Microsoft KB Archive/280383

= IIS Security Recommendations When You Use a UNC Share and Username and Password Credentials =

Article ID: 280383

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q280383



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
There are instances when you can use Internet Information Server (IIS) as a portal to another device on the network that contains available storage. You can do this in the IIS Microsoft Management Console (MMC) snap-in by choosing the A share located on another computer option on the Web Site or Virtual Directory tab.

IIS can detect when the path is local or remote even when network mappings make the drive appear local. Therefore, for access to be granted, IIS must obtain credentials with permissions to the remote share. These credentials (the user ID and password) are encrypted and stored in the IIS metabase, but are available through an Application Programming Interface (API). If normal security practices are not followed, this can potentially pose a risk to secure operation of the server.

Server administrators should never allow untrusted code to run on the server. The potential damage that can result from allowing an untrusted user to run code on the server goes far beyond this specific incident.



MORE INFORMATION
Microsoft recommends that customers consult the following Knowledge Base articles for information on how to set the appropriate permissions for Web users:

155253 Improper NTFS Permissions May Result in IIS Failure

187506 List of NTFS Permissions Required for IIS Site to Work

216705 How to Set Permissions on a FrontPage Web on IIS

Even when proper permissions are set, Microsoft recommends that, in keeping with normal security recommendations, the user account that is used to access the share should have the fewest privileges possible. Specifically, Microsoft recommends that the account have the same permissions as the IUSR_Machinename account (Read and Execute). By following this recommendation, you ensure that even if a malicious user is able to run code on the server and gain the credentials used to access UNC shares, they cannot gain additional privileges by doing so.

For any Web site or virtual directory with a share, Microsoft recommends that you carefully plan permissions and do not use any accounts with administrative-level permissions.

If good security guidelines are followed, then this should not pose a security risk. However, there is a possibility that this information can be extracted from the metabase if the wrong security permissions are placed on the IIS server.

The information in this article was tested with Active Server Pages (ASP) and the GetObject method of the IIS provider. A vulnerability was discovered with the correct code method; however, the root cause of the problem is incorrect security permissions.