More Attack Surface Reduction in IIS7

As y'all know, the attack surface of IIS6 is low because:

  • It's not installed by default
  • When you do install it, it serves up static files only
  • All user interaction is handled by a low-privilege process

But there is still quite a bit of code installed, for example authentication code, which could have vulnerabilities.

So the IIS7 folks have taken it one step further - you can install an utterly stripped-down server that has virtually no code installed other than good ol' HTTP processing. For example, to do *just* static file processing, you need only the following two code modules loaded:

<globalModules>
    <add name="StaticFileModule" image="D:\Windows\system32\inetsrv\static.dll" />
    <add name="AnonymousAuthenticationModule" image="D:\Windows\system32\inetsrv\authanon.dll" />
</globalModules>

Of course, you'd have a pretty boring Web server, but if that's all you need, then that's all you get!

Here's a more complete list of all the loadable modules; it should give you a good idea of the flexibility of the new IIS7 model. Anything not listed in <globalModules> is simply never loaded into the worker process, so it can't be attacked.

<globalModules>
    <add name="IsapiModule" image="D:\Windows\system32\inetsrv\isapi.dll" />
    <add name="DavFSIsapiMappingModule" image="D:\Windows\system32\inetsrv\davfs.dll" />
    <add name="UriCacheModule" image="D:\Windows\system32\inetsrv\cachuri.dll" />
    <add name="FileCacheModule" image="D:\Windows\system32\inetsrv\cachfile.dll" />
    <add name="TokenCacheModule" image="D:\Windows\system32\inetsrv\cachtokn.dll" />
    <add name="HttpCacheModule" image="D:\Windows\system32\inetsrv\cachhttp.dll" />
    <add name="DynamicCompressionModule" image="D:\Windows\system32\inetsrv\compdyn.dll" />
    <add name="StaticCompressionModule" image="D:\Windows\system32\inetsrv\compstat.dll" />
    <add name="DefaultDocumentModule" image="D:\Windows\system32\inetsrv\defdoc.dll" />
    <add name="DirectoryListingModule" image="D:\Windows\system32\inetsrv\dirlist.dll" />
    <add name="ProtocolSupportModule" image="D:\Windows\system32\inetsrv\protsup.dll" />
    <add name="HttpRedirectionModule" image="D:\Windows\system32\inetsrv\redirect.dll" />
    <add name="ServerSideIncludeModule" image="D:\Windows\system32\inetsrv\iis_ssi.dll" />
    <add name="StaticFileModule" image="D:\Windows\system32\inetsrv\static.dll" />
    <add name="TraceVerbModule" image="D:\Windows\system32\inetsrv\trace.dll" />
    <add name="OptionsVerbModule" image="D:\Windows\system32\inetsrv\options.dll" />
    <add name="AnonymousAuthenticationModule" image="D:\Windows\system32\inetsrv\authanon.dll" />
    <add name="CertificateMappingAuthenticationModule" image="D:\Windows\system32\inetsrv\authcert.dll" />
    <add name="UrlAuthorizationModule" image="D:\Windows\system32\inetsrv\urlauthz.dll" />
    <add name="BasicAuthenticationModule" image="D:\Windows\system32\inetsrv\authbas.dll" />
    <add name="WindowsAuthenticationModule" image="D:\Windows\system32\inetsrv\authsspi.dll" />
    <add name="DigestAuthenticationModule" image="D:\Windows\system32\inetsrv\authmd5.dll" />
    <add name="IISCertificateMappingAuthenticationModule" image="D:\Windows\system32\inetsrv\authmap.dll" />
    <add name="AccessCheckModule" image="D:\Windows\system32\inetsrv\checkacc.dll" />
    <add name="RequestFilteringModule" image="D:\Windows\system32\inetsrv\modrqflt.dll" />
    <add name="CustomLoggingModule" image="D:\Windows\system32\inetsrv\logcust.dll" />
    <add name="CustomErrorModule" image="D:\Windows\system32\inetsrv\custerr.dll" />
    <add name="HttpLoggingModule" image="D:\Windows\system32\inetsrv\loghttp.dll" />
    <add name="TracingModule" image="D:\Windows\system32\inetsrv\iisetw.dll" />
    <add name="FailedRequestsTracingModule" image="D:\Windows\system32\inetsrv\iisfreb.dll" />
    <add name="RequestMonitorModule" image="D:\Windows\system32\inetsrv\iisreqs.dll" />
    <add name="IsapiFilterModule" image="D:\Windows\system32\inetsrv\filter.dll" />
    <add name="CgiModule" image="D:\Windows\system32\inetsrv\cgi.dll" />
    <add name="TokenInformation" image="D:\schrott\timod\timod.dll" />
    <add name="ManagedEngine" image="D:\Windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll"
         preCondition="integratedMode,runtimeVersionv2.0,bitness32" />
</globalModules>
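Since the module list is just XML in the server's configuration, you can audit it. The following is an added example (not from the post or from the IIS team): it parses a constructed <globalModules> fragment, reports every module loaded beyond the two-module static-only set shown above, and separately flags any module whose image lives outside the inetsrv directory (the TokenInformation entry in the list above is such a case), since an unexpected native DLL in the worker process is exactly the kind of attack surface this exercise is meant to remove.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS7 applicationHost.config
# <globalModules> section; not taken from any real server.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="D:\Windows\system32\inetsrv\static.dll" />
      <add name="AnonymousAuthenticationModule" image="D:\Windows\system32\inetsrv\authanon.dll" />
      <add name="BasicAuthenticationModule" image="D:\Windows\system32\inetsrv\authbas.dll" />
      <add name="CgiModule" image="D:\Windows\system32\inetsrv\cgi.dll" />
      <add name="TokenInformation" image="D:\schrott\timod\timod.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# The minimal static-only module set from the post.
STATIC_ONLY = {"StaticFileModule", "AnonymousAuthenticationModule"}

# Directory the stock IIS7 module DLLs ship in (assumed install location).
INETSRV_DIR = "\\windows\\system32\\inetsrv\\"


def load_global_modules(config_xml):
    """Return {module name: image path} for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = {}
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules[entry.get("name")] = entry.get("image", "")
    return modules


def audit(config_xml, allowed=STATIC_ONLY):
    """Report modules loaded beyond the allowed set and modules whose
    image path is outside the inetsrv directory."""
    modules = load_global_modules(config_xml)
    extra = sorted(set(modules) - set(allowed))
    foreign = sorted(name for name, image in modules.items()
                     if INETSRV_DIR not in image.lower())
    return {"extra": extra, "foreign_image": foreign}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name in report["extra"]:
        print("loaded beyond static-only set:", name)
    for name in report["foreign_image"]:
        print("image outside inetsrv:", name)
```

Point the parser at a real applicationHost.config and swap in whatever allowed set matches the server's actual role; the two-module set is only right for a pure static-file server.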

Big thanks to Thomas Deml and Vikas Malhotra of the IIS security team for passing this info to me.