
7/2/2019 12:24 PM IIS7 Security © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may.


1 7/2/2019 12:24 PM IIS7 Security
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 IIS 7 Security

3 IIS 6 Today: A Proven Platform
Proven Scalability
Proven Security
Proven Trust
A solid foundation to build on.

When the web was created, it was never conceived as a means to transact billions of dollars of business, provide a fabric for social networking, or deliver rich media. Web servers have come a long way from simply delivering static content, and IIS has been there every step of the way. From IIS 4 to IIS 5, we added a shared process space that did not run with administrative privileges and the ability to have multiple isolated processes. Of course, IIS 5 also brought us a suite of now famous security vulnerabilities that changed the very foundation of Microsoft and other companies as well. These lessons were integrated into IIS 6, which was designed with a focus on security and an improved process model that significantly improved uptime. In addition, performance enhancements in IIS 6 and ASP.NET 2.0 have provided a highly scalable platform. The result has been widespread adoption and a solid foundation on which to build IIS 7.

4 Security Progress for IIS
Two security patches for IIS 6 since RTM (>3 yrs)

[Timeline chart, 2002 to 2006, with one row each for IIS 4, IIS 5 and IIS 6. Items readable from the chart: 4/15 Server 2003 RTM, WebDAV DoS, ASP, 10/12 04-021, 06/11 06-034, 10/30 02-062, 7/13 04-021. Legend: Critical; Rollup with X updates. Footnote: two bulletins (numbers not recoverable) are not included because they update the SMTP service only; ASP.NET 1.0/1.1 bulletins are counted separately.]

Key point: DO NOT MINIMIZE THE IMPACT OF THE IIS 5 SECURITY VULNERABILITIES that were experienced by customers. Acknowledge the seriousness of these problems. When talking about IIS security, talk about our record and improvements. Do not get dragged into a comparative discussion where you diminish the security of anyone else's product. Let the strength of our record do the talking. The key point is this: there are plenty of reasons why you might choose another web server besides IIS, such as in-house expertise, investments in an existing platform and others, but based on IIS 6 history, security is not one of those reasons. "This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was." People are often surprised to hear this. The facts are that if you compare security on IIS + ASP.NET + version of OS to any other web server + language + version of OS, the Windows platform compares very well and often better.

5 IIS 6: No Critical fixes since RTM
The link can be kind of hard to find, so try it first or browse directly to Secunia.com at

6 Building on a Solid Foundation: IIS 7 Security Features
Modular Design: Reduced exposure at installation and runtime
.NET Integration: Forms Auth for any content; use of .NET Role and Membership Providers
Built in anonymous account: Easier to administer, restore, and configure
Application Pool Isolation: Improved sandboxing between applications
URLAuthorization and Request Filtering: New choices for improving security
Kernel mode SSL and authentication: Faster negotiation of security exchanges, fewer problems

Self explanatory

7 Reduced Footprint and Specialized Servers
Features implemented as discrete modules
Modularity improves security: Reduced module set by default at install; remove modules that you do not need
Extensibility allows security customization: Add authentication, logging, or blocking mechanisms

Self explanatory

8 IIS 7 Security Features provided by .NET
Integrated pipeline enables Forms authentication with any content
Leverage an existing user database with .NET Role/Membership providers
Examples: Store user names in Active Directory or the local SAM; SQL 2005 Express for static site users; ADAM for users and groups in a PHP application; DB2 mainframe users and groups in ASP.NET

The integrated pipeline allows IIS7 to implement features that previously were only available in the ASP.NET pipeline. This includes Forms authentication, which can now be used for any content in addition to ASP.NET applications. Users and groups can be in the local SAM, AD, or stored in any database for which you have a .NET membership and/or role provider. This allows you to use a wide variety of data stores for your users and groups, including MySQL, Oracle, and mainframe databases like DB2. In addition, if you don't have a membership or role provider for your system, you can write one in .NET. The bigger point here is that the modular, integrated pipeline allows you to use not only .NET security features, but any .NET technology that could be useful to your applications.

9 Forms Authentication with Static Content
demo: Forms Authentication with Static Content (#1 of 6)

The Gallery website is set up to demo this. This uses an XML provider for demonstration purposes only. You can see the users in the APP_DATA folder (a hidden namespace). Note that the web.config is an example of delegation that enables loading specialized modules to display images in a special way. In addition, you can see that forms authentication is enabled in the web.config and URL Authorization rules limit access. Key point is that this could be any content (PHP, classic ASP) and any membership provider (SQL, MySQL, DB2, etc.).

10 URLAuthorization
Control access to sites, folders, or files without using NTFS
Inspired by ASP.NET URL authorization, but designed for administrators
Rules are stored in .config files; delegate control to store in web.config
Authorization rules are then portable: Xcopy and maintain security
Use Windows principals or a .NET provider
Native to IIS 7

This is a very big improvement in IIS security that is not widely known. Placing access rules in .config files can make securing an IIS 7 server much easier than before. By using text based rules instead of local ACLs on files, you can secure access without having to rely so heavily on file permissions. The .config file rules can be controlled via the administration interfaces and are portable.

11 demo URL Authorization #2 of 6
Note: this demo is based on Authorization/Understanding-IIS7-URL-Authorization?tabid=1

At a command prompt:
Type Net Users and show the users Alice, Bob and Fred.
Type Net Localgroup bobandfriends; this shows that Alice and Bob are members of bobandfriends.
Show the Security website, which has two pages and no web.config.
Browse the default page. Note that you're the anonymous user.
Browse to Bobssecret.aspx. Note the secret and that you're the anonymous user.
With the Security website selected, open Authentication and disable Anonymous auth. Enable Basic auth. All requests will be challenged now.
Click on Authorization Rules and remove Allow all users. Add an Allow rule and specify the group bobandfriends.
Browse the security site and authenticate as bob, pass; view the page.
Close the browser and repeat; authenticate as fred, pass: access denied.
In the content view, select bobssecret.aspx. On the right, click Return to Features view.
In the authorization window, enter Bob as the only user who can access the secrets page.
Access the page as Alice: fails. Access the page as Bob: succeeds.
At the end of this demo, turn off Basic and turn on Anonymous in order to set up the next demo.
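The configuration that the URL Authorization demo above produces, written out as an added example (this is not code from the deck or from Microsoft). The site name Security, the page bobssecret.aspx, the local group bobandfriends and the users come from the demo; everything else is an assumption. The authentication switch goes in applicationHost.config because the anonymousAuthentication and basicAuthentication sections are locked against delegation by default, while the authorization rules can live in the site's web.config, which is exactly the portability point the slide makes.

```xml
<!-- Fragment 1: applicationHost.config (added example, not the deck's own code).
     "Disable Anonymous, enable Basic" scoped to the Security site. -->
<location path="Security">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- Fragment 2: web.config at the root of the Security site (added example).
     URL Authorization is delegated, so these rules travel with the content. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- "Remove allow all users": drop the inherited default rule -->
        <remove users="*" roles="" verbs="" />
        <!-- Members of bobandfriends (Alice, Bob) are allowed. Fred matches no
             Allow rule, so his authenticated request is refused. -->
        <add accessType="Allow" roles="bobandfriends" />
      </authorization>
    </security>
  </system.webServer>

  <!-- Per-file rule: Bob is the only user who may read the secrets page.
       IIS7 evaluates Deny rules before Allow rules, so the inherited group
       Allow is cleared rather than adding a Deny for everyone, which would
       shut Bob out as well. Alice (in the group, but not bob) now fails. -->
  <location path="bobssecret.aspx">
    <system.webServer>
      <security>
        <authorization>
          <clear />
          <add accessType="Allow" users="bob" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Because the rules are text, the same web.config copied to another server with the same local group gives the same access decisions, which is the Xcopy argument on the previous slide; the only server-local dependency left is the group membership itself.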

12 Request Filtering IIS 7 integrates URLScan style rules
Very strong security feature
Prevent URLs that contain "any string"
Block URLs over "X" in length
Prevent delivery of ".config" or "/bin"
Easy to read rules stored in .config; delegate control to store in web.config
Filtering rules are then portable
Cannot be edited in UI
New error codes track rejections

Request filtering provides an easy to use, rule based defense that prevents malicious URLs from ever reaching your applications. Many customers implemented URLScan in IIS 5 and IIS 6, so this capability is now built into IIS7. Features include rules to deny specific extensions or character sequences in a URL, and to reject based on length of URL, content size, or query length. Also, you can specify "hidden" namespaces that cannot be requested in a URL even if present on the server. For example, web.config and the folders \App_Data and \Bin are defined as hidden namespaces by default and will not be served by IIS7. Very important to point out that filtering URL length is one of the best security measures. You can use logparser to parse your application logs and determine the longest request. Anything over that is either due to new content or is illegal. Most buffer overflows are long URLs sent to an application. There is no UI for configuring request filtering, but rules can be easily added to the .config files manually or using one of the command line tools. Nice article here

13 Request Filtering Error Codes

14 demo Request Filtering #3 of 6
Review the request filtering rules in applicationHost.config.
Add the following line in the requestFiltering section:
    <requestLimits maxAllowedContentLength="1000" maxUrl="100" maxQueryString="25" />
Browse to any site. It should work.
Browse to the same site but hold down any key until the URL is over 100 characters. Observe the error.
If time permits, also create a hidden namespace for a folder.
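A complete requestFiltering section covering every rule type the Request Filtering slide lists, as an added example (not from the deck). The three limits are the values the demo adds; the .bak extension, the private folder and the ".." sequence are constructed for illustration. The substatus codes in the comments are the ones IIS 7 logs for each rejection, which is the "new error codes track rejections" bullet in concrete form.

```xml
<!-- web.config for a site (added example). requestFiltering is delegated by
     default, so this can sit in the site's web.config, or the same element can
     go into applicationHost.config as the demo does. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Length limits from the demo. Rejections are logged as 404 with a
             substatus: URL over maxUrl -> 404.14, query string over
             maxQueryString -> 404.15, body over maxAllowedContentLength -> 404.13.
             maxUrl="100" is a demo value; size it from the longest legitimate
             request in your own logs, as the slide suggests. -->
        <requestLimits maxAllowedContentLength="1000"
                       maxUrl="100"
                       maxQueryString="25" />

        <!-- Extension blocking (404.7). .config is already denied by the
             default list in applicationHost.config; re-adding an existing
             entry in web.config is a duplicate collection entry and breaks
             the site with a configuration error, so only new ones go here. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>

        <!-- Hidden namespaces (404.8). bin and App_Data are hidden by default;
             "private" is the extra folder from the demo's last step (assumed name). -->
        <hiddenSegments>
          <add segment="private" />
        </hiddenSegments>

        <!-- URLScan-style "prevent URLs that contain any string" (404.5). -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Because the rejection happens in the request filtering module, before any handler runs, the blocked requests never reach application code; the 404.x substatus in the W3C log is what you filter on to see how often each rule fires.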

15 Changes in Anonymous User will Improve IT Pro experience
IUSR instead of IUSR_<servername>
IUSR is "built in", not a local account
Cannot log on to the system with this account
No password to worry about
Same SID on all Vista/LH servers: file ACLs are valid between servers
Allow anonymous access and turn off IUSR: use the process identity for anonymous access when enabled; disabled by default

Note: Details about the anonymous user are important. Take time to answer questions and make this clear if necessary. Explain the difference between a built in account and a local account. The new IUSR account replaces IUSR_<servername>, which was created when IIS 4, 5, or 6 was installed. The built in IUSR account does not have a password, so it cannot be used to log in, nor will it expire or get locked out. If you set ACLs on a file to Deny IUSR and copy that file with ACLs to another Vista or LH system, the ACLs will be valid on the target system. This helps replication and recovery, and simplifies administration. Note that the IUSR account does not have network rights. If you need to get off the box as the IUSR, you will need to specify a local or domain account.
    appcmd set config -section:anonymousAuthentication -userName:"" --password

16 IIS_WPG replaced with IIS_IUSR
IIS_WPG local group in IIS 6: All app pool identities must be in IIS_WPG; creates administrative overhead; adds complexity to hardening/pool isolation
IIS_IUSR replaces IIS_WPG: Built in group, not local; well known SID means ACLs respected; pool identities are automatically added

In IIS 6, if you used a custom application pool identity, it was necessary to manually add that identity to the local group IIS_WPG. In IIS 7, the local IIS_WPG has been replaced by IIS_IUSR, a built in group. Like other built in groups, the SID is well known between Vista and Longhorn servers, so ACLs are respected after Xcopy. But most importantly, custom pool identities are added automatically to this group, eliminating the need to manually maintain membership. This feature can be disabled:
    <applicationPools>
        <add name="DefaultAppPool">
            <processModel manualGroupMembership="true" />
        </add>
    </applicationPools>

17 demo Disabling Anon User #4 of 6
This is an important demo that does more than what the title says. It also walks the user through what is necessary to enable an executable to run on the server.

Setup: Enable Anonymous and disable Basic authentication if necessary. Be sure the anonymous user is enabled for IUSR and not the pool identity. Ensure the CGI handler is disabled and that ISAPI restrictions do not allow w3who.dll. Permissions on w3who.dll should be set so that there are no inherited permissions.

Note the \who folder in the Security website. Explain that w3who.dll is from the Windows 2000 Resource Kit and shows the users and groups of the user that invokes the executable.
Open the folder and browse to w3who.dll. The file should be offered for download. Cancel.
Click on the server node and select CGI and ISAPI extensions. Enable w3who.dll in the list.
At the server node, go to Handlers and note that ISAPI is disabled. Click Edit Handler Permissions and set Execute.
Try w3who.dll. It should execute. Note that the request was run as the IUSR identity.
At the server node, open Authentication and select Anonymous Authentication. On the right, select Edit, then set the anonymous identity to the application pool.
Rerun w3who.dll; note the new identity!
Optionally, review the ACLs on w3who.dll and discuss what would be needed to allow this to run. Change permissions on w3who.dll to allow System and Administrators full control and Network Service Execute. Works! The point is that management of permissions gets much easier.
Another discussion point is what happens if you use a unique application pool identity?
Another discussion point is to note the Application Pool SID in the list of identities. This will come up later in sandboxing.
Note: DO NOT RESET settings; you are set up for the next demo.

18 Application Pool Sandbox
New IIS 7 feature significantly improves application pool isolation
Prevents an attacker from reading secrets in another pool's config
Works automatically, and is transparent to configuration and operation
Process identity is unchanged: Network Service by default
Note that application pools cannot read applicationHost.config by default.

Important: please be sure to message this correctly. Centralized configuration is not intended to provide a web farm management solution. Centralized configuration lays the foundation on which a management solution can be built. Microsoft will be providing out of band a tool (or tools) to facilitate replication that includes content, .NET assemblies, and other local objects that need to be synchronized in a server farm. This feature is still in beta and there will be updates; however, the basic implementation design will likely be the same.

In some environments, you want to ensure that an application cannot read anything at all related to another application's content or configuration. The difficulty is that an application can read content as the logged on user, or as the process identity, which may have more privileges than the anonymous user. The owner of a website can easily launch an application that will use the process identity's credentials to read files on the server. If multiple pools share the same identity, applications from one pool can read content in another pool, presuming ACLs allow it, which they often do. IIS 7 introduces application pool sandboxing features that are transparent to the user. In addition, this combines with disabling the anonymous user for anonymous access to make sandboxing much easier than most people realize. Finally, the new sandboxing allows for simplifying ACLs on content to make it more secure and easier to manage.

19 Application Sandbox: How it works
Each site is assigned to a unique pool; occurs automatically with a new site in the UI
At runtime:
A unique SID for the pool is "injected" into the process' list of SIDs; does not change the process identity
A "temp" config file is created that contains only the config settings for the pool
The temp config file is ACLd with the unique SID
The SID will be the same on other servers

Each site is assigned to a unique pool when it's created in the UI. (Applications that share the same memory space cannot be effectively sandboxed.) When the pool starts, a configuration file is created in \inetpub\temp\apppools\<poolname>.config. This config file contains only the settings required for this pool. File permissions are set so that only this pool can read it (aside from System and Administrators).

20 Application Pool Sandbox
demo: Application Pool Sandbox (#5 of 6)

Return to the anonymous configuration and set it back to use the application pool identity.
Launch w3who.dll and note the entry for IIS AppPool\Security. Note that the process identity is still Network Service. Sandboxing does not change the default.
Browse to \inetpub\temp\apppools\security to see the config file.
Show the permissions of the SecurityAppPool.config file. Note the SecurityAppPool SID. Only the SecurityAppPool can read this configuration.
Change the anonymous user access back to IUSR before ending.

21 Hardening the Sandbox Additional steps for increasing security
Disable anon user:
    appcmd set config -section:anonymousAuthentication -userName:"" --password
All anonymous access will then occur as the process identity.
Set content for access by the App Pool unique SID (with icacls); local content only, won't work for UNC content
Create a secure location for the ASP template cache
Compressed content
Create an ASP.NET temp file location for the pool:
    appcmd set config "Default Web Site" -section:compilation -tempDirectory:%systemdrive%\inetpub\temp\aspnettemp\site%1 /commit:webroot
See Hosters/Shared-Hosting-on-IIS7?Page=1 for the recent walkthrough on configuring for shared hosting

22 Advanced Hardening #6 of 6
demo: Hardening the Sandbox (#6 of 6)

This demo illustrates how you can use the unique application pool SID to further harden your sandbox.
View the file permissions on w3who.dll. Note that it has several entries that might allow another process to access it: Network Service and Users, for example.
Wouldn't it be great if we could assign file permissions to our site content so that no other application pool can touch this content? The application pool sandbox feature secures the pool configuration, but not the pool's content. If we can assign to our content the same SID that is used by the application pool's configuration, our content would be protected from access by any other pool.
With the file permissions UI for w3who.dll, try to locate the SecurityAppPool SID that we saw on the application pool configuration file. It is not present. The SID is not available in the UI.
In order to change the permissions on w3who.dll to the unique application pool SID, it is necessary to use icacls. From a command prompt, browse to c:\inetpub\webcontent\security\who and type "secureit" and enter. You should see 1 file successfully processed.
Review the file permissions again. Note the new permissions.
Browse to w3who.dll: access denied. 10 points for knowing why! Permissions do not allow IUSR access.
Change anonymous authentication to use the app pool identity and browse again. Success!
Return the anonymous identity to IUSR.
Run default.cmd from the command prompt to reset the w3who.dll permissions.

23 Security Features moved to Kernel
Kernel Mode SSL: Improves performance; reduces context switches to user mode
Kernel Mode Authentication: Kerberos functions when using a custom application pool identity! No need to use SETSPN, as access to the DC occurs as the machine account

Authentication that is not application based is now performed by http.sys in kernel mode. This results in performance gains, but most importantly, if you have custom application pool identities, there is no need to use SETSPN to enable Kerberos authentication.
RC1: Disable kernel mode auth in UI

24 IIS 7 Security Summary
IIS 7 provides improvements and new capabilities that increase security and simplify administration

Feature: Benefit
Modular Design: Reduced footprint, less exposure
Built in anonymous user: Can't expire or lock out, no password to manage
Disable anon user: Simplify ACLs on content
Integrated pipeline: Use Forms authentication and .NET role/membership providers
Request Filtering: Prevent malicious content from reaching applications
URLAuthorization: Use file based rules instead of ACLs to control access
Kernel Mode Authentication and SSL: No SETSPN with custom pool identities; faster SSL and auth
Application Pool Sandbox: Improved isolation between pools



27 UNC Password Rules with Virtual Directories and Sites
IIS 6 used different rules for local vs. UNC
IIS 7 rules are simplified to be consistent
Rule: If a username and password are supplied for a site or directory, they are used for all content regardless of location.

28 Enable for Delegation
Read/Write: If set, delegation is enabled

29 Q&A about Security
Q: Where do I configure Read/Write properties that were in IIS 6?
A: Handler properties
Q: How do I install a certificate?
A: Install a self signed cert in the UI or use the wizard
Q: What happened to Web Service Extensions?
A: Implemented as ISAPI and CGI restrictions in the UI
Q: Do I need URLScan?
A: No.

30 IIS7 vs ASP.NET URLAuth Difference

Rule evaluation order
    ASP.NET URL Authorization: a) lower level first, going up to the parent; b) order of appearance in the rule collection
    IIS7 URL Authorization: a) Deny rules get evaluated first, starting at the parent; b) Allow rules, starting at the parent; c) order of appearance in the rule collection
IIS7 user interface
    ASP.NET URL Authorization: No IIS7 user interface
    IIS7 URL Authorization: "Authorization Rules" user interface
Configuration section
    ASP.NET URL Authorization: system.web/authorization
    IIS7 URL Authorization: system.webServer/security/authorization
Module
    ASP.NET URL Authorization: System.Web.Security.UrlAuthorization
    IIS7 URL Authorization: %windir%\system32\inetsrv\urlauthz.dll
Content
    ASP.NET URL Authorization: Applies only to content that is mapped to a managed handler (can be turned off via the managedHandler precondition)
    IIS7 URL Authorization: Applies to all content

