Microsoft IIS Overview

The history of IIS reaches back to the Windows NT 3.51 operating system. Access to frequently used networking components and the capability to service multiple collaboration and networking protocols and services make IIS an attractive solution for administrators. Some of the more popular services and protocols provided by IIS include File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), Hypertext Transfer Protocol (HTTP), and Hypertext Transfer Protocol Secure (HTTPS). For many years, IIS has been the second most utilized Web server deployed for hosting production Web services, as depicted by Netcraft's[C] Web Server Survey.[D] With this popularity, it has also drawn the attention of vulnerability researchers, who continue to identify flaws in various components of its implementation.

[C] http://news.netcraft.com/

[D] http://news.netcraft.com/archives/web_server_survey.html

The information in Table 6.1 provides a short history of IIS version numbers and matches the version with the server platform it is most commonly associated with. Versions of IIS may also be installed and run on client operating systems such as Windows XP and Windows Vista. As new server class operating systems have been released, Microsoft has continued to improve the capabilities and appeal of the IIS product. Throughout its history, Microsoft has deployed updated versions of IIS with each new release of the supporting server platform allowing administrators to implement new features.

Table 6.1. IIS versions and platforms

IIS version                Server platform
IIS version 7.5            Windows Server 2008
IIS version 7.0            Windows Server 2008
IIS version 6.0            Windows Server 2003
IIS version 5.0            Windows 2000
IIS version 2.0 to 4.0     Windows NT 4.0
IIS version 1.0            Windows NT 3.51

The following topics will provide an overview of some of the technologies, extensions, and services that are part of IIS. Although IIS is fairly easy to use and configure, knowing some of the components and capabilities of IIS can help provide an understanding of how they may be leveraged by an attacker.

File Transfer Protocol Publishing Service

The FTP service, provided as a part of the IIS server, allows administrators and users to store and transfer content to and from IIS FTP-enabled servers. FTP is also frequently used as a method for uploading, downloading, and updating content in Web server directories. FTP provides administrators and users the capability to transfer large quantities of data to and from FTP servers with little concern for administrative overhead. Microsoft's FTP server is dependent on IIS, which means that IIS must be installed in order to use the FTP server component provided by Microsoft.

As with other components found in IIS, the FTP service has been the target of vulnerability researchers for quite some time. One of the recent vulnerabilities discovered affecting the FTP component allows remote code execution or may cause a denial of service (DoS) as outlined in Microsoft Security Bulletin MS09-053.[E] Although this is a recent example, the FTP service has been the target of attackers for many years.

[E] www.microsoft.com/technet/security/bulletin/MS09-053.mspx

WebDAV Extension

Microsoft's implementation of WebDAV extensions allows Web developers to publish and track revisions of Web content, which is easier than some of the legacy protocols used to support Web application updates. This type of interaction can be useful to developers when traditional methods of file transfer such as FTP are not available. In later versions of Microsoft WebDAV, administrators are able to grant and control access for Web developers on a site-by-site and per Uniform Resource Locator (URL) basis. In addition, using WebDAV tools, a developer can even publish content to a Web site through network drives mapped from the developer's system to the Web server.

Microsoft's WebDAV follows the guidelines specified by the Internet Engineering Task Force (IETF[F]) Request for Comments (RFC) 4918[G] – HTTP Extensions for WebDAV. In the past, the Microsoft WebDAV implementation has had several vulnerabilities that were publicly disclosed and subsequently patched by Microsoft. Recently, Microsoft has issued another Security Bulletin[H], addressing an elevation of privilege vulnerability in the WebDAV component of IIS.

[F] www.ietf.org/

[G] http://tools.ietf.org/html/rfc4918

[H] www.microsoft.com/technet/security/bulletin/ms09-020.mspx

ISAPI

Microsoft's Internet Server Application Programming Interface (ISAPI) comes in the form of extensions and filters as they apply to IIS and provides developers with the capability of extending IIS server functionality. These extensions and filters may be programmed in several different languages and are compiled into Dynamic Link Libraries (DLLs) for use by the Web server. Some of the popular languages used for creating ISAPI extensions are C and C++.

In earlier versions of IIS, several buffer overflow vulnerabilities were discovered that leveraged ISAPI extensions, allowing attackers to take full control of the Web server and the supporting operating system. These flaws have had a profound impact on Web sites deployed on IIS and were widespread because ISAPI extensions were enabled as part of the default configuration.

How IIS Attacks Work

Attacks against IIS can take many forms and result in many different outcomes depending on the goals of the attacker. Some attacks leverage simple but significant misconfigurations in the IIS server and its components. Other attacks take advantage of well-known vulnerabilities that have been made public by security researchers. Misconfigured IIS servers can also provide easy access to administrative interfaces and content located on the server, allowing attackers to gain a foothold for follow-on attacks against your organization's network. Some examples of common misconfigurations include failure to restrict access to dangerous HTTP methods, directory browsing, vulnerable sample files, and unused Web service extensions installed and enabled.
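Several of the misconfigurations listed above can be checked for directly in IIS 7.x configuration files. The following audit sketch is an added example, not code from the book; the sample configuration, the function names, and the list of risky verbs are assumptions made for illustration, and it reports only settings set explicitly in the file it is given.

```python
import xml.etree.ElementTree as ET

# Constructed sample of IIS 7.x configuration; not taken from a real server.
SAMPLE_CONFIG = r"""<configuration><system.webServer>
  <directoryBrowse enabled="true" />
  <security>
    <requestFiltering><verbs allowUnlisted="true">
      <add verb="PUT" allowed="true" />
      <add verb="TRACE" allowed="false" />
    </verbs></requestFiltering>
    <isapiCgiRestriction notListedIsapisAllowed="true">
      <add path="C:\example\sample_ext.dll" allowed="true" />
    </isapiCgiRestriction>
  </security>
  <webdav><authoring enabled="true" /></webdav>
</system.webServer></configuration>"""

# HTTP and WebDAV methods that change or probe server content (editor's choice).
RISKY_VERBS = {"PUT", "DELETE", "TRACE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE"}

def is_true(elem, attr, default="false"):
    """True when elem exists and attr (or its assumed default) is 'true'."""
    return elem is not None and elem.get(attr, default).lower() == "true"

def audit_iis_config(xml_text):
    """Return findings for settings set explicitly in this file only."""
    findings = []
    ws = ET.fromstring(xml_text).find("system.webServer")
    if ws is None:
        return findings
    if is_true(ws.find("directoryBrowse"), "enabled"):
        findings.append("directory browsing enabled")
    verbs = ws.find("security/requestFiltering/verbs")
    if verbs is not None:
        # Assumption: a missing allowUnlisted attribute means the default, true.
        if is_true(verbs, "allowUnlisted", default="true"):
            findings.append("unlisted HTTP verbs allowed")
        for add in verbs.findall("add"):
            if add.get("verb", "").upper() in RISKY_VERBS and is_true(add, "allowed"):
                findings.append("risky verb allowed: " + add.get("verb").upper())
    isapi = ws.find("security/isapiCgiRestriction")
    if is_true(isapi, "notListedIsapisAllowed"):
        findings.append("unlisted ISAPI extensions allowed")
    for add in (isapi.findall("add") if isapi is not None else []):
        if is_true(add, "allowed"):  # inventory for review: is it still needed?
            findings.append("review ISAPI/CGI entry: " + add.get("path", "?"))
    if is_true(ws.find("webdav/authoring"), "enabled"):
        findings.append("WebDAV authoring enabled")
    return findings
```

Vulnerable sample files cannot be detected from configuration alone and need a separate review of the content directories.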

Microsoft IIS and some of its components have vulnerabilities that have been publicly disclosed in the past. Many times, these vulnerabilities have been discovered by security researchers and exploits have been created to leverage them. Access to these exploits reduces the complexity of attacks against IIS and may result in unauthorized access to resources on the IIS server, depending on the components of IIS attacked. Certain levels of access may allow an attacker to interact with the underlying operating system and allow for complete compromise of the IIS server and operating system.
