Improving Web Application Security: Threats and - CGISecurity

Chapter 16: Securing Your Web Server 429●●●●●●●Auditing and LoggingAuditing is one of your most important tools for identifying intruders, attacks inprogress, and evidence of attacks that have occurred. Use a combination ofWindows and IIS auditing features to configure auditing on your Web server.Event and system logs also help you to troubleshoot security problems.Sites and Virtual DirectoriesSites and virtual directories are directly exposed to the Internet. Even thoughsecure firewall configuration and defensive ISAPI filters such as URLScan (whichships with the IISLockdown tool) can block requests for restricted configurationfiles or program executables, a defense in depth strategy is recommended.Relocate sites and virtual directories to non-system partitions and use IIS Webpermissions to further restrict access.Script MappingsRemove all unnecessary IIS script mappings for optional file extensions to preventan attacker from exploiting any bugs in the ISAPI extensions that handle thesetypes of files. Unused extension mappings are often overlooked and represent amajor security vulnerability.ISAPI FiltersAttackers have been successful in exploiting vulnerabilities in ISAPI filters.Remove unnecessary ISAPI filters from the Web server.IIS MetabaseThe IIS metabase maintains IIS configuration settings. You must be sure that thesecurity related settings are appropriately configured, and that access to themetabase file is restricted with hardened NTFS permissions.Machine.configThe Machine.config file stores machine-level configuration settings applied to.NET Framework applications including ASP.NET Web applications. Modify thesettings in Machine.config to ensure that secure defaults are applied to anyASP.NET application installed on the server.Code Access SecurityRestrict code access security policy settings to ensure that code downloaded fromthe Internet or intranet have no permissions and as a result will not be allowed toexecute.