Restricting IIS from serving static content -- iis security

Psst! Did you know DevelopmentNow is a mobile web site design agency?

Contact us for help mobilizing your site, or to sign up for our beta Mobile Web SDK!

iis security : Restricting IIS from serving static content

Nico
3/30/2006 1:57:05 PM

I'm trying to determine the best way to restrict access to static files in
IIS6.0. From my understanding the recommended solution is to remove the
extension from the MIME types in the IIS6.0 console. However testing has
shown that you also need to remove these from HKEY_CLASSES_ROOT as well.

To be as secure as possible I want to limit ALL static content so this would
mean removing all extensions from HKEY_CLASSES_ROOT, and I'm not sure what
determental effect this would have on the server.

The other solution is using the [AllowExtensions] functionality of URLScan,
but Microsoft apparently does not recommend installing URLSCan on IIS6.0 as a

Ken Schaefer
3/31/2006 12:00:00 AM

What do you mean by "restrict access"

Do you want to prevent all requests for these files?
Or do you want to restrict access to certain users/clients only?

The former can be done using URLScan etc. Version 2.5 of URLScan is
supported on IIS6.0
The later can be done via NTFS ACLs and IIS authentication mechanisms.

Cheers
Ken

[quoted text, click to view]
: I'm trying to determine the best way to restrict access to static files in
: IIS6.0. From my understanding the recommended solution is to remove the
: extension from the MIME types in the IIS6.0 console. However testing has
: shown that you also need to remove these from HKEY_CLASSES_ROOT as well.
:
: To be as secure as possible I want to limit ALL static content so this
would
: mean removing all extensions from HKEY_CLASSES_ROOT, and I'm not sure what
: determental effect this would have on the server.
:
: The other solution is using the [AllowExtensions] functionality of
URLScan,
: but Microsoft apparently does not recommend installing URLSCan on IIS6.0
as a
: means of increasing security.

David Wang [Msft]
3/31/2006 4:58:07 AM

Please define:
1. what actions you want to control through authorization
2. how users are authenticated such that you can apply authorization rules

"Restricting access to static files" is pretty ambiguous.

If you want to prevent the files from being served by the static file
handler, then why put it in the URL namespace?

If you only want certain users to download the files but not others, then
you must authenticate users to obtain identity such that you can place
authorization rules like NTFS ACLs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

[quoted text, click to view]

Nico
3/31/2006 1:04:02 PM

Hi,

What I would like to do is stop IIS6.0 from serving these static files
altogether. I'd like to create a whitelist of known file-types e.g. .aspx,
..asp, .html, .jpg and only have those files served and none other.

The reason for this is that while there may be no .txt or .zip files in the
web root at present, I want to avoid the possibility of of someone
accidentally allowing access to backup files or other such content on the web
server.

The URLScan documentation says that "UrlScan 2.5 is not included with IIS
6.0 because IIS 6.0 has built-in features that provide security functionality
that is equal to or better than most of the features of UrlScan 2.5."

Therfore, i am wondering if there is a way to restrict IIS6.0 to serving
only a known whitelist of authorised file-types without the use of URLScan.

Thank you for your responses.

[quoted text, click to view]

Nico
3/31/2006 5:43:01 PM

Thanks again for the response.

My testing has shown that removing MIME types from within the IIS
configuration is not enough, you also have to remove them from the registry
under HKEY_CLASSES_ROOT\extensions.

To be as secure as possible and disallow all static files, would you have to
remove everything in that tree? and since that tree is server-wide, not just
related to IIS, what would be the impact of removing all MIME types from that
registry tree?

[quoted text, click to view]

Ken Schaefer
4/1/2006 12:00:00 AM

[quoted text, click to view]
: Hi,
:
: Therfore, i am wondering if there is a way to restrict IIS6.0 to serving
: only a known whitelist of authorised file-types without the use of
URLScan.

You would need to restrict this by using MIME types (i.e. removing those
that you don't want to allow).

Alternatively, if you want, you can use URLScan.

Cheers
Ken

: Thank you for your responses.
:
[quoted text, click to view]
:
: > Please define:
: > 1. what actions you want to control through authorization
: > 2. how users are authenticated such that you can apply authorization
rules
: >
: > "Restricting access to static files" is pretty ambiguous.
: >
: > If you want to prevent the files from being served by the static file
: > handler, then why put it in the URL namespace?
: >
: > If you only want certain users to download the files but not others,
then
: > you must authenticate users to obtain identity such that you can place
: > authorization rules like NTFS ACLs.
: >
: > --
: > //David
: > IIS
: > http://blogs.msdn.com/David.Wang
: > This posting is provided "AS IS" with no warranties, and confers no
rights.
: > //
: >
[quoted text, click to view]
: > > I'm trying to determine the best way to restrict access to static
files in
: > > IIS6.0. From my understanding the recommended solution is to remove
the
: > > extension from the MIME types in the IIS6.0 console. However testing
has
: > > shown that you also need to remove these from HKEY_CLASSES_ROOT as
well.
: > >
: > > To be as secure as possible I want to limit ALL static content so this
: > > would
: > > mean removing all extensions from HKEY_CLASSES_ROOT, and I'm not sure
what
: > > determental effect this would have on the server.
: > >
: > > The other solution is using the [AllowExtensions] functionality of
: > > URLScan,
: > > but Microsoft apparently does not recommend installing URLSCan on
IIS6.0
: > > as a
: > > means of increasing security.
: >
: >
: >

David Wang [Msft]
4/1/2006 5:12:31 AM

IIS Static File Handler MIME Types come from a merge of three locations:
1. Registry - HKCR\Extensions
2. IIS Global MIME Type - LM/MimeMap/MimeMap
3. Per-URL MIME Type - W3SVC/#/ROOT/?/MimeMap

If you do #1, on the server itself, Explorer won't be able to browse/open
files with those extensions because you would have removed their associated
extensions.

But, that is probably a valid tradeoff because if you are so security
conscious to control what is downloadable from IIS, you probably also do not
want to allow random users to login and run/copy arbitrary
programs/documents on that server.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

[quoted text, click to view]

Got something to say? Click here to post a reply to this thread.

Don't see what you're looking for? Try a search.

View other messages about iis security

View Other Months
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008

iis security : Restricting IIS from serving static content

About

Services

Portfolio

Blog

Products

Discuss

Contact