Home > Articles

Security

This chapter is from the book

This chapter is from the book

Locking/Unlocking a Server

The easiest way to keep something secure it is to never grant people access to it unless they absolutely need it. You don't go around giving your front door key to everybody; the same basic rules apply to Windows Server 2003 and its approach to IIS.

There are three main steps between the unavailability of IIS when Windows Server 2003 is first installed to a running, functional, but still secure state:

  1. Installing IIS (including upgrading from IIS 4/5)

  2. Unlocking Static Content

  3. Unlocking Web Services Extensions

We're going to have a look at these steps, with a minor detour as we look at the issues when upgrading from a previous version of IIS, and how they both affect and protect the way in which you share and serve your Web sites.

Installing IIS

This has already been covered in Chapter 1, "Introducing IIS 6," but at the risk of repeating myself, it's worth mentioning that this is absolutely the best and most fundamental way of securing your servers from an attack through the IIS service.

To add IIS to an existing system, you need to use the Configure Your Server Wizard, available through the Administrative Tools folder in your Start menu.

Installing Extensions

Remember that when you install IIS, you need to confirm whether you want to include FrontPage Extensions or ASP.NET functionality.

If you've already installed IIS (or any of the other roles) and you want to remove the role from your server, using the same wizard, select the role you want to remove (IIS is part of the Application server role), and click Next.

You will be prompted to confirm the removal of IIS and the disabling of the ASP.NET service if you installed it. Note that it won't remove any of your Web sites or documents—just the application and services used to support the service.

The removal of the application is complete and absolute—if you later choose to add IIS to your server again, you will need the CD to install it. The removal really does purge the necessary components from the installation.

Upgrading from IIS 4/5

When you upgrade from Windows 2000 and IIS 5, or from Windows NT and IIS 4, Windows Server 2003 should automatically pick up any of the sites you've configured on these machines and server just as if you'd set them up on a new machine.

However, if you upgrade a machine from either of these two platforms and you have not modified the basic setup of IIS, Windows Server 2003 disables the service. This affords the same level of protection as installing Windows Server 2003—IIS is not installed unless you ask it to be.

Unlocking Static Content

Once IIS has been installed and enabled through the Server Roles Wizard, it's still more secure than a base IIS 4 or 5 installation. In its default state, IIS is only capable of serving static Web pages. All dynamic content, including CGI and ASP based content, is not enabled.

FrontPage Extensions

If you elected to install FrontPage extensions when you were running the Configure Your Server Wizard, the FrontPage ISAPI filter is already installed and configured on your IIS sites.

Static content is therefore unlocked as soon as you install IIS, but IIS still has some additional tricks to prevent users from downloading files they shouldn't have access to.

Web Resource

For a tutorial on setting basic directory based authentication, go to the Delta Guide series Web site at http://www.deltaguideseries.com and enter article ID# A020302.

Unlock at Your Own Risk

Don't unlock any IIS functionality that you don't absolutely need. Every piece of functionality—FrontPage Server Extensions, ASP.NET, or whatever—is another "moving part" that hackers can attempt to exploit. Leaving IIS locked down will help make it as secure and safe as possible.

Recognized File Extensions

In addition to only serving static Web content, IIS also extends its restrictions on what it serves from a site. One problem with previous versions is that IIS would blindly supply any file that happened to be in a directory shared through IIS, whether or not the file is officially listed. This made it possible to download applications, scripts, components, password files—you name it—from a directory if a user accidentally or deliberately entered the correct URL.

IIS 6 will only accept requests for files with extensions that it recognizes. The accepted file types that IIS will provide as static content are controlled through the MIME types settings. Note that it doesn't affect dynamic content, which is controlled through two separate mechanisms in the form of the Web service extensions manager and the file verification system.

You can manage the accepted MIME types that IIS will serve in two different places—at a server level and a Web site/directory level. You can see an example of the default settings, configured at the server level, shown in Figure 3.1.

MIME Types

The MIME type is sent back to the client when it requests a file, and it's used by the client to determine how the file should be handled. Remember that when adding a MIME type (and therefore an extension) setting, you should configure the right MIME type. Although most browsers have built-in mappings, most use the server derived information if it's supplied.

Figure 3.1Figure 3.1 Default MIME types configured in IIS.

The Web site/directory level settings augment the settings at the server level; they are not mutually exclusive. For example, if you have enabled Word documents (.doc) at a server level, all Web sites on that server will enable Word documents to be downloaded.

Unfortunately, this means that you have to control the system very carefully. If you have a need to supply specific document types—for example, Word, Excel, Acrobat, and so on—I recommend removing any setting from a server level and instead enabling the settings at the Web site, or better still, directory level.

For the Absolute Best in Protection

I prefer to disable all the file types from the MIME list and then only specifically enable the types that I know I've added to the site or server.

This can also work in your favor if you use the IIS folders to hold additional material about a project or item. For example, you might keep a Word document of a report in the same directory as the HTML version that you are serving. With the default settings, the Word document would be downloadable; with only the HTML files enabled, you can keep the files in the same folder.

Protected Web Content

Most malicious attempts to access and use your IIS server rely on the ability to write files and to update and overwrite configuration files and others through the IIS service.

Within IIS 6, anonymous Web users are blocked from writing to the server, preventing them from making any changes, no matter what tricks they try.

Unlocking Web Services Extensions

Dynamic Web content is supported through the Web services extensions—a new, separate component of the IIS configuration process. Web services extensions include the ISAPI filters and other dynamic content solutions, including ASP, CGI wrappers, and Server Side Includes.

IIS can allow or deny ISAPI filters to execute, improving your security by reducing the risk from the supported—but otherwise uncontrollable—extensions supported under previous versions. They are managed through the Web Services Extensions Manager portion of the IIS Manager, as seen in Figure 3.2.

Figure 3.2Figure 3.2 The Web Services Extensions Manager.

The two settings for each of the extensions that IIS knows about are as follows:

  • Prohibit—Prevents the ISAPI DLL from loading (and therefore executing).

  • Allow—Allows all documents destined for use with the ISAPI filter to be processed.

In either case, the enablement or disablement covers the entire server, so it should be used with caution on multi-host servers.

Prohibiting Extensions

You should be careful when prohibiting an extension that is actually in use by a current Web site. Usually IIS can identify the sites that use the extension by looking at the application configurations for different Web sites and directories, but it doesn't always work. Make sure that you know which of your applications (and Web sites) need which extensions.

In general, you should leave all the extensions in their default prohibited state unless you need them. Remember that you still have to enable applications (and if necessary, a corresponding application pool) to actually allow these extensions to be used, but that doesn't mean you can be careless. A list of the default Web Service Extensions and their security settings are given in Table 3.1.

Table 3.1 Default Web Service Extension Security Settings

Web Service Extension

Notes

All Unknown ISAPI Extensions

You should leave this set to prohibited. Allowing unknown ISAPI extensions will make your system more susceptible to worm and virus attacks, such as the NIMDA/Code Red.

All Unknown CGI Extensions

You should leave this to prohibited and then only allow CGI extensions that you have specifically allowed.

Active Server Pages

Used to support the old ASP standard.

ASP.NET

Used to support the new ASP.NET standard and pages developed within the .NET Framework.

FrontPage Server Extensions

Used to support FrontPage extensions. You must enable this if you want users to administer and publish Web sites from a client computer, especially through tools such as FrontPage.

Internet Data Connector

Used to support simpler dynamic Web pages that display data from a database. If you are using ASP for your dynamic sites, you can usually leave this as prohibited.

Server Side Includes (SSI)

Used to support the SSI system and best left prohibited unless you specifically need the SSI system. If you are using ASP and SSI together, consider moving your templates entirely to ASP and disabling SSI support.

WebDAV

Used for the Web Distributed Authoring and Versioning System, which can be used to allow authenticated users to publish, lock, and manage files and resources on a Web site. WebDAV is generally more practical than FrontPage, but it's also a more open security risk if not properly managed, so make sure that it's prohibited unless required.


Adding a New Web Service Extension

The Web Service Extension Manager only allows or prohibits the use of the extensions it knows about. If you've got an ISAPI filter that you've added to the system and are merely using it directly from within the application configuration, the extension manager can't control it.

This means that if you want to be able to arbitrarily deny access to a given filter, you should add it to the Web Service Extension Manager.

To do this, right-click on the Web Service Extensions folder and choose Add New Web Service Extension. You will see the window as shown in Figure 3.3. You will need to give the extension a name and then list the DLLs that make up the filter.

Figure 3.3Figure 3.3 Adding a new Web service extension.

Prohibiting All Access

You can switch off all the Web service extensions by right-clicking the Web Service Extensions object within IIS manager and selecting Prohibit All Web Service Extensions.

The obvious time you might find this useful is if you suspect that an attack is currently taking place and you want to disable dynamic content while leaving static content in place. It can also be useful if you are upgrading or updating a site and need to provide a placeholder page to indicate the status while the site is upgraded.

File Verification

Before IIS 6 processes a request for some dynamic content that has to be processed by an ISAPI filter, it checks that the requested content actually exists. This prevents users from using exploits that execute or trigger a response in an ISAPID filter, regardless of the actual document they are asking for.

With this system in place, it should be impossible to make use of an exploit in an ISAPI—even one that has somehow been installed maliciously—unless the filter itself is compatible with, and able to access, a file in the first place.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020