How vulnerable is Microsoft IIS 7.5 to attacks?

Microsoft further established its security stance with the rewrite of Internet Information Services (IIS) 7.0 back with the original release of Windows Server 2008. Building on that success is IIS 7.5 -- the latest version of the world’s second most popular Web server.

IIS 7.5 has been out for over a year now, having shipped with Windows Server 2008 R2 and Windows 7. But while I had expected to see more installations of IIS 7.5 by now, it just hasn’t happened yet. Nevertheless, I’ve performed security assessments against a handful of IIS 7.5 installations, with positive results.

As with Windows 7 and Server 2008 R2, the reduced attack surface and “secure out of the box” approach Microsoft has taken with IIS 7.5 seems to have worked out pretty well. But IIS 7.5 is still not without its flaws. At best, these can leave you with a few gaps in your next compliance audit. At worst, the result is a compromised Web server that might include the following:

• ASP.NET debugging enabled, which can inadvertently reveal sensitive configuration information back to the user
• FrontPage Extensions enabled, which can be enumerated to reveal configuration information
• IIS with a missing host header, which reveals the server’s internal IP address as shown in the following HTTP response:

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://172.16.1.10/site/
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 15 Nov 2010 10:51:43 GMT
Connection: close
Content-Length: 154

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found
<a HREF="http://172.16.1.10/site/">here</a></body>

These vulnerabilities don’t pose a direct exposure, but they can give an attacker a leg up on penetrating your network.

More importantly, vulnerabilities involving ASP stack consumption/FastCGI request header buffer overflow (MS10-065) and IIS authentication memory corruption (MS10-040) can cause a direct compromise of IIS 7.5-based systems. Exploit code is readily available for the MS10-065 vulnerability; it’s just a matter of someone finding the flaw on one of your systems and exploiting it. Once that occurs, the attacker has full control and free reign of the box.

Looking past direct IIS issues, there’s the Oracle padding vulnerability that can cause some serious grief, not to mention weak passwords, input validation and so on within specific applications.

All in all, IIS 7.5 is solid, stable and secure -- within reason. New server-level and application flaws will arise, however, and can be used against you if you let your guard down. Harden IIS 7.5 with Microsoft’s Windows Server 2008 R2 Security Baseline or whatever standards you deem important, keep it patched, test your Web environment periodically and make the necessary tweaks when required. It won’t buy you 100% security, but it’ll come pretty darn close.

You can follow SearchWindowsServer.com on Twitter @WindowsTT.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored eight books on information security. He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at his website www.principlelogic.com.