameters):
Enhanced Logging Mechanism
Comprehensive logging is a basic requirement for detecting and responding to security incidents, and Microsoft recognised the importance of a comprehensive, reliable logging mechanism in HTTP.sys. HTTP.sys writes its log entry before the request is assigned to a specific worker process, so an error record is retained even if the worker process is interrupted. Each entry consists of fields such as the timestamp of the error, the destination IP address and port, the protocol version, the HTTP verb, the URL, the protocol status, the site ID, and the HTTP.sys reason phrase. The reason phrase gives detailed information on the cause of the error, such as a timeout, or the application pool forcibly dropping the connection because its worker process terminated abnormally.
An example of an HTTP.sys log file can be seen at the following link: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/iis6/proddocs/resguide/iisrg_log_qlow.asp
Fast Failure Protection
In addition to modifying the registry, IIS 6.0 administrators can use server settings to shut down, or restart, a process that fails repeatedly over a period of time. This additional protection prevents an application from failing constantly as a result of an attack. The feature is called fast failure protection.
Fast failure protection can be configured in Internet Information Services (IIS) Manager as follows:
1. In Internet Information Services (IIS) Manager, expand the local computer.
2. Expand Application Pools.
3. Right-click the application pool for which you want to set fast failure protection.
4. Select Properties.
5. Select the Health tab and check Enable Fast Failure Protection.
6. In the failure count field, enter the number of worker process failures allowed before the process is shut down.
7. In the time period field, enter the interval over which worker process failures are counted.
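The logging and fast-failure sections above describe what HTTP.sys records and when a pool is shut down. The following added example (not code from the original article or from Microsoft) parses constructed lines in the HTTP.sys error-log layout, counts the reason phrases, and flags any application pool whose worker process abandoned more requests inside a window than a fast-failure threshold would allow; the log lines, pool names and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of an HTTP.sys error log; the field order follows the
# "#Fields:" directive HTTP.sys writes, and reason phrases use the documented names.
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-07-24 14:02:11 192.0.2.10 1053 198.51.100.5 80 HTTP/1.1 GET /default.htm 400 1 BadRequest -
2003-07-24 14:02:12 192.0.2.10 1054 198.51.100.5 80 - - - - - Timer_ConnectionIdle -
2003-07-24 14:02:15 192.0.2.11 1102 198.51.100.5 80 HTTP/1.1 GET /app/order.asp 503 1 Connection_Abandoned_By_AppPool OrdersPool
2003-07-24 14:02:40 192.0.2.11 1103 198.51.100.5 80 HTTP/1.1 GET /app/order.asp 503 1 Connection_Abandoned_By_AppPool OrdersPool
2003-07-24 14:03:05 192.0.2.12 1200 198.51.100.5 80 HTTP/1.1 POST /app/order.asp 503 1 Connection_Abandoned_By_AppPool OrdersPool
2003-07-24 14:09:30 192.0.2.13 1311 198.51.100.5 80 HTTP/1.1 GET /site/index.htm 503 2 AppOffline SitePool
"""

FIELDS = ["date", "time", "c_ip", "c_port", "s_ip", "s_port", "cs_version", "cs_method",
          "cs_uri", "sc_status", "s_siteid", "s_reason", "s_queuename"]

def parse_httperr(text):
    """Turn log lines into dicts; '#' directives and malformed lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue
        entry = dict(zip(FIELDS, parts))
        entry["ts"] = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries

def reason_counts(entries):
    """How often each HTTP.sys reason phrase occurred; the reason pins down the cause."""
    return Counter(e["s_reason"] for e in entries)

def pools_failing_fast(entries, max_crashes=3, interval=timedelta(minutes=5)):
    """Names of queues (application pools) whose worker process abandoned at least
    max_crashes requests within any window of length `interval`; the thresholds
    mirror the failure count and time period set in the steps above (values constructed)."""
    times = defaultdict(list)
    for e in entries:
        if e["s_reason"] == "Connection_Abandoned_By_AppPool":
            times[e["s_queuename"]].append(e["ts"])
    flagged = set()
    for pool, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - max_crashes + 1):
            if stamps[i + max_crashes - 1] - stamps[i] <= interval:
                flagged.add(pool)
                break
    return sorted(flagged)
```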
Application Isolation
In earlier versions of IIS (5.0 and before), isolating web applications in separate units caused severe performance degradation, so application isolation was not implemented; often the failure of one web application affected other applications on the same server. IIS 6.0 instead processes requests in isolated units called application pools, a design change that also doubled performance. Each application pool consists of one or more worker processes. This lets you pinpoint where an error occurred and prevents one worker process from affecting others, which also improves the reliability of the server and its applications.
Adherence to the Principle of Least Privilege
IIS 6.0 adheres to a basic security principle, the principle of least privilege. The code in HTTP.sys runs as Local System, while all worker processes run as Network Service, a new, strictly restricted account in Windows Server 2003. In addition, IIS 6.0 allows only administrators to run its command-line tools, to prevent their malicious use. These design changes reduce the likelihood of attacks on the server through potential vulnerabilities. Alongside the fundamental design changes, some simple configuration changes (including removing anonymous users' write access to the web server root directory and isolating FTP users in their respective home directories) have greatly improved the security of IIS 6.0.
IIS 6.0 is the right step for Microsoft in helping customers improve their security; it provides a reliable and secure platform for web applications. These improvements come from the secure default settings of IIS 6.0, the security considerations built into its design, and its enhanced monitoring and logging capabilities. Administrators should not assume, however, that comprehensive security is achieved simply by migrating to the new platform. The right approach is a multi-layered security setup, consistent with the defense-in-depth principle applied against threats such as Code Red and Nimda.