Restricting IIS from serving static content

on 30.03.2006 23:57:05 by nico

I'm trying to determine the best way to restrict access to static files in
IIS6.0. From my understanding the recommended solution is to remove the
extension from the MIME types in the IIS6.0 console. However testing has
shown that you also need to remove these from HKEY_CLASSES_ROOT as well.

To be as secure as possible I want to limit ALL static content so this would
mean removing all extensions from HKEY_CLASSES_ROOT, and I'm not sure what
detrimental effect this would have on the server.

The other solution is using the [AllowExtensions] functionality of URLScan,
but Microsoft apparently does not recommend installing URLScan on IIS6.0 as a
means of increasing security.
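The URLScan route the post mentions looks like this in practice. This is an added example, not a file from the thread, from either poster, or Microsoft's shipped default urlscan.ini; the extension list is illustrative. In a standard UrlScan 2.5 install the file is %WINDIR%\system32\inetsrv\urlscan\urlscan.ini and it is re-read when the IIS services restart.

```ini
[options]
; Switch from deny-list to allow-list mode: only extensions listed in
; [AllowExtensions] are served. Everything else (.txt, .zip, .bak, ...) is
; rejected by the filter before the static file handler sees the request,
; independently of what the MIME map contains.
UseAllowExtensions=1
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
; Illustrative allowlist matching the file types named in the question.
.aspx
.asp
.html
.htm
.jpg
.gif
.css
.js
; A bare "." entry covers requests that have no extension at all (the site
; root "/", directory URLs that resolve to a default document). Leave it out
; and those requests are rejected as well once UseAllowExtensions=1.
.
```

Rejected requests are logged by UrlScan (EnableLogging=1) rather than by IIS, so check the UrlScan log directory, not only the W3SVC log, when verifying the allowlist.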

Re: Restricting IIS from serving static content

on 31.03.2006 05:06:33 by Ken Schaefer

What do you mean by "restrict access"?

Do you want to prevent all requests for these files?
Or do you want to restrict access to certain users/clients only?

The former can be done using URLScan etc. Version 2.5 of URLScan is
supported on IIS6.0.
The latter can be done via NTFS ACLs and IIS authentication mechanisms.

Cheers
Ken


Re: Restricting IIS from serving static content

on 31.03.2006 14:58:07 by someone

Please define:
1. what actions you want to control through authorization
2. how users are authenticated such that you can apply authorization rules

"Restricting access to static files" is pretty ambiguous.

If you want to prevent the files from being served by the static file
handler, then why put it in the URL namespace?

If you only want certain users to download the files but not others, then
you must authenticate users to obtain identity such that you can place
authorization rules like NTFS ACLs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


Re: Restricting IIS from serving static content

on 31.03.2006 23:04:02 by nico

Hi,

What I would like to do is stop IIS6.0 from serving these static files
altogether. I'd like to create a whitelist of known file-types e.g. .aspx,
.asp, .html, .jpg and only have those files served and none other.

The reason for this is that while there may be no .txt or .zip files in the
web root at present, I want to avoid the possibility of someone
accidentally allowing access to backup files or other such content on the web
server.

The URLScan documentation says that "UrlScan 2.5 is not included with IIS
6.0 because IIS 6.0 has built-in features that provide security functionality
that is equal to or better than most of the features of UrlScan 2.5."

Therefore, I am wondering if there is a way to restrict IIS6.0 to serving
only a known whitelist of authorised file-types without the use of URLScan.

Thank you for your responses.


Re: Restricting IIS from serving static content

on 01.04.2006 03:32:46 by Ken Schaefer

"Nico" wrote in message
news:273AD788-868A-4425-9207-2BCE726D3BED@microsoft.com...
: Hi,
:
: Therefore, I am wondering if there is a way to restrict IIS6.0 to serving
: only a known whitelist of authorised file-types without the use of URLScan.

You would need to restrict this by using MIME types (i.e. removing those
that you don't want to allow).

Alternatively, if you want, you can use URLScan.

Cheers
Ken


Re: Restricting IIS from serving static content

on 01.04.2006 03:43:01 by nico

Thanks again for the response.

My testing has shown that removing MIME types from within the IIS
configuration is not enough, you also have to remove them from the registry
under HKEY_CLASSES_ROOT\extensions.

To be as secure as possible and disallow all static files, would you have to
remove everything in that tree? And since that tree is server-wide, not just
related to IIS, what would be the impact of removing all MIME types from that
registry tree?


Re: Restricting IIS from serving static content

on 01.04.2006 15:12:31 by someone

IIS Static File Handler MIME Types come from a merge of three locations:
1. Registry - HKCR\Extensions
2. IIS Global MIME Type - LM/MimeMap/MimeMap
3. Per-URL MIME Type - W3SVC/#/ROOT/?/MimeMap

If you do #1, on the server itself, Explorer won't be able to browse/open
files with those extensions because you would have removed their associated
extensions.

But, that is probably a valid tradeoff because if you are so security
conscious to control what is downloadable from IIS, you probably also do not
want to allow random users to login and run/copy arbitrary
programs/documents on that server.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
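The three-way merge David lists above, and the MIME-type allowlist Ken suggested earlier in the thread, can be audited and enforced from a script. The following is an added example, not code from the thread, from either poster, or from Microsoft. It assumes it runs under cscript as a local administrator on the IIS 6.0 host, that W3SVC/1 and C:\Inetpub\wwwroot are the site and web root to check, that HKCR\<ext>\"Content Type" is the registry location worth inspecting for the fallback nico observed, and that the allowlist and probe extensions are illustrative. It only reports by default; the global MimeMap is rewritten when bApply is set to True. It never touches the registry, because, as David notes, removing HKCR registrations also affects Explorer on the server.

```vbscript
' Added example, not code from the thread or from Microsoft.
' 1. Global MimeMap: keep only allowlisted extensions (rewrite if bApply = True)
' 2. MimeMap effective at the site root, where a per-URL list can override #1
' 3. Registry "Content Type" fallback for extensions that are meant to be blocked
' 4. HTTP probe: a file with a blocked extension should come back 404
Option Explicit

Const ADS_PROPERTY_UPDATE = 2
Const WEB_ROOT  = "C:\Inetpub\wwwroot"               ' assumed web root
Const PROBE_URL = "http://localhost/probe.txt"       ' assumed site / probe name

Dim aAllowed, bApply
aAllowed = Array(".aspx", ".asp", ".html", ".htm", ".jpg", ".gif", ".css", ".js")
bApply = False   ' False = report only; True = rewrite the global MimeMap

Function IsAllowed(ext)
    Dim a
    IsAllowed = False
    For Each a In aAllowed
        If LCase(a) = LCase(ext) Then IsAllowed = True
    Next
End Function

' --- 1. Global MimeMap (IIS://LocalHost/MimeMap, property MimeMap) ------------
Dim oMimeMap, aMap, aKeep(), nKeep, oEntry
Set oMimeMap = GetObject("IIS://LocalHost/MimeMap")
aMap = oMimeMap.GetEx("MimeMap")             ' array of IISMimeType objects
ReDim aKeep(UBound(aMap))
nKeep = 0
For Each oEntry In aMap
    If IsAllowed(oEntry.Extension) Then
        Set aKeep(nKeep) = oEntry
        nKeep = nKeep + 1
    Else
        WScript.Echo "global MimeMap: remove " & oEntry.Extension & " (" & oEntry.MimeType & ")"
    End If
Next
If nKeep > 0 Then ReDim Preserve aKeep(nKeep - 1) Else ReDim aKeep(-1)
If bApply Then
    oMimeMap.PutEx ADS_PROPERTY_UPDATE, "MimeMap", aKeep
    oMimeMap.SetInfo
    WScript.Echo "global MimeMap rewritten: " & nKeep & " allowlisted entries kept"
End If

' --- 2. MimeMap effective at the site root (IIS://LocalHost/W3SVC/1/ROOT) -----
' A MimeMap set on a URL node replaces the global list for that subtree, so an
' allowlist enforced only globally can be undone by a per-site entry. GetEx
' returns the inherited list when nothing is set locally, so anything reported
' here after the global rewrite was set on the node itself.
Dim oRoot, aLocal
On Error Resume Next
Set oRoot = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
aLocal = oRoot.GetEx("MimeMap")
If Err.Number = 0 Then
    For Each oEntry In aLocal
        If Not IsAllowed(oEntry.Extension) Then _
            WScript.Echo "W3SVC/1/ROOT MimeMap: " & oEntry.Extension & " is not allowlisted"
    Next
End If
Err.Clear
On Error GoTo 0

' --- 3. Registry fallback: HKCR\<ext>\"Content Type" (read-only audit) ----------
Dim oShell, aProbe, ext, sType
Set oShell = CreateObject("WScript.Shell")
aProbe = Array(".txt", ".zip", ".bak", ".log", ".xml", ".mdb")   ' illustrative
For Each ext In aProbe
    On Error Resume Next
    sType = oShell.RegRead("HKEY_CLASSES_ROOT\" & ext & "\Content Type")
    If Err.Number = 0 Then WScript.Echo "registry: " & ext & " still has Content Type " & sType
    Err.Clear
    On Error GoTo 0
Next

' --- 4. Verify over HTTP with a throw-away probe file ------------------------
Dim oFso, oFile, oHttp, sPath
Set oFso = CreateObject("Scripting.FileSystemObject")
sPath = WEB_ROOT & "\probe.txt"
Set oFile = oFso.CreateTextFile(sPath, True)
oFile.WriteLine "probe"
oFile.Close
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
On Error Resume Next
oHttp.open "GET", PROBE_URL, False
oHttp.send
If Err.Number = 0 Then
    WScript.Echo "GET " & PROBE_URL & " -> HTTP " & oHttp.status & _
                 "  (404 = blocked by MIME map policy; 200 = .txt is still mapped somewhere)"
Else
    WScript.Echo "GET " & PROBE_URL & " failed: " & Err.Description
End If
On Error GoTo 0
oFso.DeleteFile sPath
```

Run it as cscript.exe mimemap-allowlist.vbs, first with bApply = False to see what would go, then with True. IIS 6.0 answers a static request whose extension has no MIME mapping with 404 and logs substatus 3 (404.3 in the W3SVC log), which is the signal to look for; a 200 on the probe means one of the three locations in the merge still supplies a mapping for .txt. Re-run the check after any per-site MimeMap edit, since a local list silently re-enables extensions the global rewrite removed.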
