Security Changes in IIS 7.0 : Reducing Attack Surface Area (part 1)

6/16/2011 3:00:34 PM
Reducing the attack surface area of the Web server is a key strategy in reducing the risk of a security vulnerability being successfully exploited by an attacker. The principle of attack surface area reduction is not exclusive to Web servers—it is generally accepted as one of the most direct ways to improve the security of any software system. When applied to IIS 7.0, it provides the following benefits:
  • It directly reduces the number of features and services exposed by the Web server to outside clients, minimizing the amount of code available for an attacker to exploit.

  • It reduces complexity, which makes it easier to configure the Web server in a secure manner.

  • If a vulnerability is exposed, the uptime of the Web server is not affected as much, because if the component affected by the vulnerability is not installed, it is not necessary to take the Web server offline or patch it immediately.

IIS 7.0 gives you an unparalleled ability to reduce the attack surface area of the Web server through its modular architecture by enabling you to remove all functionality other than what is absolutely necessary to host your application. By leveraging this ability, you can deploy low-footprint Web servers with minimal possible surface area.

After installing the minimal set of features, you can further reduce the surface area of the Web server by configuring your application to operate with the minimal functionality, for example, configuring which application resources should be served.

In the rest of this section, we will review the cumulative process for reducing the surface area of the Web server and your application. This process includes the following steps:

Reduce the surface area of the Web server.

a. Install the minimal required set of Web server features.

b. Enable only the required Internet Server Application Programming Interface (ISAPI) filters.

c. Enable only the required ISAPI extensions.

d. Enable only the required Common Gateway Interface (CGI) applications.

e. Enable only the required FastCGI applications.

Reduce the surface area of the application.

a. Enable only the required modules.

b. Configure the minimal set of application handler mappings.

c. Set Web site permissions.

d. Configure a minimal set of MIME types.

The modular architecture of IIS 7.0 gives you the ability to install only the Web server features required for the correct operation of your Web server. This forms the foundation of the surface area reduction strategy.

In addition, you can continue to control what extensions that do not use the IIS 7.0 modular extensibility model can execute on the server. This includes ISAPI extensions and filters and CGI and FastCGI programs.

Installing the Minimal Required Set of Web Server Features

The IIS 7.0 modular feature set comprises more than 40 individual Web server modules that provide various request processing and application services. The Web server core engine retains only the minimal set of functionality needed to receive the request and dispatch its processing to modules. You can leverage this architecture to deploy minimal surface area Web servers by installing only the modules that are required for the Web server’s operation.

The modular feature set provided in IIS 7.0 is fully integrated with Windows Setup. This means that you can install or uninstall most of the IIS 7.0 modules by installing IIS 7.0 features directly from the Turn Windows Features On Or Off page in Windows Vista, or the Web Server (IIS) role in Server Manager on Windows Server 2008 as shown in Figure 1. Each feature typically corresponds to one module (or in some cases several modules) and installs any corresponding configuration information as well as feature dependencies.

Figure 1. Installing IIS 7.0 using the Add Roles Wizard.

The default installation of IIS 7.0 includes only the features necessary for IIS 7.0 to function as a static file Web server. In many cases, this may not be sufficient to properly host your application, so you will need to install additional features, including support for hosting dynamic application technologies. When you do this, you will be prompted to install any dependencies of the feature you are installing and configure the proper default configuration for that feature.


Do not install all the IIS 7.0 features if you are unsure of what you need. Doing so can unnecessarily increase the surface area of the Web server.

By ensuring that only the required modules are installed, you can significantly reduce the surface area of the Web server. This provides the following benefits:

  • Removes the potential for an attacker to exploit known or future threats in features that are not installed.

  • Reduces management complexity, making it easier to configure the server in a secure manner.

  • Reduces the downtime and costs associated with reacting to a vulnerability or applying patches. If the patched component is not installed, you do not need to take the server offline to perform the patch. You can also perform patching on your own schedule instead of being forced to perform it immediately if a vulnerability is found.


When you apply a patch to a component of a Web server feature that is not installed, it is stored in the operating system installation cache. This way, when you install the feature in the future, it will use the patched version automatically. Therefore, be sure to continue installing all operating system updates, even if the corresponding features are not currently being used on the server.

To reduce the surface area of the Web server, you should take the following steps:

Determine the set of features your applications need. In the majority of cases, you should be able to tell what features are required by your application by reviewing the list of setup components and comparing it with your application’s requirements. As a guide, you can often use the recommended set of modules for specific application workloads. You can find more information on recommended installation workloads at You should exercise caution when removing Web server features that are security sensitive, because doing so may have a negative impact on your server’s security.

Install only the required features. After you have determined the required features, you should install them using the roles or features wizards. When in doubt, do not install all features, because doing so will result in an unnecessary surface area increase.

Install only the required third-party modules. IIS 7.0 applications may require third-party modules to be installed to add additional functionality or replace a built-in IIS 7.0 feature. You should exercise caution when installing any module on the Web server and make sure that you trust its source. Installing untrusted or buggy modules can compromise the security of the Web server or negatively affect its reliability and performance.

Test your application. You should always test your application to ensure that it operates correctly given the installed feature set. Your application may experience errors if a required module is not installed. The symptoms of this error will depend on the service provided by the missing module. If your testing shows an error and you believe that it is due to a missing feature, make sure that the error is removed or changed by installing that specific feature. If the error remains, uninstall the feature and try again. Never blindly install multiple or all features to get the application to work.

When you run multiple applications on the same Web server, you will need to install the superset of the modules required by each application. You can then further reduce the surface area of each application by controlling which modules are enabled at the application level.

Enabling Only the Required ISAPI Filters

IIS 6.0 provides support for ISAPI filters, to allow third parties to extend IIS request processing. IIS 7.0 replaces ISAPI filters with IIS 7.0 modules as the preferred mechanism for extending the Web server. However, IIS 7.0 continues to support ISAPI filters for backward compatibility reasons.


To enable ISAPI filters to work on IIS 7.0, the ISAPI Filters role service must be installed. This role service installs the IsapiFilterModule module, which provides support for hosting ISAPI filters. If this module is removed, ISAPI filters will not be loaded. This role service is not enabled by default; it is however enabled when the ASP.NET role service is installed.

If your Web server uses ISAPI filters, to minimize the Web server surface area you should ensure that only the required ISAPI filters are enabled.


You must be a server administrator to enable ISAPI filters.

To properly configure ISAPI filters, you should take the following steps:

If your Web server uses ISAPI filters, install the ISAPI Filters role service. Without this role service, the ISAPI filters will not be loaded and therefore may create a security risk if they are responsible for security-sensitive functionality.

If your Web server does not use ISAPI filters, do not install the ISAPI Filters role service. This eliminates the possibility of unwanted ISAPI filters being configured on your server.

Determine the ISAPI filters that your application requires. In the majority of cases, your Web server should not require any ISAPI filters (with the exception of the ASP.NET ISAPI filter; see the note later in this section). Therefore, you will typically need to configure ISAPI filters only if you are migrating an existing application from previous versions of IIS that require specific ISAPI filters, or if you are installing a new third-party ISAPI filter.

Enable the required ISAPI filters. You can control which ISAPI filters are enabled on your server, and for a specific Web site, by using IIS Manager.

To use IIS Manager to configure the ISAPI filters, click the Web server node or Web site node in the tree view and then double-click ISAPI Filters, as shown in Figure 2. Exercise extreme caution when installing third-party ISAPI filters and be sure you trust their source. Installing untrusted or buggy ISAPI filters can compromise the security of the Web server or negatively affect its reliability.

Figure 2. Using IIS Manager to configure ISAPI filters.


IIS 7.0 does not install any ISAPI filters by default. However, ASP.NET 1.1 and ASP.NET 2.0 will install an ISAPI filter named ASP.NET_2.0.50727.0. This filter is required for cookie-less ASP.NET features to work properly. You should not remove this filter.

You can also control which filters are enabled for the Web server or for a specific Web site by editing the system.webServer/isapiFilters configuration section directly, with the Appcmd command line tool, or with another configuration API.

PS4 game trailer XBox One game trailer
WiiU game trailer 3ds game trailer
Top 10 Video Game
-   F1 2015 | Features Trailer
-   Battle Fantasia Revised Edition | Debut Trailer for Steam
-   Victor Vran [PC] Story Trailer
-   Star Wars Battlefront PC Alpha footage
-   Skyforge [PC] Open Beta Gameplay Trailer
-   Armored Warfare [PC] PvE Trailer
-   F1 2015 [PS4/XOne/PC] Features Trailer
-   Act of Aggression [PC] Pre-Order Trailer
-   Sword Coast Legends [PC] Campaign Creation E3 2015 Trailer
-   Sword Coast Legends [PC] Campaign Creation E3 2015 Dungeon Run Trailer
-   Naruto Shippuden: Ultimate Ninja Storm 4 Trailer
-   Danganronpa Another Episode: Ultra Despair Girls Trailer 2
-   Project X Zone 2 Trailer
-   Poly Bridge Early Access Trailer
-   Rodea The Sky Soldier Trailer
Game of War | Kate Upton Commercial