Improving Web Application Security: Threats and - CGISecurity
656 Part V: Assessing Your Security

IIS Metabase

The IIS Metabase contains IIS configuration settings, many but not all of which are configured through the IIS administration tool. The file itself must be protected, and specific settings that cannot be maintained using the IIS configuration tool should be checked. Review the following questions to ensure appropriate metabase configuration:

● Have you restricted access to the metabase?

Check that the ACL on the metabase file allows full control access to the system account and administrators. No other account should have access. The metabase file and location is:

%windir%\system32\inetsrv\metabase.bin

● Do you reveal internal IP addresses?

By default, IIS returns the internal IP address of your server in the Content-Location section of the HTTP response header. You should prevent this by setting the UseHostName metabase property to true. To check if it has been set, run the following command from the \inetpub\adminscripts directory:

adsutil GET w3svc/UseHostName

Confirm that the property value has been set to true. If the property is not set, this command returns the message "The parameter 'UseHostName' is not set at this node." For more information, see "Step 14. IIS Metabase" in Chapter 16, "Securing Your Web Server."

Server Certificates

If your applications use SSL, make sure that you have a valid certificate installed on your Web server. To view the properties of your server's certificate, click View Certificate on the Directory Security page of the Properties dialog of your Web site in IIS. Review the following questions:

● Has your server certificate expired?
● Are all public keys in the certificate chain valid up to the trusted root?
● Has your certificate been revoked?

Check that it is not on a Certificate Revocation List (CRL) from the server that issued the certificate.
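The three checks above (metabase ACL, the UseHostName property, and certificate validity) can be scripted. The following PowerShell is an added example, not from the book or from Microsoft; it assumes the metabase path and adminscripts directory given on the page, that adsutil.vbs is the script behind the "adsutil" command, and that the server certificates live in the local machine's personal store.

```powershell
# Added example (not part of the book): audit the metabase checks described above.
# Assumptions: IIS 5/6-style metabase.bin at the path the page gives, adsutil.vbs in
# \inetpub\adminscripts, and server certificates in Cert:\LocalMachine\My.
$metabase     = Join-Path $env:windir 'system32\inetsrv\metabase.bin'
$adminScripts = Join-Path $env:SystemDrive 'inetpub\adminscripts'
$allowed      = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # only identities that should have access

# 1. Metabase ACL: flag any ACE for an identity outside the allowed set,
#    and any allowed identity that holds less than FullControl.
$acl = Get-Acl -Path $metabase
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    if ($allowed -notcontains $id) {
        Write-Warning "Unexpected ACE on metabase: $id has $($ace.FileSystemRights)"
    } elseif ($ace.FileSystemRights -ne [System.Security.AccessControl.FileSystemRights]::FullControl) {
        Write-Warning "$id should have FullControl but has $($ace.FileSystemRights)"
    }
}

# 2. UseHostName: run adsutil as the page describes and inspect its output,
#    including the "not set at this node" message the page quotes.
$adsutil = Join-Path $adminScripts 'adsutil.vbs'
$out = & cscript.exe //nologo $adsutil GET w3svc/UseHostName 2>&1 | Out-String
if ($out -match 'is not set at this node') {
    Write-Warning 'UseHostName is not set: IIS will reveal the internal IP in Content-Location'
} elseif ($out -notmatch '\bTrue\b') {
    Write-Warning "UseHostName is not True: $($out.Trim())"
}

# 3. Server certificates: expiry, chain to a trusted root, and revocation (CRL lookup).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'   # consult the issuer's CRL
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($cert.Subject) expired on $($cert.NotAfter)"
    }
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "$($cert.Subject) failed chain validation: $reasons"
    }
}
```

Run it in an elevated session on the Web server; a clean run produces no warnings, and each warning maps to one of the review questions above.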
