ASP-Related Security Changes
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
There are several important changes to the way IIS interacts with ASP that improve security and reduce the attack surface of IIS.
ASP and ASP.NET Are Disabled by Default
In IIS 6.0, ASP and ASP.NET are disabled by default. If you want to serve ASP or ASP.NET content from IIS 6.0, you must first enable ASP or ASP.NET in the Web Service Extensions node.
|If your content requires ISAPI, CGI, WebDAV, or other extensions, you must enable those extensions as well.|
Parent Paths Are Disabled by Default
When parent paths are enabled, ASP pages allow you to include files with paths that are relative to the current directory (using the ..\ notation). This constitutes a potential security risk because a server-side include (SSI) path can provide access to critical or confidential files that are outside the root directory of the application. When parent paths are enabled, a Web server is more susceptible to traversal attacks, which allow a malicious user to execute commands or view data that is outside the intended target path.
In IIS 6.0, because parent paths are disabled by default, an existing application that has a Web page that contains the #include SSI directive and uses ..\ notation to refer to a parent directory will not work unless you enable parent paths. The parent paths correspond to the AspEnableParentPaths metabase property. For more information about enabling parent paths, see Configuring ASP Applications. For more information about SSI directives, see Using Server-Side Include Directives.
Global.asa Events Are Run As Anonymous User
In earlier versions of IIS, ASP executes events in the security context (or user identity) of the host process because during ASP-executed events there is no user context. Global.asa executes events in earlier versions of IIS as follows:
Application_OnStart Impersonated user
Application_OnEnd Host identity
Session_OnStart Impersonated user
Session_OnEnd Host identity
In IIS 6.0, ASP executes the Global.asa events Application_OnEnd and Session_OnEnd anonymously by default. This change prevents user code from running as the base identity of the worker process. For example, if Application_OnEnd and Session_OnEnd run under the host identity context, and an Internet service provider (ISP) allows users to upload Global.asa files, a malicious user might be able to use the FileSystemObject to access files that are otherwise inaccessible in the anonymous context.
If you want to change this default setting, use the AspRunOnEndAnonymously metabase property. For more information about this setting, see the AspRunOnEndAnonymously Metabase Property.