Attack Surface
Microsoft designed IIS 7.0 with a modular architecture and a minimum of module and feature dependencies. You can choose from 40 modules to customize your installation for the needs of your particular Web server.
The default installation of IIS 7.0 only supports serving static content such as HTML and image files. This exposes the minimum attack surface while still providing Web server functionality.
Microsoft organized the IIS 7.0 installation into seven feature areas: Common HTTP Features, Application Development, Health and Diagnostics, Security, Performance, Management Tools, and FTP Publishing Service. How you want to manage your IIS 7.0 Web server, together with the feature requirements of the sites and applications that you plan to host on it, determines which modules and features to install. However, the more modules and features that you install, the larger the attack surface on the Web server.
The IIS 7.0 setup program installs a different set of files, services, and firewall rules based on the features and modules that you choose. To determine the attack surface of this role service, you need to identify the following:
Installed files. The files that are installed as part of the Web Server role.
Installed services. The services that are installed as part of the Web Server role.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The firewall rules that are installed (or enabled) for the Web Server role.
The details of the attack surface for the Web Server role are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this role service, on the Web tab of the workbook, view the sections that correspond to each of the items in the previous list.
Security Measures
This section describes security measures that you can incorporate into your Web server (IIS) configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Web Server role on the Select Role Services page of the Add Roles Wizard, accepted all of the defaults, and included the ASP.NET option. Further recommendations for the Common HTTP Features, Application Development, Health and Diagnostics, Security, Performance, Management Tools, and FTP Publishing services are not included. For more information about how to configure these services, see IIS 7.0: Configure Web Server Security.
There are many ways to set up a Web server that uses IIS, but this guidance focuses on a common scenario that uses an ASP.NET application that connects to a database. For example, an internal ordering system or a Human Resource application could provide such a database.
A Web site of this type typically consists of the following:
Static pages (HTML pages).
Images that use .jpg and .gif file formats.
Dynamic ASP.NET pages.
As part of planning the installation for the Web server, ensure that the application developers in your organization follow security best practices. For more information about best practices in this area, see Improving Web Application Security: Threats and Countermeasures.
It is important to understand that if your organization does not follow security best practices, you will be making it easy for your Web server to fall victim to malicious attacks. Even after using security best practices to set up a Web application, there are several steps that you need to take to secure the Web server.
Configuration Checklist
The following table summarizes the recommended security configuration tasks for hardening servers that perform the Web Server role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 6.1 Configuration Checklist
| Configuration tasks |
|---|
| Consider deploying a Server Core Installation of Windows Server 2008. |
| Install the application development environment. |
| Set the authentication mechanism. |
| Remove unused IIS components. |
| Configure a unique binding. |
| Move root directories to a separate data partition. |
| Configuring user account permissions. |
| Enable Secure Sockets Layer (SSL). |
| Consider additional specialized security configuration measures. |
Consider Deploying a Server Core Installation of Windows Server 2008
Consider deploying Windows Server 2008 using the Server Core installation option to further reduce the attack surface of the operating system by reducing the number of installed files and running services. The advantage of the Server Core installation option is that a graphical user interface (GUI) is not installed, so the files and services required by the normal GUI are not installed.
There are two issues you need to be aware of when using a Windows Server 2008 Server Core installation for the Web Server (IIS) role. First, you cannot directly manage the installation using a GUI. Instead you must use the Microsoft Management Console (MMC) management tools remotely from a computer that has them installed or use command-line management tools to directly manage the server installation. Second, Server Core does not support ASP.NET and .NET Framework associated features. If your applications require .NET functionality, you cannot use the Windows Server 2008 Server Core installation.
Because the scenario used in this chapter requires ASP.NET, you cannot carry out these procedures on a Server Core installation. However, you can apply the general principles outlined here to any Web Server (IIS) role that runs on a Server Core installation.
You can use the following command-line management tools to install the Web Server role on a computer running Windows Server 2008:
To install the default Web Server (IIS) role and the services associated with it, run the following command:
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To install all available services and features for the Web Server (IIS) role, run the following command:
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-FTPPublishingService;IIS-FTPServer;WAS-WindowsActivationService;WAS-ProcessModel
For more information about how to install the Web Server (IIS) role with a Windows Server 2008 Server Core installation, see Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
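Added example (not part of the original guide): because every feature named after /iu: adds to the attack surface, a proposed pkgmgr install command can be reviewed against an allow-list before it is run. The allow-list, the shortened sample command, and the function names are constructed for illustration; the feature names are taken from the commands above.

```python
import re

# The seven feature-area parents as named in the "install all" pkgmgr command.
AREAS = ["IIS-CommonHttpFeatures", "IIS-ApplicationDevelopment",
         "IIS-HealthAndDiagnostics", "IIS-Security", "IIS-Performance",
         "IIS-WebServerManagementTools", "IIS-FTPPublishingService"]

# Constructed allow-list (assumption): static content, logging, request filtering.
ALLOWED = {"IIS-WebServerRole", "IIS-WebServer", "IIS-CommonHttpFeatures",
           "IIS-StaticContent", "IIS-DefaultDocument", "IIS-HttpErrors",
           "IIS-HealthAndDiagnostics", "IIS-HttpLogging", "IIS-Security",
           "IIS-RequestFiltering", "WAS-WindowsActivationService",
           "WAS-ProcessModel"}

# Constructed sample: a shortened install command proposed for review.
SAMPLE = ("start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;"
          "IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DirectoryBrowsing;"
          "IIS-ApplicationDevelopment;IIS-CGI;IIS-Security;"
          "IIS-BasicAuthentication;IIS-RequestFiltering;IIS-FTPPublishingService;"
          "IIS-FTPServer;WAS-WindowsActivationService;WAS-ProcessModel")

def parse_features(command):
    """Return the ordered feature list from a 'pkgmgr /iu:A;B;C' command."""
    match = re.search(r"pkgmgr\s+/iu:(\S+)", command, re.IGNORECASE)
    if not match:
        raise ValueError("no pkgmgr /iu: switch found")
    return [name for name in match.group(1).split(";") if name]

def review(command, allowed=ALLOWED):
    """Split features into kept and rejected (grouped by area parent)."""
    # Assumes each area parent precedes its children, as in the commands above.
    kept, rejected, area = [], {}, "(core)"
    for name in parse_features(command):
        if name in AREAS:
            area = name
        elif not name.startswith("IIS-"):
            area = "(core)"
        if name not in allowed:
            rejected.setdefault(area, []).append(name)
        elif name not in kept:
            kept.append(name)
    return kept, rejected

def trimmed_command(command, allowed=ALLOWED):
    """Rebuild the install command with only the allow-listed features."""
    return "start /w pkgmgr /iu:" + ";".join(review(command, allowed)[0])

if __name__ == "__main__":
    print(review(SAMPLE)[1], trimmed_command(SAMPLE), sep="\n")
```

The rejected features are grouped under their feature-area parent, so a reviewer can see at a glance which areas (for example FTP Publishing Service) a command would open up.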
In addition, you can use the appcmd command-line tool to manage the Web Server role. For instructions on how to use the appcmd command-line tool, see the Administrative Tools section of the IIS 7.0: Operations Guide in the Windows Server 2008 TechNet Library.
You can also use WMI to locally or remotely manage the Web Server (IIS) role running on Windows Server 2008 Server Core installations.
For more information about WMI, see Windows Management Instrumentation and the WMI Section of the IIS 7.0 Operations Guide in the Windows Server 2008 TechNet Library.
Install the Application Development Environment
The scenario tested in this chapter uses ASP.NET because it is the most popular application development infrastructure that IIS provides. ASP.NET uses .NET Framework 2.0, which is available in Windows Server 2008.
In the Select Role Services section of the installation process for the Web server, when you select ASP.NET, the following IIS 7.0 components are required:
ASP.NET: Includes files and configuration settings to enable ASP.NET on IIS.
ISAPI Filters: ASP.NET requires an ISAPI Filter with the name "ASPNET_FILTER.DLL".
ISAPI Extensions: The core functionality of ASP.NET is in the ASPNET_ISAPI.DLL file. This DLL file is built on top of the ISAPI Extension interface. IIS does not install the ISAPI Extension interface by default.
.NET Extensibility: .NET extensibility allows your server to support managed modules that run using the ASP.NET programming model. Your developers can use .NET Framework APIs to create new Web server features.
WAS .NET Environment: This supports managed code activation in the IIS 7.0 process model.
If your ASP.NET applications are designed to use the out-of-process ASP.NET Session state service, you must enable this feature. If you have enabled this feature and your ASP.NET applications do not use it, disable it.
After installing the development environment, the next step in securing your Web server is to install the authentication mechanism that you want to use to determine the identity of users who connect to the applications on the Web server.