I am dealing with user uploads via a PHP application.
I want to secure the server so no exploits are available to the user, such as uploading a php shell and executing it.
I have set it so all uploads are moved outside the webroot into a separate folder. As an extra security, I have removed all rights except "read" from the IUSR, on the specefic folder.
To take this a step further, I was told to disable script execution on the folder via IIS.
Is this necessary, given my situation and the things I have already done? If yes, how would I achieve this using IIS 8.
Thanks
Best Answer
The answer to the question "is this necessary" is that we need to examine the level of security that is required for this application and your organization.
Security best practices advocate the "Defense in Depth" approach, which means security is a layering of security controls to protect information (or other) assets.
To determine if this data needs the additional control, assess the risk - how likely is it that there is a threat that could be exploited, and what is the impact of this data / system being compromised - think of not only the confidentiality of the data, but a malicious user changing the data or bringing down the system or deleting the data. Then determine if the cost of the control exceeds the benefit of putting the control in. If it does not then implement the control, if it's more "expensive" to implement the control then accept the risk.
Denying script access on a virtual directory is a fairly trivial thing to implement, and would be a layer of defense against a malicious user who was able to elevate their permissions. It's common implement this control so that files uploaded to a directory cannot be executed - eg. to gain a remote shell. So if the "cost" is trivial and we assume gaining a remote shell would be high impact, even if it's low probability, then the answer would be to disable script execution on the folder (feel free to make up your own mind here if you disagree with this assessment).
To disable script access on the folder in IIS 8, the procedure should be the same as IIS 7, configure handler mappings in the web.config.
This link explains various options:
https://webmasters.stackexchange.com/questions/28733/prevent-iis-from-executing-scripts-in-a-specific-directory
This is likely what you want, which will preserve the static file handler:
Note also the last comment on that page for required configuration: