WebApp Sec mailing list archives

RE: IIS Security


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 21 Nov 2005 11:25:41 -0600

<inline>

From: Schmidt, Albert E [mailto:AES () ola state md us] 

If the default IIS account only has access to the root
document, what is the harm of placing the root document on
the same disk partition as the operating system, if the
account does not have access to the operating system files?

Do you mean IWAM account? Or IUSR or WWW Pub Service (inetinfo.exe)?

1. IWAM and IUSR both have rx to system files. localsystem
has full control of system files. Which one are you referring to,
and are you sure you restricted access to system files?

2. I haven't locked down IIS fully in a year or so, and memory
is fuzzy but I remember system files being impossible to
whitelist or deny_all; could only perform limited blacklisting
of permissions on specific files (e.g. tftp, cmd, etc.). Some
people recommend removing those binaries which isn't a bad idea,
but better tripwire & audit as future service packs (or on reboot
if using fs_protection cache) may replace all the binaries you
deleted, and with default privs.

3. I am a large fan of a read-only drive/partition for IIS,
or any wwwserver. This will stop web-server focused worms
from propagating and befuddle most script kiddies. But not
because the system files are inherently more secure...

4. IWAM is priv limited. Provided your configs are sound and
provided IIS is not flawed, threat should be limited...

5. People use IIS priv-config and overflow flaws to upload local
exploits to elevate privs from IWAM to local_system. In 2004
there was a .NET traversal flaw that I verified (err, stole someone
else's rumor of) that enabled one to snag web.config/global.asax
even though security checks should have implicitly denied me.
This may have allowed malicious upload if I found a writeable
directory. -ro for entire webroot would significantly limit this.

Defense in Depth.

A better more up-to-date site than my brain would be IISAnswers:

http://www.iissecurity.com/

Also visit the MS technet forums for these types of questions.

Other thoughts:

From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Monday, November 21, 2005 10:05 AM


1) The traversal attacks used in the past

Can be flipped to %systemroot% and game over.

2) Some of the attacks in the past assumed that the wwwroot was

c:\inetpub\wwwroot; remapping could provide some obscurity; you
could copy the whole system drive & provide 'list' privs and *nothing*
else. Would give a hacker fits unless they can flip to path or
environment variables, or catch on to the game.
 
3) It is much easier to control the permissions for the anonymous
account (INETUSER) that IIS uses, if the WWWROOT is located on a
separate partition.

Not sure I agree. Whether \inetpub, \partition, or \unique_drive
the degree of restriction is the same.

-ae
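The two checks the thread keeps circling back to (is the webroot on the OS volume, and can the anonymous/worker identity write anywhere under it) can be audited in one script. The following is an added example, not code from the thread or from any of the posters; it assumes a modern PowerShell host with the NTFS provider, and the webroot path and the identity-name list are placeholders to adjust for the machine (IUSR_<machine>/IWAM_<machine> are the IIS 5/6 names the thread uses, IUSR/IIS_IUSRS the IIS 7+ equivalents).

```powershell
# Added example (not from the original thread): audit an IIS webroot for
# (1) co-location with %SystemRoot%'s volume and (2) NTFS ACEs that grant
# write-class rights to low-privilege identities. Read-only findings only;
# remediation is left to the operator.
# Assumptions: $WebRoot and $LowPrivIdentities are placeholders, not real values.

function Test-WebRootVolume {
    param([Parameter(Mandatory)][string]$WebRoot)
    # Compare drive qualifiers ("C:") of the OS and the webroot.
    $sysDrive = Split-Path -Qualifier $env:SystemRoot
    $webDrive = Split-Path -Qualifier $WebRoot
    [pscustomobject]@{
        WebRoot        = $WebRoot
        SystemVolume   = $sysDrive
        WebRootVolume  = $webDrive
        SharesOsVolume = ($sysDrive -ieq $webDrive)
    }
}

function Find-WritableWebRootAce {
    param(
        [Parameter(Mandatory)][string]$WebRoot,
        # Identity name prefixes (without domain/machine part) that must never be able to write.
        [string[]]$LowPrivIdentities = @('IUSR', 'IWAM', 'IIS_IUSRS', 'Everyone', 'Users', 'Authenticated Users')
    )
    # Any of these rights lets a request-path-controlling attacker drop or alter content.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    # Audit the webroot itself plus everything beneath it.
    $targets = @(Get-Item -Path $WebRoot) +
               @(Get-ChildItem -Path $WebRoot -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherited ACEs may carry generic-right bit patterns; -band on the
            # underlying integer still catches the write-class bits we care about.
            if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
            # Strip "MACHINE\" or "NT AUTHORITY\" and compare the short name.
            $short = ($ace.IdentityReference.Value -split '\\')[-1]
            $hit = $LowPrivIdentities | Where-Object { $short -like "$_*" }
            if (-not $hit) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder path; run from an elevated prompt so every ACL is readable):
$webRoot = 'D:\inetpub\wwwroot'
Test-WebRootVolume -WebRoot $webRoot | Format-List
Find-WritableWebRootAce -WebRoot $webRoot | Format-Table -AutoSize
```

Any row returned by Find-WritableWebRootAce is a place where the thread's "-ro for entire webroot" goal is not met; an inherited hit usually means the parent directory (often the drive root) is the one to fix rather than the file listed. SharesOsVolume being true is the point Arian raises in item 3: not a vulnerability by itself, but it removes the option of making the whole volume read-only without also freezing the OS.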
