How vulnerable is Microsoft IIS 7.5 to attacks?

Microsoft further established its security stance with the rewrite of Internet Information Services (IIS) 7.0 back with the original release of Windows Server 2008. Building on that success

    Requires Free Membership to View

is IIS 7.5 -- the latest version of the world’s second most popular Web server.

IIS 7.5 has been out for over a year now, having shipped with Windows Server 2008 R2 and Windows 7. But while I had expected to see more installations of IIS 7.5 by now, it just hasn’t happened yet. Nevertheless, I’ve performed security assessments against a handful of IIS 7.5 installations, with positive results.

As with Windows 7 and Server 2008 R2, the reduced attack surface and “secure out of the box” approach Microsoft has taken with IIS 7.5 seems to have worked out pretty well. But IIS 7.5 is still not without its flaws. At best, these can leave you with a few gaps in your next compliance audit. At worst, the result is a compromised Web server that might include the following:

  • ASP.NET debugging enabled, which can inadvertently reveal sensitive configuration information back to the user
  • FrontPage Extensions enabled, which can be enumerated to reveal configuration information
  • IIS with a missing host header, which reveals the server’s internal IP address as shown in the following HTTP response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 15 Nov 2010 10:51:43 GMT
Connection: close
Content-Length: 154
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found
<a HREF="">here</a></body>

These vulnerabilities don’t pose a direct exposure, but they can give an attacker a leg up on penetrating your network.

More importantly, vulnerabilities involving ASP stack consumption/FastCGI request header buffer overflow (MS10-065) and IIS authentication memory corruption (MS10-040) can cause a direct compromise of IIS 7.5-based systems. Exploit code is readily available for the MS10-065 vulnerability; it’s just a matter of someone finding the flaw on one of your systems and exploiting it. Once that occurs, the attacker has full control and free reign of the box.

Looking past direct IIS issues, there’s the Oracle padding vulnerability that can cause some serious grief, not to mention weak passwords, input validation and so on within specific applications.

All in all, IIS 7.5 is solid, stable and secure -- within reason. New server-level and application flaws will arise, however, and can be used against you if you let your guard down. Harden IIS 7.5 with Microsoft’s Windows Server 2008 R2 Security Baseline or whatever standards you deem important, keep it patched, test your Web environment periodically and make the necessary tweaks when required. It won’t buy you 100% security, but it’ll come pretty darn close.

You can follow SearchWindowsServer.com on Twitter @WindowsTT.

Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored eight books on information security. He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at his website www.principlelogic.com.

This was first published in December 2010

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.