ASP-Related Security Changes

  • Article

Applies To: Windows Server 2003, Windows Server 2003 with SP1

There are several important changes to the way IIS interacts with ASP that improve security and reduce the attack surface of IIS.

ASP and ASP.NET Are Disabled by Default

In IIS 6.0, ASP and ASP.NET are disabled by default. If you want to serve ASP or ASP.NET content from IIS 6.0, you must first enable ASP or ASP.NET in the Web Service Extensions node.

Note

If your content requires ISAPI, CGI, WebDAV, or other extensions, you must enable those extensions as well.

For more information about enabling ASP or ASP.NET, see Enabling ASP Pages in IIS 6.0 and Enabling ASP.NET.

Parent Paths Are Disabled by Default

When parent paths are enabled, ASP pages allow you to include files with paths that are relative to the current directory (using the ..\ notation). This constitutes a potential security risk because a server-side include (SSI) path can provide access to critical or confidential files that are outside the root directory of the application. When parent paths are enabled, a Web server is more susceptible to traversal attacks, which allow a malicious user to execute commands or view data that is outside the intended target path.

In IIS 6.0, because parent paths are disabled by default, an existing application that has a Web page that contains the #include SSI directive and uses ..\ notation to refer to a parent directory will not work unless you enable parent paths. The parent paths correspond to the AspEnableParentPaths metabase property. For more information about enabling parent paths, see Configuring ASP Applications. For more information about SSI directives, see Using Server-Side Include Directives.

Global.asa Events Are Run As Anonymous User

In earlier versions of IIS, ASP executes events in the security context (or user identity) of the host process because during ASP-executed events there is no user context. Global.asa executes events in earlier versions of IIS as follows:

  • Application_OnStart Impersonated user

  • Application_OnEnd Host identity

  • Session_OnStart Impersonated user

  • Session_OnEnd Host identity

In IIS 6.0, ASP executes the Global.asa events Application_OnEnd and Session_OnEnd anonymously by default. This change prevents user code from running as the base identity of the worker process. For example, if Application_OnEnd and Session_OnEnd run under the host identity context, and an Internet service provider (ISP) allows users to upload Global.asa files, a malicious user might be able to use the FileSystemObject to access files that are otherwise inaccessible in the anonymous context.

If you want to change this default setting, use the AspRunOnEndAnonymously metabase property. For more information about this setting, see the AspRunOnEndAnonymously Metabase Property.