Microsoft IIS Security

1
Microsoft IIS Security
Greydon Buckley CSC650 Secure Networked
Systems SFSU Computer Science Department
http//userwww.sfsu.edu/greydon/iis.html
2
Internet Information Services

• Internet Services for Windows Platforms
• Competes with Apache
• Popular in corporate world
• HTTP, FTP, SMTP, etc.
• Platform for ASP/ASP.NET
• Tightly integrated with Windows

3
IIS Processes Versions 1.0 3.0

• Single Process INETINFO.EXE
• High-privilege System logon session

Operating System
User
INETINFO.EXE
4
IIS Processes Versions 1.0 3.0

• IIS vulnerability compromised OS security

Operating System
Intruder
INETINFO.EXE
5
IIS Processes Version 4.0
Core Web Server separated out from
lower-privileged Web Application Manager (WAM)
Operating System
INETINFO.EXE
WAM1
Intruder
WAMn
6
IIS Processes Version 5.0

• Group multiple web applications into one process

Operating System
INETINFO.EXE
WAM1
WAMn
7
IIS Processes Version 6.0

• Multiple Application Pools
• Worker Process Isolation Mode
• Meets Lockdown Tool specifications
• Less O/S Integration

INETINFO.EXE
WAM1
WAMn
8
Authentication and Impersonation
Anonymous
IUSR_MACHINE
Certificate
SSL/Account Mapping
Integrated
NTLM/Kerberos (IE)
Digest
Active Directory/Hash
Basic
Native HTTP (SSL)
9
IIS Settings Application Protection
10
IIS Settings Authentication Methods
11
References

• Brown, Keith. Programming Windows Security.
  Addison-Wesley. 2000.
• http//www.develop.com/books/pws/
• Microsoft IIS On-Line Help. (February 2006)
• http//www.microsoft.com/WindowsServer2003/iis/def
  ault.mspx
• Microsoft Developers Network, IIS Development
  Center. (January 2006)
• http//msdn.microsoft.com/library/default.asp?url
  /library/en-us/dnanchor/html/anch_iis.asp
• Technet IIS Architecture. (February 2006)
• http//technet2.microsoft.com/WindowsServer/en/Lib
  rary/db3d8cf4-cedd-49a5-8d43-3631d58ddc141033.mspx