Security Changes in IIS7

All of you are knowledgeable people who understand the security landscape. Today I will be discussing the security changes that are new in IIS7.

One of the key changes I will be talking about in this blog post is Kernel Mode Authentication in IIS7.

1) Componentized Architecture

In IIS7, features are no longer implemented as part of the core server code; they are implemented as individual modules. This modular architecture makes it easier to reduce the attack surface of the web server.

Example:- What if the customer does not want to use the BASIC authentication feature on IIS? In IIS6 the only way to turn that feature off was to *UNCHECK the Checkbox* available under the security configuration of the website.

But in IIS7, since the BASIC authentication feature is implemented as a separate module, the customer can not only disable the feature but can completely unload the binary used for Basic authentication from the worker process.

Benefits:-

a) Reduced attack surface with a minimal server footprint.

b) Lower Total Cost of Ownership through reduced patching requirements, since you only need to patch the modules that are actually installed.


2) Configuration Encryption

I believe all of you must by now be aware of the changes made to the configuration store for IIS7. In IIS7.0 there is no longer an entity known as the "IIS Metabase"; it is conceptually replaced by ApplicationHost.config.

In IIS6 there were very few properties that were marked as secure properties, such as AdminACL, AnonymousUserPass, WAMUserPass and UNCPassword.

Since the configuration of IIS6 was stored in the Metabase.xml file, it had no relation to the ASP.NET application configuration, which was normally stored in either the Machine.config or Web.config files.

ASP.NET provides a feature where a user can encrypt a particular section of the configuration file using an RSA provider, like:-

aspnet_regiis -pe "connectionStrings" -app "/App1" -prov "RsaProtectedConfigurationProvider"

In IIS7, with the configuration delegation feature, users can store IIS and application-related settings in one common configuration file, the "web.config" file.

This brings the above encryption feature to the IIS table as well: with the above command, IIS-related configuration sections can now also be encrypted.

Users can either use the default encryption provider already defined in machine.config or create their own custom encryption key for use in encrypting/decrypting configuration data.

If you are interested in learning about this in detail, I would recommend the link mentioned below.

https://www.iis.net/default.aspx?tabid=2&subtabid=25&i=1066


3) Request Filtering

In IIS6 the only way to do request filtering was either to use "Web Service Extensions" or to install URLScan on the server.

In IIS7 all the features that were provided by URLScan have been incorporated into a separate module called the "Request Filtering Module".

One of the key advantages of the request filtering module in IIS7 is its granular approach (it can be applied differently for each website, virtual directory or file), whereas the settings applied using URLScan were global.

Some of the features provided by the Request Filtering Module:

A) File extension restrictions

B) Hidden segments

C) Deny URL sequences

D) Verbs

E) Request limits restrictions:

   Maximum allowed content length
   Maximum URL length
   Maximum query string length
   Header limits
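As an added example (not from the original post), here is a site-level web.config fragment that exercises each of the request filtering categories listed above; the extensions, segments, verbs and limit values are constructed for illustration, and the 404 substatus codes in the comments are the ones Request Filtering returns when a rule denies a request.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Constructed example: a site-level web.config applying Request Filtering
           only to this site, which was not possible with the global URLScan.ini. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- A) File extension restrictions: serve everything except the listed
             extensions; denied requests get 404.7 (File extension denied). -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".log" allowed="false" />
        </fileExtensions>

        <!-- B) Hidden segments: URL path segments that are never served;
             denied requests get 404.8 (Hidden namespace). -->
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Data" />
          <add segment="App_Code" />
        </hiddenSegments>

        <!-- C) Deny URL sequences: substrings rejected anywhere in the URL;
             denied requests get 404.5 (URL sequence denied). -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>

        <!-- D) Verbs: allow only the listed HTTP methods;
             anything else gets 404.6 (Verb denied). -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>

        <!-- E) Request limits: content length in bytes (404.13 when exceeded),
             URL length (404.14) and query string length (404.15). -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="2048" maxQueryString="1024">
          <!-- Per-header size limits; 404.10 (Request header too long) when exceeded. -->
          <headerLimits>
            <add header="Content-Type" sizeLimit="128" />
          </headerLimits>
        </requestLimits>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Because the element lives under `<system.webServer>`, the same section can be placed in a virtual directory's own web.config to override the site-wide rules for just that path.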

4) Kernel Mode Authentication

In IIS7, by default, Kerberos authentication happens in the kernel. It might not sound like a very impressive statement, but trust me, this feature will take care of at least 50% of the issues related to Kerberos authentication.

Authentication performed in kernel mode allows server applications to run under different user accounts, and most importantly site admins don't have to set SPNs for each account in the domain. Only the HOST SPNs registered on the IIS web server's machine account are enough.

If you have read my last blog post on Kerberos authentication, then you will realize what Kernel Mode Authentication really means when it comes to Kerberos and how much it can help with Kerberos authentication.

I will talk more about Kernel Mode Authentication in my upcoming blog post.