IIS 7.0 Hardening Recommendations

  • Question

  • User1712439051 posted

    I'm working on a paper about this and thought I'd ping those in the know. Other than the standard "don't install a module that you don't need" advice, are there any more in-depth recommendations? I'm looking at 2 scenarios: an Internet-facing static Web server, and an Intranet Web server that serves dynamic content (ASP.NET, ISAPI, CGI, etc.). What ACLs do I need to set for each scenario? Group policy recommendations?

     I'm basing this on the recommendations for IIS 6, found at http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx.

     Any pointers to good info are greatly appreciated.

     Cheers,

    --Benjamin

    Thursday, June 28, 2007 2:57 PM

Answers

  • User1261541258 posted
     There is not a new version of a hardening paper that I can point you to, but there is a new feature in IIS 7 that will interest you: the application pool sandbox.  At a high level, what this feature does is effectively isolate app pools from each other.  In practice this can prevent an app in one pool from reading information in another app pool's configuration.  So how does it work:
    • By default IIS7 creates 1 site per app pool (when added via inetmgr).
    • At runtime a unique SID (security ID) for the app pool is added to the list of SIDs.  (Note the app pool still has the same process identity.)
    • Internally IIS creates a "temp" configuration file that contains only the configuration settings for the app pool.
    • This temp file is ACL'd with the unique SID.
    • If in a farm, this SID is the same on all servers.
    Everything I mentioned above is automatic and completely transparent to the user.  The degree of isolation is directly proportional to the number of apps in a given app pool.  A 1:1 app:app pool ratio gives you the greatest isolation.

    Now if you want to achieve even greater isolation there are some additional steps you can take.
    1. Disable the anon user:
      1. appcmd set config -section:anonymousAuthentication -userName:"" -password:""
      2. With this all anon access will use the process identity.
    2. Set the ACLs for the App Pool's content to the unique SID (this works for local content only and not UNC).
      1. You will need to use icacls as the SID is not available in the UI.
    3. Create a secure location for:
      1. ASP template cache
      2. Compressed content
      3. Create ASP.NET temp file location for the app pool
        1. Example: appcmd set config "Default Web Site" -section:compilation -tempDirectory:%systemdrive%\inetpub\aspnettemp\site%1 /commit:webroot
    Hopefully this will help you get a better understanding of app pool isolation and how it can help you harden your apps.

    Will

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, July 2, 2007 1:27 PM
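A PowerShell version of the extra isolation steps in the answer above, added here as an example; it is not part of Will's answer and not Microsoft's own script. It uses the WebAdministration module or snap-in (Set-WebConfigurationProperty where the answer uses appcmd, with the appcmd form noted in comments), assumes the per-pool SID can be addressed by the account name `IIS AppPool\<pool name>`, and takes placeholder values for `$SiteName` and `$ContentPath`. It goes one step beyond the answer by cutting ACL inheritance on the content and temp directories so that only SYSTEM, Administrators and this pool's SID remain, and finishes with a read-back check of the ACL and the anonymous user setting.

```powershell
# Added example, not from the original thread: apply the isolation steps from
# Will's answer to one IIS 7 site with PowerShell instead of appcmd.
# Assumptions (mine, not the thread's): run elevated; the WebAdministration
# module (IIS 7.5) or snap-in (IIS 7.0) is available; the pool SID resolves by
# the account name "IIS AppPool\<pool name>"; content is on a local NTFS volume.
param(
    [Parameter(Mandatory = $true)][string]$SiteName,     # e.g. "Default Web Site" (placeholder)
    [Parameter(Mandatory = $true)][string]$ContentPath,  # local path of the site content (placeholder)
    [string]$PoolName = ($SiteName -replace '\s', '')    # one dedicated pool per site
)
if (Get-Module -ListAvailable WebAdministration) { Import-Module WebAdministration }
else { Add-PSSnapin WebAdministration -ErrorAction Stop }

$poolAcct = "IIS AppPool\$PoolName"                    # name form of the per-pool SID
$tempRoot = Join-Path $env:SystemDrive "inetpub\aspnettemp\$PoolName"
$apphost  = 'MACHINE/WEBROOT/APPHOST'                  # applicationHost.config (appcmd /commit:apphost)

# 0. 1:1 app-to-pool ratio: give the site its own pool.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $PoolName

# 1. Disable the anonymous user so anonymous requests run as the pool identity
#    (appcmd: -section:anonymousAuthentication -userName:"" -password:""). The
#    section is locked at server level, so write a <location> in applicationHost.config.
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $anonFilter -Name userName -Value ''
Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $anonFilter -Name password -Value ''

# 2. ACL the content to the pool SID (local content only, as the answer notes).
#    Inheritance is cut so the broad IIS_IUSRS grant inherited from the parent
#    does not let other pools' identities read this site's files.
icacls $ContentPath /inheritance:r `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant "${poolAcct}:(OI)(CI)RX" | Out-Null

# 3. A per-pool ASP.NET temp directory that only this pool can write to
#    (appcmd: -section:compilation -tempDirectory:... /commit:webroot).
New-Item -ItemType Directory -Path $tempRoot -Force | Out-Null
icacls $tempRoot /inheritance:r `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant "${poolAcct}:(OI)(CI)M" | Out-Null
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/compilation' -Name tempDirectory -Value $tempRoot

# Check: only SYSTEM, Administrators and this pool's account should remain on the
# content, and the anonymous user name should read back empty.
(Get-Acl $ContentPath).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $anonFilter -Name userName
```

Run it once per site, e.g. `.\Isolate-Site.ps1 -SiteName "Default Web Site" -ContentPath C:\inetpub\wwwroot`. The ACL check at the end is the part worth keeping in a change record: if any identity other than SYSTEM, Administrators and `IIS AppPool\<pool>` still appears, the isolation the answer describes is not complete for that site.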
  • User1073881637 posted

    For your static Internet-facing server, you could look at Server Core / Web edition, which does not serve .NET applications but supports classic ASP and HTML pages.  This would be a perfect situation for this version of Windows Server 2008 / IIS7.  I'm not quite sure when this version is available, but it will be in the near future.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, July 4, 2007 4:23 AM

All replies

  • User1583127615 posted

    As I found this post, I realized it's been about 2 years since IIS 7.0 was released.

    These days I'm looking for hardening recommendations and vulnerabilities in IIS 7.0 in order to document them.

    Please give me some info or resources.

    Thank you very much.

    Wednesday, December 30, 2009 6:30 AM
  • User-2064283741 posted

    There is not much more hardening recommendation for IIS7.

    In fact IIS6 on Windows 2003 is pretty solid out of the box and more so with best practices. In fact we had the penetration testers in for 3 days last week just to look at my IIS config. And we really tried to break stuff.  And the conclusions were that only minor problems occur. Irrelevant things like showing banners and low ciphers that always appear on pen tests and are only in there to bulk it out.

    In fact you will have more problems with the technologies employed on top: .NET, PHP, etc.

    IIS7 is more robust still and I'm not expecting any problems there. For crazy security follow the guidelines in this post, but a sensible app pool identity with the minimum privileges for separate sites is more than enough.

    Wednesday, December 30, 2009 6:58 AM
  • User1073881637 posted

    Rovastar is correct: unlike w2k and IIS 5, w2k3 was pretty locked down and doesn't need much additional out of the box.  Here are a few things I've done to lock down IIS 7 and w2k8.  These are some IIS- and OS-specific items I've done.

    1) Run as ApplicationPoolIdentity.

    2) Uninstall any modules that aren't used, especially authentication modules.  Not having modules reduces the attack surface.  If you install additional modules, run them at website level, don't load them at server level; use the web.config to load the modules in the <system.webServer> section.

    3) Look at using Request Filtering or UrlScan to block SQL injections.

    4) You can use host-headers to help reduce automated IP-based bot attacks.

    5) Do not enable remote management; it's disabled by default.

    6) Don't install FTP, SMTP services.

    7) Run each website in its own application pool.

    8) Lock down any delegated permissions or remove them altogether.

    OS, App suggestions

    9) Run the Security Configuration Wizard; this does OS-level changes.   Definitely spin up a test VM or box to test SCW before applying at GPO level.

    http://www.iislogs.com/steveschofield/how-to-use-security-configuration-wizard-in-windows-server-2008

    10) Run Windows firewall, block all but 3389, 80, 443, echo reply (for monitoring and pings).

    11) Place data on a separate drive, remove default NTFS permissions.

    12) Keep up on security patches, service packs.

    13) Run ASP.NET apps in medium or partial trust if possible.  Don't install DLLs in the GAC (global assembly cache).

    14) Enable auditing in the local security policy (or GPO).

    15) Run anti-virus software.

    16) Enable custom errors so unhandled errors aren't displayed remotely.

    17) Most web applications need to be properly tested for hacking, unhandled exceptions, etc.  IIS 7 itself is solid; the applications need to be load tested and tested for how they handle such situations.

    18) Run the 64-bit version of w2k8 or R2.

    Wednesday, December 30, 2009 9:24 PM
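A read-only audit of the IIS-level items in the list above (pool identity, globally loaded authentication modules, request filtering, remote management and FTP/SMTP services, one pool per site, custom errors), added here as an example; it is not Steve's script and not part of IIS. It assumes an elevated session with the WebAdministration module (IIS 7.5) or snap-in (IIS 7.0), and the thresholds and the item numbers in the findings are mine, chosen to match the numbering of the post.

```powershell
# Added example, not from the original thread: audit the IIS-level items in
# Steve's list (1, 2, 3, 5, 6, 7, 16) on the local server and list findings.
# Assumptions (mine): run elevated; WebAdministration module or snap-in present.
if (Get-Module -ListAvailable WebAdministration) { Import-Module WebAdministration }
else { Add-PSSnapin WebAdministration -ErrorAction Stop }

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Item, [string]$Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{ Item = $Item; Detail = $Detail }))
}

# Get-WebConfigurationProperty returns a bare value for some attributes and a
# ConfigurationAttribute object (with .Value) for others; normalise to the value.
function Get-ConfigValue([string]$PSPath, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($v -ne $null -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# 7) one site per pool, and 1) each pool running as ApplicationPoolIdentity
$sites = Get-ChildItem IIS:\Sites
$sites | Group-Object applicationPool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $shared = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    Add-Finding '7 own app pool' "pool '$($_.Name)' is shared by: $shared"
}
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    if ($pool.processModel.identityType -ne 'ApplicationPoolIdentity') {
        Add-Finding '1 pool identity' "pool '$($pool.Name)' runs as $($pool.processModel.identityType)"
    }
}

# 2) authentication modules loaded at server level (load what you need per site instead)
$serverModules = Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/modules/add' |
    ForEach-Object { $_.name }
$authModules = $serverModules | Where-Object { $_ -match 'Authentication' }
if ($authModules) { Add-Finding '2 modules' "authentication modules loaded globally: $($authModules -join ', ')" }

# 3) request filtering basics (30 MB limit is my threshold, not the post's)
if (Get-ConfigValue 'IIS:\' 'system.webServer/security/requestFiltering' 'allowDoubleEscaping') {
    Add-Finding '3 request filtering' 'allowDoubleEscaping is true'
}
$maxLen = Get-ConfigValue 'IIS:\' 'system.webServer/security/requestFiltering/requestLimits' 'maxAllowedContentLength'
if ([int64]$maxLen -gt 30000000) { Add-Finding '3 request filtering' "maxAllowedContentLength=$maxLen" }

# 5) remote management (WMSVC) and 6) FTP/SMTP services should not be running
foreach ($svc in 'WMSVC', 'MSFTPSVC', 'FTPSVC', 'SMTPSVC') {
    $s = Get-Service $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') { Add-Finding '5/6 services' "$svc is running" }
}

# 16) custom errors: detailed error pages must not be sent to remote clients
foreach ($site in $sites) {
    $path = "IIS:\Sites\$($site.Name)"
    $mode = Get-ConfigValue $path 'system.webServer/httpErrors' 'errorMode'
    if ("$mode" -eq 'Detailed') { Add-Finding '16 custom errors' "$($site.Name): httpErrors errorMode=Detailed" }
    $aspMode = Get-ConfigValue $path 'system.web/customErrors' 'mode'
    if ("$aspMode" -eq 'Off') { Add-Finding '16 custom errors' "$($site.Name): ASP.NET customErrors mode=Off" }
}

$findings | Sort-Object Item | Format-Table Item, Detail -AutoSize
```

An empty table means none of the checked items deviates; each finding names the site, pool or service so it can be matched back to the numbered item in the post. The items it does not cover (SCW, firewall, patching, trust level, auditing, AV) are OS-side and are better checked with the tools the post names for them.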
  • User1583127615 posted
    Dear Steve, thanks for your great information, but I just want to ask you: should I do anything or make any change in the registry for security or not? Have you experienced this or not for IIS 7.0?
    Sunday, January 3, 2010 3:56 AM
  • User1073881637 posted

    I personally haven't done anything locking down the registry and IIS 7.   The Security Configuration Wizard could have some recommendations, but if you use the principle of having the account have little or no permissions except what it needs on the box, the registry would be off-limits for the most part.  Run SCW and see if there are any recommendations is all I can suggest.  I like SCW since it'll show you what it wants to lock down; you can see the results in your environment, investigate any settings you are not sure about, then test on a non-production box or TEST VM.  MS has done a great job since Windows 2003 locking things down by default.   Hope there is an answer in there. :)

    Sunday, January 3, 2010 12:59 PM
  • User547237895 posted
    Great thread! About using antivirus software on the IIS web servers, are there any recommendations on how to configure the AV software? Are there specific paths which might be good to exclude, performance-wise? Thx,
    Monday, January 4, 2010 2:32 AM
  • User1073881637 posted

    I can only speak from my experience.  1) If you install SharePoint or other software, there are specific recommendations by MS.  The general rule I've followed is to be as aggressive as possible and have exclusions for file types, log files, temporary internet files, paging files, MDF, LDF, NDF.  Most software allows for file exclusions by file extension such as aspx, ascx and other normal web file types.   I've also not had AV installed on Windows servers, although for PCI compliance, AV is almost required.  Hope this helps.

    Monday, January 4, 2010 10:43 PM
  • User-1341446551 posted

    Peter,

      Just to add to what Steve has mentioned... Some AV products have a policy of scanning files "on access"... that's not such a useful thing and sometimes even troublesome... Rather, change the AV policy to scan "on modify"... this will give you great performance benefits...

    Tuesday, January 5, 2010 1:50 PM
  • User-1864040280 posted

    Check out the step-by-step guide below:

    http://eyalestrin.blogspot.com/2010/05/hardening-guide-for-iis-75-on-windows.html

    Wednesday, June 2, 2010 4:32 PM
  • User256478042 posted

    The above link is broken. Try the link below:

    http://security-24-7.com/hardening-guide-for-iis-7-5-on-windows-2008-r2-server-core-platform/

    Monday, July 2, 2012 4:01 AM