Scott Forsyth's Blog

Postings on IIS, ASP.NET, SQL Server, Webfarms and general system admin.


Securing IIS. Thwarting the Hacker-Week 23


Securing IIS is a step every web administrator needs to perform before putting a web server into service with a sound configuration. This week's video covers the user accounts IIS runs under and how to lock down your web server. We cover the application pool identity, the anonymous user, the new IIS 7.0/7.5 setting for the anonymous user, and more.
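As an added example (not code from the post or its video), the following PowerShell script uses the WebAdministration module that ships with IIS 7.5 to give one site its own application pool running as the built-in ApplicationPoolIdentity, to run anonymous requests under that identity instead of IUSR, and to replace the inherited NTFS permissions on the content folder with explicit entries. The site name, pool name and content path are placeholders; the script assumes an elevated prompt on Windows Server 2008 R2.

```powershell
# Added example: lock down one IIS 7.5 site to its own application pool identity.
# Assumes the WebAdministration module (IIS 7.5) and an elevated PowerShell prompt.
# Site, pool and path names below are placeholders, not values from the post.
Import-Module WebAdministration

$site = 'example.local'
$pool = 'example.local'
$root = 'C:\inetpub\sites\example.local'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# 1. A dedicated application pool running as the virtual account
#    "IIS AppPool\<pool name>" instead of NetworkService or a shared custom user,
#    so a compromise of this site does not hand over another site's content.
if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value ApplicationPoolIdentity

# 2. The site, bound to that pool.
if (-not (Test-Path "IIS:\Sites\$site")) {
    New-Website -Name $site -PhysicalPath $root -ApplicationPool $pool -HostHeader $site -Port 80 | Out-Null
}

# 3. Anonymous requests run as the application pool identity rather than IUSR.
#    An empty userName is how IIS 7.x expresses "use the pool identity", so only
#    one principal needs NTFS rights on the content.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 4. Replace inherited NTFS permissions with explicit ones: SYSTEM and
#    Administrators keep Full Control (the Microsoft default pairing), the pool
#    identity gets Read & Execute only. /inheritance:r removes inherited entries,
#    including the broad Users read access inherited from C:\inetpub.
icacls $root /inheritance:r | Out-Null
icacls $root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
icacls $root /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $root /grant "IIS AppPool\${pool}:(OI)(CI)RX" | Out-Null

# Check: the listing should show only the three principals granted above.
icacls $root
```

If the application needs to write somewhere (uploads, logs), grant the pool identity Modify on that one subfolder rather than widening the rights on the whole content tree; keeping write access off the folders that hold code and web.config is most of what the lockdown buys you.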

This is week 23 of a 52-week series for the Web Pro. This week's topic is foundational in properly understanding the security sandbox boundaries in IIS. Past and future videos can be found here: http://dotnetslackers.com/projects/LearnIIS7/

You can find this week’s video here.

Comments

Rovastar said:

Hi again Scott,

Another interesting video article. I still learn stuff from these.

A couple of things.

You might have an complex site with multiple apps of different technologies so you could have multiple app pools associated with a site. In this case you could have different top level site permissions.

Also, I know you didn't mention the applications here in this video. However, I think the biggest aspect to any security in today's modern ASP.NET web environments is ASP.NET trust levels.

Probably one of the most misunderstood aspects of ASP.NET/IIS; neither programmers nor web admins seemingly know what it is or how it affects security.

(Interview question (one of my more difficult ones ;) ): What are asp.net trust levels and what are the differences between them?)

Basically, if you have trust level Full for all sites, it doesn't matter what security you set following the excellent best practice in this guide. Breaking into one site could lead you to accessing all the others.

Through my work on the Oracle padding vulnerability with the MS security teams (weblogs.asp.net/.../important-asp-net-security-vulnerability.aspx) in ASP.NET 6 months or so ago, I discovered so much more about security. Things like the ASP.NET framework will overwrite all things that IIS can set. Hacking the ASP.NET framework will let you access web.config files, etc. ASP.NET settings override all security that IIS sets; it is important for all admins to understand.

Hope that helps.

# June 7, 2011 6:09 AM
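As an added example to go with the trust-level point above (not Rovastar's or Scott's code), this PowerShell snippet sets the ASP.NET trust level to Medium in the .NET root web.config and locks the section so an individual site's web.config cannot raise it back to Full. It assumes IIS 7.5 with the WebAdministration module and that `MACHINE/WEBROOT` resolves to the root web.config of the framework version your pools run on; that the `overrideMode` metadata lock applies to a root-web.config section exactly as it does to applicationHost.config sections is an assumption, so read the setting back afterwards.

```powershell
# Added example: enforce Medium trust server-wide and lock it. Assumes IIS 7.5 with
# the WebAdministration module; 'MACHINE/WEBROOT' is the .NET root web.config.
Import-Module WebAdministration

$webroot = 'MACHINE/WEBROOT'

# Record the current level (Full on a default install).
$before = (Get-WebConfiguration -PSPath $webroot -Filter '/system.web/trust').level

# Medium trust keeps a site's code inside its own directory tree, so breaking into
# one application no longer gives File I/O over every other site's web.config.
Set-WebConfigurationProperty -PSPath $webroot -Filter '/system.web/trust' -Name level -Value 'Medium'

# Lock the section (assumed equivalent to <location allowOverride="false"> around
# <trust>): a site web.config that sets <trust level="Full"/> then fails to start
# instead of silently escaping the sandbox.
Set-WebConfiguration -PSPath $webroot -Filter '/system.web/trust' -Metadata overrideMode -Value 'Deny'

# Read it back rather than trusting the call succeeded.
$after = (Get-WebConfiguration -PSPath $webroot -Filter '/system.web/trust').level
"trust level: $before -> $after"
```

Note that the 32-bit and 64-bit frameworks, and CLR 2.0 versus 4.0, each have their own root web.config; check the level for every framework an application pool on the box actually uses, and test the applications under Medium trust before locking it in, since code that needs registry access, unmanaged calls or arbitrary file paths will start failing.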

OWScott said:

Hi Rovastar,

Great feedback, thanks!  You're right, I probably over-simplified it by just covering the IIS lockdown.  I did briefly mention that this doesn't cover the application lockdown, but you are right that there is a lot more to consider to keep up on a well tuned and secure web server.  Your interview sounds like a fun one.  :)

# June 7, 2011 9:07 AM

Gregory Suvalian said:

No reason to leave System and Administrator's group at the same time in Permissions tab.

BUILTIN\System account is already part of local Administrator's group on machine.

# June 27, 2011 12:19 PM

OWScott said:

Gregory, you're right that it's technically correct to just leave the Administrators group assigned. I still set both specifically for consistency throughout the OS. The Microsoft default is to grant both users. Then if the Administrators user is ever adjusted, at least the operating system isn't denied access.

So I always consider these as two separate accounts/roles just to keep it clean and consistent (in my perspective anyway).

# June 27, 2011 12:38 PM