November 21, 2014
Locking down your Windows XP IIS Server (v5.1)

(Please note: if you're using IIS 6.0 on Windows Server 2003, Windows XP 64-Bit version 2003, or IIS 6.5/7.0 on Windows Codename "Longhorn", you may find you actually need to enable what you want rather than disabling features as I'm suggesting here. This is because IIS 6.0 and above come with most additional features beyond serving HTML pages disabled. If you're using Windows NT4 you should make sure you have IIS 4.0 and immediately skip to the IIS Lockdown Tool and Microsoft Baseline Security Analyzer.)

IIS Parent Paths

If ASPEnableParentPaths has been enabled on a particular website in IIS and the parent directories have execute access rights, a script could be executed, causing an unauthorized program to run in a parent directory. If you require this functionality in your application, or you use Microsoft Project Central and Project Server 2002, do not disable parent paths.

The ASPEnableParentPaths metabase property allows or disallows an ASP page to refer to items relative to the current directory path (e.g. ..\). Disabling ASPEnableParentPaths only affects content dynamically created using ASP. So if you disabled ASPEnableParentPaths the following code would no longer work (and would show a 0131 error):

<img src="../example_directory/mydynamiclylinkedpicture.jpg">
But you would still be able to link to static .html, .php, .aspx and .asp pages, and use
<img src="/example_directory/mystaticlylinkedpicture.jpg">


To disable parent paths in Windows XP Professional/SP1, go to Start > Run and enter
%SystemRoot%\System32\inetsrv\iis.msc

This command will load the Internet Information Services Management console.

Expand <Machine Name> (local computer) > Web Sites. Then right-click 'Default Web Site' and select Properties. Click the Home Directory tab and then the Configuration button. A new window called 'Application Configuration' will appear; select the Options tab. Now uncheck 'Enable Parent Paths' and click OK.
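The same check and change can be scripted against the IIS metabase through its ADSI provider, which is useful when you want to audit every site rather than click through the console. The script below is an added example (not code from the original article); it assumes the IIS ADSI provider is installed (it is part of IIS 5.x) and that it is run from an administrator account with cscript. It reports AspEnableParentPaths and AccessExecute for each site, flags the combination the text describes as risky, and only writes a change when run with /fix.

```vbscript
' audit-parentpaths.vbs (hypothetical file name; added example, not from the article)
' Lists AspEnableParentPaths and AccessExecute for every web site via the IIS ADSI
' provider, warns when both are enabled, and with /fix disables parent paths.
' Usage: cscript //nologo audit-parentpaths.vbs [/fix]
Option Explicit

Dim fixMode, w3svc, site, root, risky
fixMode = False
If WScript.Arguments.Count > 0 Then
    If LCase(WScript.Arguments(0)) = "/fix" Then fixMode = True
End If

' IIS://localhost/W3SVC is the metabase node that contains all web sites.
Set w3svc = GetObject("IIS://localhost/W3SVC")

For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        ' The site's home directory (the "Home Directory" tab in iis.msc) is its Root node.
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/Root")
        risky = root.AspEnableParentPaths And root.AccessExecute

        WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
        WScript.Echo "  AspEnableParentPaths = " & root.AspEnableParentPaths
        WScript.Echo "  AccessExecute        = " & root.AccessExecute
        If risky Then
            WScript.Echo "  WARNING: parent paths and execute access are both enabled"
        End If

        If fixMode And root.AspEnableParentPaths Then
            root.AspEnableParentPaths = False
            root.SetInfo   ' commit the change to the metabase
            WScript.Echo "  -> AspEnableParentPaths disabled"
        End If
    End If
Next
```

Run it without arguments first to see the current state; on a Windows XP machine there is normally only site 1 (the Default Web Site). Settings on individual virtual directories can override the site root, so a directory that explicitly re-enables parent paths would not be caught by a root-only check.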

IIS Sample Applications

Although these samples are a good source of information when learning about IIS, they contain well-known scripts which could potentially be exploited by a malicious attacker.

To remove this threat you can remove the virtual directories which these samples use (see part 3 for information on virtual directories). To do this simply select the following virtual directories under the default website and hit the Delete key.

IISsamples - \Inetpub\iissamples
IISHelp - %windir%\help\iishelp
MSADC - \Program Files\common files\system\msadc

You should also remove the scripts virtual directory unless you are using them.
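To find out which of these sample and helper virtual directories actually exist on a machine before deleting anything, the following added example (not part of the original article) walks each site's root through the IIS ADSI provider and reports any virtual directory whose name matches the list above, including the scripts directory. It assumes cscript run as an administrator; with /delete it removes the matching metabase entries, leaving the files on disk untouched.

```vbscript
' audit-samplevdirs.vbs (hypothetical file name; added example, not from the article)
' Reports virtual directories under each web site root that match the sample
' directories listed in the article, and with /delete removes them from the metabase.
' Usage: cscript //nologo audit-samplevdirs.vbs [/delete]
Option Explicit

Dim deleteMode, w3svc, site, root, child, names, n, found, key
deleteMode = False
If WScript.Arguments.Count > 0 Then
    If LCase(WScript.Arguments(0)) = "/delete" Then deleteMode = True
End If

' Names taken from the article; "scripts" is included because the article
' recommends removing it unless it is in use. Metabase names are case-insensitive.
names = Array("iissamples", "iishelp", "msadc", "scripts")

Set w3svc = GetObject("IIS://localhost/W3SVC")

For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/Root")

        ' Collect matches first; deleting while enumerating a container is unsafe.
        Set found = CreateObject("Scripting.Dictionary")
        For Each child In root
            If child.Class = "IIsWebVirtualDir" Then
                For n = 0 To UBound(names)
                    If LCase(child.Name) = names(n) Then
                        found.Add child.Name, child.Path
                    End If
                Next
            End If
        Next

        For Each key In found.Keys
            WScript.Echo "Site " & site.Name & ": /" & key & " -> " & found(key)
            If deleteMode Then
                root.Delete "IIsWebVirtualDir", key
                WScript.Echo "  removed from metabase"
            End If
        Next
    End If
Next
```

Because only the metabase entry is removed, the directories listed above (for example \Inetpub\iissamples) remain on disk and can be deleted separately once you are sure nothing depends on them.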

IIS Lockdown Tool (and other security related tools)

• Microsoft Security Baseline Analyzer

The Microsoft Baseline Security Analyzer (MBSA for short) is a tool which will look at your system or scan a network for possible risks in various Microsoft products. MBSA will run on Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, and will run scans against Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, Exchange 5.5 and 2000, and Windows Media Player 6.4 and later.

MBSA downloads an XML configuration file from Microsoft when it is run to stay up to date with current issues, so it may raise issues with your particular IIS version that I've not listed here (if you're using Windows 2000 there will be).
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsahome.asp

• IIS Lockdown Tool (v2.1)

The lockdown tool works by effectively 'switching off' parts of IIS which you specify as not being required. This means the overall number of IIS features available to the internet is greatly reduced, and thus reduces the 'surface area' of your server. This then means that if there is an exploit or worm making use of 'fancy feature #5' and you've shut it off, the attack will not work against your server.
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en

The IIS Lockdown Tool also incorporates URLScan, which acts as a buffer restricting the potentially dangerous types of HTTP request that actually reach the server. However, since the lockdown tool was released a newer version of URLScan has been released:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp

Patch, Patch, Patch!
IIS is potentially one of the most important services on your machine to apply patches for (as it could be accepting connections through a firewall from any machine on the internet). Just because you've not had a chance to install the latest hotfix or service pack doesn't mean someone hasn't come up with a tool to exploit it. I say this not to imply that there are hundreds of patches for IIS, but you should check Windows Update regularly for new critical updates.

Windows Update Site

Copyright © 2002-2003, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.

Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk