Here are some steps you can take to make your environment more secure.
[Update 08/01/2013: We've created a utility that automatically runs through the steps below. You can find the utility here: EkSiteLockDown.exe -- download this file and run it on the server you'd like to secure]
Many hackers use viruses and worms to spread malicious code across the internet. In order to do this, hackers will often try to upload scripts to a web server, then try to execute those scripts on the server as a local user to run commands, gain full access and continue to infect more servers.
In these scenarios, the point of access is often a directory that already allows for uploaded content. To prevent hackers from exploiting your server, you can secure these directories to prevent execution of script files altogether. This blog post outlines exactly how to prevent execution of script files in a directory.
The steps protect the specific folders that have this configuration applied. Take note that not all folders allow for uploaded content, so you should not apply this configuration on every folder; doing so would prevent valid scripts from running and would prevent functionality from working. Also keep in mind this will still allow users to upload content, just prevent their execution -- which is exactly the desired behavior.
Securing Upload Directories in IIS8, IIS7.5, and IIS7
Create a web.config in all asset folders using the configuration below (images,
uploadedimages, uploadedfiles, assets, privateassets, anywhere else files might
be uploaded by users)
<validation validateIntegratedModeConfiguration="false" />
<add name="ek*" path="*" verb="GET,HEAD,POST" type="Ektron.ASM.EkHttpDavHandler.EkDavHttpHandlerFactory" modules="ManagedPipelineHandler" scriptProcessor="" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
<add name="ekdav" path="*" verb="OPTIONS,PROPFIND,PUT,LOCK,UNLOCK,MOVE,COPY,GETLIB,PROPPATCH,MKCOL,DELETE,(GETSOURCE),(HEADSOURCE),(POSTSOURCE)" type="Ektron.ASM.EkHttpDavHandler.EkDavHttpHandlerFactory" modules="ManagedPipelineHandler" scriptProcessor="" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
<add verb="*" path="*" type="Ektron.ASM.EkHttpDavHandler.EkDavHttpHandlerFactory" />
Open up IIS manager and navigate to each locked down directory in the site (images, uploadedimages, uploadedfiles, assets, privateassets, and anywhere else files may be uploaded by users)
- Right click on the folder and go to properties
- Change execute permissions from script to none
- Click "Create"
- Click Configuration and remove the wildcard application maps at the bottom of the popup window
- Click OK.
- Click "Remove" to remove the application again
- Ensure you can still access a file in that directory (a pdf or image)
comments powered by