Microsoft Internet Information Server (IIS) 7 is still widely used in the enterprise, despite a less-than-stellar track record for security. In fact, for many “IIS security” is a contradiction of terms—though in all fairness, Microsoft's web server solution has improved significantly over the years.
By following these 10 steps for improving IIS 7 security, you can achieve and maintain an even stronger level of security for your web apps.
1. Analyze dependencies and uninstall unneeded IIS 7 modules after upgrading.
If you plan on upgrading from a previous version of IIS, be forewarned that your previous installation’s state information and metabase will be carried over to the new install. Be sure to disable and/or uninstall any unused IIS components and features to minimize the web server’s attack surface.
2. Properly configure web server user/group accounts
IIS 7 features new built-in user and group accounts dedicated to the Web server. So for example, separate system and application administrator accounts can be created for more granular-level access. System administrators can therefore give application administrators the rights to make application-level configuration changes without the need to grant them administrative access to the server. These accounts should be audited on a ongoing basis to ensure they are configured securely.
3. Use IIS 7’s CGI/ISAPI Restrictions
CGI and ISAPI are two common ways to build upon IIS—either for generating dynamic content or for extending IIS’ native capabilities. Unfortunately, CGI files (.exe) and ISAPI extensions (.dll) are also commonly exploited in web attacks and should be restricted if not in used. For example, if you’re using PHP or ColdFusion to create dynamic content with IIS, use of CGI and other ISAPI extensions may not be needed
4. Install The UrlScan Extension
UrlScan is an extension that functions as a security tool for restricting HTTP requests. Potentially harmful HTTP requests are prevented from reaching the server through rule-based filtering. This extension is critical for mitigating threats like SQL injections, among others, and should be used in conjunction with your IIS-based web application.
5. Use Dynamic IP Restrictions
Dynamic IP address restrictions use a requestor’s IP addresses and domain name to determine whether or not to restrict access. This is essentially a whitelist—"allowUnlisted"—that IIS 7 uses to prevent unauthorized access. So in the event of Denial of Service (DoS) and brute force attacks, IIS 7’s Dynamic IP Restrictions (DIPR) module can temporarily block IP addresses making unusual requests.
6. Incorporate URL Authorization In Your Application
URL authorization grants access to URLs within an IIS 7 application based on user names and roles, as opposed to server or system accounts. This makes it easier to restrict content based on group membership. URL authorization rules can be associated with a server, site, or application.
7. Use Encrypted Forms-Based Authentication
Forms-based authentication allows for the management of client registration and authentication at the application level, as opposed to on the Windows account level. Because this authentication mechanism passes form values as clear text, SSL must be installed to encrypt sensitive data.
8. Use Application Pool Identities
This feature of IIS 7 enables more granular security by running application pools under unique accounts, bypassing domain or local account creation/management. By using a low-privileged account—namely, ApplicationPoolIdentity—multiple distinct sets of anonymous website content can be isolated without having to create a unique account for each website.
9. Isolate/Segregate Web Applications
By using a combination of the above IIS 7 features, you can achieve more secure isolation and segregation for your web applications. In general, the following security recommendations should be taken into consideration:
- Each application pool should be assigned to a single website.
- The application pool should be assigned to a dedicated user.
- Anonymous user identities should be set up to use the application pool.
10. Fix Critical IIS 7 Vulnerabilities
Last but not least, critical IIS 7 vulnerabilities should be patched or remediated. To date, 6 IIS 7 vulnerabilities have been documented per the CVE database. New vulnerabilities are constantly being discovered—for example, critical vulnerabilities discovered in April 2015 allow attackers to easily carry out DoS and/or Remote Code Execution (RCE) attacks on unpatched servers.
In short, the modular nature of IIS 7 allows for more granular control over web server resources and security. However, this can either make your web applications more or less secure—depending on the person or group responsible for security. Deeper, fine-grained security mechanisms require more careful management of said resources; fortunately, these arduous processes can be managed automatically with ScriptRock’s platform for vulnerability detected and monitoring. Our Windows and IIS security policies can automatically scan your environment for critical vulnerabilities and security gaps.