Microsoft's IIS6 lockdown

Microsoft's basic philosophy has always been to expose the scriptability and power of its products. Larry Seltzer tells how Microsoft is bucking that trend with improved security for IIS6.

It must really hurt developers at Microsoft to design IIS6 the way they've been designing it.

It's been basic Microsoft philosophy forever to make products as available, as scriptable, and as powerful as possible. Things have changed. After two years of assaults from security consultants and Internet vandals, Microsoft has decided that discretion--when it comes to an Internet service--is the better part of valor. Now they have to sit and think of ways to prevent users from accessing features.

Since so many companies running Windows 2000 and NT4 had unknowingly installed IIS--until they were victimized--Microsoft has wisely seen fit to alter the default configuration for IIS6. After you install Windows .Net Server, IIS6 may or may not be installed, depending on the edition. Once installed, its default configuration is a locked-down state that serves static files and little else: the handlers for dynamic content (ASP, ASP.NET, CGI, ISAPI extensions, server-side includes, WebDAV) are listed as Web Service Extensions and are prohibited until an administrator explicitly allows them. You must enable the features you actually need. Beyond that, there are new filtering features borrowed from firewalls, such as the ability to reject suspicious requests before they ever reach an application. All this--in combination with the new Web Server Edition, and if Microsoft's performance claims for IIS6 are true--could make IIS6 very popular in hosting environments and other pure Web applications.

Ha, you say, everyone knows IIS is a bad security joke. But in fact, I think that in the last year or so the absence of any significant new attacks on IIS is partly a result of new tools and patches available from Microsoft. It's easier now to make IIS systems secure, and IIS6 extends that trend. Even though new vulnerabilities have been reported recently, many of these are already patched, and there has been a healthy dose of exaggeration about some of them.

IIS6 also runs Web applications in separate "worker processes" (w3wp.exe), grouped into application pools, rather than inside the core server process. This is not overflow detection as such: a server cannot reliably recognize a buffer overflow attempt, the mainstay of Web-based attacks, and it is impossible to block all of them. What isolation buys you is containment. An overflow that crashes an application takes down only its own worker process, which IIS6's health monitoring terminates and replaces while other application pools keep serving. And because worker processes run under the low-privilege Network Service account by default, instead of the LocalSystem account that IIS5's inetinfo.exe used, code that does run after a successful overflow has far fewer rights on the box.

There is also an important change in IIS6 in anonymous user authentication. The default logon type for the anonymous account has changed from INTERACTIVE to NETWORK_CLEARTEXT, so that account no longer needs the right to log on locally to the server. That matters most on domain controllers, where the right to log on locally is tightly restricted: a domain controller can now also serve Web content without that right being handed to the anonymous Web user, which leaves it less exposed (whether a Web server belongs on a domain controller at all is another question).

Not all the Web security enhancements are in IIS6 specifically. Windows .Net Server also offers port filtering at the level of the TCP/IP stack, with separate lists of permitted TCP ports, UDP ports, and IP protocols (a feature carried over from Windows 2000). Undoubtedly you have a firewall performing this function, but host-level filtering adds another layer of protection, especially inside the firewall, in the event an internal system becomes compromised. Note that this filtering applies to inbound traffic only; it does nothing for connections the server itself initiates, so it is no substitute for outbound filtering at your firewall.

The basic decision that services in IIS should be disabled unless you know you need them was made a while ago. IIS in Windows NT4 and Windows 2000 still doesn't ship that way, but Microsoft provides the IIS Lockdown tool for IIS versions 4 and 5. This wizard makes it easy to disable a large number of services and questionable capabilities, bringing an existing server close to the bare-bones state of a default IIS6 installation.

More sophisticated IIS users and developers may already have discovered the obvious, as was reported a while ago: incautious use of the Lockdown tool can remove functionality an application needs, although the tool does let you pick and choose which services to disable. The same will certainly be true of IIS6, where services you may have been taking for granted in earlier versions are simply not enabled by default.

Undoubtedly, there will be many applications that will require reprogramming, reconfiguration, and just plain reconsideration in the light of IIS6. In the first few years of the Internet boom Microsoft sold a lot of ideas about how Web servers should be used--ideas that are now generally considered unwise. If you bought into some of the ideas--for example, using Office applications to save directly to a Web server--you can still do that in future versions, but your administrators will have a harder time keeping the site secure. Microsoft is focusing on making it simple to secure the server by disabling such capabilities.

When you install the Lockdown tool you are offered another invaluable tool: URLScan. This add-on to IIS (technically an ISAPI filter) rejects certain classes of requests before they reach the Web application, such as requests for .EXE files, extremely long URLs, or URLs containing non-ASCII characters. There is a bit of a "quick hack" feel to it; a really polished version would show up as a tab in the Internet Services Manager, but in an apparent tribute to Linux and BSD, you control URLScan through a configuration file, urlscan.ini. URLScan also logs every blocked request along with the address it came from, so you can look into the source. For all you know, a request could be from a compromised system elsewhere on the internal network or from a remote access user; the log file could clear that up quickly. IIS6 integrates much of this capability.
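To make the filtering rules concrete, here is an added example (not URLScan's own code, which is an ISAPI filter written in C) that re-implements the three checks just described, denied extensions such as .EXE, over-long URLs, and non-ASCII characters, together with the logging of blocked requests by client address. The ini text follows the documented urlscan.ini key names but is a constructed subset; the sample requests and the log line format are likewise constructed for the example.

```python
"""URLScan-style request filter (illustrative re-implementation, not URLScan)."""
import configparser
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

# Constructed urlscan.ini-style policy. Key names follow the documented
# URLScan options; only a small subset is modelled here.
SAMPLE_INI = """\
[Options]
NormalizeUrlBeforeScan=1
AllowHighBitCharacters=0
EnableLogging=1
MaxUrl=260

[DenyExtensions]
.exe
.bat
.cmd
.com

[DenyUrlSequences]
..
./
"""


@dataclass
class Policy:
    normalize: bool
    allow_high_bit: bool
    max_url: int
    deny_extensions: List[str]
    deny_sequences: List[str]

    @classmethod
    def from_ini(cls, text: str) -> "Policy":
        # The list sections hold bare entries with no '=', hence allow_no_value.
        cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
        cp.read_string(text)
        opts = cp["Options"]
        return cls(
            normalize=opts.getboolean("NormalizeUrlBeforeScan", fallback=True),
            allow_high_bit=opts.getboolean("AllowHighBitCharacters", fallback=False),
            max_url=opts.getint("MaxUrl", fallback=260),
            deny_extensions=[k.lower() for k in cp["DenyExtensions"]],
            deny_sequences=list(cp["DenyUrlSequences"]),
        )


@dataclass
class Verdict:
    allowed: bool
    reason: str = ""


def check_url(raw_url: str, policy: Policy) -> Verdict:
    """Apply the policy to one request URL; the first failing check wins."""
    # MaxUrl is applied to the path only; the query string has its own limit
    # in URLScan, which this example does not model.
    path = raw_url.split("?", 1)[0]
    if len(path) > policy.max_url:
        return Verdict(False, f"URL length {len(path)} exceeds MaxUrl={policy.max_url}")
    # Decode %xx escapes before scanning so encoded traversal sequences or
    # high-bit characters cannot slip past the string checks.
    scanned = unquote(path) if policy.normalize else path
    if not policy.allow_high_bit and any(ord(c) > 0x7F for c in scanned):
        return Verdict(False, "URL contains non-ASCII characters")
    lowered = scanned.lower()
    for seq in policy.deny_sequences:
        if seq in lowered:
            return Verdict(False, f"URL contains denied sequence {seq!r}")
    last_segment = lowered.rsplit("/", 1)[-1]
    dot = last_segment.rfind(".")
    ext = last_segment[dot:] if dot >= 0 else ""
    if ext in policy.deny_extensions:
        return Verdict(False, f"URL extension {ext!r} is denied")
    return Verdict(True)


def filter_requests(requests: List[Tuple[str, str]], policy: Policy):
    """Return (allowed URLs, log lines). Each request is (client_ip, raw_url)."""
    allowed, log = [], []
    for client_ip, url in requests:
        verdict = check_url(url, policy)
        if verdict.allowed:
            allowed.append(url)
        else:
            # Constructed log format: the client address is recorded so a blocked
            # request can be traced back to an internal host or remote-access user.
            log.append(f"Client at {client_ip}: {verdict.reason}. "
                       f"Request will be rejected. Raw URL={url!r}")
    return allowed, log


SAMPLE_REQUESTS = [  # constructed sample traffic
    ("10.0.0.5", "/default.htm"),
    ("10.0.0.5", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
    ("192.168.1.20", "/bin/upload.exe"),
    ("192.168.1.20", "/caf%C3%A9.htm"),
    ("172.16.4.9", "/" + "a" * 300 + ".htm"),
]

if __name__ == "__main__":
    policy = Policy.from_ini(SAMPLE_INI)
    ok, log = filter_requests(SAMPLE_REQUESTS, policy)
    print("allowed:", ok)
    print("\n".join(log))
```

Only the plain /default.htm request survives; the double-encoded traversal is caught because the URL is decoded before the ".." sequence check runs, which is the reason URLScan's NormalizeUrlBeforeScan option matters.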

It's encouraging to see Microsoft move so decisively away from their established bias towards feature overload and into the conservative mainstream of Web server security. It's always been the case that well-administered servers are far less vulnerable to attack than poorly administered ones, and in that sense IIS is no different from other Web servers. The new security features will make it harder to be really bad at Web security.

Burned by IIS? Will IIS6 ease your pain? TalkBack or send e-mail to Larry.