Microsoft Internet Information Server 4.0 Security Checklist

Last Updated: 31-Dec-1999                   

This table outlines some of the steps you should take to secure a Windows NT 4.0 Server running Microsoft Internet Information Server 4.0 on the Internet. Note, this document does not take into consideration firewalls or proxy servers. It also assumes the company has a security policy in place.

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

Please email the author, Michael Howard ([email protected]), if you find any problems or have any comments.

Thanks!


Step 1: General Information

Server Name

 

Asset #

 

Setup Date

 

Manufacturer

 

Location

 

Set up by

 

Step 2: Background Work

 

Step

Read your corporate security policy

Configure hardware to meet security policy

Read the IIS4 Resource Kit Security Chapter

Subscribe to Microsoft Security Notification Service

Step 3: Windows NT 4.0 Settings

 

Step

Latest Service Pack and Hot-fixes applied

Hard disk(s) formatted to NTFS

Set NTFS ACLs

Turn off NTFS 8.3 Name Generation

System boot time set to zero seconds

Set Domain controller type

OS/2 Subsystem removed

POSIX Subsystem removed

Remove All Net Shares

Audit for Success/Failed Logon/Logoff

Set Overwrite interval for Audit Log

Hide last logon user name

Display a legal notice before log on

Remove Shutdown button from logon dialog

Set Password length

Disable Guest account

Rename Administrator account

Allow network-only lockout for Administrator account

Check user accounts, group membership and privileges

Set a very strong password for Admin account

Restrict Anonymous Network Access

Prevent unauthenticated access to the registry

ACL and Monitor Critical Registry Keys

Change "Access this computer from the network" from Everyone to Authenticated Users

Run SYSKEY Utility

Unbind NetBIOS from TCP/IP

Configure TCP/IP Filtering

Disable IP Routing

Move and ACL critical files

Synchronize Times
Remove Unused ODBC/OLE-DB Data Sources and Drivers

 

Step 4: Internet Information Server 4.0 Settings

 

Step

Install minimal Internet services required

Set appropriate authentication methods

Set appropriate virtual directory permissions and partition Web application space

Executable content validated for trustworthiness

Set IP Address/DNS Address restrictions

Set up Secure Sockets Layer

Migrate new Root Certificates to IIS

Remove Non-trusted Root Certificates

Set Appropriate IIS Log file ACLs

Logging enabled

Index Server only indexing documentation

Lock down Microsoft Certificate Server ASP Enrollment pages

Remove the iisadmpwd vdir

Remove Used Script Mappings

Disable RDS support

Disable or remove all sample applications

Disable or remove unneeded COM Components

Check <FORM> input

Disable calling the command shell with #exec

Disable 'Parent Paths'

Disable IP Address in Content-Location

Step 5: Install Scanner/Intrusion Software

Regularly run a security scanner on your Web server, such as software from one of the companies listed.

Step 6: Update the Emergency Repair Disk

You should regularly update the ERD by running the RDISK tool.


Microsoft Internet Information Server 4.0 Security Checklist Further Details

General Security

Read your Corporate Security Policy

Having a security policy is paramount. You need ready answers to questions like:


- How do we react to a break in?
- Where are the backups stored?
- Who is allowed to access the server?

Good sources of policy information may be found at SANS Institute, Baseline Software, Inc. and Practical Unix & Internet Security.
                                                                                                                                      
Read the IIS4 Resource Kit Security Chapter

The IIS4 Resource Kit security chapter covers many aspects of Windows NT and IIS security.

Subscribe to the Microsoft Security Notification Service

IMPORTANT: You MUST keep on top of new security issues as they arise. 

You can stay abreast of Microsoft-related security issues and fixes here. You will notice of security issues by email.

Windows NT Specific Security

Latest Service Pack and Hot-fixes applied

Currently Windows NT 4.0 SP6a is the latest Service Pack and is recommended for secure IIS4 sites. Review all Microsoft Security Bulletins and then check for hot-fixes - Windows NT, IIS, and Certificate Server. Also review the latest Microsoft Security News.

 

You should also consider placing a 'favorites shortcut' to the Microsoft Security Advisor Program. To do so, follow these steps:

 

     - Open Internet Explorer on your desktop

     - Navigate to http://www.microsoft.com/security

     - Select Favorites on the menu, then choose Add to Favorites

     - Check 'Make Available Offline'

     - Select Customize | Next | Yes (links to other pages) | '2' links deep

     - Next | Select 'I would like to create a new schedule' | use the defaults | finish

     - OK

     - Select Favorites on the menu, then choose Organize Favorites

     - Select Properties | Download | uncheck 'Follow links outside of this page's Web site'

     - OK

     - Close

 

 

If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft Security Advisory Program' link to your desktop. A small red mark will appear on the icon when there is new security news.


Hard disk(s) formatted to NTFS

Because NTFS supports Access Control Lists you can set security policy in Windows NT rather then spread around applications. If you are using FAT you can convert to NTFS using the CONVERT.EXE tool.

Set NTFS ACLs

There are many references to what the appropriate ACLs should be, such as the IIS4 Resource Kit and Windows NT Security Guidelines - a study for NSA Research by Trusted Systems Services Inc.


Turn off NTFS 8.3 Name Generation

NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications. As 16-bit apps should not be used on a secure web server 8.3 name generation can be safely turned off. Also note, there is a performance benefit to setting this. To turn off 8.3 name generation set the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\FileSystem

Name

NtfsDisable8dot3NameCreation

Type

REG_DWORD

Value

1

Set Domain controller type

Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts.

OS/2 and POSIX subsystems removed

Remove these subsystems by performing the following registry actions:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\OS/2 Subsystem for NT

Action

Delete all sub keys

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\Environment

Name

Os2LibPath

Action

Delete

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\SubSystems

Name

Optional

Action

Delete values

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\SubSystems

Action

Delete entries for Posix and OS/2

 

Then delete the \winnt\system32\os2 directory and all subdirectories. The changes will take effect on the next reboot.

Remove All Net Shares

Run Net Share from the command-line and make sure you delete all of them using Net Share /d. You should also prevent all administrative shares (C$, D$, ADMIN$) by setting the following in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Services\LanmanServer\Parameters

Name

AutoShareServer

Type

REG_DWORD

Value

0

System boot time set to zero seconds

Go to Control Panel | System | Startup/Shutdown and set "Show list for" to zero.

Hide last logon user name

Set the following in the Registry to hide the name of the last user that logged on:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Name

DontDisplayLastUserName

Type

REG_SZ

Value

1

Display a legal notice before logon

Set the following in the Registry to display legal information about the use of this computer:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Name

LegalNoticeCaption

Type

REG_SZ

Value

Whatever you want for the title of the message box

                             

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

Microsoft\Windows NT\Current Version\Winlogon

Name

LegalNoticeText

Type

REG_SZ

Value

Whatever you want for the text of the message box

 

An excellent resource for login banner wording can be found at the CIAC web-site.

Set password length

Set to at least nine characters. This makes it much harder to guess than eight characters or less owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters in the first 7 characters.

Remove Shutdown button from logon dialog

Set the following value in the Registry to remove the shutdown option at logon:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Name

ShutdownWithoutLogon

Type

REG_SZ

Value

0

Check user accounts, group membership and privileges

Minimize the number of users and groups on the server and keep group membership small. There should be only the most trusted accounts listed in the Administrators and Domain Admins groups. Also, be wary of the privileges given to users and groups beyond the default. You can access privilege information by opening User Manager | Policies | User Rights. A complete list of recommended user rights is detailed in the IIS4 Resource Kit

 

Note, three particularly powerful rights are:

 

    - Debug privilege

    - Act as part of operating system

    - Backup privilege

 

Scrutinize accounts with these rights.

Run SYSKEY Utility

SYSKEY, a tool introduced in Windows NT4, SP3 provides an extra safeguard for the SAM database. Refer to Q143475 for further details.

Rename Administrator account

While this is an example of "security through obscurity", it's an extra step a hacker must make to determine the admin account. Consider adding a 'fake' administrator to help detect account attacks. Give this 'Administrator' no rights and carefully audit its use.

 

Note: nbtstat -a or nbtstat -A may be used to determine the real administrator account if they are currently logged on.

Allow network-only lockout for the Administrator account

Normally, the Administrator account cannot be locked out if an attacker attempts to guess the password. However, a tool in the Windows NT Resource Kit called PASSPROP supports this option. If you run the following command the Administrator account will be locked out if an attacker attempts a brute force or dictionary attack but the administrator can still logon locally at the server:

 

  passprop /adminlockout

Set a very strong password for Admin account

Make sure the admin account has a very difficult to guess password and change it frequently. Click here for more info.

Prevent unauthenticated access to the registry

The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry Key

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\SecurePipeServers

Name

\winreg

 

The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.

Restrict Anonymous Network Access

Windows NT has a feature that allows non-authenticated users to enumerate users on a Windows NT domain. If you do not want this functionality, set the following in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\LSA

Name

RestrictAnonymous

Type

REG_DWORD

Value

1

ACL and Monitor Critical Registry Keys

The following registry entries should be tightly ACL'd and monitored as they can be used to launch trojan programs:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

Microsoft\Windows\CurrentVersion\Run

   
Hive HKEY_LOCAL_MACHINE\SOFTWARE
Key Microsoft\Windows\CurrentVersion\RunOnce
   
Hive HKEY_LOCAL_MACHINE\SOFTWARE
Key Microsoft\Windows\CurrentVersion\RunOnceEx
   
Hive HKEY_LOCAL_MACHINE\SOFTWARE
Key Microsoft\Windows NT\CurrentVersion\AeDebug

 

 
Hive HKEY_LOCAL_MACHINE\SOFTWARE
Key Microsoft\Windows NT\CurrentVersion\WinLogon
   

 

The default ACLs should be:

 

    - Administrators (Full Control)

    - SYSTEM (Full Control)

    - Creator Owner (Full Owner)

    - Everyone (R)

Change "Access this computer from the network" from Everyone to Authenticated Users

This only allows users having an account in the domain or on the machine to access shares on the server. You can perform this by opening User Manager | Policies | User Rights, then choosing "Access this computer from network", remove Everyone from the list and add Authenticated Users to the list.

Unbind NetBIOS from TCP/IP

Unbinding NetBIOS from TCP/IP will prevent a user from accessing machine information using tools like NBTSTAT.

Disable IP Routing

If routing is enabled, you run the risk of passing data between the intranet and Internet. To disable routing, open the Control Panel | Network | Protocols | TCP/IP Protocol | Properties | Routing and clear the Enable IP Forwarding check box.

Audit for Success/Failed Logon/Logoff

Open User Manager | Policies | Audit | Audit these Events.

Set Overwrite interval for Audit log

Open Event Viewer | Log | Log Settings, and set a maximum size and "Overwrite Events Older than" for all three logs. If you are going to overwrite logs after only a few days and your log maximum size is small then you need to check the logs more frequently.

Configure TCP/IP Filtering

Configure TCP/IP filtering by specifying which ports are allowable on each network card. Go to Control Panel | Network | Protocols | TCP/IP | Advanced | Enable Security | Configure. Now set the following options:

 

    - Permit only TCP ports 80 and 443 (if you have SSL)

    - Permit no UDP ports

    - Permit only IP Protocol 6 (TCP)

Move and ACL Critical Files

Place all commonly used administrative tools in a special directory out of %systemroot% and ACL them so that only administrators have full access to these files. For example create a directory called \CommonTools and place the following files in there: 

 

xcopy.exe

wscript.exe

cscript.exe

net.exe

ftp.exe

telnet.exe

arp.exe

edlin.exe

ping.exe

route.exe

at.exe

finger.exe

posix.exe

rsh.exe

atsvc.exe

qbasic.exe

runonce.exe

syskey.exe

cacls.exe

ipconfig.exe

rcp.exe

secfixup.exe

nbtstat.exe

rdisk.exe

debug.exe

regedt32.exe

regedit.exe

edit.com

netstat.exe

tracert.exe

nslookup.exe

rexec.exe

cmd.exe

 

 

 

Synchronize Times

If you have multiple Web servers you should make sure the times are synchronized. This will aid you when you need to evaluate multiple audit logs in the case of any intrusion detection. The simplest way is to use the NET TIME command and nominate one server as having the base time.

Remove Unused ODBC/OLE-DB Data Sources and Drivers

Some sample applications install ODBC data sources for sample databases, while others may install unused ODBC/OLE-DB database drivers. It is prudent to remove any unwanted data sources and drivers using the ODBC Data Source Administrator tool. 

 

 

IIS Specific

Install minimal Internet services required

It is generally considered good practice to reduce the number of entry points into a server, for Windows NT this means reducing the number of services. You should stop and disable unneeded services using the Service Configuration Manager. The following services must be running to use IIS:

 

   - Event Log

   - License Logging Service

   - Windows NTLM Security Support Provider

   - Remote Procedure Call (RPC) Service

   - Windows NT Server or Windows NT Workstation

   - IIS Admin Service

   - MSDTC

   - World Wide Web Publishing Service

   - Protected Storage

Set appropriate authentication methods

These are application specific but you need to make sure you use 'strong enough' authentication for your application. The following lists the authentication schemes supported by IIS4 in increasing trust: 

- Anonymous

Basic

Windows NT Challenge/Response

Client Certificates

 

Refer to Q229694 for further details.

Set appropriate virtual directory permissions/Web application space

This is also application dependant, but the following rules-of-thumb apply:

 

File Type

ACL

CGI etc .EXE, .DLL, .CMD, .PL

Everyone (X)

Administrators (Full Control)

System (Full Control)

Script Files .ASP etc

Everyone (X)

Administrators (Full Control)

System (Full Control)

Include Files .INC, .SHTML, .SHTM

Everyone (X)

Administrators (Full Control)

System (Full Control)

Static Content .HTML, .GIF, .JPEG

Everyone (R)

Administrators (Full Control)

System (Full Control)

 

Rather than setting ACLs on each file, you are better off setting new directories for each type of file and setting ACLs on the dir and allow the ACLs to inherit to the files. For example a directory structure may look like this:

 

 c:\inetpub\wwwroot\myserver\static (.html)

 c:\inetpub\wwwroot\myserver\include (.inc)

 c:\inetpub\wwwroot\myserver\script (.asp)

 c:\inetpub\wwwroot\myserver\executable (.dll)

 c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

 

Real ACL inheritance is a feature of Windows NT4 SP4 with the Security Config Editor installed.

 

Also be aware that two directories need special attention:

 c:\inetpub\ftproot (FTP server)

 c:\inetpub\mailroot (SMTP server)

 

They are both Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume to the IIS server if you are going to support Everyone (Write).  

Set appropriate IIS log file ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

 

- Administrators (Full Control)

- System (Full Control)  

- Everyone (RWC)

 

This is to help prevent malicious users deleting the files to cover their tracks.

Logging enabled

Logging is paramount when you want to see if your server is being attacked. You should use W3C Extended Logging format by Loading the IIS MMC tool | Right-click on site in question | Properties | Web Site | Enable Logging (W3C Extended Log), then set the following properties:

 

    - Client IP Address

    - User Name

    - Method

    - URI Stem

    - HTTP Status

    - User Agent

    - Server IP Address

    - Server Port

Set IP Address/DNS Address restrictions

This is not a common option to set, but if you wish to restrict your Web sites to certain users then this is one option. Note, if you enter DNS names then IIS has to do a lookup, which can be time consuming.

Executable content validated for trustworthiness

It is difficult to know whether executable content can be trusted or not. One small test is use the DumpBin tool to see if the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you wish to see if a file called MyISAPI.DLL calls RevertToSelf():

 

  dumpbin /imports MyISAPI.DLL | find "RevertToSelf"

 

If no result appears on screen then MyISAPI.DLL does not call RevertToSelf() directly. It may call the API through LoadLibrary() in which case you could search for this too.  

Set up Secure Sockets Layer

SSL/TLS can be used to secure data as it's transferred from the client to the web server. SSL/TLS is used mainly when passwords or credit cards are to be transferred across the Internet. However, using SSL/TLS is slow, especially during the initial handshake, so keep pages that use SSL/TLS to a minimum and keep the content minimal.

Migrate new Root Certificates to IIS

If you are using SP4 or later you do not need to use the IISCA tool. Instead you can use the new certificate UI. Refer to Q194788 for further details.

Remove non-Trusted Root Certificates

In a public key infrastructure trust is determined by the root certifying authority (CA) certificates you have enabled. If you trust certificates issued by a CA then you must have that root CA certificate loaded in the operating system. You need to do the following to implement who you trust when using IIS:

 

    - Determine who you trust. Write the CA's names down.

    - Disable or remove the root CA certificates of those you don't trust. By implication, if you don't know the name of a CA then you cannot trust them.

 

How you achieve the second bullet point depends on what version of IIS, IE and Windows NT4 you are using:

 

IIS4 + IE4 + Windows NT 4 + SP4 or better
In this scenario, all root CA certificates are handled by schannel.dll, which stores its data in the registry. You will see a series of registry keys under the following "CertificationAuthorities" key, one for each preinstalled CA. Each CA key has an "Enabled" entry under it, set to 0x1 if the CA is trusted and 0x0 if the CA is not trusted. 

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities

Name

Enabled

Type

REG_DWORD

Value

0


Note: you should not delete these registry entries, as Schannel will notice that they're missing and recreate them.

IIS4 + IE5 + Windows NT 4 + SP4 or better
For this scenario you need to perform the steps noted above and modify trusted roots in IE5:

    - Open IE5
    - Select Tools | Internet Options
    - Click on the Content tab
    - Click on the Certificates button
    - Click on the Trusted Root Certification Authorities tab
    - Remove any untrusted roots

Regardless of which route you take, you will need to stop and start IIS:

    - net stop iisadmin /y
    - net start w3svc

Index Server only indexing documentation

Check what documents you are indexing, make sure you are not indexing confidential source code!

Lock down Microsoft Certificate Server ASP Enrollment pages

By default the installed ASP pages for Certificate Server are not secured. You should either remove the pages or set very limited ACLs on the pages. They are located in the %systemroot%/certsrv directory. You should set the ACLs to:

 

- Administrators (Full Control)

- Certificate Issuers (Full Control)

- SYSTEM (Full Control)

 

then add trusted certificate operators to the Certificate Issuers group.

Disable or remove all sample applications

Samples are just that, samples, they are not installed by default and should never be installed on a production server. This includes documentation (the SDK docs include sample code), the Exploration Air sample site and others. Here are the default locations for some of the samples:

 

Technology

Location

IIS

c:\inetpub\iissamples

IIS SDK

c:\inetpub\iissamples\sdk

Admin Scripts

c:\inetpub\AdminScripts

Data access

c:\Program Files\Common Files\System\msadc\Samples

Disable or remove unneeded COM Components

Some COM components are not required for most applications and should be removed. Most notably consider disabling the File System Object component, however, this will also remove the Dictionary object. Be aware that some programs may require components you are disabling. For example, Site Server 3.0 uses the File System Object. The following will disable the File System Object:

 

  regsvr32 scrrun.dll /u

Remove the IISADMPWD virtual directory

This directory allows you to reset Windows NT passwords, it is designed primarily for intranet scenarios. It should be removed if this feature is not required or if the server is on the Web. Refer to Q184619 for more info about this functionality.

Remove Unused Script Mappings

IIS is preconfigured to support common filename extensions such as .ASP and .SHTM. When IIS receives a request for a file of one of these types the call is handled by a DLL. If you don't use some of these extensions or functionality you should remove the mappings by open Internet Services Manager then right-clicking the Web server | Properties | Master Properties | WWW Service | Edit | HomeDirectory | Configuration and remove these references:

 

If you don't use

Remove this entry

Web-based Password Reset

.htr

Internet Database Connector (new Web sites don't use this, they use ADO from Active Server Pages)

.idc

Server-side includes

.shtm, .stm, .shtml

Disable RDS support

This is an extremely important setting

When incorrectly configured Remote Data Services can make a server vulnerable to denial of service and arbitrary code execution attacks. You should either remove the capability or restrict it's usage using ACLs. Refer to MS98-004, MS99-025 and Q184375 for more info. Two other excellent articles by rain.forest.puppy (r.f.p.) can be found at RFP9901 and RFP9902.

 

Also, check your IIS logs regularly for signs of attack, the signature to look for is something like:

 

    1999-10-24 20:38:12 - POST /msadc/msadcs.dll ...

 

You can automate the searching process by using commend:

 

    find /i "msadcs" logfile.log

Check <FORM> input in your ASP code

Many sites use input from a user to call other code or build SQL statements directly. In other words they are treating the input as valid, well formed, non-malicious input. This should not be so, there are a number of attacks, most notably on Unix where user input was treated incorrectly as valid input and the user gained access to the server or caused damage. You should always check all user <FORM> input before passing it onto another process or method call which may use an external resource such as the file system or a database.

 

Checking the text can be performed with the new JScript and VBScript regular expression capabilities. The following example code will strip a string of all invalid characters (not 0-9a-zA-Z and _):

 

  Set reg = New RegExp

  reg.Pattern = "\W+" ' One or more characters which are NOT 0-9a-zA-Z or '_'

  strUnTainted = reg.Replace(strTainted, "")

 

The following sample will strip all text after a '|' operator:

 

  Set reg = New RegExp

  reg.Pattern = "^(.+)\|(.+)" ' Any character from the start of the string to a '|'

  strUnTainted = reg.Replace(strTainted,"$1")

 

Also, be careful you are using the opening or creating files using Scripting File System Object, where the filename is based on user's input, the user may attempt to open a serial port or printer. The following JScript code will strip out invalid filenames:

 

  var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i,"");

 

The new pattern syntax is the same as that in Perl 5.0. Refer to the v5 scripting engine documentation at http://www.microsoft.com/jscript for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.

Disable Parent Paths

Parent Paths allows you to use '..' in calls to MapPath and the like. By default this option is enabled and should be disabled. To disable this option go to the root of the Web site in question, right click select Properties | Home Directory | Configuration | App Options and uncheck Enable Parent Paths.

Disable calling the command shell with #exec

The command can be used to call arbitrary commands at the Web server from within an HTML page. IIS disables this by default. You can double-check this by making sure the following is set to zero or is missing:

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Services\W3SVC\Parameters

Name

SSIEnableCmdDirective

Type

REG_DWORD

Value

0

Disable IP Address in Content-Location

The Content-Location header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. Refer to Q218180 for further information about disabling this option.

   


 

THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

 

(c) 1999 Microsoft Corporation. All rights reserved.