IIS Security Lockdown FAQ

Using the IIS Security Lockdown Wizard, Web site administrators can enable or disable IIS functionality based on the individual needs of their company. To help administrators understand the changes to IIS behavior and the reasoning behind these changes, the IIS Security Lockdown FAQ was developed to answer some common questions about the new functionality.

 
Q:Why does IIS 6.0 serve only static HTML files by default?
A:This change is a direct response to common hacker techniques to compromise a server. Consider for a moment your Web server being like a castle, which you want to defend against attack, while allowing commerce and exchange to occur through well known and regulated paths. Placing your castle in the middle of an open field would allow attack from any angle. But take that same castle and build a moat around it, place a drawbridge across the moat to provide regulated access to the castle, and you dramatically increase the overall security of the castle. Similarly, by reducing the number of features or access points available to a hacker, you can limit the exposure of your Web server to attackers. By default, IIS ships as a fully secured castle, allowing you to determine which drawbridges you open.
  
Q:What security holes does the Security Lockdown Wizard close?
A:IIS 6.0 is a very secure Web server. All the known security issues have been dealt with in IIS 6. IIS 6 provides a lot of services, and these services are turned off by default. This tool lets the administrator turn on only the services that are needed.
  
Q:Will my Web server be insecure if I enable ASP or any other feature?
A:No. IIS ships without any known vulnerabilities in any feature. You are safe to enable any feature needed to run your business. However, consider the analogy described above before enabling features you do not need. An ongoing security program is required to maintain the security of your server. This includes monitoring, auditing, and applying security hotfixes and service packs. For more information about security patches, please visit http://www.microsoft.com/security
  
Q:How can I enable additional functionality?
A:The IIS Security Lockdown Wizard is available via the IIS snap-in. To open the IIS snap-in, click Start, click Run, and type inetmgr in the Open text box. From the IIS snap-in, right-click the local computer icon, and then click Security. You can also programmatically control the IIS Security Lockdown Wizard. For more information, see the question below about programmatically enabling ISAPI extensions and CGI executables.
  
Q:How does the IIS Security Lockdown Wizard work?
A:IIS 6 maintains a list of modules (ISAPI extensions and CGI executables) that are allowed to load and execute. An ISAPI extension is a Windows DLL that enables dynamic features on your Windows server. For example, ASP.dll is an ISAPI extension that enables ASP scripts to run. CGI executables are usually EXE programs that are written to provide dynamic Web server functionality. By default, IIS does not allow any modules to load or execute; you must configure IIS to allow the modules to load or process.
  
Q:If IIS 6 loads only registered DLLs and executables by default, can I enable ISAPI extensions that my company developed?
A:IIS provides two ways for you to enable ISAPI extensions. First, you can use the IIS Security Lockdown Wizard to add any ISAPI extensions that you develop to the list of modules that IIS will load. Second, you can programmatically enable ISAPI extensions. For more information, see the question below about programmatically enabling ISAPI extensions and CGI executables.
  
Q:Can you provide a more descriptive error message when I request a Web page that is disabled?
A:A more descriptive error message may be beneficial for administrators and developers of the server, but it also gives hackers information they could use to compromise your server.
  
Q:What functionality changes should I expect if I upgraded from an IIS 4 or IIS 5.0 server to an IIS 6 server?
A:Following an IIS server upgrade, all features that you had enabled are left enabled. The IIS Security Lockdown Wizard automatically appears the first time you open the IIS snap-in, and it is highly recommended that you immediately disable any features that are not required to run your business. If you choose not to complete the IIS Security Lockdown Wizard, you can access it from the IIS snap-in by right-clicking the local computer, and then clicking Security.
  
Q:Are there any other IIS 6 security improvements that might affect my Web applications?
A:Yes. You should also be aware of the following security improvements:
  • On a clean install, IIS runs as a low-privileged account, Network Service, which reduces the access a hacker obtains if an attack on your server succeeds.
  • IIS no longer ships sample scripts and other well-known virtual directories, which are a common target for hackers.
  • IIS automatically checks for buffer overflows.
  • IIS prevents attacks from consuming too many resources by setting aggressive limits and timeouts.
  
Q:Can I enable my ISAPI extension or CGI executable programmatically? How do I do it?
A:Yes. You can enable an ISAPI extension programmatically using the following ADSI sample:
if WScript.Arguments.Count < 1 then
   WScript.Echo "Usage: " & WScript.ScriptFullName & " full_path_of_ISAPI_to_add"
   WScript.Quit
end if
set iis = GetObject("IIS://localhost/w3svc")
oIRL = iis.ISAPIRestrictionList
'Element 0 of the list is the mode: "1" means every module is allowed except those
'listed (a deny list); "0" means every module is denied except those listed (an allow list)
if instr(1,oIRL(0),"1") > 0 then
   'Remove ISAPI extension from the list of restricted ISAPI extensions
   redim newIRL(UBound(oIRL))
   n = 0
   for i=0 to UBound(oIRL)
      if instr(1,oIRL(i), WScript.Arguments(0)) > 0 then
         'If ISAPI extension is found, don't copy it to newIRL
      else
         newIRL(n) = oIRL(i)
         n = n + 1
      end if
   next
   'Shrink newIRL to the elements actually copied (the mode element is always kept)
   redim preserve newIRL(n-1)
else
   'Add ISAPI extension to the list of allowed ISAPI extensions
   redim newIRL(UBound(oIRL)+1)
   for i=0 to UBound(oIRL)
      newIRL(i) = oIRL(i)
   next
   newIRL(UBound(newIRL)) = WScript.Arguments(0)
end if
'Write the updated list back to the metabase in both cases
iis.ISAPIRestrictionList = newIRL
iis.SetInfo
WScript.Echo WScript.Arguments(0) & " is now an allowed ISAPI extension."
  
You can enable a CGI executable programmatically using the following ADSI sample:
if WScript.Arguments.Count < 1 then
   WScript.Echo "Usage: " & WScript.ScriptFullName & " full_path_of_CGI_to_add"
   WScript.Quit
end if
set iis = GetObject("IIS://localhost/w3svc")
oIRL = iis.CGIRestrictionList
'Element 0 of the list is the mode: "1" means every executable is allowed except those
'listed (a deny list); "0" means every executable is denied except those listed (an allow list)
if instr(1,oIRL(0),"1") > 0 then
   'Remove CGI executable from the list of restricted CGI executables
   redim newIRL(UBound(oIRL))
   n = 0
   for i=0 to UBound(oIRL)
      if instr(1,oIRL(i), WScript.Arguments(0)) > 0 then
         'If CGI executable is found, don't copy it to newIRL
      else
         newIRL(n) = oIRL(i)
         n = n + 1
      end if
   next
   'Shrink newIRL to the elements actually copied (the mode element is always kept)
   redim preserve newIRL(n-1)
else
   'Add CGI executable to the list of allowed CGI executables
   redim newIRL(UBound(oIRL)+1)
   for i=0 to UBound(oIRL)
      newIRL(i) = oIRL(i)
   next
   newIRL(UBound(newIRL)) = WScript.Arguments(0)
end if
'Write the updated list back to the metabase in both cases
iis.CGIRestrictionList = newIRL
iis.SetInfo
WScript.Echo WScript.Arguments(0) & " is now an allowed CGI executable."
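The two ADSI scripts above both work on the same list shape, so the allow/deny logic they rely on (and that the "How does the IIS Security Lockdown Wizard work?" answer describes) can be checked offline. The following Python model is an added example, not code from the FAQ or from IIS; it assumes the layout the scripts imply (element 0 is the mode flag "0" or "1", later elements are full module paths), case-insensitive Windows path comparison, and the constructed sample paths shown.

```python
# Added example, not code from the FAQ: an offline model of the IIS 6
# ISAPI/CGI restriction-list format that the FAQ's ADSI scripts manipulate.
# Assumed layout (inferred from those scripts): element 0 is a mode flag,
# "0" = deny every module except those listed, "1" = allow every module
# except those listed; the remaining elements are full module paths.
from typing import List

DENY_EXCEPT_LISTED = "0"   # lockdown default: only listed modules load
ALLOW_EXCEPT_LISTED = "1"  # permissive mode: listed modules are blocked

def _norm(p: str) -> str:
    """Windows paths are case-insensitive; also unify slash style."""
    return p.strip().lower().replace("/", "\\")

def _split(restriction_list: List[str]):
    mode, entries = restriction_list[0], list(restriction_list[1:])
    if mode not in (DENY_EXCEPT_LISTED, ALLOW_EXCEPT_LISTED):
        raise ValueError(f"unknown restriction mode {mode!r}")
    return mode, entries

def is_enabled(restriction_list: List[str], module_path: str) -> bool:
    """Would IIS load module_path under this restriction list?"""
    mode, entries = _split(restriction_list)
    listed = any(_norm(e) == _norm(module_path) for e in entries)
    return listed if mode == DENY_EXCEPT_LISTED else not listed

def set_enabled(restriction_list: List[str], module_path: str, enabled: bool) -> List[str]:
    """Return a new list in which module_path is (or is not) loadable.

    Under "0" the list names allowed modules, so enabling adds and disabling
    removes; under "1" the list names blocked modules, so the reverse holds.
    The input is not mutated, mirroring a read-modify-write of the metabase.
    """
    mode, entries = _split(restriction_list)
    add = enabled if mode == DENY_EXCEPT_LISTED else not enabled
    entries = [e for e in entries if _norm(e) != _norm(module_path)]
    if add:
        entries.append(module_path)
    return [mode] + entries

def loadable(restriction_list: List[str], candidates: List[str]) -> List[str]:
    """Audit helper: which candidate module paths would currently load."""
    return [p for p in candidates if is_enabled(restriction_list, p)]

# Constructed sample lists (illustrative paths, not from a real server).
LOCKED_DOWN = ["0", r"C:\WINDOWS\system32\inetsrv\asp.dll"]
PERMISSIVE = ["1", r"C:\Inetpub\scripts\legacy.dll"]
```

Running `loadable` against a list of every DLL and EXE under the Web root is a quick way to audit which modules a given list actually lets IIS load before and after a change.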