Security Changes in IIS 7.0 : Reducing Attack Surface Area (part 2)

6/16/2011 3:02:46 PM

Enabling Only the Required ISAPI Extensions

IIS 6.0 provides support for ISAPI extensions, which allows third parties to extend IIS request processing by returning responses for specific content types. IIS 7.0 replaces ISAPI extensions with IIS 7.0 modules as a preferred mechanism for extending IIS. However, IIS 7.0 continues to support ISAPI extensions for backward compatibility reasons.

Note

To enable ISAPI extensions to work on IIS 7.0, the ISAPI Extensions role service must be installed. This role service installs the IsapiModule module, which provides support for hosting ISAPI extensions. If this module is removed, ISAPI extensions will not be loaded. This role service is not enabled by default, but it is enabled when ASP.NET is installed.


Today, dynamic application framework technologies frequently use ISAPI extensions to interface with IIS. Therefore, it is likely that if you are using dynamic application technologies, you will need to use ISAPI extensions. For example, both ASP.NET (for Classic mode applications) and ASP are implemented as ISAPI extensions.

If your Web server uses ISAPI extensions, to minimize the Web server surface area you should ensure that only the required ISAPI extensions are enabled.

Note

You must be a server administrator to enable ISAPI extensions.


To properly configure ISAPI extensions, you should take the following steps:

1. If your Web server uses ISAPI extensions, install the ISAPI Extensions role service. Without this role service, the ISAPI extensions will not be loaded, and requests to resources mapped to ISAPI extensions will return errors.

2. If your Web server does not use ISAPI extensions, do not install the ISAPI Extensions role service. This eliminates the possibility of unwanted ISAPI extensions being configured on your server.

3. Configure the allowed ISAPI extensions. Each ISAPI extension must be allowed to execute on the server before it can be used. You can use IIS Manager to configure all ISAPI extensions that are allowed to execute on the server. Doing so is explained in more detail later in this section. Exercise extreme caution when allowing third-party ISAPI extensions and be sure you trust their source. Installing untrusted or buggy ISAPI extensions can compromise the security of the Web server or negatively affect its reliability.

4. Configure the desired handler mappings. To use ISAPI extensions, you need to create handler mappings that map allowed ISAPI extensions to specific content types in your application.

You must explicitly allow any ISAPI extension that has to execute on your server. When you allow a specific ISAPI extension path, any application on the server can load this extension, if the server configures a handler mapping to this extension. Table 1 specifies the common ISAPI extensions and when they are installed.

Table 1. Common ISAPI Extensions

ISAPI Extension        Default State   When Installed
Active Server Pages    Allowed         ASP role service is installed
ASP.NET v1.1.4322      Not Allowed     .NET Framework v1.1 SP1 is installed
ASP.NET v2.0.50727     Allowed         ASP.NET role service is installed

On IIS 6.0, you have to explicitly allow the ISAPI extensions corresponding to ASP and ASP.NET 2.0. On IIS 7.0, these ISAPI extensions are automatically allowed when you install the corresponding role services. In addition, only ASP.NET applications running in Classic mode use the ASP.NET 2.0 ISAPI extension. It is a more reliable practice to use the roles or features wizards to control the availability of these features, instead of allowing or not allowing them in the ISAPI and CGI Restrictions. However, you still need to manually enable the ISAPI extension for ASP.NET v1.1.

On IIS 6.0, you can allow an ISAPI extension in the Web Service Extension Restriction List. On IIS 7.0, you can use IIS Manager to do this by clicking the Web server node in the tree view and then double-clicking ISAPI And CGI Restrictions to open the feature shown in Figure 3. To add a new ISAPI extension, click Add in the Actions pane and then enter the exact path of the ISAPI extension. If you would like to allow the ISAPI extension to execute, check the Allow Extension Path To Execute check box. You can also allow or deny existing extensions.

Figure 3. Allowing ISAPI extensions in the ISAPI and CGI Restrictions by using IIS Manager.

In addition to using IIS Manager, you can also edit the system.webServer/security/isapiCgiRestriction configuration section directly by using the Appcmd command line tool or with another configuration API.

Enabling Only the Required CGI Programs

IIS 7.0 continues to support CGI programs as one of the ways to extend the functionality of the Web server.

Note

To enable CGI programs to work on IIS 7.0, the CGI role service must be installed. This role service installs the CgiModule module, which provides support for launching CGI programs. If this module is removed, CGI programs will not be usable. This role service is not enabled by default.


By default, IIS 7.0 does not provide any CGI programs, so they should be used only if your application uses third-party CGI programs. If it does, you should ensure that only the required CGI programs are allowed to minimize the Web server surface area.

Note

You must be a server administrator to allow CGI programs.


To properly configure CGI programs, you should take the following steps:

1. If your Web server uses CGI programs, install the CGI role service. Without this role service, the CGI programs will not be created, and requests to resources mapped to CGI programs will return errors.

2. If your Web server does not use CGI programs, do not install the CGI role service. This eliminates the possibility of unwanted CGI programs being configured on your server.

3. Configure the allowed CGI programs. Each CGI program must be allowed to execute on the server before it can be used. You can use IIS Manager to configure all CGI programs that are allowed to execute on the server. This is explained in more detail later in this section. Exercise extreme caution when allowing third-party CGI programs and be sure you trust their source. Installing untrusted or buggy CGI programs can compromise the security of the Web server or negatively affect its reliability.

4. Configure the desired handler mappings. To use CGI programs, you need to create handler mappings that map allowed CGI programs to specific content types in your application.

Similar to ISAPI extensions, you must explicitly allow any CGI program that has to execute on your server. When you allow a specific CGI program path, that CGI program can be launched by any application on the server that configures a handler mapping to it. Each allowed CGI program entry must specify the full path and arguments exactly as they appear in the corresponding handler mapping; otherwise the entry does not match and the program is not allowed. CGI programs are allowed in the ISAPI and CGI Restrictions feature, following the same process described in the section titled “Enabling Only the Required ISAPI Extensions” earlier in this chapter.
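The following applicationHost.config fragment is an added illustration, not text from the book or a configuration IIS ships, of the system.webServer/security/isapiCgiRestriction section discussed in both the ISAPI and the CGI sections above, together with the handler mappings that reference its entries. The aspnet_isapi.dll path is the standard ASP.NET 2.0 location; C:\cgi\report.exe, its argument, and C:\cgi\legacy.exe are made-up placeholders.

```xml
<!-- Added illustration (not from the original text). Paths under C:\cgi\ are placeholders. -->
<system.webServer>
  <security>
    <!-- With both flags false, any ISAPI DLL or CGI executable that is not listed
         with allowed="true" is refused, which is the smallest surface area. -->
    <isapiCgiRestriction notListedIsapisAllowed="false" notListedCgisAllowed="false">
      <!-- ISAPI extension entry: added automatically when the ASP.NET role service
           is installed (see Table 1); shown here so the matching handler is visible. -->
      <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"
           allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
      <!-- CGI entry: path AND arguments must match the handler's scriptProcessor
           character for character, or the restriction check fails. -->
      <add path="C:\cgi\report.exe --mode=cgi" allowed="true"
           description="Report CGI (placeholder)" />
      <!-- A retired program kept in the list but denied: it cannot be launched
           even if a handler mapping still points at it. -->
      <add path="C:\cgi\legacy.exe" allowed="false" description="Retired CGI (placeholder)" />
    </isapiCgiRestriction>
  </security>
  <handlers>
    <!-- Classic-mode ASP.NET mapping that loads the allowed ISAPI extension. -->
    <add name="PageHandlerFactory-ISAPI-2.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG"
         modules="IsapiModule"
         scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"
         preCondition="classicMode,runtimeVersionv2.0,bitness32" />
    <!-- CGI mapping: scriptProcessor is the same "path arguments" string as the
         restriction entry above, which is what makes the two line up. -->
    <add name="ReportCgi" path="*.rpt" verb="GET,POST" modules="CgiModule"
         scriptProcessor="C:\cgi\report.exe --mode=cgi" resourceType="Either" />
  </handlers>
</system.webServer>
```

Reviewing the isapiCgiRestriction list against the handlers collection in this way is a quick check that no handler mapping points at a program that is denied or absent, and that no allowed entry has lost its handler and become a stale grant.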

Enabling Only the Required FastCGI Programs

IIS 7.0 supports hosting FastCGI programs by using the FastCGI feature, which provides a more reliable way to host many application frameworks than CGI does.

Note

To enable FastCGI programs to work on IIS 7.0, the CGI role service must be installed. This role service installs the FastCgiModule module, which provides support for launching FastCGI programs. If this module is removed, FastCGI programs will not be usable. This role service is not enabled by default.


By default, IIS 7.0 does not provide any FastCGI programs, so they should be used only if your application uses third-party FastCGI programs. If so, to minimize the Web server surface area, you should ensure that only the required FastCGI programs are allowed.

Note

You must be a server administrator to allow FastCGI programs.


To properly configure FastCGI programs, you should take the following steps:

1. If your Web server uses FastCGI programs, install the CGI role service. Without this role service, the FastCGI programs will not be usable, and requests to resources mapped to FastCGI programs will return errors.

2. If your Web server does not use FastCGI programs, do not install the CGI role service. This eliminates the possibility of unwanted FastCGI programs being configured on your server.

3. Configure the allowed FastCGI programs. Each FastCGI program must be allowed to execute on the server before it can be used. Though there is no IIS Manager support for configuring FastCGI programs that are allowed to execute on the server, you can do this by editing the system.webServer/fastCgi configuration section. Exercise extreme caution when allowing third-party FastCGI programs and be sure you trust their source. Installing untrusted or buggy FastCGI programs can compromise the security of the Web server or negatively affect its reliability.

4. Configure the desired handler mappings. To use FastCGI programs, you need to create handler mappings that map allowed FastCGI programs to specific content types in your application.

Unlike ISAPI extensions and CGI programs, FastCGI programs are not allowed through the ISAPI and CGI Restriction feature. Instead, in the system.webServer/fastCgi configuration section, you need to create an entry for each allowed FastCGI program.
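An added configuration fragment (not from the book) showing the system.webServer/fastCgi entry that allows one FastCGI program and the handler mapping that uses it; C:\php\php-cgi.exe is assumed as a typical FastCGI host and is not something the text specifies.

```xml
<!-- Added illustration (not from the original text). C:\php\php-cgi.exe is an assumed path. -->
<system.webServer>
  <fastCgi>
    <!-- One <application> element per allowed FastCGI program. fullPath together
         with arguments is the identity the handler mapping must match. -->
    <application fullPath="C:\php\php-cgi.exe" arguments=""
                 maxInstances="4" instanceMaxRequests="10000"
                 idleTimeout="300" activityTimeout="30" requestTimeout="90">
      <!-- Environment handed to the process pool; keep it to what the program needs. -->
      <environmentVariables>
        <environmentVariable name="PHP_FCGI_MAX_REQUESTS" value="10000" />
      </environmentVariables>
    </application>
  </fastCgi>
  <handlers>
    <!-- scriptProcessor must equal fullPath (or "fullPath|arguments" when arguments
         are set) of an <application> above; a request matching *.php with no
         corresponding fastCgi entry fails instead of launching the program. -->
    <add name="PHP_via_FastCGI" path="*.php" verb="GET,HEAD,POST"
         modules="FastCgiModule" scriptProcessor="C:\php\php-cgi.exe"
         resourceType="Either" requireAccess="Script" />
  </handlers>
</system.webServer>
```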
