How does the IIS Lockdown tool handle application mappings?

xiaoxiao 2021-03-06


Q: When we use the IIS Lockdown tool on IIS 5, we disable all application mappings except .asp. The Lockdown tool does disable the other application mappings, but it does not delete them. I have read many articles and books on security, most of which hold that deleting unwanted application mappings is best practice, and that seems to make sense. But the Lockdown tool does not delete the mappings; instead it maps these extensions to the 404.dll program. Why do security articles, including the "Microsoft IIS 5 Security Checklist", recommend deleting them?

A: The IIS 5 Security Checklist is indeed a good starting point, but if you want to learn more about Web security I recommend reading "Web Application Security: Threats and Countermeasures". This article is very good; it is at http://msdn.microsoft.com/library/en-us/dnnetsec/html/threatcounter.asp.

However, you raise a very good question about the IIS Lockdown tool, which I have long recommended using on IIS 5 servers. Lockdown does exactly what you describe with the application mappings (see below):

You can see that any request for a .htr or .idc file runs 404.dll, and that program simply returns a plain "file not found" response to the user, with no further information. So why map these extensions to 404.dll rather than simply deleting them? Suppose you have a number of files using the older .ida, .idq and .htw extensions to run Index Server queries and display the results. After a little study you wisely decide to provide the same function with ASP, which is more efficient and safer. After writing the code, you review the application mappings and delete the .ida, .idq and .htw entries, because you no longer need them. As a result, if any of those files remain on the server, IIS will send them to users as plain text. This may expose server information you do not want to disclose. Of course you should delete these files from the server, but mapping the extensions to 404.dll reduces the risk, because you may have missed a file, or a developer may upload the old content to the server again.

Note that you should check the application mappings regularly to make sure that an install or uninstall process has not modified them. Web applications that use their own file types will of course add the extensions they need to the application mappings. In the case of Indexing Service, merely removing it from the IIS server with "Add/Remove Windows Components" adds the original .ida, .idq and .htw mappings back to the application mappings, and the related .dll programs (Idq.dll and Webhits.dll) remain in WinNT\System32. Therefore, if you do not plan to use Indexing Service, remove it before running the IIS Lockdown tool.
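As an added example (not code from the original page, from Microsoft, or from the IIS Lockdown tool), the script below performs the two checks the answer describes: it parses the ScriptMaps list from the IIS metabase and reports every extension that is still mapped to a real handler other than the allowed .asp (the kind of entry an installer such as Indexing Service puts back), and it lists files in the web root whose extension has no mapping at all, which IIS would send to the client as text. The sample listing and file names are constructed; the listing is shaped like the output of `cscript adsutil.vbs GET W3SVC/1/Root/ScriptMaps`, and the allow list and static-type list are assumptions to adjust for your site.

```python
"""Audit IIS 5 application mappings (the metabase ScriptMaps list) and the
files in a web root.  Added example, not from the original page; the sample
data below is constructed."""
import ntpath
import os
from dataclasses import dataclass

# Extensions that are supposed to keep a real handler.  Assumption: only
# .asp, as in the question's configuration.
ALLOWED_HANDLED = {".asp"}

# Static content types IIS is expected to serve as-is.  Assumption: a
# minimal list; extend it for your site.
STATIC_OK = {".htm", ".html", ".gif", ".jpg", ".css", ".txt"}


@dataclass(frozen=True)
class ScriptMap:
    ext: str        # e.g. ".htr"
    handler: str    # path of the ISAPI DLL or script engine
    flags: int      # 1 = script engine, 4 = check that the file exists
    verbs: tuple    # HTTP verbs the mapping accepts; empty = all verbs


def parse_scriptmaps(listing):
    """Parse ScriptMaps entries (ext,handler,flags[,VERB,...]) out of a
    listing.  Header and blank lines, which do not start with '.', are
    skipped; surrounding quotes are removed."""
    maps = []
    for raw in listing.splitlines():
        line = raw.strip().strip('"')
        if not line.startswith("."):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            continue
        flags = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
        verbs = tuple(v.upper() for v in parts[3:] if v)
        maps.append(ScriptMap(parts[0].lower(), parts[1], flags, verbs))
    return maps


def neutralized(m):
    """True when the mapping points at 404.dll, the IIS Lockdown stub."""
    return ntpath.basename(m.handler).lower() == "404.dll"


def audit_mappings(maps, allowed=ALLOWED_HANDLED):
    """Return (ext, handler) for every mapping that still reaches a real
    handler and is not on the allow list."""
    return [(m.ext, m.handler)
            for m in maps
            if m.ext not in allowed and not neutralized(m)]


def served_as_text(maps, files, static_ok=STATIC_OK):
    """Return files whose extension has no application mapping at all.
    With the mapping deleted rather than stubbed, IIS treats such a file
    as static content and sends its source to the client."""
    mapped = {m.ext for m in maps}
    out = []
    for f in files:
        ext = os.path.splitext(f)[1].lower()
        if ext and ext not in mapped and ext not in static_ok:
            out.append(f)
    return out


# Constructed sample listing: Lockdown has stubbed .htr and .idc, but
# Indexing Service has put .idq back and .printer was never touched.
SAMPLE_SCRIPTMAPS = r'''
ScriptMaps : (LIST) (5 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".htr,C:\WINNT\System32\inetsrv\404.dll,1,GET,POST"
  ".idc,C:\WINNT\System32\inetsrv\404.dll,1,GET,POST"
  ".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST"
  ".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST"
'''

# Constructed sample of files found under the web root.
SAMPLE_WEB_ROOT_FILES = ["default.asp", "logo.gif", "search.idq",
                         "old/query.ida", "legacy/report.htw"]

if __name__ == "__main__":
    maps = parse_scriptmaps(SAMPLE_SCRIPTMAPS)
    for ext, handler in audit_mappings(maps):
        print(f"live mapping: {ext} -> {handler}")
    for f in served_as_text(maps, SAMPLE_WEB_ROOT_FILES):
        print(f"unmapped, would be served as text: {f}")
```

Run it against a real listing by replacing the constructed SAMPLE_SCRIPTMAPS with the adsutil.vbs output and SAMPLE_WEB_ROOT_FILES with a directory walk of the web root. On the sample data it flags .idq and .printer as live mappings, and query.ida and report.htw as files that would be returned as text because their mappings are gone.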

Please cite the original address when reprinting: https://www.9cbs.com/read-69589.html
