Tag Archives: Security

IIS Security – Past and Present

This topic has been covered many times both by Microsoft and non-Microsoft employees. However, I’ve recently been asked what the main features of IIS 7 are and have seen a great deal of misinformation about IIS security on twitter, blog posts and forums.

I think, therefore, the issue deserves yet another look. In this post, I’m going to go over security in the past for IIS and then move on to talk about security features in IIS 7. These are not in any particular order. This post is not meant to diminish the many thoughtful works already created by others – both complimentary and critical. This is just meant to bring the subject back up for discussion again in hopes that you can be properly equipped with the decision making information you may need.

Ghosts of IIS Security Past

The reason for so much misinformation about the current state of security in IIS is likely due to the earned reputation the product had in versions previous to IIS 6.0. A quick search on the web for IIS 5 security vulnerabilities may be like a walk down memory lane for some of the more veteran administrators and IT staff across the globe. The search results are littered with critical vulnerabilities related to buffer overflows, ISAPI extensions, exploits on rarely-used features, or features that were available by a default installation. We are haunted by names like “Code Red” and “Nimda”. I don’t know about you, but those very names send shivers down my spine. I was consulting as a developer and web administrator for a very large property management company when these hit. We were lucky enough to avoid these as we had patched our services. That said, many whom I did business with on a regular basis were not very happy. So, to be clear, I feel the misinformation that is spread today is built on an element of experience with previous versions. Secunia reports 16 advisories and 6 vulnerabilities with IIS 5.  And so started the reputation , perhaps deservedly so, that IIS was not secure unless you really knew what you were doing with security.

Bill Gates was apparently visited by the ghosts of security past, present and future when he laid his head on his pillow January 14th, 2002. I say that because on January 15th, 2002 Mr. Gates sent out the now-famous trustworthy computing memo to every employee at Microsoft.  This set off a major revamp of products from the ground up. Standards were set for test planning and testing. Writing Secure Code was mandatory reading for every Microsoft developer and tester. The results have been staggering.

Security drastically improved in Microsoft products over the years, and IIS was definitely no exception to this. IIS 6 saw 5 security advisories and 4 vulnerabilities reported since 2003. Not to get ahead of myself, but IIS 7 has exactly 1 advisor and 1 vulnerability from Secunia. Compare this against Apache 2.0.x which has had 39 advisories and 23 vulnerabilities (4 of which are still unpatched as of this writing) and Apache 2.2.x which has had 10 advisories and 16 vulnerabilities (2 of which are still unpatched as of this writing) in the same period.  Now I have seen attempts ([1], [2]) to quantify or otherwise explain these numbers further. You can read those articles for yourself and determine how much weight you want to give them. However you skew it, the facts should speak for themselves – IIS has dramatically improved and taken a leadership roll in security in IIS 6 and 7. Our ghost of IIS past still haunts the product’s reputation today, despite obvious strides taken. Even if you feel you like Apache better I think it is only fair to give credit where it is due.

Improvements in IIS 6

The IIS team took the four tenants of Microsoft’s Trustworthy Computing initiative to heart: Secure by Design, Secure by Default, Secure in Deployment and Secure Communication. Since we are already on the next version, I won’t spend a great deal of time talking about the security improvements in the last version other than a brief overview so you know how they relate to changes in our current version, IIS 7.

IIS 6 took vast strides to improve security. During upgrade installations, IIS 6 was disabled by default if the previous server had not been secured by the IIS lockdown tool. The architecture was completely revamped to separate kernel-mode HTTP listening from user-mode application execution. Changes were made to application pools, authentication, access control, encryption and certificate handling, auditing, logging and patch management that made the product far superior to its predecessors. You can find a detailed list of these features on TechNet.  SecurityFocus did a comparison of these features in March of 2004.Server Watch wrote an article in December of 2003. By most accounts, everything accomplished in IIS 6 was a huge step in the right direction.

Despite the massive steps already taken in IIS6, IIS 7 took these all a bit further. Let’s go ahead and investigate these now.

Improvements in IIS 7.x

Customizable Installation

Continuing with the tenant of being secure in deployment, IIS 7 has made installation a wonder to behold. In IIS 6, you could reduce your attack surface by disabling features native to web server. However, these features were still loaded into the process. This carried not only a security factor, but also a performance and memory footprint issue.  IIS 7 has a completely modular architecture. That means that features which you do not want are not only NOT loaded into the process, you can leave the bits for those features off of your disk completely.

Limitable Attack Surface

This is a bit dubious and is essentially part of the customizable installation. By reducing the modules that are available on disk or loaded into a process, you significantly reduce the attack surface for your specialized web servers. If all you intend to do is serve static content with caching and no default documents, you can simply install the static file handler and caching module and leave the rest of the IIS modules off of your server. Additional controls and limitations will also reduce your attack surface and I’ll cover those below.

IUSR account

Anyone who has tried to migrate an IIS installation from one machine to another or attempted to recover your installation on a new machine, previous to IIS 7, has likely run into an issue with the local “IUSR_” account.  IIS 7 now uses a built-in IUSR account that allows you to easily copy your security settings from one machine to the next. This is great news for those using distributed configuration in web farms, recovery, restoration, or replication.


IIS 6 introduced the IIS_WPG group. Application pool security identities had to be assigned to this group in order to host the w3wp.exe process. Like the IUSR account, IIS 7 now creates a built-in security group (IIS_IUSRS) and assigns application pool identities to the group automatically. You can find more information about the built-in user and built-in group for IIS 7 on IIS.NET (Understanding the Built-In User and Group Accounts in IIS 7.0).

ASP.NET / IIS Unified Security Architecture

Previous versions of IIS did not provide a unified approach to security with ASP.NET. The IIS 7 unified request pipeline that supports both Windows and non-Windows principals and provides one place to do all authentication and authorization. Apart from simplification and performance improvements, this also reduces the attack surface and allows for greater flexibility in authentication / authorization scenarios with custom modules.

Request Filtering / URL Rewriting

IIS 7.0 includes a request filtering module that is based on the URLScan ISAPI Filter for IIS 6.0. The module helps you tighten security of your Web servers.

The IIS team has also released an add-on URL rewrite module for IIS 7.0, which provides functionality for rule-based URL manipulation. Even though the primary purpose of the URL rewrite module is to rewrite URL paths for requests, the rewrite module can also be used as a security enforcement tool that helps prevent access to Web site content.

Application Pool Identities

On top of Application Pool Isolation, IIS introduces a new security feature in Service Pack 2 of Windows Server 2008 and Windows Vista. It’s called Application Pool Identities. Application Pool Identities allows you to run Application Pools under an unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

Kernel mode SSL

The implementation of SSL has changed from IIS 6.0 to IIS 7.0.  On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (required a lot of kernel/user mode transitions).  On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections. 

Configuration Improvements

IIS 7.0 allows locking and unlocking configuration settings in various levels and scopes. Locking down configuration means that it cannot be overridden (or set at all) at lower levels in the hierarchy. Unlocking configuration can only be done at the level where it was locked. This is useful, for example, when creating different configuration for different sites or paths, and only some of sites and paths are allowed to override it. Locking can be done at the section level or for specific elements, attributes, collection elements and collection directives within sections.

Dynamic IP Restriction

IIS 7 provides a new module that allows dynamic, temporary IP address restriction. This module prevents brute force attacks and HTTP clients that make unusually high number of concurrent requests or a large number of requests over a short period of time.


A verbose list of security features in IIS 6 and IIS 7 might be nearly impossible. Apart from the obvious features, there were numerous improvements to code made over these two versions that make the product far more secure than IIS 5 and earlier. That said, this should give you a summary start on information. I’ve listed some reference documents that may help you understand these features better.  In general, I would encourage you to ask questions of the product team and or other users on the IIS.NET forums if you hear something that sounds negative regarding IIS. If the feedback is true, the product team has the benefit of improving the next release. If the feedback is unfounded, the product team has the benefit of helping you find the information you need to make an informed decision.

See Also

Security: Incompetence

It’s one type of incompetence to keep the personal identifiers and financial data of customers on your laptop and then lose ittwice;  It’s an entirely different type of incompetence that allows government data to be compromised through a network.  Last year at TechEd, a demo showed how a completely patched network could be compromised using an exploit in a web site.  The best part of the exploit was made possible due to turning on more functionality than was necessary. Namely, one issue in the demo was that the router configuration allowed port 80 and port 443 traffic — despite the fact that SSL was not in use on the web site. 

Regardless of the platform being used, many of these compromises are possible these days not due to the operating system itself, but due to assumptions made about users, lack of planning, or pure laziness of administrators and developers.  This is one major reason why I’m not a big fan of agile. Despite the best arguments I’ve heard for agile software development, I have witnessed too much emphasis on feature completion without regard to overall system security. I would encourage you all to read Michael Howard’s new book on the security development lifecycle (link provided below).

Whatever the case – whatever the cause — I would urge the community to pay attention to the recent news stories, learn to start protecting important data and please stop putting personal and financial information that doesn’t belong to you on your laptop!

For more Microsoft resources on security please check out the following:

General Security Websites:



IIS may be Microsoft’s most important product

I’ve been asked a couple of times why I accepted a position working with IIS 7. Someone even quipped that I took it because it was the only job that Microsoft offered me. Quite honestly, if I had my druthers, I would still love to join this team. Obviously, some people can’t understand the importance of this product. This post will serve as the formal answer to the inquiries about my upcoming role.

I believe in my heart that IIS could possibly be the most important product in Microsoft’s arsenal today. If you blindly accept this hypothesis, you need not read any further. However, if the need to provide some supporting evidence to my assertion haunts your dreams, go ahead and finish reading this post before you lay your head on the pillow tonight.

In the book, Freakonomics by Steven Levitt and Stephen Dubner, the authors overtly opine that information is one of the most powerful tools in today’s age. One example given by the duo is that of the ruin of the Ku Klux Klan after WWII. Once the war was over, the “Klan” had started to regain their footing. Stetson Kennedy infiltrated the group and exposed all of their secrets to a popular radio program at the time — Superman. This turned the upsurge in Klan membership on its ugly hooded ear. The book demonstrates time and time again that sunlight is, indeed, the greatest disinfectant.

The proliferation of data in the “information age” is one of my favorite bi-products, or perhaps, the purpose of my very career field. Software applications seek to provide information in a concise form that makes sense to data consumers. Websites such as realtor.com and edmunds.com provide data that prevents the lay-folk from being ripped off in the same or purchase of a home or car, respectively. Sites such as encarta.com and wikipedia.com provide us with reasonable and free research — and in the case of the later, people actually volunteer their time to build on that knowledge. I have to admit that I am addicted to information. In an instant, I can be searching for stock quotes, searching for health information, getting the latest news headlines, or just reading blogs at any given moment. I can access information on my smart phone, my tablet pc, my notebooks or any number of desktop machines at home. There are even refridgerators with web browsers in them now!

Yes, information is important. But getting information out there in an efficient, reliable, and secure way is the key. I have watched IIS grow from a simple application-level server that leaked memory like crazy and provided a million security vulnerabilities while provided basic database/index server query capabilities (HTX/IDC and IDA/IDQ), to a mixture of kernel-mode listeners and intricate inter-process operations that serve up millions of pages of dynamic information and object requests in a secure environment as though it was bored to tears. The information this product serves up, for the most part, is pure gold and it already does it so well. IIS is, indeed, improving with each and every release.

Some may say the success of IIS is why they question my joining the team. “What else could you possibly do with that product”. While I’m not going to be a developer for IIS 7, I do cherish the opportunity to leave my ideas at the desk of those that can at least consider just what I think can be improved. Depending on what survey you read, Microsoft’s market share of the web server space has plenty of room for improvement. In fact, since the .COM bust, it appears that IIS 7 has been losing its market share. But obviously, market share isn’t everything: “What does it profit a man if he gain the whole world but lose his soul?” So what else is there? How about increased security and anti-fraud mechanisms? Dissemination of information is only as good as the information being purveyed. Sure IE 7 is going to take up some of the slack here. But couldn’t IIS 7 also provide some of this capability as well? Couldn’t it help protect against spoof sites? Perhaps a combination of IE 7 and IIS 7 would help scuttle the whole phishing business all together.

As I stated in my previous post, I have a million ideas, and at times, I’m overwhelmed with what to do with them. I’m hoping to pour some of this emotion into a product, and I cannot see a better product to be a part of — in whatever capacity I can be of use.

I hope this satisfies some of your curiosity. Thanks for listening.

RFID-proof wallet!

When the anthrax scares popped up some time after the attacks on the world trade center, our nation was astonished to find that all of our biological concerns could be solved with plastic sheeting and — duct tape. Duct tape is like a modern day snake oil — its great for everything. So when I read today that you could block RFID intrusion with it, I wasn’t the least bit suprised

I carry a couple of security cards in my wallet that use RFID tags. While these tags make it easy for me to gain access to sites which I’ve been given access to, its an increasing security risk to cary these things in your wallet. Let’s hear it for duct tape bringing us peace of mind once again!

Hackers Attack via Chinese Web Sites

I don’t know if anyone caught the Washington Post story a few days ago titled “Hackers Attack via Chinese Web Sites“. It seems to have slipped past everyone in the news. Of course, The WP has become so disreputable and biased that it shouldn’t surprise me that no one paid attention. However, we were warned well in advance, so it should be no surprise.

This begs the question, however. The government has to be, without a doubt, one of the largest consumers of computer goods and services. While I am not an advocate of increased tax spending, this area could use some. Perhaps its time to take a different approach with that spending, however. We have tried many things over the years: Internet War Games, hiring our own elite forces, and even creating more laws and policies. These are certainly deterrents, but security in depth is the key here.

Any good football team has a good offense, a good defense, and a great different game plan depending on who their enemy is. We have the offense now (as mentioned above), we have ‘some’ defense as well. Laws do us no good when dealing with hackers in foreign countries. So what is the answer? I will not purport to have that ‘nail in the coffin’ answer to cyber terrorism and anyone that claims they do is selling you a bill of goods (And they will typically have the abbreviations “Sen.” or “Rep.” in front of their name). However, there are a few other things we need to explore. One mark of a great football team is that they have the ability to surprise and misdirect their enemy. Making the opponent attack in the wrong direction has often led to victory in some of the best games I have seen played. In IT, the misdirection can be supplied with honey pots and misinformation. We can take a trip from the tabloids and start putting out information that sounds correct and feasible, but is nothing more than fodder for the masses. For instance, sending out communications that will most likely be intercepted to “expose” a weakness that is actually a strength can cause a huge failure on an attacker.

This is also not a new concept in typical warfare. Many of you may remember the move “The Patriot”, which was a loose description of the revolutionary war battle in Cowpens, SC, made use of a “double envelopment” strategy, which essentially used a perceived weakness to entice the enemy into a trap. Obviously, this was not the first use of the strategy either, but is highly notable due to the movie’s popularity. Honey pots and misinformation are highly useful in this same context. We strengthen what we may now understand is a weakness, and then taunt the enemy with the weakness again. While the enemy attacks, we have a better chance of pinpointing their location, and perhaps sending them a nice drone-delivered “ACK” to their received packets.

The football analogy works to some degree when trying to put together a cyber security policy. However, we do not “play” against one enemy at a time. We play every team out there — known and unknown. This is why defense is our most important aspect of policy. Our defense needs to be highly educated, state of the art, and driven. We have no way of knowing who is going to attack and when. There is no way we can be prepared for every attack possible. However, we can at least provide some misdirection while we shore up our defense and plan our counter-attacks.

School Security:Blaim the kids & send them to jail

So now you can now send kids to prison and charge them with felonies when your security is so lax that they can waltz in. Here’s the long story.

Here’s the short story.

A school handed out Apple iBooks to 600 students in a school. These laptops had various “security” features on them to keep them from accessing parts of the internet, or installing anything. They also had monitoring software that allowed a school administrator to see what was being viewed on the student’s laptop. I appologize that I don’t know if the software was custom made or if it was a known package. In any case, the password used to bypass these features was foolishly taped to the back of the laptops.

Using this password, the kids bypassed the software so they could download iChat to talk to each other. They also reportedly turned the tables on their school by monitoring the administrator’s desktops instead of the other way around.

This is typical childhood behavior. Kids are currious and given the opportunity to explore, they are going to do so. Given a challenge that they “cannot do x”, they will do x, y and z to prove you wrong. As the kids pointed out, and I oddly enough agree with the kids for once — the punishment doesn’t fit the crime. I’ll go one step further to say the punishment doesn’t fit the right people. Those involved with the “security” of these systems need to be shot. We’ve had examples of disobience to simple rules that date back to Adam and Eve and a simple piece of fruit. What makes you think that history will somehow change itself and kids will simply obey an order? If they are curious, and you leave the door open enough to fit their fingers through, they will find a way in.

In my mind, the correct response to this would be to give them a slap on the wrist for the disobedience, put the kids in some sort of programming course , nurture their natural abilities, sack the programmers who wrote the systems to begin with, and charge the kids with designing a better system. To me, that’s education!

Looking over the shoulder of an attacker

If you ever thought that it wasn’t important to keep that windows update working on schedule, think again. Security Monkey has posted a small blog entry entitled “Looking over the should of an attacker“. Its definitely interested and should be a warning. However, I would remind you that just about any public internet service , Windows w/IIS or Linux w/Apache, you simply must not be complacent about how you configure your systems or keep them updated.

Security Wiki @ Channel 9

The Patterns And Guidance team has added a new wiki on Channel9 for security topics. Check it out, rinse, repeat.

Michael Howard Points to Excellent Series of Papers

Mike Howard has pointed out on his blog that there is an excellent compilation of security white papers in PDF form (image-based PDFs, not Text-based) available for download. Despite their age, these provide the very foundation for some of the most sophisticated security pillars today. Well worth the read.

Mike Downen has started blogging!!!

YES! Another good resource for security information has just started blogging. Mike Downen is the program manager for security in the CLR. Man, I really wish he had come with the other CLR team members to Atlanta. In any case, point your aggregators to this blog. It has the potential to provide very valuable security information.

Post Navigation