Securing IIS
Authentication in IIS
Authentication in IIS verifies whether a user attempting to access a particular website, can indeed access it. Authentication is the process that verifies whether the user can access the site which he/she is attempting to access. The authentication methods which can be used to authenticate users in IIS 6 are listed below. Each authentication method can be used to authenticate users attempting to access Web sites. However, only Anonymous access and Basic Authentication can be used as an authentication method for FTP sites.
- Anonymous access: This authentication method is enabled by default for both the Default Web Site and Default FTP Site. Anonymous access allows all anonymous users to access the content of the Web site. Anonymous access is typically utilized for public Web sites which are connected to the Internet.
- Basic Authentication: This is the weakest authentication method available for IIS, and should be utilized when you cannot use any other authentication method. Basic authentication uses a clear-text username and password. Basic Authentication functions over proxy servers, and works with all browser clients. Basic Authentication is enabled for FTP sites, by default.
- Integrated Windows Authentication: This is the most secure option that can be used for authentication in IIS. Kerberos version 5 is utilized if the client browser includes support for the protocol. NTLM authentication is used when the client browser does not support Kerberos.
- Digest Authentication can only be enabled if Active Directory is used. Digest Authentication sends the user credentials over the network by utilizing an encrypted MD5 hash.
- .NET Passport Authentication: In this authentication method, .NET passports are utilized for authentication, and authentication occurs via a single sign on method. The credentials of users have unique Passport accounts which are stored on Passport servers connected to the Internet. The Passport servers are managed by Microsoft. IIS sends the Passport information of the user to the Passport servers for authentication when a user attempts to access an IIS Web site.
To configure an authentication method for a Web site,
- Open the IIS Manager.
- Right-click a Web site in the console tree, and select Properties from the shortcut menu.
- When the Properties dialog box of the Web site opens, click the Directory Security tab.
- In the Authentication and Access Control section of the Directory Security tab, click the Edit button.
- The Authentication Methods dialog box opens. You can configure the authentication methods just discussed on this dialog box.
NTFS Permissions
When securing IIS through permissions, the two types of permissions that are important are NTFS permissions and Web permissions. NTFS permissions form the basis of both Windows Server 2003 and IIS security, and control whether users are permitted to access files and folders, and the level of access users have. There are different levels of NTFS permissions in Windows Server 2003. There are also differences when NTFS permissions are applied on files, and when they are applied on folders.
NTFS permissions control what entity can access certain parts of the disk system. You can configure access to resources by either allowing or denying permissions to uses and groups. Resource access permissions are located as access control entries (ACEs) on an access control list (ACL). This forms a component of the security descriptor of every resource. A user can then only access a resource when the security access token of the user is matched to the security identifiers (SIDs) in the access control entries (ACEs) of the access control list (ACL). The security access token of the user holds the SIDs of the user’s account and group accounts.
The two versions of NTFS are NTFS 4.0 and NTFS 5.0. NTFS 4.0 is commonly used with Windows NT 4.0. Although NTFS 4.0 suppors local and remote access control on files and folders, it does not support the majority of Windows 2000 and Windows Server 2003 file system features. NTFS 5.0 on the other hand supports Active Directory directory service, encryption, compression, and disk quota, among other features.
The standard NTFS permissions which you can configure are listed below:
- Full Control: Allows users to perform all functions on files and folders, including creating new folders, changing and deleting files, attaching data to files, taking ownership of the file, changing the attributes of the files and folders, and changing permissions on the file.
- Modify: Allows users to list the contents of a folder and read the data in the folder’s files, add and delete files, change files and the properties of files, and change the attributes of files and folders.
- Read & Execute: Allows users to view the attributes of a file or folder and to execute files (programs) located in folders. Users can also list the contents of a folder, and read data contained in the folder.
- List Folder Contents: Allows users to list a folder’s contents, and view the attributes of files and folders.
- Write: Allows users to create new files and folders, change the attributes of a file or folder, overwrite a file, and view file ownership and permission.
- Read: The Read permission allows users to view a file and any subfolder names, attributes, properties, ownership, and list the contents of a folder.
The default NTFS permissions assigned on the wwwroot directory (Default Web Site) are listed below. To view these permissions,
- Open IIS Manager
- In the console tree, right-click the Default Web Site and click Permissions from the shortcut menu.
- Administrators: Users that belong to the Administrators security group have full control over the wwwroot directory. Administrators have the following default permissions:
- Full Control, Modify, Read & Execute, List Folder Contents, Write, and Read.
- Users: This group has standard Web users as group members, and group members have the following permissions:
- Read & Execute, List Folder Contents, and Read.
- SYSTEM:This is a built-in group (special identity) created by Windows Server 2003. SYSTEM has the following default permissions:
- Full Control, Modify, Read & Execute, List Folder Contents, Write, and Read.
- IIS_WPG: IIS_WPG is a new group in IIS 6. User accounts in this group are used as process identities for the worker processes associated with application pools. IIS_WPG has the following default permissions:
- Read & Execute, List Folder Contents, and Read.
- Internet Guest Account: This group can be used to enable anonymous users to access the content on websites.
- The Read permission is set to Deny.
- Administrators: Users that belong to the Administrators security group have full control over the wwwroot directory. Administrators have the following default permissions:
When a new Web site is created, the default permissions assigned to security principals are:
- Administrators: Full Control.
- Users: Read & Execute.
- SYSTEM: Full Control.
- Creator Owner: Special permissions.
- Internet Guest Account: No permissions are assigned.
Web Permissions
Web permissions or IIS access permissions control access to Web content on IIS sites. The Web permissions which you can configure are listed below.
To access IIS Web permissions,
- Open the IIS Manager.
- Right-click the appropriate Web site and select Properties from the shortcut menu.
- When the Properties dialog box of the site opens, click the Home Directory tab.
- Script Source Access: When selected, users will be able to access the source code of ASP pages, and change them when the Write permission is also enabled. It is recommended to only enable this permission on servers used for development purposes.
- Read: When selected, users can read or download files which are located in the directory.
- Write: When selected, users can add and change Web content.
- Directory Browsing: When enabled, users are permitted to browse the directory structure.
- Log Visits: You can enable logging for the website by selecting the Log Visits option. You should also select the Enable Logging checkbox on the Web Site tab when you select the Log Visits option.
- Index This Resource: When selected, the Microsoft Windows Content Indexing Service creates an index of the home folder.
You can configure Web permissions at the following levels in IIS:
- For all Websites: You can configure Web permissions for all websites through the Home Directory tab of the Web Sites node’s Properties dialog box. All websites on the IIS server would inherit these permissions.
- For a specific Web site(s): You can configure Web permissions for a specific Web site through the Home Directory tab of that particular Web site Properties dialog box.
- For a specific directory or virtual directory: When you configure Web permissions at the directory level or virtual directory level, the permissions are inherited by all files within the particular directory. You can configure Web permissions for a specific directory through the Directory tab of that particular directory’s Properties dialog box. Web permissions can be configured for a specific virtual directory through the Virtual Directory tab of that particular virtual directory’s Properties dialog box.
- For a specific file located in a virtual directory: You can configure Web permissions for a file in a virtual directory through the File tab of the file’s Properties dialog box.
When a user cannot access a Web site,
- Check which permissions have been configured for the home directory.
- If Anonymous access is enabled, verify that no password has been specified.
- Verify whether any IP Address and Domain Name restrictions have been configured, which may deny access to the user.
IP Address and Domain Name Restrictions
You can restrict Web access at the IP address level by only allowing users to access a site who are using an IP address from a predefined list of approved IP addresses. In this manner, you can control access to websites, directories and files based on IP addresses or domain names.
To do this,
- Open the IIS Manager.
- Right-click the Web site in the console tree, and select Properties from the shortcut menu.
- When the Properties dialog box of the Web site opens, click the Directory Security tab.
- In the IP Address and Domain Name Restrictions section of the Directory Security tab, click the Edit button.
- When the Address and Domain Name Restrictions dialog box opens, you can specify that all computers are granted access, or you can specify those computers which should not be granted access by listing their IP address or domain name.
- Click the Add button to include particular users’ IP addresses in a list.
- Click OK.
Application Security in IIS
Application security in IIS involves the following processes:
- Enabling or disabling Web Service Extensions (WSE): To run dynamic Web applications on IIS, you first have to use the Web Service Extensions node in IIS Manager to allow or prohibit the Web service extensions listed below:
- ASP.
- ASP.NET.
- ISAPI Extensions.
- CGI Extensions.
- Front Page Server Extensions 2000 and 2002.
- Internet Data Connector.
- WebDAV support.
To access the Web Service Extensions (WSE),
- Open the IIS Manager.
- Select the Web Server Extensions node.
- Specifying execute permissions for applications. These permissions enable applications in websites and virtual directories to execute/run.
- Setting up application pool identities: Application pool identities are configured to control the manner in which worker processes serve application pools. A worker process is a process wherein user developed Web application code runs. A worker process is actually a host process, called w3wp.exe. Worker processes process the user requests received from the http.sys queues. The worker processes also returns a static page or dynamic page to the requesting client through http.sys. A worker process can host the following:
- ASP applications.
- ISAPI applications and filters.
- CGI applications.
- Static content.
An application pool consists of the following components:
- A kernel mode http.sys request queue.
- A single instance of or multiple instances of w3wp.exe – worker processes.
The best practices for writing secure code for ASP or ASP.NET applications are:
- ASP pages should not contain any hard-coded administrator account names and administrator account passwords.
- Secure Sockets Layer (SSL) is an encryption technology that can be used to encrypt session cookies.
- Sensitive or confidential information and data should not be stored in hidden input fields on Web pages and in cookies.
- You should at all times verify and validate form input prior to it being processed.
- You should not use information from HTTP request headers to code decision branches for applications.
- Be wary of buffer overflows generated by unsound coding standards.
How to enable or disable Web service extensions using the Web Service Extensions node in IIS Manager:
- Open IIS Manager.
- Select the Web Server Extensions node.
- To enable a Web service extension, right-click the extension, and select Allow.
- To disable a Web service extension, right-click the extension, and select Prohibit.
How to enable or disable ISAPI and CGI Extensions:
- Open IIS Manager.
- Select the Web Server Extensions node.
- If you want to enable all ISAPI and CGI extensions to run, Allow both the Allow Unknown ISAPI Extensions and the Allow Unknown CGI Extensions options on the Standard tab.
- You can alternatively switch to the Extended view. You do this by clicking the Extended tab located at the bottom of the details pane.
- Specify which applications are allowed.
- The method just described is a better option than allowing all ISAPI and CGI extensions to run on the IIS Server.
How to allow all required Web Service Extensions for a specific application:
- Open IIS Manager.
- Select the Web Server Extensions node.
- Switch to the Extended view by clicking the Extended tab located at the bottom of the details pane.
- Click the Allow All Web Service Extensions For a Specific Application.
- Select the application from the available list.
- Click OK.
How to add a new Web Service Extension:
- Open IIS Manager.
- Select the Web Server Extensions node.
- Switch to the Extended view by clicking the Extended tab located at the bottom of the details pane.
- Click the Add A New Web Service Extension option.
- When the New Web Service Extension dialog box opens, enter a name for the new web extension. This is the name that will be displayed in the IIS Manager.
- For ISAPI, choose the DLLs that the new extension requires.
- For CGI, choose the EXEs that the new extension requires.
- Click OK.
How to configure execute permissions for applications to run:
Execute permissions (application permissions) are configured in the Home Directory tab or in the Virtual Directory tab that contains the application root. Application roots can exist in the home directory of a site, or in a virtual directory of a site.
To configure execute permissions,
- Open the IIS Manager
- Navigate to the Home Directory tab or the Virtual Directory tab.
- The Execute Permissions drop down list box contains the following options:
- None, allows only access to static files. Selecting the None option would prevent dynamic applications from running
- Scripts Only, prohibits the running of executables while allowing scripts to run.
- Scripts And Executables, scripts and executables are allowed to run.
How to create application pools:
- Open the IIS Manager.
- Right-click the Application Pools node in the console tree, and select New and then Application Pool from the shortcut menu.
- When the Add New Application Pool dialog box opens, enter a name for the new application pool.
- You can specify whether the default settings should be used for the new pool, or you can specify that the settings of an existing pool be used for the new application pool.
- Click OK
How to assign an application to an application pool
- Open the IIS Manager.
- Right-click the appropriate node in the console tree, and click Properties on the shortcut menu.
- Click the Home Directory tab.
- Select the application pool from the Application Pool list.
- Click OK
Selecting an application pool identity
You can select between the following built-in service accounts of Windows Server 2003:
- Network Service account: The Network Service account is the recommended account to use. In fact, it is the default account utilized by IIS because it has the least privileges, and is more flexible than the Local Service account and the Local System account. The characteristics of the Network Service account are:
- The Network Service account has no password.
- It is a member of the Everyone group and the Authenticated Users group.
- The Network Service account has an internal name of NT AUTHORITYNetworkService.
- Local Service account: The Local Service account has the identical rights and privileges than that of the Network Service account. However, the Local Service account can only access resources on the local computer. The characteristics of the Local Service account are:
- The Local Service account has no password.
- It is a member of the Everyone group and the Authenticated Users group.
- The Network Service account has an internal name of NT AUTHORITYLocalService.
- Local System Account: It is recommended to not select this account because of the privileges associated with it. The characteristics of the Local System account are:
- The Local System account has no password.
- The Local System account has an internal name of LocalSystem
- Processes running under the account have the same privileges as the Service Control Manager. This is entity that controls network services running on the particular computer.
How to configure a custom application pool identity:
To increase security, it is recommended to configure custom process identities for the different application pools you have. This would prevent an application that is compromised from compromising all applications on the IIS server.
To create a custom application pool identity,
- Create either a domain user account or a local user account.
- Add the newly created user account to the IIS_WPG group, a new group in IIS 6. User accounts in IIS_WPG group are used as process identities for the worker processes associated with application pools.
- Open IIS Manager.
- Right-click the appropriate application pool, and select Properties from the shortcut menu.
- Click the Identity tab.
- If you want to select one of the built-in service accounts of Windows Server 2003, choose the account from the Predefined drop down list. The Predefined option is enabled by defult.
- If you want to select either a domain user account or a local user account which you have specifically created, select the Configurable option.
- Click the Browse button to choose the domain user account or a local user account as the application pool identity.
- Click OK.
How to enable parent paths for an application:
While it is not generally recommended to enable parent paths, there may be occasions when you might need to enable them so that your older applications can work. The Parent paths feature is an ASP specific feature. When enabled, you can use path statements (“..”) for upward file access. Because of the security vulnerabilities associated with parent paths, it is disabled in IIS 6.
To enable parent paths,
- Open IIS Manager;
- Locate and right-click the application root node, and select Properties from the shortcut menu.
- Click either the Home Directory tab, or the Virtual Directory tab.
- Click Configuration;
- When the Application Configuration dialog box opens, click the Options tab.
- Check the Enable Parent Paths checkbox.
- Click OK.
Securing IIS through Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is an encryption technology that uses public key cryptography to create an encrypted session key to secure communication between a Web server and a Web client. One of the requirements of using the SSL encryption technology is that you need to acquire a digital certificate and install it on the Web server as a server certificate. The digital certificate verifies the identity of the server to the client and also encrypts communications between the server and a client. You can obtain a digital certificate from an external certificate authority, such as VeriSign, GlobalSign or Thawte; or you can configure an internal CA for the organization.
You would need to install and use Certificate Services to configure an internal CA. There are two types of CAs which you can configure, namely an Enterprise CA, or a Stand-alone CA.
- Enterprise CAs: An enterprise CA stores its certificate information in Active Directory. Enterprise CAs are essentially dependent on Active Directory to store and replicate certificate data. What this means is that the enterprise CAs have to be configured as domain controllers.
- Stand-alone CAs: A stand-alone CA stores its certificate data in a shared folder which can be accessed through a Web URL. When users want to request certificates from stand-alone CAs, they have to use Web enrollment.
How to obtain and install a server certificate on an IIS server:
- Open the IIS Manager.
- Right-click the Default Web Site node and click Properties on the shortcut menu.
- When the Default Web Site Properties dialog box opens, click the Directory Security tab.
- Click the Server Certificate button in the Secure Communications section of the tab.
- The Web Server Certificate Wizard starts.
- On the Welcome to the Web Server Certificate Wizard page, click Next.
- Select the Create a New Certificate option, and then click Next
- Select the Send the Request Immediately to an Online Certificate Authority option, and click Next.
- Enter a name for the new server certificate, and select the bit length. The default value is 1024 bits. Click Next.
- Enter an organization name and organization unit, and click Next.
- Enter the name of the site, and click Next.
- Enter a country code, and the state name and city, and click Next.
- Select the TCP port that should be used for SSL connections. The default port used is port 443. Click Next.
- Specify the CA from whom you want to obtain the server certificate. Click Next.
- Verify that you have selected the correct configuration settings on the Summary page.
- Click Next. Click Finish.
- The new server certificate is obtained from the CA and installed on the ISS server.
How to enable SSL on the IIS server:
- Open the IIS Manager.
- Locate and right-click the Default Web Site node, and select Properties from the shortcut menu.
- When the Properties dialog box of the Default Web Site opens, click the Directory Security tab.
- Click the Edit button in the Secure Communications section of the tab.
- When the Secure Communications dialog box opens, click the Require Secure Channel (SSL) checkbox.
- Click OK.
How to manage existing server certificates on the IIS server.
- Open the IIS Manager.
- Right-click the Default Web Site node and click Properties on the shortcut menu.
- When the Default Web Site Properties dialog box opens, click the Directory Security tab.
- Click the Server Certificate button in the Secure Communications section of the tab.
- The Web Server Certificate Wizard restarts, and presents the following options for managing the server certificate.
- Renew the existing server certificate.
- Delete or replace the existing server certificate. This is typically necessary when the server certificate has expired, and when SSL connections are no longer being used.
- Copy or move the existing server certificate to a different server or site.
- Export the existing server certificate.
Enabling and Configuring Web Logging (IIS Logging)
A few benefits of Web logging are summarized below:
- The event logs contain error, warning, and information events which are logged by IIS. The Web logs contain additional information on these events which can be helpful in troubleshooting IIS issues, and recognizing unusual traffic patterns which could be indicative of an attack on the Web server.
- The Web logs provide specific information to the causes of HTTP errors.
You can enable Web logging at one of the following levels:
- Web Sites level: This automatically enables Web logging for all websites hosted in the IIS server.
- Particular Web sites: You can enable Web logging for individual Web sites.
After Web logging is enabled, you can specify those home directories, virtual directories, sub directories, and files which should have access logging enabled.
To enable Web logging:
- Open the IIS Manager.
- Right-click the Default Web Site node, and select Properties from the shortcut menu.
- When the Properties dialog box of the Default Web Site opens, click the Enable Logging checkbox on the Web Site tab.
- In the Active Log Format box, select the log file format that the Web logs should use. The options which you can choose between are:
- W3C Extended Log File format: This is the default log file format used for IIS logging. It allows you to choose which properties should be written to the Web logs. Because you can customize the properties written to the Web logs, the W3C Extended Log File format is considered more flexible than the other formats.
- IIS Log File format: This fixed log file format cannot be customized and is hardly utilized these days.
- NCSA Log File Format: This fixed log file format cannot be customized but can be utilized by most of the existing web server products. The W3C Extended Log File format is though still a better option to use.
- ODBC Logging format: Because ODBC logging generally negatively affects IIS server performance, it is strongly recommended to not enable this logging format. Enabling ODBC logging disables kernel-mode caching in IIS.
- Centralized Binary Logging format: This logging format is typically used when an ISP hosts a vast number of websites on one IIS machine, because it allows all these websites to log to one log file. The Centralized Binary Logging format is a new feature of IIS.
- If you want to log access to all physical directories, virtual directories, subdirectories and files, click the Home Directory tab and select the Log Visits checkbox.
- Click OK.
- If you want to specify that access to files within a virtual directory be logged, navigate to the Properties dialog of the virtual directory, and click the Virtual Directory tab.
- If you want to specify that access to a specific file be logged, navigate to the Properties dialog of the particular file and click the File tab.
To configure which fields or properties should be logged in the W3C Extended Log File Format,
- Open the IIS Manager.
- Right-click the Default Web Site node, and select Properties from the shortcut menu.
- When the Properties dialog box of the Default Web Site opens, click the Enable Logging checkbox on the Web Site tab.
- Click the Properties button on the Web Site tab.
- The Logging Properties dialog box opens.
- Click the Advanced tab.
- The properties or fields which you can select on the Advanced tab are listed below, together with a description for each field:
- Date, the date when the action took place.
- Time, the time when the action took place.
- Client IP Address, the IP address of the client which accessed the IIS server.
- User Name, the name of the user. This is the authentication user name.
- Service Name, the Internet service and the instance number accessed.
- Server Name, the server’s name.
- Server IP Address, the server’s IP address.
- Server Port, the port number which was utilized.
- Method, the HTTP verb utilized in the HTTP client request.
- URI Stem, the file accessed by the client
- URI Query, the query performed by the client.
- Protocol Status, the status of the action based on HTTP terms or FTP terms.
- Win32 Status, the status of the action based on Windows terms.
- Bytes Sent, the number of bytes which the server transmitted to the client.
- Bytes Received, the number of bytes which the server received from the client.
- Time Taken, the duration of the activity.
- Protocol Version, the protocol version which the client utilized.
- Host, the content of the host header.
- User Agent, the browser utilized by the client.
- Cookie, the contents of both sent and received cookies.
- Referrer, the last site which the user accessed.
How to configure the schedule for Web logging
- Open the IIS Manager.
- Right-click the Default Web Site node, and select Properties from the shortcut menu.
- When the Properties dialog box of the Default Web Site opens, click the Enable Logging checkbox on the Web Site tab.
- Click the Properties button on the Web Site tab.
- The Logging Properties dialog box opens.
- The options which you can configure on the General tab are listed below:
- In the New Log Schedule section of the tab, you can select when log files are created:
- Hourly
- Daily
- Weekly
- Monthly
- Unlimited file size
- When the file size reaches:
- Use Local Time for File Naming and Rollover checkbox. Select this option if you want IIS to create new log files at midnight local time when the Daily option is selected. The default is that new log files are created at midnight Greenwich Mean Time (GMT).
- Log File Directory text box: This is the location where the log files are saved. The default log file directory is the WindowsSystem32LogFiles directory. The permissions that should be assigned for a new log file folder are listed below:
- Administrators, Full Control
- SYSTEM, Full Control
- IIS_WPG, Full Control
- Click OK.
- In the New Log Schedule section of the tab, you can select when log files are created:
Comments - No Responses to “Securing IIS”
Sorry but comments are closed at this time.