Script the Configuration of Your Default Web Site
Write a script to secure your Default and Administration Web sites.
April 29, 2002
When you install IIS, it creates two Web sites: the Default Web Site and the Administration Web Site. Applications such as ColdFusion place their Web administration interfaces in the Default Web Site, and IIS installs its Web administration interface in the Administration Web Site. Because these sites exist on all IIS servers and contain sensitive information, they're popular targets for attack. Thus, restricting access to them is important. You probably want to use the same security restrictions for the Default and Administration Web sites on all your servers, so scripting the configuration is a good way to save time and ensure that all the sites are the same. I've written CreateSite.vbs to perform such a configuration for my servers. You can download CreateSite.vbs from the Code Library at http://www.windowswebsolutions.com.
Setting Property Values
A lot of the Web site properties in the IIS metabase—properties that you typically use the Microsoft Management Console (MMC) Internet Service Manager snap-in to set—have numeric values. CreateSite.vbs sets those Web site property values for you. However, you might not want to use exactly the same settings as I've chosen, so you need to understand the various setting options. (I also explain these options in the script comments.)
AccessFlags property. You can use the AccessFlags property to set multiple permissions that you would otherwise set on the Home Directory tab of the Web Site Properties dialog box. The property value is the sum of the values that correspond to your choices for the Script Source Access, Read, and Write check boxes and the Execute Permissions drop-down box. Table 1 shows the possible settings. CreateSite.vbs sets the value of AccessFlags to 513, which represents a value of 512 to indicate the script access permission and a value of 1 to reflect read access.
DontLog property. The Log visits check box on the Home Directory tab, which corresponds to the DontLog property, determines whether to track requests for access to the Web site. You set the property to 0 to log visits and 1 to disable logging. CreateSite.vbs sets the property to 1, although IIS logs can assist in the detection of performance problems and attacks.
ContentIndexed property. The ContentIndexed property corresponds to the Index this resource check box on the Home Directory tab. A value of 0 means that IIS won't index the Web site; a value of 1 means that IIS will index it. CreateSite.vbs sets the property to 0.
ServerBindings property. You can use the ServerBindings property to set the IP address, port, host name, or any combination of these three site-address properties. The format is "ipaddress:port:www.mycompany.com". If you want to set just one or two of the items, you can, but use both sets of colons. For example, CreateSite.vbs sets only the port—to ":9999:".
AuthFlags property. You use the AuthFlags property to set the authentication methods that you want to permit for the Web site. To arrive at the AuthFlags value, you add the numeric values that correspond to your choices on the Authentication Methods dialog box. Table 2 lists the authentication methods and their numeric values. CreateSite.vbs sets the AuthFlags property to 4 to allow only Integrated Windows Authentication.
AppIsolated property. You use the AppIsolated property to set the application protection level for a Web site. Table 3 shows the three possible levels; CreateSite.vbs sets the property to 2 for medium-level isolation.
Application Mappings
Application mappings can be dangerous because intruders often try to take advantage of applications installed on Web servers. Thus, to help reduce the security risk, you should limit the number of applications and what they can do. Every time you make a change to your IIS installation, unwanted application mappings can return. Thus, you should create a script that removes all unwanted application mappings and run it after you make any changes to your IIS configuration. To set an application mapping, you need to build an array that has the format "extension,executable,numericvalue,verb,verb". For example, CreateSite.vbs sets four application mappings, the first of which is
strNewArr(0) = ".asp,C:WINNT System32inetsrvasp.dll,5, GET,HEAD,POST,TRACE"
Table 4 shows the numeric values that you can use in the array. These values indicate whether the IIS script engine will run scripts and whether IIS will check for the existence of files and file paths.
You can also specify verbs such as Get, Head, Post, and Trace in the array. If you don't specify any verbs, IIS 5.0 assumes that you want to allow all the verbs. The Active Directory Service Interfaces (ADSI) PutEx command, which can set values for multivalued properties, places application mappings in the metabase.
IP Address Restrictions
You can set IP address restrictions to limit access to the server's administrative functions to only a few internal addresses. First, you need to specify the addresses that you want to restrict or grant special permissions. You create an array of IP address information in the format "IPaddress:subnetmask". For example, CreateSite.vbs sets three IP address arrays, the first of which is
IPList(0) = "192.168.0.0, 255.255.0.0"
Then, to establish IP address restrictions, you use the object and properties that Table 5 shows. For example, CreateSite.vbs sets the GrantByDefault property to FALSE to deny access to the Web site, then uses the IPGrant property to allow an exception for the IP addresses listed in IPList.
—James R. Fallon
[email protected]
About the Author
You May Also Like