BCurry
25 Posts
IIS 7.0 Hardening Recommendations
Jun 28, 2007 06:57 PM
I'm working on a paper about this and thought I'd ping those in the know. Other than the standard "don't install a module that you don't need" advice, are there any more in-depth recommendations? I'm looking at 2 scenarios, an Internet facing static Web server, and an Intranet Web server that serves dynamic content (ASP.NET, ISAPI, CGI, etc.). What ACLs do I need to set for each scenario? Group policy recommendations?
I'm basing this on the recommendations for IIS 6, found at http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx.
Any pointers to good info are greatly appreciated.
Cheers,
--Benjamin
security
CM Group, Ltd.
willsad
22 Posts
Microsoft
Re: IIS 7.0 Hardening Recommendations
Jul 02, 2007 05:27 PM
There is not a new version of a hardening paper that I can point you to, but there is a new feature in IIS 7 that will interest you, the application pool sandbox. At a high level, what this feature does is effectively isolate app pools from each other. In practice this can prevent an app in one pool from reading information in another app pool's configuration. So how does it work:
- By default IIS7 creates 1 site per app pool (when added via inetmgr).
- At runtime a unique SID (security ID) for the app pool is added to the list of SIDs. (Note the app pool still has the same process identity.)
- Internally IIS creates a "temp" configuration file that contains only the configuration settings for the app pool.
- This temp file is ACL'd with the unique SID.
- If in a farm, this SID is the same on all servers.
Everything I mentioned above is automatic and completely transparent to the user. The degree of isolation is directly proportional to the number of apps in a given app pool. A 1:1 app:app pool ratio gives you the greatest isolation. Now if you want to achieve even greater isolation there are some additional steps you can take.
- Disable the anon user:
  appcmd set config -section:anonymousAuthentication -userName:"" -password:""
  With this, all anon access will use the process identity.
- Set the ACLs for the App Pool's content to the unique SID (this works for local content only and not UNC). You will need to use icacls as the SID is not available in the UI.
- Create a secure location for:
  - ASP template cache
  - Compressed content
- Create an ASP.NET temp file location for the app pool, for example:
  appcmd set config "Default Web Site" -section:compilation -tempDirectory:%systemdrive%\inetpub\aspnettemp\site%1 /commit:webroot
Hopefully this will help you get a better understanding of app pool isolation and how it can help you harden your apps.
Will
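The post says the pool SID is not shown in the UI but is what the content ACLs must reference. The following is an added example, not code from the thread: it derives the SID IIS 7 computes from a pool name (S-1-5-82 plus the SHA-1 of the lowercased UTF-16LE name, which is why it is the same on every server in a farm) and emits the icacls/appcmd lines for a set of sites, warning where two sites share a pool. The aspnettemp layout is an assumed path, and the DefaultAppPool SID used for checking is the well-known published value.

```python
import hashlib
import struct

# Added example, not code from the thread. IIS 7 derives each application
# pool's SID from the pool name alone (hence identical across a farm):
#   S-1-5-82-<SHA-1 of the lowercased pool name in UTF-16LE, as 5 DWORDs>
# The commands below are the ones the post describes (icacls, appcmd); the
# temp-directory root under inetpub\aspnettemp is an assumed layout.


def app_pool_sid(pool_name: str) -> str:
    """SID that IIS adds to the worker process token for this pool."""
    digest = hashlib.sha1(pool_name.lower().encode("utf-16-le")).digest()
    words = struct.unpack("<5I", digest)  # 20 bytes -> five little-endian uint32
    return "S-1-5-82-" + "-".join(str(w) for w in words)


def isolation_plan(sites):
    """sites: iterable of (site_name, pool_name, content_path).

    Returns (commands, warnings): the icacls/appcmd lines that restrict each
    site's content and ASP.NET temp directory to its own pool SID, and a
    warning for every pool shared by several sites, where the pool SID gives
    no separation between those sites.
    """
    commands, warnings, members = [], [], {}
    for site, pool, _ in sites:
        members.setdefault(pool, []).append(site)
    for pool, owners in members.items():
        if len(owners) > 1:
            warnings.append(f"pool {pool} is shared by {owners}; use one pool per site")
    # Server-wide: anonymous requests run as the pool identity instead of IUSR.
    commands.append('appcmd set config -section:anonymousAuthentication '
                    '-userName:"" -password:""')
    for site, pool, path in sites:
        sid = "*" + app_pool_sid(pool)  # icacls takes a raw SID with a leading *
        temp = f"%systemdrive%\\inetpub\\aspnettemp\\{pool}"
        # Content: drop inherited ACEs, grant the pool read/execute only.
        commands.append(f'icacls "{path}" /inheritance:r /grant "{sid}:(OI)(CI)RX" '
                        '/grant "NT AUTHORITY\\SYSTEM:(OI)(CI)F" '
                        '/grant "BUILTIN\\Administrators:(OI)(CI)F"')
        # Temp dir: ASP.NET compiles into it, so the pool needs modify there.
        commands.append(f'icacls "{temp}" /inheritance:r /grant "{sid}:(OI)(CI)M" '
                        '/grant "BUILTIN\\Administrators:(OI)(CI)F"')
        commands.append(f'appcmd set config "{site}" -section:compilation '
                        f'-tempDirectory:"{temp}" /commit:webroot')
    return commands, warnings
```

The generated lines are meant to be reviewed and then run from an elevated prompt on the server; as the post notes, the SID-based ACL only works for local content, not UNC shares.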
steve schofi...
5681 Posts
MVP
Moderator
Re: IIS 7.0 Hardening Recommendations
Jul 04, 2007 08:23 AM
For your static internet facing server, you could look at server core / web edition, which does not serve .NET applications but supports classic ASP and HTML pages. This would be a perfect situation for this version of Windows Server 2008 / IIS7. I'm not quite sure when this version is available, but it will be in the near future.
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
grayboy
2 Posts
Re: IIS 7.0 Hardening Recommendations
Dec 30, 2009 10:30 AM
As I found this post I realized it's from about 2 years ago; IIS 7.0 was released around that time.
These days I'm looking for hardening recommendations and vulnerabilities of IIS 7.0 in order to document them.
Please give me some info or resources.
Thank you very much.
Rovastar
3321 Posts
MVP
Moderator
Re: IIS 7.0 Hardening Recommendations
Dec 30, 2009 10:58 AM
There are not many more hardening recommendations for IIS7.
In fact IIS6 on Windows 2003 is pretty solid out of the box and more so with best practices. In fact we had the penetration testers in for 3 days last week just to look at my IIS config. And we really tried to break stuff. And the conclusion was that only minor problems occur. Irrelevant things like showing banners and low ciphers that always appear on pen tests and are only in there to bulk it out.
In fact you will have more problems with the technologies employed on top: .NET, PHP, etc.
IIS7 is more robust still and I'm not expecting any problems there. For crazy security follow the guidelines in this post, but a sensible app pool identity with the minimum privileges for separate sites is more than enough.
steve schofi...
5681 Posts
MVP
Moderator
Re: IIS 7.0 Hardening Recommendations
Dec 31, 2009 01:24 AM
Rovastar is correct; unlike w2k and IIS 5, w2k3 was pretty locked down and doesn't need much additional out of the box. Here are a few things I've done to lock down IIS 7 and w2k8. These are some IIS and OS specific items I've done.
1) Run as ApplicationPoolIdentity.
2) Uninstall any modules that aren't used, especially authentication modules. Not having modules reduces the attack surface. If you install additional modules, run them at website level, don't load them at server level; use the web.config to load the modules in the <system.webServer> section.
3) Look at using Request Filtering or UrlScan to block SQL injections.
4) You can use host headers to help reduce automated IP-based bot attacks.
5) Do not enable remote management; it's disabled by default.
6) Don't install FTP, SMTP services.
7) Run each website in its own application pool.
8) Lock down any delegated permissions or remove them altogether.
OS, App suggestions
9) Run the Security Configuration Wizard; this does OS level changes. Definitely spin up a test VM or box to test SCW before applying at GPO level.
http://www.iislogs.com/steveschofield/how-to-use-security-configuration-wizard-in-windows-server-2008
10) Run Windows Firewall, block all but 3389, 80, 443, echo reply (for monitoring and pings).
11) Place data on a separate drive, remove default NTFS permissions.
12) Keep up on security patches, service packs.
13) Run ASP.NET apps in medium or partial trust if possible. Don't install DLLs in the GAC (global assembly cache).
14) Enable auditing in the local security policy (or GPO).
15) Run anti-virus software.
16) Enable custom errors so unhandled errors aren't displayed remotely.
17) Most web applications need to be properly tested for hacking, unhandled exceptions, etc. IIS 7 itself is solid; the applications need to be both load tested and tested for how they handle such situations.
18) Run the 64 bit version of w2k8 or R2.
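Items 2, 3, 13 and 16 in the list above are all site-level web.config settings. The following is an added example, not configuration from the post or from any real site: the module names are IIS 7's default managed module names, and the size limits, denied extensions and hidden segments are assumed values for a plain ASP.NET site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- 16) stack traces only for a browser on the server itself; remote clients get a generic page -->
    <customErrors mode="RemoteOnly" />
    <!-- 13) partial trust, assuming the application has been tested to run under it -->
    <trust level="Medium" />
  </system.web>
  <system.webServer>
    <modules>
      <!-- 2) drop managed modules this site does not use. Native modules that
           applicationHost.config marks lockItem="true" cannot be removed here;
           uninstall those at server level instead. -->
      <remove name="WindowsAuthentication" />
      <remove name="Session" />
    </modules>
    <security>
      <!-- 3) request filtering rejects malformed requests before the application runs.
           It is not a SQL injection filter; parameterized queries in the app are (item 17). -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <requestLimits maxUrl="2048" maxQueryString="1024" maxAllowedContentLength="1048576" />
        <fileExtensions allowUnlisted="true">
          <!-- backups and dumps that are easy to leave in a web root (IIS already denies .config etc.) -->
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
          <add fileExtension=".sql" allowed="false" />
        </fileExtensions>
        <!-- only the verbs the site needs; OPTIONS, TRACE and DEBUG are refused -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- path traversal and alternate data stream syntax never reach the handler -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
          <add sequence="\" />
        </denyUrlSequences>
        <!-- folders under the web root that must not be browsable (bin and App_Data are hidden by default) -->
        <hiddenSegments>
          <add segment="logs" />
          <add segment="backup" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Rejected requests are logged with substatus codes 404.x in the IIS log, so the W3C logs show what request filtering is catching before a rule is tightened further.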
grayboy
2 Posts
Re: IIS 7.0 Hardening Recommendations
Jan 03, 2010 07:56 AM
Dear Steve, thanks for your great information, but I just want to ask you: should I do anything or make any change in the registry for security, or not? Have you experienced this or not for IIS 7.0?
steve schofi...
5681 Posts
MVP
Moderator
Re: IIS 7.0 Hardening Recommendations
Jan 03, 2010 04:59 PM
I personally haven't done anything locking down the registry and IIS 7. The Security Configuration Wizard could have some recommendations, but if you use the principle of having the account have little or no permissions except what it needs on the box, the registry would be off limits for the most part. Run SCW and see if there are any recommendations is all I can suggest. I like SCW since it'll show you what it wants to lock down; you can see the results in your environment, investigate any settings you are not sure about, then test on a non-production box or test VM. MS has done a great job since Windows 2003 locking things down by default. Hope there is an answer in there. :)
petsch
10 Posts
Re: IIS 7.0 Hardening Recommendations
Jan 04, 2010 06:32 AM
Great thread! About using antivirus software on the IIS web servers, are there any recommendations on how to configure the AV software? Are there specific paths which might be good to exclude, performance wise? Thx,
steve schofi...
5681 Posts
MVP
Moderator
Re: IIS 7.0 Hardening Recommendations
Jan 05, 2010 02:43 AM
I can only speak from my experience. 1) If you install SharePoint or other software, there are specific recommendations by MS. The general rules I've followed are to be as aggressive as possible and have exclusions for file types, log files, temporary internet files, paging files, MDF, LDF, NDF. Most software allows for file exclusions by file extension such as aspx, ascx and other normal web type files. I've also not had AV installed on Windows servers, although for PCI compliance AV is almost required. Hope this helps.