Technical: Microsoft – Internet Information Services (IIS) – Version 8 – Hardening\Securing


Still morose over the IIS web site hijack that I covered in a previous post.

BTW, the culprit ended up being a virus that pasted “http:\\” all over our web site.

Starting to take baby steps to harden IIS a bit.


Areas we will cover:

  • Web Server Extensions
  • Host Headers
  • Application Pools
  • Request Filtering – HTTP Verbs
  • Audit – NTFS
  • Program Features


Web Server Extensions

On the web server, here are the steps to review and adjust “ISAPI and CGI Restrictions”:

  • Launch IIS Manager
  • Select the Server
  • On the server level, make sure that you are viewing the “Features View”
  • Select the “ISAPI and CGI Restrictions” applet

Here is what our screen looks like:





As we are not familiar with the hcap\hcapext.dll module and are not sure what to make of it, we changed its Restriction from “Allowed” to “Not Allowed”. Before flipping an entry it is worth looking at the file itself: whether it carries an Authenticode signature, and whether its creation date lines up with the day the trouble started. In the same applet, “Edit Feature Settings…” has two boxes, “Allow unspecified CGI modules” and “Allow unspecified ISAPI modules”; both should be clear, otherwise a module that simply is not on the list is free to run anyway.
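Here is the same review done from PowerShell, as an added example that is not part of the original post. It lists the restriction table, checks the two “unspecified modules” switches, looks at an unfamiliar DLL’s signature and timestamps before its entry is flipped, and then sets the entry to Not Allowed. The WebAdministration cmdlets ship with IIS 8; the module path C:\hcap\hcapext.dll is an assumption, use the path the applet shows on your server.

```powershell
# Added example (not from the original post): review and lock down ISAPI/CGI restrictions.
# Run in an elevated PowerShell on the IIS 8 host.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/isapiCgiRestriction'

# 1. Are modules that are *not* on the list allowed to run?  Both should be False.
$section = Get-WebConfiguration -PSPath $appHost -Filter $filter
"Unlisted ISAPI modules allowed: $($section.notListedIsapisAllowed)"
"Unlisted CGI modules allowed:   $($section.notListedCgisAllowed)"

# 2. Every registered module with its current restriction state.
Get-WebConfiguration -PSPath $appHost -Filter "$filter/add" |
    Select-Object path, allowed, groupId, description |
    Format-Table -AutoSize

# 3. Provenance of a module you do not recognise: who signed it (if anyone) and
#    when it landed on disk, to compare with the date the problem started.
function Get-ModuleProvenance {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
    }
}

$suspect = 'C:\hcap\hcapext.dll'   # assumed path; take it from the applet entry
Get-ModuleProvenance -Path $suspect

# 4. Deny anything unlisted, then deny the unfamiliar module explicitly.
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name notListedIsapisAllowed -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name notListedCgisAllowed   -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Filter "$filter/add[@path='$suspect']" -Name allowed -Value $false
```

A denied entry still leaves the DLL on disk and registered; once the restriction is in place, find what installed it (the “Program Features” section below) and remove it through that route rather than deleting the file by hand.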



Host Headers

On the web server, here are the steps to review the host header bindings:

  • Launch IIS Manager
  • Select the Server
  • Access the web site
  • At the web site level, go to the “Actions” panel on the right
  • In the “Edit Site” group, click “Bindings…”
  • Review the listed bindings and make sure that each one has a specific host name; including one for localhost, if you will be browsing from the local machine




This helps shield you from fly-by-night visitors, i.e. those that are just performing IP sweeps: a request addressed to the bare IP address carries no matching Host header, so IIS answers it with a 400 “Bad Request – Invalid Hostname” instead of serving the site. Two caveats. It only works if no site on the server keeps a binding with an empty host name (the “*:80:” catch-all that “Default Web Site” ships with), and it is hygiene rather than access control: anyone who knows the host name simply sends it.
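An added example, not from the original post, that finds the bindings which still answer any host name and replaces them with named ones. The site name and the host names are assumptions.

```powershell
# Added example (not from the original post): locate catch-all bindings and replace them.
Import-Module WebAdministration

function Get-CatchAllBindings {
    # bindingInformation is "<ip>:<port>:<hostheader>".  The host name is everything after
    # the last colon (IPv6 addresses contain colons of their own).  An empty host name
    # means the site answers any Host header, including a request sent to the bare IP.
    foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -notin 'http', 'https') { continue }
            $info     = $b.bindingInformation
            $hostName = $info.Substring($info.LastIndexOf(':') + 1)
            if ($hostName -eq '') {
                [pscustomobject]@{ Site = $site.name; Protocol = $b.protocol; Binding = $info }
            }
        }
    }
}

# Anything listed here will serve a scanner that only knows your IP address.
Get-CatchAllBindings | Format-Table -AutoSize

# Replace the wildcard binding with named ones (names assumed).
$site = 'Default Web Site'
New-WebBinding -Name $site -Protocol http -Port 80 -HostHeader 'www.example.com'
New-WebBinding -Name $site -Protocol http -Port 80 -HostHeader 'localhost'   # for browsing on the box
Remove-WebBinding -Name $site -BindingInformation '*:80:'

# Confirm: the bare address should now get 400 "Bad Request - Invalid Hostname".
try   { (Invoke-WebRequest -Uri 'http://127.0.0.1/' -UseBasicParsing).StatusCode }
catch { [int]$_.Exception.Response.StatusCode }
```

Re-run Get-CatchAllBindings afterwards; it should return nothing. For HTTPS bindings the same idea needs either one certificate that covers all the names or SNI, which IIS 8 supports (“Require Server Name Indication” in the binding dialog).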



Application Pools

Review the registered Application Pools and make sure that you are using Active Directory accounts or local accounts with the most basic permission set. On IIS 8 the default identity is ApplicationPoolIdentity, a per-pool virtual account (IIS AppPool\<pool name>) with no password to manage; it is usually the right choice, and a pool that has been switched to a domain account, Local System or an administrator deserves a documented reason.

On the web server, here are the steps to review the Application Pool identities:

  • Launch IIS Manager
  • Select the Server
  • Access the “Application Pools”
  • Review each Application Pool’s service account
  • Select the Application Pool, right click on your selection, and from the drop-down menu, choose the “Advanced Settings” entry
  • In the “Advanced Settings” window, navigate to the Identity entry and note the account that you’re running under




Please review the Application Pool user account on your Web Server, in Active Directory, on the Database, etc. In particular, the pool identity should be able to read the site’s content but not write it; if it holds Modify on the web root, anything that runs inside the worker process can rewrite the pages.

And, later, be able to audit the account in terms of its activities.
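Added example, not from the original post: an inventory of each pool’s identity, the switch of a pool to its per-pool virtual account, a look at who currently has write access under the web root, and a read-only grant for the pool identity. The pool name and content path are assumptions.

```powershell
# Added example (not from the original post): pool identities and least privilege on content.
Import-Module WebAdministration

# 1. Which identity does each pool run as?
Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        Pool         = $_.name
        IdentityType = $_.processModel.identityType   # ApplicationPoolIdentity, NetworkService, LocalSystem, SpecificUser
        UserName     = $_.processModel.userName       # only populated for SpecificUser
        State        = $_.state
    }
} | Format-Table -AutoSize

# 2. Move a pool back to its virtual account (no password, no domain rights).
$pool = 'DefaultAppPool'   # assumed
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# 3. Who can write under the web root?  Anything beyond administrators is suspect.
function Get-WritersOn {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'   # generic rights show as numbers; review those by hand
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$siteRoot = 'C:\inetpub\wwwroot'   # assumed
Get-WritersOn -Path $siteRoot | Format-Table -AutoSize

# 4. The pool identity gets Read & Execute on the content, nothing more.
#    /grant:r replaces any explicit rights it already had; /T applies down the tree.
$identity = "IIS AppPool\$pool"
icacls $siteRoot /grant:r "${identity}:(OI)(CI)RX" /T

# If the application genuinely needs to write somewhere (uploads, App_Data), grant it there only:
# icacls "$siteRoot\App_Data" /grant "${identity}:(OI)(CI)M"
```

Re-run Get-WritersOn after the grant; the pool identity should appear with ReadAndExecute only, and “Users” or “Everyone” should not appear with Modify at all.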


Application – Request Filtering – HTTP Verbs

As mentioned above, we are quite concerned that some of our web site files are getting overwritten.

To address this, we will enable “Request Filtering” and only allow the following verbs: GET and POST.

To do so, we will slightly modify the Application’s web.config file.

Here is the snippet that filters out unlisted verbs (allowUnlisted="false" is what does the filtering) and then adds the two verbs that we want to allow, GET and POST. It sits at system.webServer/security/requestFiltering in web.config:

		 <verbs allowUnlisted="false">
		   <add verb="GET" allowed="true" />
		   <add verb="POST" allowed="true" />
		 </verbs>

A caveat before relying on this: request filtering only governs what HTTP clients may send. If the files are being rewritten by a process running on the server itself (the virus mentioned at the top of the post), web.config has no say in it; the NTFS audit below is what will show that. Also check that nothing on the site needs HEAD (common for monitoring probes), OPTIONS, PUT or DELETE before denying them.


To view the settings:

  • Launch IIS Manager
  • Access the web site
  • Ensure that the “Features View” is active
  • Within the “IIS” sub-section, choose “Request Filtering”
  • In the “Request Filtering” window, select “HTTP Verbs” tab
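The same change and a check of its effect, as an added example that is not part of the original post. It writes the settings shown above through the WebAdministration provider (which edits the site’s web.config for you), reads them back, and then sends a GET and an OPTIONS to confirm the latter is refused. The site name and URL are assumptions.

```powershell
# Added example (not from the original post): verb filtering, written and then verified.
Import-Module WebAdministration

$site  = 'IIS:\Sites\Default Web Site'                       # assumed site name
$verbs = 'system.webServer/security/requestFiltering/verbs'

# Deny every verb that is not explicitly listed.
Set-WebConfigurationProperty -PSPath $site -Filter $verbs -Name allowUnlisted -Value $false

# Admit only the verbs the application actually uses (add 'HEAD' here if a monitor needs it).
$listed = @(Get-WebConfiguration -PSPath $site -Filter "$verbs/add" | ForEach-Object { $_.verb })
foreach ($v in 'GET', 'POST') {
    if ($listed -notcontains $v) {
        Add-WebConfigurationProperty -PSPath $site -Filter $verbs -Name '.' -Value @{ verb = $v; allowed = $true }
    }
}

# Read back what the site now enforces.
"allowUnlisted = $((Get-WebConfigurationProperty -PSPath $site -Filter $verbs -Name allowUnlisted).Value)"
Get-WebConfiguration -PSPath $site -Filter "$verbs/add" | Select-Object verb, allowed

# Check from the client side.  A filtered verb is answered with 404 (sub-status 404.6, "Verb denied").
function Test-Verb {
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][string]$Method)
    try {
        return [int](Invoke-WebRequest -Uri $Url -Method $Method -UseBasicParsing).StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

Test-Verb -Url 'http://localhost/' -Method Get       # 200 once GET is listed
Test-Verb -Url 'http://localhost/' -Method Options   # 404 once allowUnlisted is false
```

The 404.6 sub-status is visible in the IIS log (the sc-substatus field) and in the detailed error page when browsing locally, which is the quickest way to tell a filtered verb from a genuinely missing page.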

  Request Filtering:





Audit – NTFS

Our primary hope at this time is to be better prepared to audit the NTFS changes that are shamefully causing our website contents to be overwritten.

Thankfully, Microsoft has built NTFS to be readily auditable.


There are two steps. The first is to select the object we would like to audit and specify which actions we would like to audit (the SACL on the folder). The second is to turn on object access auditing in the security policy; without it the SACL is recorded but produces no events.

Steps – Specify actions to audit

  • Launch Windows Explorer
  • Access Folder that contains web site folders & files
  • Right click on your selection, and from the drop-down menu, choose “Properties” entry
  • In the “Properties” window, access the security tab, and click on the “Advanced” button
  • In the “Advanced Security Settings” window, access the “Auditing” tab window
  • Review the accounts that are currently being audited
  • In our case, we will be adding “Domain Users” to our list (note that Domain Users does not cover local accounts, the built-in service accounts or the IIS AppPool\… virtual accounts; if the writer might be one of those, audit “Everyone” instead)
  • And, as we are not interested in execute or read activities, but in changes to the actual files, please click on the “Show advanced permissions” button

Here are entries that we selected:



And, here is the completed list:




Steps – Enable object access auditing

  • Launch Administrative Tools \ Local Security Policy
  • In the left panel, access Security Settings \ Local Policies \ Audit Policy
  • In the right panel, select “Audit object access” and double-click on your selection
  • In the “Audit object access Properties” window, select “Success” and “Failure”. In many cases it is OK to just audit failures, that is, you want to know who is trying to gain access and failing. But, as I said, in our case, whoever is trying to gain access is succeeding
  • Click “OK” to apply your changes






Please pay close attention to the “Security Setting” column, as in many shops changes cannot be made locally because “Group Policy” settings override them; if that is the case, the same setting has to be changed in the GPO that applies to the server.
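Both steps, plus the part the post leaves for later (reading the audit trail), as an added example that is not part of the original post. It adds the SACL to the content folder for Everyone rather than Domain Users so that local and service accounts are covered, enables the “File System” audit subcategory with auditpol (narrower than the whole “Audit object access” policy, so the Security log is not flooded with registry and kernel-object events), and then parses event 4663 to show which account and process wrote to which file. The content path is an assumption.

```powershell
# Added example (not from the original post): SACL + audit policy + reading the 4663 events.
# Run elevated; setting a SACL needs the Manage auditing and security log privilege.
$siteRoot = 'C:\inetpub\wwwroot'   # assumed

# 1. SACL on the folder: successful *and* failed writes, deletes and permission changes, by anyone.
$acl    = Get-Acl -Path $siteRoot -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $siteRoot -AclObject $acl

# 2. Policy: the SACL does nothing until object access auditing is on for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"   # confirm; if Group Policy overrides it, the value will not stick

# 3. Who touched what.  Event 4663 = "An attempt was made to access an object".
function Get-FileWriteEvents {
    param(
        [string]$PathPrefix = $siteRoot,
        [datetime]$Since    = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName          # the binary that held the handle: w3wp.exe, explorer.exe, something else?
                Object  = $data.ObjectName
                Access  = $data.AccessMask           # 0x2 = WriteData/AddFile, 0x10000 = DELETE, 0x40000 = WRITE_DAC
            }
        } |
        Where-Object { $_.Object -like "$PathPrefix*" }
}

Get-FileWriteEvents | Sort-Object Time | Format-Table -AutoSize
```

The Process column is the one to watch. If the writer is w3wp.exe under an IIS AppPool identity, the site itself is being driven to rewrite its content and the request logs for that moment are the next stop; if it is a binary you do not recognise running as SYSTEM or a logged-on user, the problem is on the box, not in the web application.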




Program Features

Review Programs and Features and see whether new applications have been installed. In our case, we wanted to find the source of hcapext.dll.

Especially, as we have a file creation date.



Good on Microsoft for augmenting “Add\Remove Programs” with a sortable “Installed On” column. This way, we can correlate our initial problem date with application install dates.



Who gets picked on? The security breach might very well be random in nature. I know we sometimes feel picked on. But, on the world wide web, there are no strangers and little anonymity. We are all just IP friends and neighbors.

It seems the virus or worm is targeting familiar folders; folders with names such as CascadingSyleSheets, Confide, DynamicData, and Northwind.

And, files with names such as default.asp and index.php.

Pasted below is a screenshot that shows infected folders and files.



The infected folders are:

  • App_Data
  • bin
  • Content
  • Controllers
  • Models
  • obj
  • Properties
  • Scripts
  • Views

And, the files are:

  • default.asp
  • index.php

The infection occurred on 4/7/2014 and the folders and files bear that DateModified timestamp. Please keep in mind that even when we replace infected files with good ones, they are getting re-infected and the DateModified shows the more recent dates. That re-infection is itself a clue: something resident on the server, or holding a working credential to it, keeps writing, which is exactly what the NTFS audit above is meant to catch, account and process included.
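An added example, not from the original post, that does the correlation described in the last two sections from PowerShell: programs installed around the infection date, where hcapext.dll sits on disk, which files under the site root have been rewritten since 4/7/2014, and which of them contain the “http:\\” string the virus pastes in. The content path is an assumption; the date, the DLL name and the indicator string come from the post.

```powershell
# Added example (not from the original post): correlate installs, file changes and the injected string.
$since    = Get-Date '2014-04-07'    # date from the post
$siteRoot = 'C:\inetpub\wwwroot'     # assumed

# 1. Installed programs, from both the 64-bit and the 32-bit uninstall keys.
#    InstallDate is stored as yyyyMMdd text and is blank for some installers.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            Installed = $installed
            Name      = $_.DisplayName
            Publisher = $_.Publisher
            Source    = $_.InstallSource
        }
    } |
    Where-Object { $_.Installed -ge $since.AddDays(-7) } |   # the week leading up to the incident and after
    Sort-Object Installed -Descending | Format-Table -AutoSize

# 2. Where is the DLL, and when did it arrive?
Get-ChildItem -Path 'C:\' -Recurse -Filter 'hcapext.dll' -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime

# 3. Content rewritten on or after the infection date.
function Get-ChangedFiles {
    param([string]$Root = $siteRoot, [datetime]$After = $since)
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.LastWriteTime -ge $After } |
        Select-Object LastWriteTime, FullName |
        Sort-Object LastWriteTime
}
Get-ChangedFiles | Format-Table -AutoSize

# 4. Files that actually contain the indicator.  -SimpleMatch so the backslashes are literal.
function Find-InjectedString {
    param([string]$Root = $siteRoot, [string]$Indicator = 'http:\\')
    Get-ChildItem -Path $Root -Recurse -File -Include *.asp, *.aspx, *.php, *.html, *.htm, *.js |
        Select-String -Pattern $Indicator -SimpleMatch |
        Select-Object Path, LineNumber, Line
}
Find-InjectedString | Format-Table -AutoSize
```

Step 3 and step 4 should agree; a file with a recent LastWriteTime that step 4 does not flag has been changed in some other way and deserves a manual look.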





