LOCKDOWN!

By Support Group

Here are some steps you can take to make your environment more secure.

[Update 08/01/2013: We've created a utility that automatically runs through the steps below. You can find the utility here: EkSiteLockDown.exe -- download this file and run it on the server you'd like to secure]

Many hackers use viruses and worms to spread malicious code across the internet. In order to do this, hackers will often try to upload scripts to a web server, then try to execute those scripts on the server as a local user to run commands, gain full access and continue to infect more servers.

In these scenarios, the point of access is often a directory that already allows for uploaded content. To prevent hackers from exploiting your server, you can secure these directories to prevent execution of script files altogether. This blog post outlines exactly how to prevent execution of script files in a directory.

The steps protect the specific folders that have this configuration applied. Take note that not all folders allow for uploaded content, so you should not apply this configuration on every folder; doing so would prevent valid scripts from running and would prevent functionality from working. Also keep in mind this will still allow users to upload content, just prevent their execution -- which is exactly the desired behavior.
 
Securing Upload Directories in IIS8, IIS7.5, and IIS7
Create a web.config in all asset folders using the configuration below (images, uploadedimages, uploadedfiles, assets, privateassets, anywhere else files might be uploaded by users)

 <?xml version="1.0"?>
<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <clear />
      <add name="ek*" path="*" verb="GET,HEAD,POST" type="Ektron.ASM.EkHttpDavHandler.EkDavHttpHandlerFactory" modules="ManagedPipelineHandler" scriptProcessor="" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
      <add name="ekdav" path="*" verb="OPTIONS,PROPFIND,PUT,LOCK,UNLOCK,MOVE,COPY,GETLIB,PROPPATCH,MKCOL,DELETE,(GETSOURCE),(HEADSOURCE),(POSTSOURCE)" type="Ektron.ASM.EkHttpDavHandler.EkDavHttpHandlerFactory" modules="ManagedPipelineHandler" scriptProcessor="" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <modules>
      <clear />
    </modules>
  </system.webServer>
  <system.web>
    <httpHandlers>
      <clear />
      <add verb="*" path="*" type="Ektron.ASM.EkHttpDavHandler.EkDavHttpHandlerFactory" />
    </httpHandlers>
  </system.web>
</configuration>
 
For IIS6
Open up IIS manager and navigate to each locked down directory in the site (images, uploadedimages, uploadedfiles, assets, privateassets, and anywhere else files may be uploaded by users) 

  1. Right click on the folder and go to properties
  2. Change execute permissions from script to none
     Execute Permissions
  3. Click "Create"
    Create  
  4. Click Configuration and remove the wildcard application maps at the bottom of the popup window
    Configuration  
  5. Click OK.
  6. Click "Remove" to remove the application again
     Remove
  7. Ensure you can still access a file in that directory (a pdf or image)

 

comments powered by Disqus

What Do You Think of our New Design?

    

Have more to say? We’d love to hear it!