Reducing the attack surface area of the Web server is
a key strategy in reducing the risk of a security vulnerability being
successfully exploited by an attacker. The principle of attack surface
area reduction is not exclusive to Web servers—it is generally accepted
as one of the most direct ways to improve the security of any software
system. When applied to IIS 7.0, it provides the following benefits:
- It directly reduces the number of features and services exposed by the Web server to outside clients, minimizing the amount of code available for an attacker to exploit.
- It reduces complexity, which makes it easier to configure the Web server in a secure manner.
- If a vulnerability is exposed, the uptime of the Web server is not affected as much, because if the component affected by the vulnerability is not installed, it is not necessary to take the Web server offline or patch it immediately.
IIS 7.0 gives you an
unparalleled ability to reduce the attack surface area of the Web server
through its modular architecture by enabling you to remove all
functionality other than what is absolutely necessary to host your
application. By leveraging this ability, you can deploy low-footprint
Web servers with the minimal possible surface area.
After installing the
minimal set of features, you can further reduce the surface area of the
Web server by configuring your application to operate with the minimal
functionality, for example, configuring which application resources
should be served.
In
the rest of this section, we will review the cumulative process for
reducing the surface area of the Web server and your application. This
process includes the following steps:
1. Reduce the surface area of the Web server.
- a. Install the minimal required set of Web server features.
- b. Enable only the required Internet Server Application Programming Interface (ISAPI) filters.
- c. Enable only the required ISAPI extensions.
- d. Enable only the required Common Gateway Interface (CGI) applications.
- e. Enable only the required FastCGI applications.
2. Reduce the surface area of the application.
- a. Enable only the required modules.
- b. Configure the minimal set of application handler mappings.
- c. Set Web site permissions.
- d. Configure a minimal set of MIME types.
The modular architecture of
IIS 7.0 gives you the ability to install only the Web server features
required for the correct operation of your Web server. This forms the
foundation of the surface area reduction strategy.
In addition, you can
continue to control which extensions that do not use the IIS 7.0 modular
extensibility model can execute on the server. This includes ISAPI
extensions and filters, and CGI and FastCGI programs.
Installing the Minimal Required Set of Web Server Features
The IIS 7.0
modular feature set comprises more than 40 individual Web server modules
that provide various request processing and application services. The
Web server core engine retains only the minimal set of functionality
needed to receive the request and dispatch its processing to modules.
You can leverage this architecture to deploy minimal surface area Web
servers by installing only the modules that are required for the Web
server’s operation.
The modular feature set
provided in IIS 7.0 is fully integrated with Windows Setup. This means
that you can install or uninstall most of the IIS 7.0 modules by
installing IIS 7.0 features directly from the Turn Windows Features On
Or Off page in Windows Vista, or the Web Server (IIS) role in Server
Manager on Windows Server 2008 as shown in Figure 1.
Each feature typically corresponds to one module (or in some cases
several modules) and installs any corresponding configuration
information as well as feature dependencies.
The default
installation of IIS 7.0 includes only the features necessary for IIS 7.0
to function as a static file Web server. In many cases, this may not be
sufficient to properly host your application,
so you will need to install additional features, including support for
hosting dynamic application technologies. When you do this, you will be
prompted to install any dependencies of the feature you are installing
and configure the proper default configuration for that feature.
Caution
Do not install all the IIS 7.0 features if you are unsure of what you need. Doing so can unnecessarily increase the surface area of the Web server.
By ensuring that only
the required modules are installed, you can significantly reduce the
surface area of the Web server. This provides the following benefits:
- Removes the potential for an attacker to exploit known or future threats in features that are not installed.
- Reduces management complexity, making it easier to configure the server in a secure manner.
- Reduces the downtime and costs associated with reacting to a vulnerability or applying patches. If the patched component is not installed, you do not need to take the server offline to perform the patch. You can also perform patching on your own schedule instead of being forced to perform it immediately if a vulnerability is found.
Note
When you apply a patch to a component of a Web server feature that is not installed, it is stored in the operating system installation cache. This way, when you install the feature in the future, it will use the patched version automatically. Therefore, be sure to continue installing all operating system updates, even if the corresponding features are not currently being used on the server.
To reduce the surface area of the Web server, you should take the following steps:
1. Determine the set of features your applications need.
   In the majority of cases, you should be able to tell what features are required by your application by reviewing the list of setup components and comparing it with your application’s requirements. As a guide, you can often use the recommended set of modules for specific application workloads. You can find more information on recommended installation workloads at http://www.iis.net/articles/view.aspx/IIS7/Deploy-an-IIS7-Server/Installing-IIS7/Install-Typical-IIS-Workloads?Page=2. You should exercise caution when removing Web server features that are security sensitive, because doing so may have a negative impact on your server’s security.
2. Install only the required features.
   After you have determined the required features, you should install them using the roles or features wizards. When in doubt, do not install all features, because doing so will result in an unnecessary surface area increase.
3. Install only the required third-party modules.
   IIS 7.0 applications may require third-party modules to be installed to add additional functionality or replace a built-in IIS 7.0 feature. You should exercise caution when installing any module on the Web server and make sure that you trust its source. Installing untrusted or buggy modules can compromise the security of the Web server or negatively affect its reliability and performance.
4. Test your application.
   You should always test your application to ensure that it operates correctly given the installed feature set. Your application may experience errors if a required module is not installed. The symptoms of this error will depend on the service provided by the missing module. If your testing shows an error and you believe that it is due to a missing feature, make sure that the error is removed or changed by installing that specific feature. If the error remains, uninstall the feature and try again. Never blindly install multiple or all features to get the application to work.
When
you run multiple applications on the same Web server, you will need to
install the superset of the modules required by each application. You
can then further reduce the surface area of each application by
controlling which modules are enabled at the application level.
Enabling Only the Required ISAPI Filters
IIS 6.0 provides
support for ISAPI filters, to allow third parties to extend IIS request
processing. IIS 7.0 replaces ISAPI filters with IIS 7.0 modules as the
preferred mechanism for extending the Web server. However, IIS 7.0
continues to support ISAPI filters for backward compatibility reasons.
Note
To enable ISAPI filters to work on IIS 7.0, the ISAPI Filters role service must be installed. This role service installs the IsapiFilterModule module, which provides support for hosting ISAPI filters. If this module is removed, ISAPI filters will not be loaded. This role service is not enabled by default; it is, however, enabled when the ASP.NET role service is installed.
If your Web server uses
ISAPI filters, to minimize the Web server surface area you should ensure
that only the required ISAPI filters are enabled.
Note
You must be a server administrator to enable ISAPI filters.
To properly configure ISAPI filters, you should take the following steps:
1. If your Web server uses ISAPI filters, install the ISAPI Filters role service.
   Without this role service, the ISAPI filters will not be loaded, which may create a security risk if they are responsible for security-sensitive functionality.
2. If your Web server does not use ISAPI filters, do not install the ISAPI Filters role service. This eliminates the possibility of unwanted ISAPI filters being configured on your server.
3. Determine the ISAPI filters that your application requires.
   In the majority of cases, your Web server should not require any ISAPI filters (with the exception of the ASP.NET ISAPI filter; see the note later in this section). Therefore, you will typically need to configure ISAPI filters only if you are migrating an existing application from previous versions of IIS that require specific ISAPI filters, or if you are installing a new third-party ISAPI filter.
4. Enable the required ISAPI filters. You can control which ISAPI filters are enabled on your server, and for a specific Web site, by using IIS Manager.
To use IIS Manager
to configure the ISAPI filters, click the Web server node or Web site
node in the tree view and then double-click ISAPI Filters, as shown in Figure 2.
Exercise extreme caution when installing third-party ISAPI filters and
be sure you trust their source. Installing untrusted or buggy ISAPI
filters can compromise the security of the Web server or negatively
affect its reliability.
Note
IIS 7.0 does not install any ISAPI filters by default. However, ASP.NET 1.1 and ASP.NET 2.0 will install an ISAPI filter named ASP.NET_2.0.50727.0. This filter is required for cookie-less ASP.NET features to work properly. You should not remove this filter.
You can also control which filters are enabled for the Web server or for a specific Web site by editing the system.webServer/isapiFilters configuration section directly, with the Appcmd command line tool, or with another configuration API.
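One way to review the outcome of these steps offline, as an added example (not code from the original text or from Microsoft): it reads a copy of applicationHost.config, lists the ISAPI filters declared in system.webServer/isapiFilters at server and site level, flags any that are not on an allowlist, and flags the case where filters are configured but IsapiFilterModule is not installed. The sample configuration, the LegacyAuthFilter name and the function names are constructed for illustration; inherited `<clear>` and `<remove>` entries are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config. "LegacyAuthFilter" and
# its path are hypothetical; the ASP.NET filter name is the one the text gives.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.NET_2.0.50727.0" path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll" />
    </isapiFilters>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <isapiFilters>
        <filter name="LegacyAuthFilter" path="C:\filters\legacyauth.dll" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>
"""

def declared_filters(root):
    """Return {scope: [filter names]}; scope is 'server' or a <location> path."""
    sections = [("server", root.find("system.webServer/isapiFilters"))]
    for loc in root.findall("location"):
        sections.append((loc.get("path", ""), loc.find("system.webServer/isapiFilters")))
    return {scope: [f.get("name", "") for f in sec.findall("filter")]
            for scope, sec in sections if sec is not None}

def audit_isapi_filters(config_xml, allowed):
    """List (finding, scope, name) tuples for filters outside the allowlist."""
    root = ET.fromstring(config_xml)
    modules = {m.get("name") for m in root.findall("system.webServer/globalModules/add")}
    allowed_lc = {name.lower() for name in allowed}
    scopes = declared_filters(root)
    findings = [("unapproved-filter", scope, name)
                for scope, names in scopes.items()
                for name in names if name.lower() not in allowed_lc]
    # Filters configured without the hosting module are silently not loaded.
    if any(scopes.values()) and "IsapiFilterModule" not in modules:
        findings.append(("filters-not-loaded", "server", "IsapiFilterModule"))
    return findings

if __name__ == "__main__":
    print(audit_isapi_filters(SAMPLE_CONFIG, {"ASP.NET_2.0.50727.0"}))
```

On the constructed sample this reports the site-level LegacyAuthFilter as unapproved and notes that no filter will load because IsapiFilterModule is missing from globalModules.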