153 lines
10 KiB
HTML
153 lines
10 KiB
HTML
|
<html>
|
||
|
|
<head>
|
||
|
|
<title>Security Lockdown FAQ</title>
|
||
|
|
</head>
|
||
|
|
<body>
|
||
|
|
|
||
|
|
<FONT FACE="Verdana">
|
||
|
|
<H1>IIS Security Lockdown FAQ</H1>
|
||
|
|
|
||
|
|
|
||
|
|
<p FONT Size=2>Using the IIS Security Lockdown Wizard, Web site administrators can enable or disable IIS functionality based on the individual needs of their company. To help administrators understand the changes to IIS behavior and the reasoning behind these changes, the IIS Security Lockdown FAQ was developed to answer some common questions about the new functionality.
|
||
|
|
|
||
|
|
|
||
|
|
<p> <table>
|
||
|
|
<tr>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>Why does IIS 6.0 serve only static HTML files by default?</td></tr>
|
||
|
|
<tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>This change is a direct response to common hacker techniques to compromise a server. Consider for a moment your Web server being like a castle, which you want to defend against attack, while allowing commerce and exchange to occur through well known and regulated paths. Placing your castle in the middle of an open field would allow attack from any angle. But take that same castle and build a moat around it, place a drawbridge across the moat to provide regulated access to the castle, and you dramatically increase the overall security of the castle. Similarly, by reducing the number of features or access points available to a hacker, you can limit the exposure of your Web server to attackers. By default, IIS ships as a fully secured castle, allowing you to determine which drawbridges you open. </td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>What security holes does the Security Lockdown Wizard close? </td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>IIS 6.0 is a very secure Web server. All the known security issues have been dealt with in IIS6. IIS 6 provides a lot of services and these services are turned off by default. This tool enables the user to turn on the services he needs.</td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>Will my Web server be insecure if I enable ASP or any other feature?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>No. IIS ships without any known vulnerabilities in any feature. You are safe to enable any feature needed to run your business. However, consider the analogy described above before enabling features you do not need. An on-going security program is required to maintain security of your server. This includes monitoring, auditing, applying security hot fixes and service packs. For more information about security patches, please visit <a href="http://www.microsoft.com/security">http://www.microsoft.com/security</a></td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>How can I enable additional functionality?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>The IIS Security Lockdown Wizard is available via the IIS snap-in. To open the IIS snap-in, click <b>Start</b>, click <b>Run</b>, and type <b>inetmgr</b> in the <b>Open</b> text box. From the IIS snap-in, right-click the local computer icon, and then click <b>Security</b>. You can also programmatically control the
|
||
|
|
IIS Security Lockdown Wizard. For more information, see the question below about
|
||
|
|
programmatically enabling ISAPI extensions and CGI executables.</td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>How does the IIS Security Lockdown Wizard work?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>IIS 6 maintains a list of modules (ISAPI extensions and CGI executables) that are allowed to load and execute. An ISAPI extension is a Windows DLL that enables dynamic features on your Windows server. For example, ASP.dll is an ISAPI
|
||
|
|
extension that enables ASP scripts to run. CGI executables are usually EXE
|
||
|
|
programs that are written to provide dynamic Web server functionality. By
|
||
|
|
default, IIS does not allow any modules to load or execute; you must configure
|
||
|
|
IIS to allow the modules to load or process.</td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>If IIS 6 loads only registered DLLs and executables by default, can I enable ISAPI extensions that my company developed?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>IIS provides two ways for you to enable ISAPI extensions. First you can use the IIS Security Lockdown Wizard to add
|
||
|
|
any ISAPI extensions that you develop to the list of modules that IIS will load.
|
||
|
|
Second you can programmatically enable ISAPI extensions. For more information, see the
|
||
|
|
question below about programmatically enabling ISAPI extensions and CGI
|
||
|
|
executables.</td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>Can you provide a more descriptive error message when I request a Web page that is disabled?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>A more descriptive error message may be beneficial for administrators and developers of the server, but it also gives hackers information they
|
||
|
|
could use to compromise your server.</td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>What functionality changes should I expect if I upgraded from an IIS 4 or IIS 5.0 server to an IIS 6 server?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>Following an IIS server upgrade, all features
|
||
|
|
that you had enabled are left enabled. The IIS Security Lockdown wizard automatically appears the first time you open
|
||
|
|
the IIS snap-in, and it is highly recommended that you immediately disable any features that are not required to run your business. If you choose to not complete the IIS Security Lockdown Wizard, you can access it from the IIS snap-in by right-clicking the local computer, and then clicking <b>Security</b>.</td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>Are there any other IIS 6 security improvements that might effect my Web applications?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>Yes. You should also be aware of the following security improvements:
|
||
|
|
|
||
|
|
<UL>
|
||
|
|
<li>On a clean install, IIS runs as a low privileged account,<I> Network Service</I>. Network Service reduces the access a hacker obtains if he is successful in attacking your server.
|
||
|
|
<li>IIS has removed sample scripts and other well known virtual directories, which are a common target by hackers.
|
||
|
|
<li>IIS automatically checks for buffer overflows.<li>IIS prevents attacks from consuming too many resources by setting aggressive limits and timeouts.</ul></td></tr>
|
||
|
|
<tr><td> </td><td> </td></tr></table>
|
||
|
|
|
||
|
|
|
||
|
|
<table>
|
||
|
|
<td valign="top" width="1%"><b>Q:</b></td><td>Can I enable my ISAPI extension or CGI executable programmatically? How do I do it?</td></tr>
|
||
|
|
<td valign="top"><b>A:</b></td><td>Yes. You can enable an ISAPI extension
|
||
|
|
programmatically using the following ADSI sample:</td></tr>
|
||
|
|
<tr><td> </td>
|
||
|
|
<td class="MsoNormal"><code style="font-family: Courier New">
|
||
|
|
<span style="font-size:10.0pt">if WScript.Arguments.Count < 1 then<br>
|
||
|
|
WScript.Echo "Usage: " & WScript.ScriptFullName & " full_path_of_ISAPI_to_add"<br>
|
||
|
|
WScript.Quit<br>
|
||
|
|
end if<br>
|
||
|
|
set iis = GetObject("IIS://localhost/w3svc")<br>
|
||
|
|
oIRL = iis.ISAPIRestrictionList<br>
|
||
|
|
redim newIRL(UBound(oIRL))<br>
|
||
|
|
if instr(1,oIRL(0),"1") > 0 then<br>
|
||
|
|
'Remove ISAPI extension from the list of restricted ISAPI extensions<br>
|
||
|
|
for i=0 to UBound(oIRL)<br>
|
||
|
|
if instr(1,oIRL(i), WScript.Arguments(0)) > 0 then <br>
|
||
|
|
'If ISAPI extension is found, don't write it to newIRL<br>
|
||
|
|
else<br>
|
||
|
|
newIRL(i) = oIRL(i)<br>
|
||
|
|
end if<br>
|
||
|
|
next<br>
|
||
|
|
WScript.Quit<br>
|
||
|
|
else<br>
|
||
|
|
'Add ISAPI extension to the list of allowed ISAPI extensions<br>
|
||
|
|
redim newIRL(UBound(oIRL)+1)<br>
|
||
|
|
for i=0 to UBound(oIRL)<br>
|
||
|
|
newIRL(i) = oIRL(i)<br>
|
||
|
|
next<br>
|
||
|
|
newIRL(UBound(newIRL)) = WScript.Arguments(0)
|
||
|
|
end if<br>
|
||
|
|
iis.ISAPIRestrictionList = newIRL<br>
|
||
|
|
iis.SetInfo<br>
|
||
|
|
WScript.Echo WScript.Arguments(0) & " is now an allowed ISAPI extension."</span></code></td></tr>
|
||
|
|
|
||
|
|
<tr><td> </td><td> </td></tr>
|
||
|
|
|
||
|
|
<td valign="top"> </td><td>You can enable a CGI executable programmatically using the following ADSI sample:</td></tr>
|
||
|
|
<tr><td> </td>
|
||
|
|
<td class="MsoNormal"><code style="font-family: Courier New">
|
||
|
|
<span style="font-size:10.0pt">if WScript.Arguments.Count < 1 then<br>
|
||
|
|
WScript.Echo "Usage: " & WScript.ScriptFullName & " full_path_of_CGI_to_add"<br>
|
||
|
|
WScript.Quit<br>
|
||
|
|
end if<br>
|
||
|
|
set iis = GetObject("IIS://localhost/w3svc")<br>
|
||
|
|
oIRL = iis.CGIRestrictionList<br>
|
||
|
|
redim newIRL(UBound(oIRL))<br>
|
||
|
|
if instr(1,oIRL(0),"1") > 0 then<br>
|
||
|
|
'Remove CGI executable from the list of restricted CGI executables<br>
|
||
|
|
for i=0 to UBound(oIRL)<br>
|
||
|
|
if instr(1,oIRL(i), WScript.Arguments(0)) > 0 then <br>
|
||
|
|
'If CGI executable is found, don't write it to newIRL<br>
|
||
|
|
else<br>
|
||
|
|
newIRL(i) = oIRL(i)<br>
|
||
|
|
end if<br>
|
||
|
|
next<br>
|
||
|
|
WScript.Quit<br>
|
||
|
|
else<br>
|
||
|
|
'Add CGI executable to the list of allowed CGI executables<br>
|
||
|
|
redim newIRL(UBound(oIRL)+1)<br>
|
||
|
|
for i=0 to UBound(oIRL)<br>
|
||
|
|
newIRL(i) = oIRL(i)<br>
|
||
|
|
next<br>
|
||
|
|
newIRL(UBound(newIRL)) = WScript.Arguments(0)
|
||
|
|
end if<br>
|
||
|
|
iis.CGIRestrictionList = newIRL<br>
|
||
|
|
iis.SetInfo<br>
|
||
|
|
WScript.Echo WScript.Arguments(0) & " is now an allowed CGI executable."
|
||
|
|
</span></code></td></tr></table>
|
||
|
|
|
||
|
|
</font>
|
||
|
|
|
||
|
|
</body>
|
||
|
|
</html>
|