IIS 6 Administration

I’ll end this chapter with a potpourri of additional tips and recommendations on securing IIS, including where you can find some additional resources for keeping up to date on IIS security issues.

Worker Process Isolation Mode

I already mentioned this in passing in this chapter, but I’ll repeat and emphasize it again here: wherever possible, make sure you run your IIS machine in worker process isolation mode, not IIS 5 isolation mode. Worker process isolation mode offers greater reliability and security than IIS 5 isolation mode because it causes your application pools to use Network Service as their process identity, a system account with very few privileges. In contrast, when your server is running in IIS 5 isolation mode, all in-process applications run by default using Local System as their process identity, an account with very high privileges. Refer back to Chapter 8 to find out how to switch modes in IIS.

Virtual Directories

Virtual directories, discussed in Chapter 7, enhance IIS security because they help prevent intruders from guessing where your content is physically located on your machine, or on which other remote machine your content resides. The aliases used by virtual directories hide the true location of your content from your users and discourage URL snooping, which is when users take a deep-linked URL and gradually chop portions of it off trying to find directories where content might be hidden. Use virtual directories instead of physical ones wherever possible.

IIS Logging

Logging traffic to your IIS sites and reviewing these logs periodically is another important aspect of web server security, but, because IIS logging is also important as a maintenance and troubleshooting issue, I’ve deferred a discussion of this topic until Chapter 13, “Maintenance and Troubleshooting.”

CGI Parameters

IIS 6 strengthens security for running CGI applications by preventing certain special characters from being used in URLs passed to CGI applications. These forbidden characters are

| ( , ; % < >

Before you port legacy CGI applications to IIS 6, make sure that your input strings do not require any of these characters, or the port won’t work.

General Operating System Security

Last but not least in importance, don’t forget that securing IIS is really just a part of the overall process of securing the Windows Server 2003 operating system itself. Familiarity with securing the underlying platform is essential if you want your web servers to be hardened against attack. Obviously, a full treatment of Windows Server 2003 security is well beyond the scope of this book, but you should be sure that you fully understand these features:

• Active Directory, how it works and how it is secured

• Group Policy, including local and domain security policies and their settings

• Security templates and the Security Configuration and Analysis console

• File system auditing on NTFS volumes

• Which network services are essential and which can be safely disabled

• TCP/IP port filtering, IPSec policies, and Internet Firewall settings

Also, be sure to install the latest hotfixes, security rollups, and services packs as they become available for the Windows Server 2003 platform. Check out Microsoft’s main website at www.microsoft.com, as well as Microsoft Product Support Services (PSS) at support.microsoft.com, for the latest security bulletins, tutorials, and tools for managing hotfixes and rollups to ensure you have the latest information on how to secure both IIS in particular and Windows Server 2003 in general. Because this chapter was written while the product was in RC2 stage, some of the tools and procedures on these sites are still subject to change, but some of those you should keep an eye on include:

• Microsoft Baseline Security Analyzer This tool lets administrators use either a GUI interface or the command line to perform security scans of local or remote systems and determine what needs to be done to make them more secure. This tool is currently only available for Windows 2000 Server but should soon be updated for Windows Server 2003. It includes the Microsoft Network Security Hotfix Checker utility (HFNetChk), a tool that checks for missing security updates and service packs for the operating system; optional components like IIS; and other Microsoft server applications.

• URLScan This is a downloadable add-on first made available for IIS 5. It screens incoming HTTP requests and compares them to a ruleset you can create to block requests that might have malformed URL that intruders can use to try to compromise IIS. While IIS 6 fully supports URLScan, you can now use the WSE node in IIS Manager to block requests to specific code without having to look at a file extension in a URL; in some ways, this is simpler than using URLScan and replaces some of its functionality. The main feature that URLScan has that isn’t explicitly built into IIS is the ability to deny access based on URL character sequences. If you do download and use URLScan, just make sure it is the latest version and is compatible with IIS 6.

• URLAUTH This is a new feature of Windows Server 2003 that works together with the new Authorization Manager component to provide role-based security in addition to traditional ACL-based NTFS security. URLAUTH is implemented as an ISAPI filter and can reduce the attack surface on your web server, but it’s still being developed at this stage and will likely be released as an add-on after Windows Server 2003 is released.

• HisecWeb This is a security template for Windows 2000 Server that can be used with the Security Configuration and Analysis console to lock down underlying operating system security for IIS 5 web servers. It’s likely that Microsoft will update this template for Windows Server 2003 and IIS 6, so keep an eye out for it on Microsoft’s website.

• Windows Update Windows Server 2003 includes an Automatic Updates Setup Wizard that lets you configure your server to download and install new security patches and fixes from Microsoft automatically or according to a schedule you define. For enterprise customers that don’t want their machines to automatically retrieve software updates from the Internet using Windows Update, the Windows Server 2003 platform also includes a new Software Update Service (SUS) that lets administrators securely download updates to a central server on their network and then distribute them to servers across the network automatically.

You plan to use IIS for secure intranet access for your corporate users in an enterprise environment that uses Active Directory. Access for both local and remote clients is needed, and you want the highest level of security for your intranet, which will contain sensitive web applications developed using Active Server Pages technology. Which permissions will you assign to your content resources to ensure high security? Which authentication method(s) will you choose to implement? Will you use IP address and domain name restrictions? Why or why not? How will you configure your ASP applications to run securely on your server? Will you employ SSL to ensure encrypted communications between clients and servers? Why or why not? What other steps would you take to secure your web servers and their underlying operating system?