Fog Creek Software
g
Discussion Board

Lazy way to secure IIS?

I'd like to run IIS at home to host some stuff, like pictures of my goofy friends, my portfolio, and maybe some random ASP apps for my own personal use.  My problem is that I have absolutely zero interest in keeping IIS up to date with security patches.  Does anyone have any suggestions for running IIS with minimal patches/updates without endangering the data on the machine?

My only thought so far is to use VMWare to run a second instance of windows and run IIS from there.. but that seems like overkill.  Anyone have any suggestions? 

Steve H
Friday, January 16, 2004

Run Apache instead?

www.MarkTAW.com
Friday, January 16, 2004

There's a Microsoft tool called "IIS Lockdown" that lets you choose a profile and it performs tasks to vastly improve the security of IIS -- for instance about 90% of IIS problems have been in seldom used ISAPI handlers that someone at Microsoft was sure was SO COOL that they had to install everywhere. IIS Lockdown removes all unnecessary handlers.

It also installs a, humorously, ISAPI handler called "URLScan" that gets first dibs at all incoming requests and applies a configurable set of rules to is (such as disallowing special characters, too long of URLs, etc).

Dennis Forbes
Friday, January 16, 2004

Nothing is 100% sure, but I'm working something that should be a big step in solving this problem.  If your are interested in the details, email me.  I am looking for beta testers starting at the end of the month. 

christopher baus (www.baus.net)
Friday, January 16, 2004

I second the recommendation to use the IIS Lockdown tool - more information is available here:
http://microsoft.com/technet/security/tools/tools/locktool.asp
Note that if you accept all the defaults in the IIS Lockdown tool, one of the IIS options that it disables is "parent paths". While that is generally good, it also means that you can't use relative paths in any of the links to other pages in the same web or for include files (that is, you can't have a link/include to "..\dir-2\file.asp", for example, it needs to be to "top-level\dir-2\file.asp" or the complete URL path to the file).

You can also enable automatic updates in Windows which minimizes the work in "keeping up to date with security patches". Obviously, you should also be using a firewall.

Philip Dickerson
Friday, January 16, 2004

There have been other good suggestions on this thread and I agree with them.  Two additional points:

1. There is absolutely no net-connected piece of software, espcially one as widely-used as IIS, that's gonna be safe wihtout lockdown and updating.

2. Not that you seemed to be seriously considering it, but I don't think your VMWare suggestion would even work.  Wouldn't the instance of Windows running under VMWare be able to see the rest of your network?  Even if it's only a *virtual* version of Windows and/or IIS getting compromised, it can still see your *real* network. 

John Rose
Friday, January 16, 2004

Why not shell out a couple of bucks per month for a hosting company?

m
Friday, January 16, 2004

If you have no interest in administrating a server, then don't.  It doesn't matter if you run IIS, Apache, or whatever --  eventually security holes will be found and if you leave systems up without patching, you'll get hacked.  You can get a decent web hosting package for $5/month. 

That said, IIS administration is fairly minimal, despite what some people would like you to think.  You've received good advice so far.  Keep a firewall on the machine that only allows connections to port 80.  Run the IIS Lockdown Tool.  Set Windows to automatically update, or at least to automatically notify you of updates.  Run the Baseline Security Analyzer:

http://www.microsoft.com/technet/security/tools/mbsahome.asp

SomeBody
Friday, January 16, 2004

Perhaps your solution should be to use an alternative server.

Let me recommend Xitami (www.xitami.com). Incredibly small, but fast, powerful,  and actively supported.

I've used it for more than six years as a personal and production web server, and no-one to whom I've recommended it has ever come back to me with a complaint.

HeWhoMustBeConfused
Friday, January 16, 2004

Xitami is beautiful.  I haven't used it in a while, since I realized I had IIS on Win2000 and learned how to run Apache, but it was beautiful.  CGI-BIN, server-side includes, virtual directories, and I want to say it may have even supported ASP (don't quote me).

Andrew Burton
Friday, January 16, 2004

Also...  I haven't tried this, but you might also be able to run Apache under Cygwin.  You'd have the power, reliability, and (relative to having it run on a Windows box) security of a Unix-based server on your Windows machine for free.  I use Cygwin to ssh into my Windows boxes, so I know it will support daemons like sshd and httpd.

Andrew Burton
Friday, January 16, 2004

What is it about techies that makes us ignore the question.


Use Apache or Xitami is NOT an answer to the question.
Dennis was right though, use IIS Lockdown and URLScan and keep ontop of patches and you will be OK.

Damian
Friday, January 16, 2004

It's really not as scary as it sounds.  One mitigating factor is that since it's just kind of an "ad-hoc" server, you really only need to protect against common exploits.  Nobody is likely to case your server and look for unchecked inputs in your code, etc.  If you were running a bank it would be different.  But probably all you'll ever see are common trojan attacks and probes of known holes.  Normally, if you patch as soon as Microsoft releases it, you'll be covered.  Crackers make their scores on unpatched systems.

A short checklist that'll get you 95% there:

- remove script mappings, only leave what you need; I usually use just .asa and .asp.

- set NTFS ACL's on your web root.  For simple apps, all you really need is read-execute for the IUSR_XXX, and read-write for admins and/or developers.  Uncheck the "inherit" box, and explicitly assign those permissions.

- delete all of the default virtual directories, uninstall help and samples; uninstall web admin unless you really really need it.

- Use a firewall of some sort, even the 2000/XP packet filter is effective.

- update religiously.  Check Slashdot daily, they headline every report of IIS vulnerabilities, often more than once.

BobK
Friday, January 16, 2004

I've got to back up Somebody's recommendation - if you don't want to administer the server, keep port 80 closed, and be happy with using it only inside your house.  If you *do* want to install it, a few recommendations:

1) Use the IIS Lockdown tool, along with URLScan.  However, don't be under the impression that they'll make life easier for you down the road... I've dealt with more people banging their head against the wall trying to get something to work, when URLScan or the Lockdown tool had disabled that functionality months ago.

2) Bookmark http://www.microsoft.com/technet/security/current.asp .  This website will allow you to search for patches released for any product, starting with whatever service pack level you choose.  If you want to run a server, you're going to have to learn the *minimum* of security, and that means keeping up with patches.

3) Reread #2, and actually do it this time.

4) Use the Microsoft Baseline Security Analyzer.  It'll find things that you missed, no matter how many times you've checked.


All told, if you don't want to deal with the hassle of doing it yourself, get a cheap webhost to do it for you.  Webhost4Life (http://www.webhost4life.com) offers a basic ASP hosting package for $4.95/month... cheapest you're going to find.

Greg Hurlman
Saturday, January 17, 2004

" My problem is that I have absolutely zero interest in keeping IIS up to date with security patches. "

Typical Windows admin.  No wonder the Unix community looks up to them.

Arthur
Saturday, January 17, 2004

"Typical Windows admin.  No wonder the Unix community looks up to them."

I don't really think using a bit of IIS' functionality at home qualifies one as an "admin", and it'd be pretty silly if the UNIX community used that as the standard. On the flip side, the "negligent computer owner" (coupled with MS security faults) has been responsible for TB upon TB of worm data. On the flip side at least this guy is asking.

Dennis Forbes
Saturday, January 17, 2004

A note to Andrew, and any other Cygwin user:

Cygwin was NOT designed for security. Every cygwin process basically trusts every other Cygwin process. It was also not designed for performance (even though it's not too bad in that department, generally).

If you want to run Apache on Windows, run the native Apache. Running the cygwin apache, you're exposed to inherent cygwin security issues, and the hopelessly inefficient fork() implementation in cygwin (alas, it seems there is no better way to get fork semantics on Windows).

Ori Berger
Saturday, January 17, 2004

Recommending Apache might not directly address the question, but it is a very good solution to the more generalized problem of web serving.  As long as you don't have a need for IIS specific features it's a good choice, very easy to set up and maintain.

If you're looking for minimized headaches though IIS with automatic updates is your best friend.  Even Apache will need updating from time to time, but last I checked there wasn't an automatic updating service.

Clay Dowling
Sunday, January 18, 2004

Run IIS lockdown and keep up to date with windowsupdate and you'll be fine with regards to IIS.
The problems will more probably be the "few applications for personal use" you intend to run.
You will have to keep up with the patches for those, and especially if it is some goofy freeware stuff that can be taxing. If it is just access from the localhost or LAN you are after, restrict accordingly.

Just me (Sir to you)
Monday, January 19, 2004

Windows Update does not - *not* - cover IIS updates, and it likely never will.  When I was a part of their support team, we fought to have it included, and was shot down from Redmond.

Greg Hurlman
Monday, January 19, 2004

Greg, are you sure? I thought this policy was changed in 2001?

Just me (Sir to you)
Tuesday, January 20, 2004

I'm absolutely sure, at least for the publicly-available http://windowsupdate.microsoft.com - SUS solutions most likely cover everything.

In 2001 (while my team was doing it's best to get IIS included), Microsoft very briefly had a cumulative patch posted; I believe it was the one that covered Code Red.  After a week or two, it was taken off.  Windows Update is primarily for core-OS updates only - anything else can't be assumed.

Greg Hurlman
Tuesday, January 20, 2004

*  Recent Topics

*  Fog Creek Home