IIS7.5 Security Configuration Research

Source: Internet
Author: User

0x00 Test Environment

Operating system: Windows Server 2008 R2 Enterprise Service Pack 1 x64
IIS version: IIS 7.5
Program: ASP.NET

0x01 IIS7.5 Installation

Common HTTP features: enable Static Content, Default Document, HTTP Errors, Directory Browsing and WebDAV Publishing. Do not enable HTTP Redirection unless it is specifically required.

Application Development: enable these according to the actual situation. For an ASP.NET program, for example, enable ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters; enable Server Side Includes only if needed.

Health and Diagnostics: we recommend enabling HTTP Logging, Logging Tools and Request Monitor. The other logging options can be enabled as needed.

Security: we recommend enabling URL Authorization, Request Filtering, and IP and Domain Restrictions. Enable the other options as needed.

Performance, Management Tools, FTP Server and IIS Hostable Web Core can be enabled.

0x02 IIS7.5 Permission Configuration

IIS 7.5 involves two accounts: the anonymous account and the application pool account. In the NTFS permissions on disk, the anonymous account only needs read permission on the website directory. The application pool account must be granted write permission according to what the program actually does, and if the program needs to call another program (such as cmd.exe), it must be granted execute permission as well. In short, access to a file first requires the anonymous account to have access permission, and then the application pool account is given the permissions corresponding to the operation the program performs.

Several basic findings from the study:
1. Write permission on the upload directory is determined by the application pool account.
2. The default application pool account is IIS AppPool\{application pool name}, which belongs to the IIS_IUSRS group.
3. The default anonymous account is IUSR, which belongs to the Authenticated Users group.
4. All users belong to the Users group, and they still belong to the Users group after being manually removed from it.
5. After a Trojan is uploaded, the directories it can view are determined by the application pool account.
6. In this test environment, the Users group has write permission on the website directory by default.
7. Running an .aspx file does not depend on the NTFS execute permission.
8. The website's anonymous account only needs read permission on the website directory.
9. The application pool account only needs read permission to run .aspx files; writing files requires write permission, and executing other programs requires execute permission.
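As an added example that is not part of the original article, the following PowerShell audit reads the NTFS ACLs that findings 1, 6 and 9 above depend on and reports the risky combinations (a broad group with write on the web root, the pool identity with execute on the upload directory). The paths and the pool identity IIS AppPool\mysite are assumptions; the script only reports and changes nothing.

```powershell
# Added example (not from the original article). Paths and pool identity are assumptions.
$SiteRoot    = 'C:\inetpub\wwwroot\mysite'        # assumed physical web root
$UploadDir   = Join-Path $SiteRoot 'upload'       # assumed upload directory
$AppPoolId   = 'IIS AppPool\mysite'               # assumed pool identity (IIS AppPool\<pool name>)
$BroadGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# Specific rights plus the generic bits (GENERIC_WRITE / GENERIC_EXECUTE / GENERIC_ALL)
# that inherited ACEs frequently carry instead of the specific flags.
$WriteMask   = ([int][System.Security.AccessControl.FileSystemRights]::Write) -bor 0x40000000 -bor 0x10000000
$ExecuteMask = ([int][System.Security.AccessControl.FileSystemRights]::ExecuteFile) -bor 0x20000000 -bor 0x10000000

function Get-AllowAces {
    # Flatten the Allow ACEs (explicit and inherited) of one path into simple objects.
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Mask      = [int]$ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-WebAcls {
    param([string]$Root, [string]$Upload, [string]$PoolIdentity)
    $findings = @()
    foreach ($ace in Get-AllowAces -Path $Root) {
        # Finding 6: a broad group with write on the web root lets any local account drop files there.
        if (($BroadGroups -contains $ace.Identity) -and (($ace.Mask -band $WriteMask) -ne 0)) {
            $findings += "web root: $($ace.Identity) can write (inherited=$($ace.Inherited))"
        }
    }
    foreach ($ace in Get-AllowAces -Path $Upload) {
        # Findings 1 and 9: the pool identity needs write here, but execute would let an uploaded binary run.
        if (($ace.Identity -eq $PoolIdentity) -and (($ace.Mask -band $ExecuteMask) -ne 0)) {
            $findings += "upload dir: $PoolIdentity can execute files (inherited=$($ace.Inherited))"
        }
    }
    return $findings
}

# Wrap in @() so a single finding is still an array on PowerShell 2.0 (the 2008 R2 default).
$issues = @(Test-WebAcls -Root $SiteRoot -Upload $UploadDir -PoolIdentity $AppPoolId)
if ($issues.Count -eq 0) { 'No issues found.' } else { $issues }
```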
0x03 Common Server Intrusion Threats and Solutions

Common server intrusion threats:
1. A webshell uploaded directly through WebDAV.
2. A webshell uploaded through a file upload vulnerability in the program.
3. Excessive permissions for the uploaded webshell, resulting in privilege escalation.

Solutions to the common problems:

1. WebDAV problems

Do not install the webdav component directly during installation.

2. Prevent uploaded Trojan files from being executed

In IIS, select the directory that files are uploaded to, open Handler Mappings, choose Edit Feature Permissions and clear the Script permission. Even if a Trojan file is uploaded to this directory, it then cannot be executed.

Figure: the upload directory with the execute permission removed from the application pool account

3. Prevent a Trojan from seeing files outside the website directory

Give the application pool account no read permission on other folders.

4. Prevent a Trojan from running cmd

Remove the NTFS execute permission of the application pool account.

5. Prevent excessive permissions when cmd is run after a Trojan executes

Choose an account with low permissions for the application pool, preferably the default account.

0x04 Recommended Security Configuration Schemes

Simple security configuration:
1. Use the default IUSR for the anonymous account.
2. The application pool uses its default identity; the account name is IIS AppPool\<application pool name>.
3. In IIS, set the upload directory so that scripts cannot be executed.

Enhanced security configuration:
1. The anonymous account uses the default "Application pool identity" setting, which corresponds to IUSR.
2. The application pool account uses the default IIS AppPool\<application pool name>.
3. Remove the permissions of Everyone and Users on all disks.
4. Remove the permissions of Users on system32 (you need to change the owner to Administrator first).
5. Grant IUSR read permission on the website directory.
6. Grant IIS AppPool\<application pool name> read permission on the website directory. If the program needs special permissions, such as writing files, grant the corresponding permission (for example, write) on the corresponding directory.
7. Grant IIS AppPool\<application pool name> write permission on the upload directory the website needs, but do not grant execute permission.
8. In IIS, remove the script execution permission for the upload directory.

Note: both configurations use the default application pool account. If you want to use a custom account, it is best to add it to the IIS_IUSRS group. When several sites are set up in IIS 7.5 with the default application pool account, a different identity of the form IIS AppPool\<application pool name> is generated for each by default. When an ASP.NET program is compiled on first access, the application pool account must have read and execute permission on the system32 folder.

0x05 Questions

During the test we found that, when accessing an .aspx program with a custom anonymous account, the custom anonymous account must be granted write permission on the folder C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files. If the default anonymous account IUSR is used instead, the write permission on this folder must be granted to the application pool account. The question is which account actually needs to write to this folder: when the default anonymous account is selected, IUSR is immediately denied write access to it, and the program runs normally as long as the application pool account has write permission there. With the default anonymous account, the account accessing the program should be IUSR, so why does it switch to the application pool account?
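As an added example that is not part of the original article, the following PowerShell script applies steps 3 and 5 to 8 of the enhanced configuration above to one site with icacls and appcmd. The site name mysite, the web root C:\inetpub\wwwroot\mysite, its upload subdirectory and the pool name are assumptions, and step 3 is scoped to the site root rather than to every disk.

```powershell
# Added example (not from the original article). Site name, paths and pool name are assumptions.
$SiteName  = 'mysite'                                  # assumed IIS site name
$SiteRoot  = 'C:\inetpub\wwwroot\mysite'               # assumed physical web root
$UploadDir = Join-Path $SiteRoot 'upload'              # assumed upload directory
$AppPoolId = "IIS AppPool\$SiteName"                   # default pool identity: IIS AppPool\<pool name>
$Anonymous = 'IUSR'                                    # default anonymous account
$AppCmd    = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Invoke-Checked {
    # Run a native tool and stop on failure instead of continuing with a half-applied ACL.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') exited with code $LASTEXITCODE" }
}

# Step 3, scoped to the site root: stop inheriting the disk's ACL (keeping a copy of the
# current ACEs as explicit entries), then drop the broad groups that hold write by default.
Invoke-Checked 'icacls' @($SiteRoot, '/inheritance:d')
Invoke-Checked 'icacls' @($SiteRoot, '/remove:g', 'Users')
Invoke-Checked 'icacls' @($SiteRoot, '/remove:g', 'Everyone')

# Steps 5 and 6: read only for the anonymous account and the pool identity on the whole tree.
Invoke-Checked 'icacls' @($SiteRoot, '/grant', "${Anonymous}:(OI)(CI)R")
Invoke-Checked 'icacls' @($SiteRoot, '/grant', "${AppPoolId}:(OI)(CI)R")

# Step 7: the pool identity may write to the upload directory. (R,W) deliberately omits
# RX, so a file dropped here can be saved but not started as a program.
Invoke-Checked 'icacls' @($UploadDir, '/grant', "${AppPoolId}:(OI)(CI)(R,W)")

# Step 8: remove the Script feature permission from the upload directory's handler mappings.
# /commit:apphost keeps the setting in applicationHost.config instead of a web.config that
# would sit inside the very directory uploads land in.
Invoke-Checked $AppCmd @('set', 'config', "$SiteName/upload",
                         '/section:system.webServer/handlers', '/accessPolicy:Read', '/commit:apphost')

# Show the resulting state for review.
& 'icacls' $UploadDir
& $AppCmd list config "$SiteName/upload" /section:system.webServer/handlers
```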
