IIS Web Security: Kudos to Microsoft
Defending Web servers and applications against attacks is one of the most difficult tasks that information security professionals and others face. The fact that Web server locations are normally well advertised, that Web servers and applications are often very complex, and that many automated ways of attacking frequently used Web services and protocols exist only exacerbates this already difficult task.
Not too many years ago a particular Web server, the Internet Information Services (IIS) Web server, stood out as a particularly easy target to attack. According to attrition.org seven years ago, 21 percent of the Web servers on the Internet were IIS Web servers, yet over 60 percent of all reported Web page defacements and break-ins into Web servers involved IIS Web servers. Among the many vulnerabilities in IIS implementations at that time was the fact that IIS ran with SYSTEM privileges, the highest level of privileges in Windows systems. If an attacker or exploit tool exploited a vulnerability, the result was thus often unauthorized SYSTEM privileges, meaning that the attacker or malware now effectively owned the system. Furthermore, by default older versions of IIS were installed on the system drive, something that exposed system directories and files because they were in close proximity to IIS-related directories and files. Perpetrators quickly devised directory traversal tricks that gave them access to critical system configuration files and executables. Older versions of IIS also did not adequately screen input to stop buffer overflow, denial of service, and other types of attacks. To make matters worse, older versions of IIS were riddled with vulnerabilities, vulnerabilities that required one patch after another. The task of making older IIS Web servers adequately secure was, to say the least, grueling.
Microsoft’s response to the many security concerns associated with older releases of IIS was insufficient: a combination of making a number of add-on IIS Web security tools available and a massive PR campaign designed, among other things, to discredit those who were vocal about the many security-related problems found in IIS at that time. But then Microsoft saw the proverbial light by changing its approach to IIS Web security. As I have said before, Microsoft’s Trusted Computing Initiative (TCI) focused on security engineering during code development, and among the many beneficiaries of this effort was IIS 6. Microsoft not only massively re-coded IIS, thereby ridding this product of many implementation-related security flaws, but also made many other changes that resulted in a huge improvement in the IIS Web server’s out-of-the-box security level. IIS no longer ran as SYSTEM, nor did it automatically reside on the system drive after installation. Default permissions on files and folders improved considerably. IIS also filtered input much better, to the point that successful buffer overflow and malformed URL attacks against IIS 6 and 7 are now almost unheard of. And concerning the number of vulnerabilities in recent versions of IIS, the then-versus-now comparison is striking, as shown in secunia.com statistics.
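Two of the baseline points above (IIS no longer running as SYSTEM, and Web content not sitting on the system drive next to OS directories) are easy to verify on a running server. The following script is an added example, not from the original column; it assumes IIS 7 or later with the WebAdministration PowerShell module and an elevated session, and reports any application pool running as LocalSystem and any site whose content root is on the system drive.

```powershell
# Added example: audit two IIS baseline points discussed in the column.
# Assumes IIS 7+ with the WebAdministration module, run from an elevated session.
Import-Module WebAdministration

$systemDrive = $env:SystemDrive   # e.g. "C:"
$findings = @()

# 1. No application pool should run as LocalSystem (the SYSTEM account).
#    Expected values are ApplicationPoolIdentity, NetworkService, LocalService,
#    or a low-privilege SpecificUser account.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $identity = $pool.processModel.identityType
    if ($identity -eq 'LocalSystem') {
        $findings += "AppPool '$($pool.Name)' runs as LocalSystem"
    }
}

# 2. Site content should not live on the system drive alongside OS directories.
#    physicalPath may contain variables such as %SystemDrive%, so expand first.
foreach ($site in Get-Website) {
    $path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    if ($path -like "$systemDrive\*") {
        $findings += "Site '$($site.Name)' content root $path is on the system drive"
    }
}

if ($findings.Count -eq 0) {
    "No baseline findings"
} else {
    $findings
}
```

A finding from either check is a prompt to move the content to a dedicated data volume or to change the pool identity, not proof of a compromise.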
I recently taught a course on IIS 6 and 7 Web security. I used to teach courses on IIS 4 and IIS 5 security. What a difference there is in the content of the two courses! In the older course I presented literally scores of configuration changes and procedures that needed to be carried out to make the IIS Web server at least marginally secure. In the course that I recently taught I spent some time covering baseline security for newer versions of the IIS Web server, but the bulk of my time was spent on raising security well beyond the baseline level. And concerning vulnerabilities that need to be patched in recent versions of this product, I hardly spent any time at all.
Blame needs to be assigned to the blameworthy, and credit needs to go to those who accomplish great things. Microsoft deserves a great amount of credit concerning what this software giant has done with IIS Web security. The difference between IIS Web security then and now is truly striking.