IIS7 Security
Proven Scalability
Proven Security
Proven Trust
A solid foundation to build on.
Two security patches for IIS 6 since RTM (>3 yrs)
2002
2003
4/15
Server2003
RTM
2004
2005
2006
(WebDAV DoS)
(ASP)
06/11
06-034
10/12
04-021
IIS 6
6/11
4/10
02-018 02-028
IIS 5
8
10/30
02-062
5/28
03-018
4
4
7/13
04-021
8
IIS 4
4
< Critical
= Critical
X
= Rollup with
X updates
4
Notes
•MS02-011 & 012 not included: updates SMTP service only
•ASP.NET adds:
1 – v 2.0 2 - v 1.1
3 - v 1.0
• Modular Design:
– Reduced exposure at installation and runtime
• .Net Integration:
– Forms Auth for any content
– Use of .NET Role and Membership Providers
• Built in anonymous account
– Easier to administer, restore, and configure
• Application Pool Isolation
– Improved Sandboxing between applications
• URLAuthorization and Request Filtering
– New choices for improving security
• Kernel mode SSL and authentication
– Faster negotiation of security exchanges, fewer
problems
Features implemented as discrete
modules
Modularity improves security
Reduced module set by default at install
Remove modules that you do not need
Extensibility allows security customization
Add authentication, logging, or blocking
mechanisms
Integrated pipeline enables Forms
authentication with any content
Leverage existing user database with
.NET Role/Membership providers
Examples: Store user names in:
Active directory or local SAM
SQL 2005 Express for static site users
ADAM for users and groups in a PHP application
DB2 mainframe users and groups in ASP.net
#1 of 6
Control access to sites, folders, or files
without using NTFS
Inspired by ASP.net URL authorization, but
designed for administrators
Rules are stored in .config files
Delegate control to store in web.config
Authorization rules are then portable
Xcopy and maintain security
Use Windows principles or .NET provider
Native to IIS 7
#2 of 6
IIS 7 integrates URLScan style rules
Very strong security feature
Prevent URLs that contain “any string”
Block URLs over “X” in length
Prevent delivery of “.config” or “/bin”
Easy to read rules stored in .config
Delegate control to store in web.config
Filtering rules are then portable
Cannot be edited in UI
New error codes track rejections
#3 of 6
• IUSR instead of IUSR_<servermame>
• IUSR is “built in”, not a local account
– Cannot logon to system with this account
– No password to worry about
– Same SID on all Vista/LH servers
– File ACLS are valid between servers
• Allow anonymous access & turn off IUSR:
– Use process identity for anon access when
enabled
– Disabled by default
IIS_WPG local group in IIS 6
All app pool identities must be in IIS_WPG
Creates administrative overhead
Adds complexity to hardening/pool isolation
IIS_IUSR replaces IIS_WPG
Built in group, not local
Well known SID means ACLS respected
Pool identities are automatically added
#4 of 6
New IIS 7 feature significantly improves
application pools isolation
Prevents attacker from reading secrets in
another pools config
Works automatically, and is transparent to
configuration and operation
Process identity is unchanged
Network Service by default
Note that application pools cannot ready
Applicationhost.config by default.
Each site is assigned to a unique pool
Occurs automatically with new site in UI
At runtime:
Unique SID for pool is “injected” into the
process’ list of SIDs
Does not change process identity
A “temp” config file is created that contains
only config settings for the pool
The temp config file is ACLd with unique SID
SID will be the same on other servers
#5 of 6
Additional steps for increasing security
Disable anon user
appcmd set config -section:anonymousAuthentication -userName:"" --password
All anon access will occur as process identity
Set content for access by App Pool unique
SID (with icacls)
Local content only, won’t work for UNC content
Create secure location for
ASP template cache
Compressed content
Create ASP.net temp file location for pool
appcmd set config "Default Web Site" -section:compilation tempDirectory:%systemdrive%\inetpub\temp\aspnettemp\site%1 /commit:webroot
Advanced Hardening
#6 of 6
Kernel Mode SSL
Improves performance
Reduces context switch to user mode
Kernel Mode Authentication
Improves performance
Kerberos functions when using custom
application pool identity!
No need to use SETSPN as access to DC
occurs as machine account
IIS 7 provides improvements and new
capabilities that increase security and
simplify administration
Feature
Beneft
Modular Design
Reduce Footprint, less exposure
Built in anonymous user
Can’t expire or lockout, no password to
manage
Disable anon user
Simplify ACLs on content
Integrated pipeline
User Forms authentication and .NET
role/membership providers
Request Filtering
Prevent malicious content from reaching
applications
URLAuthorization
Use file based rules instead of ACLs to
control access
Kernel Mode Authentication and SSL
No SETSPN with custom pool identities.
Faster SSL and auth.
Application Pool Sandbox
Improved isolation between pools
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
IIS 6 used different rules for local vs unc
IIS 7 rules are simplified to be consistent
Rule: If username and password is supplied
for a site or directory, they are used to all
content regardless of location.
Enable for
Delegation
Read/Write: If set, delegation is enabled
• Q: Where do I configure Read/Write
•
•
•
•
•
•
properties that were in IIS 6?
A: Handler properties
Q: How do I install a Certificate
A: Install a Self Signed Cert in the UI or use
wizard
A: What happened to Web Service
Extensions?
Q: Implemented as ISAPI and CGI restrctions
In the UI
Q: Do I need URLScan
A: No.
Difference
Rule evaluation
IIS7 User Interface
Configuration section
Module
Content
ASP.NET Url Authorization
Behavior
IIS7 Url Authorization
Behavior
Order:
a) Deny rules get
Order:
evaluated first starting at
a) Lower level first
the parent
going up to the parent
b) Allow rules starting
b) Order of appearance
at the parent.
in rule collection
c) Order of
appearance in rule
collection
"Authorization Rules" User
No IIS7 User Interface
Interface
system.webServer/security/a
system.web/authorization
uthorization
System.Web.Security.UrlAut %windir%\system32\inetsrv\
horization
urlauthz.dll
Applies only to content that
is mapped to a managed
handler (can be turned off
Applies to all content
via managedHandler
precondition)