May 2001

IIS Informant


I began using IIS servers about a year ago. My Web site has several IIS 4.0 servers with Service Pack 6a (SP6a) and all hotfixes applied. What else do I need to do to secure my servers?

All IIS administrators have this concern—in fact, security should never stop being a concern. Regularly reviewing all new security fixes and staying informed about new hacking and cracking technologies is part of a Web server administrator's job description.

Fixing all known problems is essential, as is keeping up with the newest Microsoft security bulletins. Because you recently installed your servers, you might have overlooked an essential IIS 4.0 fix for a problem that occurred a few years ago.

This problem centers on the Microsoft Remote Data Services (RDS—formerly Microsoft Advanced Data Connector—ADC) functionality that you install by default when you install IIS 4.0. RDS is a component of ADO. RDS contains an object called the Data Factory Object, which lets a client work directly with an ODBC data source, such as a Microsoft SQL Server or Access database.

Because RDS lets a client provide database connection information to the server, RDS is a likely candidate for exploitation. An attacker can exploit it to gain access to databases and execute code on the server. For this reason, taking corrective measures on any IIS 4.0 server isn't optional. To disable RDS on your system, remove these registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\RDSServer.DataFactory
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\AdvancedDataFactory
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\VbBusObj.VbBusObjCls

In addition, remove RDS by deleting the MSADC virtual directory from your IIS 4.0 Default Web site. I also recommend that you delete the C:\program files\common files\system\msadc folder and its contents. At a minimum, delete the Samples folder at that path if you installed the RDS sample files.
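The three steps above (registry keys, virtual directory, folder on disk) are the kind of thing that gets done once by hand and then silently reappears after a reinstall. The script below is an added example, not part of the column and not a Microsoft tool: it audits a server for the RDS footprint described above and removes it only when run with -Remove. It assumes a Windows host with PowerShell and the IIS ADSI metabase provider (IIS 4 through 6), and it assumes the Default Web Site is site 1 in the metabase (IIS://localhost/W3SVC/1); adjust that path for your server.

```powershell
# Added example, not from the column. Audit a server for the RDS components
# the column says to remove, and delete them only when -Remove is given.
# Assumptions: PowerShell is available, the IIS ADSI metabase provider is
# present (IIS 4-6), and the Default Web Site is metabase site 1.
param([switch]$Remove)

$adcLaunch = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
$handlers  = 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls'
$siteRoot  = 'IIS://localhost/W3SVC/1/Root'   # assumed: the Default Web Site
$msadcDir  = Join-Path $env:CommonProgramFiles 'System\msadc'

$findings = New-Object System.Collections.ArrayList

# 1. ADCLaunch subkeys: each one names a COM object that IIS will launch on
#    behalf of a remote client. None of the three should remain.
foreach ($name in $handlers) {
    $key = Join-Path $adcLaunch $name
    if (Test-Path -Path $key) {
        [void]$findings.Add("ADCLaunch handler still registered: $key")
        if ($Remove) { Remove-Item -Path $key -Recurse -Force }
    }
}

# 2. The /MSADC virtual directory on the Default Web Site is the HTTP entry
#    point for RDS; check the metabase for it and delete it if asked.
$vdirPath = "$siteRoot/MSADC"
if ([ADSI]::Exists($vdirPath)) {
    [void]$findings.Add("Virtual directory still present: $vdirPath")
    if ($Remove) {
        $root = [ADSI]$siteRoot
        $root.Delete('IIsWebVirtualDir', 'MSADC')
    }
}

# 3. The msadc folder on disk (and its Samples subfolder, if the samples were
#    installed) holds the RDS code itself; deleting it removes the code path.
if (Test-Path -Path $msadcDir) {
    $samples = Join-Path $msadcDir 'Samples'
    if (Test-Path -Path $samples) {
        [void]$findings.Add("RDS sample files still installed: $samples")
    }
    [void]$findings.Add("RDS folder still present: $msadcDir")
    if ($Remove) { Remove-Item -Path $msadcDir -Recurse -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'RDS footprint not found: nothing to do.'
    exit 0
}

$action = if ($Remove) { 'removed' } else { 'found (re-run with -Remove to delete)' }
Write-Output "RDS components ${action}:"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

Run it without -Remove from a scheduled job and treat a non-zero exit code as a finding; that turns the column's one-time cleanup into a check that catches RDS coming back with a reinstall or a service pack. On an actual Windows NT 4.0 box there is no PowerShell, so the same three checks are done by hand in regedit, ISM and Explorer; the script is for the later IIS releases that still carry the metabase and the msadc folder.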

If you want to keep RDS capabilities, you can run handsafe.reg, which resides in C:\program files\common files\system\msadc by default. Handsafe.reg enables what Microsoft calls Safe mode for RDS. Even so, some security specialists consider this utility insufficient to secure these services.

You need to be completely informed about this vulnerability if you use RDS. For more information about the vulnerability, see the Microsoft articles "PRB: Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC" (http://support.microsoft.com/support/kb/articles/q184/3/75.asp) and "Re-Release: Unauthorized Access to IIS Servers Through ODBC Data Access with RDS" (http://www.microsoft.com/technet/security/bulletin/ms99-025.asp). You don't want to miss http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2, which has the complete lowdown on this problem. To keep up with the latest security information and patches, consider subscribing to Security UPDATE (http://www.win2000mag.net/email).

I want to place a common footer at the bottom of all pages that my server sends. How can I add such a footer in IIS?

IIS 5.0 and IIS 4.0 contain a feature called Document Footer, which lets you add a footer to the bottom of your Web site's pages. You can set up this feature on the Documents tab in Internet Services Manager (ISM), which Figure 1 shows. When you enable this feature, you specify a file that contains the HTML code you want to add to the server's output. The footer file isn't a complete .html file—just the content you want to display.

Now that I've explained IIS's built-in footer capability, I'd like to explain why you shouldn't use it. First and most important, using your Web server to manage part of the content violates good design principles. You should manage content as part of the development cycle, not as part of Web server administration. By mixing Web server setup and Web site design, content management becomes a bit confusing.

Second, the Document Footer feature delivers only static content. Because IIS simply appends the footer file to the output, IIS can't parse the footer for server-side .inc files or Active Server Pages (ASP) content. Not only is the footer content static, but you can append it only to static content. In other words, IIS can't append footers to output from scripting languages such as ASP, Perl, or PHP: Hypertext Preprocessor (PHP).

So, what solutions exist? If you use a tool for software development, such as Microsoft FrontPage or Allaire HomeSite, you can easily add footers to your content. These tools let you add a reference to the bottom of your pages to include a standard footer file. To change the content, you just change the footer file. You don't need to modify the original script to modify the footer.

Your only other solution is to develop a custom Internet Server API (ISAPI) filter that adds the content to all outgoing pages. This solution is the most scalable but the most difficult to develop because ISAPI filters aren't easy to code.

For those of you who develop ASP content, Microsoft's upcoming ASP.NET will have capabilities that make this kind of task much easier to manage. For information about ASP.NET, go to http://msdn.microsoft.com/library/dotnet/cpguide/cpconintroductiontoasp.htm.



Reader Comments
How can I force a new login? For security reasons, I want the SSL session to expire after some time and have the user enter login credentials again. I would expect this to be a server-side setting, but I couldn't find it anywhere...

plukasse at cordys dot com

Anonymous User, March 25, 2005

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.