Restricting IIS from serving static content

"Nico" <N***@discussions.microsoft.com> wrote (news:20C14FBF-4912-4CA8-BBE8-921A1B4143B8@microsoft.com):

I'm trying to determine the best way to restrict access to static files in IIS 6.0. From my understanding the recommended solution is to remove the extension from the MIME types in the IIS 6.0 console. However, testing has shown that you also need to remove these from HKEY_CLASSES_ROOT as well.

To be as secure as possible I want to limit ALL static content, so this would mean removing all extensions from HKEY_CLASSES_ROOT, and I'm not sure what detrimental effect this would have on the server.

The other solution is using the [AllowExtensions] functionality of URLScan, but Microsoft apparently does not recommend installing URLScan on IIS 6.0 as a means of increasing security.


Ken Schaefer replied:

What do you mean by "restrict access"?

Do you want to prevent all requests for these files? Or do you want to restrict access to certain users/clients only?

The former can be done using URLScan etc. Version 2.5 of URLScan is supported on IIS 6.0.

The latter can be done via NTFS ACLs and IIS authentication mechanisms.

Cheers
Ken


David Wang [Msft] replied:

Please define:
1. what actions you want to control through authorization
2. how users are authenticated such that you can apply authorization rules

"Restricting access to static files" is pretty ambiguous.

If you want to prevent the files from being served by the static file handler, then why put it in the URL namespace?

If you only want certain users to download the files but not others, then you must authenticate users to obtain identity such that you can place authorization rules like NTFS ACLs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


"Nico" <N***@discussions.microsoft.com> wrote (news:273AD788-868A-4425-9207-2BCE726D3BED@microsoft.com):

Hi,

What I would like to do is stop IIS 6.0 from serving these static files altogether. I'd like to create a whitelist of known file-types, e.g. .aspx, .asp, .html, .jpg, and only have those files served and none other. The reason for this is that while there may be no .txt or .zip files in the web root at present, I want to avoid the possibility of someone accidentally allowing access to backup files or other such content on the web server.

The URLScan documentation says that "UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality that is equal to or better than most of the features of UrlScan 2.5."

Therefore, I am wondering if there is a way to restrict IIS 6.0 to serving only a known whitelist of authorised file-types without the use of URLScan.

Thank you for your responses.


Ken Schaefer replied:

You would need to restrict this by using MIME types (i.e. removing those that you don't want to allow).

Alternatively, if you want, you can use URLScan.

Cheers
Ken


"Nico" <N***@discussions.microsoft.com> wrote (news:D4E16616-F138-49CA-AD56-59B27E5D66EB@microsoft.com):

Thanks again for the response.

My testing has shown that removing MIME types from within the IIS configuration is not enough; you also have to remove them from the registry under HKEY_CLASSES_ROOT\extensions.

To be as secure as possible and disallow all static files, would you have to remove everything in that tree? And since that tree is server-wide, not just related to IIS, what would be the impact of removing all MIME types from that registry tree?


David Wang [Msft] replied:

IIS Static File Handler MIME Types come from a merge of three locations:
1. Registry - HKCR\Extensions
2. IIS Global MIME Type - LM/MimeMap/MimeMap
3. Per-URL MIME Type - W3SVC/#/ROOT/?/MimeMap

If you do #1, on the server itself, Explorer won't be able to browse/open files with those extensions because you would have removed their associated extensions. But that is probably a valid tradeoff, because if you are so security conscious as to control what is downloadable from IIS, you probably also do not want to allow random users to log in and run/copy arbitrary programs/documents on that server.

--
//David
IIS
http://blogs.msdn.com/David.Wang
//
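The following is an added example, not code from the thread, from Microsoft or from URLScan. It models the two points the thread turns on: Nico's allow-list of extensions as URLScan's [AllowExtensions] section expresses it, and David Wang's three merged MIME-type sources, so you can see which extensions would still be served and which source (registry or metabase) you would have to edit to stop them. All three source tables and the URLScan.ini fragment are constructed samples; the precedence used when merging (per-URL over global over registry) is an assumption, since the thread only says the three are merged.

```python
"""
Which extensions would IIS 6.0's static file handler serve, and which of
them fall outside an allow-list?  Added example, not code from the thread.

The three inputs below are constructed samples standing in for the sources
David Wang lists:
  1. registry  - HKCR\\.ext "Content Type" values
  2. global    - metabase LM/MimeMap/MimeMap (what the IIS console edits)
  3. per-URL   - metabase W3SVC/<site>/ROOT/<vdir>/MimeMap
Precedence (per-URL over global over registry) is an assumption; the thread
only says the three are merged.
"""
import os
import re
from typing import Dict, List, Set, Tuple

# 1. Constructed HKCR\.ext -> "Content Type" sample.  .txt/.zip/.bak exist
#    here even though the IIS console never listed them.
REGISTRY_HKCR: Dict[str, str] = {
    ".txt": "text/plain",
    ".zip": "application/x-zip-compressed",
    ".bak": "application/octet-stream",
    ".jpg": "image/jpeg",
    ".html": "text/html",
}
# 2. Constructed global MimeMap.
GLOBAL_MIMEMAP: Dict[str, str] = {
    ".html": "text/html",
    ".jpg": "image/jpeg",
    ".css": "text/css",
    ".mdb": "application/x-msaccess",
}
# 3. Constructed per-URL MimeMap, keyed by the URL prefix it applies to.
PER_URL_MIMEMAP: Dict[str, Dict[str, str]] = {
    "/images": {".png": "image/png"},
}

# Constructed URLScan.ini fragment in URLScan 2.5's format: with
# UseAllowExtensions=1 only extensions listed under [AllowExtensions] pass.
URLSCAN_INI = """
[options]
UseAllowExtensions=1     ; reject any request whose extension is not listed below

[AllowExtensions]
.aspx
.asp
.html
.jpg
"""


def parse_allow_extensions(ini_text: str) -> Set[str]:
    """Lower-cased extensions listed under [AllowExtensions] (';' starts a comment)."""
    allowed: Set[str] = set()
    section = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "allowextensions":
            allowed.add(line.lower())
    return allowed


def effective_mime_map(url_path: str) -> Dict[str, Tuple[str, str]]:
    """Merge the three sources for url_path -> {ext: (content_type, source)}."""
    merged: Dict[str, Tuple[str, str]] = {}
    for ext, ctype in REGISTRY_HKCR.items():
        merged[ext.lower()] = (ctype, "registry")
    for ext, ctype in GLOBAL_MIMEMAP.items():          # overrides registry
        merged[ext.lower()] = (ctype, "global")
    for prefix, entries in PER_URL_MIMEMAP.items():    # overrides global
        if url_path.lower().startswith(prefix.lower()):
            for ext, ctype in entries.items():
                merged[ext.lower()] = (ctype, "per-url:" + prefix)
    return merged


def has_mime_entry(url_path: str) -> bool:
    """True if the request's extension has a MIME entry, i.e. the static file
    handler has a content type to serve it with.  Script-mapped extensions
    such as .aspx are outside this model."""
    ext = os.path.splitext(url_path)[1].lower()
    return ext in effective_mime_map(url_path)


def extensions_to_remove(url_path: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Served extensions not on the allow-list, grouped by the source that
    supplies them, so you know whether the fix is the metabase or HKCR."""
    pending: Dict[str, List[str]] = {}
    for ext, (_ctype, source) in effective_mime_map(url_path).items():
        if ext not in allowed:
            pending.setdefault(source, []).append(ext)
    return {src: sorted(exts) for src, exts in pending.items()}


if __name__ == "__main__":
    allow = parse_allow_extensions(URLSCAN_INI)
    print("allow-list:", sorted(allow))
    for url in ("/web.config.bak", "/backup.zip", "/default.aspx", "/images/logo.png"):
        print(f"{url:20} has MIME entry: {has_mime_entry(url)}")
    for source, exts in extensions_to_remove("/", allow).items():
        print(f"remove from {source}: {', '.join(exts)}")
```

Run against the sample data, the "registry" bucket of `extensions_to_remove` is exactly the set Nico found the IIS console could not remove, which is why deleting .txt or .zip from the metabase alone still left them served; an extension present in both sources (.html, .jpg here) has to go from both. URLScan sits in front of all three sources, so with `UseAllowExtensions=1` none of them needs editing, at the cost of running the filter Nico was wary of. Deleting the HKCR\.ext keys instead carries the Explorer file-association tradeoff David describes, on that server only.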