More Attack Surface Reduction in IIS7
As y'all know, the attack surface of IIS6 is low because:
- It's not installed by default
- When you do install it, it serves up static files only
- All user interaction is handled by a low-privilege process
But there is still quite a bit of code installed, for example authentication code, which could have vulnerabilities.
So the IIS 7 folks have taken it one step further - you can install an utterly stripped down server that has virtually no code, other than good ol' HTTP processing, installed. For example, to do *just* static file processing, you need the following code modules loaded:
<globalModules>
    <add name="StaticFileModule" image="D:\Windows\system32\inetsrv\static.dll" />
    <add name="AnonymousAuthenticationModule" image="D:\Windows\system32\inetsrv\authanon.dll" />
</globalModules>
Of course, you'd have a pretty boring Web server, but if that's what you need, then that's what you get!
Here's a more complete list of all the loadable modules; it should give you a good idea of the flexibility of the new IIS7 model.
<globalModules>
    <add name="IsapiModule" image="D:\Windows\system32\inetsrv\isapi.dll" />
    <add name="DavFSIsapiMappingModule" image="D:\Windows\system32\inetsrv\davfs.dll" />
    <add name="UriCacheModule" image="D:\Windows\system32\inetsrv\cachuri.dll" />
    <add name="FileCacheModule" image="D:\Windows\system32\inetsrv\cachfile.dll" />
    <add name="TokenCacheModule" image="D:\Windows\system32\inetsrv\cachtokn.dll" />
    <add name="HttpCacheModule" image="D:\Windows\system32\inetsrv\cachhttp.dll" />
    <add name="DynamicCompressionModule" image="D:\Windows\system32\inetsrv\compdyn.dll" />
    <add name="StaticCompressionModule" image="D:\Windows\system32\inetsrv\compstat.dll" />
    <add name="DefaultDocumentModule" image="D:\Windows\system32\inetsrv\defdoc.dll" />
    <add name="DirectoryListingModule" image="D:\Windows\system32\inetsrv\dirlist.dll" />
    <add name="ProtocolSupportModule" image="D:\Windows\system32\inetsrv\protsup.dll" />
    <add name="HttpRedirectionModule" image="D:\Windows\system32\inetsrv\redirect.dll" />
    <add name="ServerSideIncludeModule" image="D:\Windows\system32\inetsrv\iis_ssi.dll" />
    <add name="StaticFileModule" image="D:\Windows\system32\inetsrv\static.dll" />
    <add name="TraceVerbModule" image="D:\Windows\system32\inetsrv\trace.dll" />
    <add name="OptionsVerbModule" image="D:\Windows\system32\inetsrv\options.dll" />
    <add name="AnonymousAuthenticationModule" image="D:\Windows\system32\inetsrv\authanon.dll" />
    <add name="CertificateMappingAuthenticationModule" image="D:\Windows\system32\inetsrv\authcert.dll" />
    <add name="UrlAuthorizationModule" image="D:\Windows\system32\inetsrv\urlauthz.dll" />
    <add name="BasicAuthenticationModule" image="D:\Windows\system32\inetsrv\authbas.dll" />
    <add name="WindowsAuthenticationModule" image="D:\Windows\system32\inetsrv\authsspi.dll" />
    <add name="DigestAuthenticationModule" image="D:\Windows\system32\inetsrv\authmd5.dll" />
    <add name="IISCertificateMappingAuthenticationModule" image="D:\Windows\system32\inetsrv\authmap.dll" />
    <add name="AccessCheckModule" image="D:\Windows\system32\inetsrv\checkacc.dll" />
    <add name="RequestFilteringModule" image="D:\Windows\system32\inetsrv\modrqflt.dll" />
    <add name="CustomLoggingModule" image="D:\Windows\system32\inetsrv\logcust.dll" />
    <add name="CustomErrorModule" image="D:\Windows\system32\inetsrv\custerr.dll" />
    <add name="HttpLoggingModule" image="D:\Windows\system32\inetsrv\loghttp.dll" />
    <add name="TracingModule" image="D:\Windows\system32\inetsrv\iisetw.dll" />
    <add name="FailedRequestsTracingModule" image="D:\Windows\system32\inetsrv\iisfreb.dll" />
    <add name="RequestMonitorModule" image="D:\Windows\system32\inetsrv\iisreqs.dll" />
    <add name="IsapiFilterModule" image="D:\Windows\system32\inetsrv\filter.dll" />
    <add name="CgiModule" image="D:\Windows\system32\inetsrv\cgi.dll" />
    <add name="TokenInformation" image="D:\schrott\timod\timod.dll" />
    <add name="ManagedEngine" image="D:\Windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll"
         preCondition="integratedMode,runtimeVersionv2.0,bitness32" />
</globalModules>
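The practical follow-up to both lists above is checking what a given server actually loads against what it needs. The script below is an added example, not code from the post or from the IIS team: it parses a <globalModules> section with the Python standard library, reports every module beyond the two-module static-file set the post describes, and renders a trimmed <globalModules> section that keeps only allow-listed entries. The config fragment is a constructed sample built from the module names in the post, and the grouping of names into "authentication" and "executes server-side code" is the example's own labelling for the report.

```python
"""Audit an IIS7 <globalModules> section against a minimal allow-list.

Added example (not code from the original post). Parses an
applicationHost.config-style fragment and reports which loaded modules the
static-file-only configuration does not need.
"""
import xml.etree.ElementTree as ET

# The two modules the post says a static-file-only server needs.
STATIC_ONLY_ALLOWLIST = {"StaticFileModule", "AnonymousAuthenticationModule"}

# Grouping used only for the report; the names come from the post's list.
AUTH_MODULES = {
    "BasicAuthenticationModule", "WindowsAuthenticationModule",
    "DigestAuthenticationModule", "CertificateMappingAuthenticationModule",
    "IISCertificateMappingAuthenticationModule",
}
CODE_EXEC_MODULES = {
    "IsapiModule", "IsapiFilterModule", "CgiModule",
    "ServerSideIncludeModule", "ManagedEngine",
}

# Constructed sample: a trimmed copy of the fuller list from the post.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="D:\Windows\system32\inetsrv\static.dll" />
      <add name="AnonymousAuthenticationModule" image="D:\Windows\system32\inetsrv\authanon.dll" />
      <add name="BasicAuthenticationModule" image="D:\Windows\system32\inetsrv\authbas.dll" />
      <add name="CgiModule" image="D:\Windows\system32\inetsrv\cgi.dll" />
      <add name="DirectoryListingModule" image="D:\Windows\system32\inetsrv\dirlist.dll" />
      <add name="ManagedEngine" image="D:\Windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll"
           preCondition="integratedMode,runtimeVersionv2.0,bitness32" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def _global_modules_section(config_xml):
    """Locate the <globalModules> element anywhere in the document."""
    root = ET.fromstring(config_xml)
    return next(root.iter("globalModules"), None)


def loaded_modules(config_xml):
    """Return {name: image} for every <add> under <globalModules>."""
    section = _global_modules_section(config_xml)
    if section is None:
        return {}
    return {a.get("name"): a.get("image") for a in section.findall("add")}


def audit(config_xml, allowlist=STATIC_ONLY_ALLOWLIST):
    """Split loaded modules into allowed and extra; tag each extra module.

    Returns {"extra": {name: tag}, "missing": [allow-listed names not loaded]}.
    """
    loaded = loaded_modules(config_xml)
    extra = {}
    for name in sorted(loaded):
        if name in allowlist:
            continue
        if name in AUTH_MODULES:
            extra[name] = "authentication"
        elif name in CODE_EXEC_MODULES:
            extra[name] = "executes server-side code"
        else:
            extra[name] = "other"
    missing = sorted(allowlist - loaded.keys())
    return {"extra": extra, "missing": missing}


def minimal_global_modules(config_xml, allowlist=STATIC_ONLY_ALLOWLIST):
    """Render a <globalModules> section holding only allow-listed modules.

    Each kept <add> element is copied with all of its original attributes,
    so image paths and any preCondition survive the trim.
    """
    section = _global_modules_section(config_xml)
    out = ET.Element("globalModules")
    if section is not None:
        for a in section.findall("add"):
            if a.get("name") in allowlist:
                out.append(a)
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, tag in report["extra"].items():
        print(f"extra module: {name:45s} [{tag}]")
    for name in report["missing"]:
        print(f"missing required module: {name}")
    print(minimal_global_modules(SAMPLE_CONFIG))
```

Run it against a real applicationHost.config by reading the file into `audit()` instead of `SAMPLE_CONFIG`; widening `allowlist` to the set a particular server role needs turns the same function into a drift check for that role.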
Big thanks to Thomas Deml and Vikas Malhotra of the IIS security team for passing this info to me.
Comments
- Anonymous
November 06, 2005
Interesting, I wonder if by manipulating the ASP.NET HttpModules and HttpHandlers one cannot achieve the same (or similar) attack surface reduction in IIS 6.0?
Dinis
- Anonymous
November 12, 2005
This is cool - I can imagine a set of patterns or quickstart solutions being created that allows us to switch on varying combinations depending on the requirements (rather than having to know what every module does!).
Would be good if it could be controlled at a Virtual directory level - especially for those using shared servers (one person using Perl shouldn't mean we all need to use cgi.dll and any associated security risks ...).