More Attack Surface Reduction in IIS7


As y’all know, the attack surface of IIS6 is low because:



  • It’s not installed by default
  • When you do install it, it serves up static files only
  • All user interaction is handled by a low-privilege process

But there is still quite a bit of code installed, for example authentication code, which could have vulnerabilities.


So the IIS 7 folks have taken it one step further – you can install an utterly stripped down server that has virtually no code, other than good ol’ HTTP processing, installed. For example, to do *just* static file processing, you need the following code modules loaded:


<globalModules>


            <add name=”StaticFileModule” image=”D:\Windows\system32\inetsrv\static.dll” />


            <add name=”AnonymousAuthenticationModule” image=”D:\Windows\system32\inetsrv\authanon.dll” />


</globalModules>


Of course, you’d have a pretty boring Web server, but if that’s what you need, then you get!


Here’s a more complete list of all the loadable modules, this should give you a good idea of the flexibility of the new IIS7 model.


<globalModules>


            <add name=”IsapiModule” image=”D:\Windows\system32\inetsrv\isapi.dll” />


            <add name=”DavFSIsapiMappingModule” image=”D:\Windows\system32\inetsrv\davfs.dll” />


            <add name=”UriCacheModule” image=”D:\Windows\system32\inetsrv\cachuri.dll” />


            <add name=”FileCacheModule” image=”D:\Windows\system32\inetsrv\cachfile.dll” />


            <add name=”TokenCacheModule” image=”D:\Windows\system32\inetsrv\cachtokn.dll” />


            <add name=”HttpCacheModule” image=”D:\Windows\system32\inetsrv\cachhttp.dll” />


            <add name=”DynamicCompressionModule” image=”D:\Windows\system32\inetsrv\compdyn.dll” />


            <add name=”StaticCompressionModule” image=”D:\Windows\system32\inetsrv\compstat.dll” />


            <add name=”DefaultDocumentModule” image=”D:\Windows\system32\inetsrv\defdoc.dll” />


            <add name=”DirectoryListingModule” image=”D:\Windows\system32\inetsrv\dirlist.dll” />


            <add name=”ProtocolSupportModule” image=”D:\Windows\system32\inetsrv\protsup.dll” />


            <add name=”HttpRedirectionModule” image=”D:\Windows\system32\inetsrv\redirect.dll” />


            <add name=”ServerSideIncludeModule” image=”D:\Windows\system32\inetsrv\iis_ssi.dll” />


            <add name=”StaticFileModule” image=”D:\Windows\system32\inetsrv\static.dll” />


            <add name=”TraceVerbModule” image=”D:\Windows\system32\inetsrv\trace.dll” />


            <add name=”OptionsVerbModule” image=”D:\Windows\system32\inetsrv\options.dll” />


            <add name=”AnonymousAuthenticationModule” image=”D:\Windows\system32\inetsrv\authanon.dll” />


            <add name=”CertificateMappingAuthenticationModule” image=”D:\Windows\system32\inetsrv\authcert.dll” />


            <add name=”UrlAuthorizationModule” image=”D:\Windows\system32\inetsrv\urlauthz.dll” />


            <add name=”BasicAuthenticationModule” image=”D:\Windows\system32\inetsrv\authbas.dll” />


            <add name=”WindowsAuthenticationModule” image=”D:\Windows\system32\inetsrv\authsspi.dll” />


            <add name=”DigestAuthenticationModule” image=”D:\Windows\system32\inetsrv\authmd5.dll” />


            <add name=”IISCertificateMappingAuthenticationModule” image=”D:\Windows\system32\inetsrv\authmap.dll” />


            <add name=”AccessCheckModule” image=”D:\Windows\system32\inetsrv\checkacc.dll” />


            <add name=”RequestFilteringModule” image=”D:\Windows\system32\inetsrv\modrqflt.dll” />


            <add name=”CustomLoggingModule” image=”D:\Windows\system32\inetsrv\logcust.dll” />


            <add name=”CustomErrorModule” image=”D:\Windows\system32\inetsrv\custerr.dll” />


            <add name=”HttpLoggingModule” image=”D:\Windows\system32\inetsrv\loghttp.dll” />


            <add name=”TracingModule” image=”D:\Windows\system32\inetsrv\iisetw.dll” />


            <add name=”FailedRequestsTracingModule” image=”D:\Windows\system32\inetsrv\iisfreb.dll” />


            <add name=”RequestMonitorModule” image=”D:\Windows\system32\inetsrv\iisreqs.dll” />


            <add name=”IsapiFilterModule” image=”D:\Windows\system32\inetsrv\filter.dll” />


            <add name=”CgiModule” image=”D:\Windows\system32\inetsrv\cgi.dll” />


            <add name=”TokenInformation” image=”D:\schrott\timod\timod.dll” />


            <add name=”ManagedEngine” image=”D:\Windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll”


                preCondition=”integratedMode,runtimeVersionv2.0,bitness32″ />


</globalModules>


Big thanks to Thomas Deml and Vikas Malhotra of the IIS security team for passing this info to me.

Comments (4)

  1. Dinis Cruz says:

    Interresting, I wonder if by manipulating the ASP.NET HTTPmodules and HtppHandles one cannot achieve the same (or similar) attack surface reduction in IIS 6.0?

    Dinis

  2. This is cool – i can imagine a set of patterns or quickstart solutions being created that allows us to switch on varying combinations depending on the requirements (rather than having to know what every module does!).

    Would be good if it could be controlled at a Virtual directory level – especially for those using shared servers (one person using Perl shouldn’t mean we all need to use cgi.dll and any associated security risks …).

Skip to main content