IIS7 - Security

Re: How to override parent level setting in IIS7

anilr — Wed, 10 Dec 2008 00:58:10 GMT

Did you run command prompt with "run as administrator"? For more info, search for UAC.

Re: How to override parent level setting in IIS7

OzzieP — Tue, 09 Dec 2008 23:07:48 GMT

Anil - When I run the command on a 64 bit Vista system I get an error message that "Cannot read the configuration file due to insufficient permission". I am already an administrator. Do I need something special? I assume we run the command from the command prompt.

Re: How to override parent level setting in IIS6

ElhamHafezi — Wed, 26 Nov 2008 06:26:59 GMT

Hi Anil

When I run the first command I will get following message:

"Can not read configuration file due to insufficient permissions." How can I solve the issue?

Thanks

Re: How to override parent level setting in IIS7

anilr — Fri, 30 Nov 2007 00:27:51 GMT

There are many different canonicalization that file-systems in windows (and specifically NTFS) can do to the file-name being opened - so both "c:\foo.asp::$DATA" and "c:\foo.asp." ends up going to c:\foo.asp - so, if you have serving of any extension allowed, your asp script could get served as a static file to the client (including any database names in it etc) - of course, IIS blocks the examples I listed even if you have serving of any extension allowed - but, there is possiblity of other canonicalization traps and it is always nice to have defense in depth.

Re: How to override parent level setting in IIS7

Switche — Thu, 29 Nov 2007 22:32:52 GMT

In response to anilr's last comment here; can someone provide a simple example of how a canonicalization bug can be exploited due to a Mime Map allowing access to .* file types?

I can understand the inherent file serving vulnerability of serving all unknown file extensions as application/octet-stream, but I don't see the connection of canonicalization bugs to this Mime Map.

Thank you

Re: How to override parent level setting in IIS7

anilr — Wed, 18 Oct 2006 16:36:13 GMT

You probably never want to do what aarnott suggested (except for troubleshooting maybe) - you would be bypassing one of the security features of IIS to protect against canonicalization bugs - it would make more sense to add particular extensions you want to serve as static files to the list.

Re: How to override parent level setting in IIS7

aarnott — Tue, 17 Oct 2006 17:51:58 GMT

However, my site still doesn't recognise unknown file format. This time, the error message becomes 404.3, which means either I'm missing a handler map or a MIME map for that directory.

Use this command to open up all MIME types (and you can easily modify the command to suit your needs):

%windir%\system32\inetsrv\appcmd.exe set config /section:staticContent /+[fileExtension='.*',mimeType='application/octet-stream']

Re: How to override parent level setting in IIS7

leonzhou — Sat, 09 Sep 2006 12:24:08 GMT

Thanks for the links Anilr.

However, my site still doesn't recognise unknown file format. This time, the error message becomes 404.3, which means either I'm missing a handler map or a MIME map for that directory.

Now I'm pretty sure that I have the StaticFile handler with the request path * enabled for the directory, but I do not see the MIME Types feature in the admin interface (I've installed all components of IIS7).

Do you know where I should configure the MIME Types?

Thanks

Re: How to override parent level setting in IIS7

anilr — Thu, 07 Sep 2006 08:15:04 GMT

You can find more information about IIS7 admin interfaces at

http://www.iis.net/default.aspx?tabid=7&subtabid=73

and about appcmd specifically at

http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=954&p=1

Re: How to override parent level setting in IIS7

leonzhou — Wed, 06 Sep 2006 01:51:31 GMT

Heaps of thanks Anil. BTW, do you know anywhere that I can find more info about this kind of advanced operation?

Regards,
Leon

Re: How to override parent level setting in IIS7

anilr — Tue, 05 Sep 2006 20:00:36 GMT

The following command will unlock this section globally.

%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/requestFiltering

If you only want unlock it for a particular site/app, you can do

%windir%\system32\inetsrv\appcmd.exe unlock config "SiteName/app/url" -section:system.webServer/security/requestFiltering

- Anil

How to override parent level setting in IIS7

leonzhou — Sun, 03 Sep 2006 03:19:05 GMT

Hi,

I am apparently traped by the new request filtering feature in IIS7. I red about the tech doc about request filtering and tried to turn off the file extension filtering in my public listed folder by adding:

But my IIS returned me HTTP Error 500.19 on the <requestFiltering> line: "This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault='Deny'), or set explicitly by a location tag with overrideMode='Deny' or the legacy allowOverride='false'."

The public folder is a virtual directory located under Default Web Site. But I have lost in how to override this parrent setting.

Could anyone point me to the right direction? Thanks