Windows – IIS | Block execution of files in directory

iisPHPwindowswindows-server-2012

I am dealing with user uploads via a PHP application.

I want to secure the server so no exploits are available to the user, such as uploading a php shell and executing it.

I have set it so all uploads are moved outside the webroot into a separate folder. As an extra security, I have removed all rights except "read" from the IUSR, on the specefic folder.

To take this a step further, I was told to disable script execution on the folder via IIS.

Is this necessary, given my situation and the things I have already done? If yes, how would I achieve this using IIS 8.

Thanks

Best Answer

The answer to the question "is this necessary" is that we need to examine the level of security that is required for this application and your organization.

Security best practices advocate the "Defense in Depth" approach, which means security is a layering of security controls to protect information (or other) assets.

To determine if this data needs the additional control, assess the risk - how likely is it that there is a threat that could be exploited, and what is the impact of this data / system being compromised - think of not only the confidentiality of the data, but a malicious user changing the data or bringing down the system or deleting the data. Then determine if the cost of the control exceeds the benefit of putting the control in. If it does not then implement the control, if it's more "expensive" to implement the control then accept the risk.

Denying script access on a virtual directory is a fairly trivial thing to implement, and would be a layer of defense against a malicious user who was able to elevate their permissions. It's common implement this control so that files uploaded to a directory cannot be executed - eg. to gain a remote shell. So if the "cost" is trivial and we assume gaining a remote shell would be high impact, even if it's low probability, then the answer would be to disable script execution on the folder (feel free to make up your own mind here if you disagree with this assessment).

To disable script access on the folder in IIS 8, the procedure should be the same as IIS 7, configure handler mappings in the web.config.

This link explains various options:

https://webmasters.stackexchange.com/questions/28733/prevent-iis-from-executing-scripts-in-a-specific-directory

This is likely what you want, which will preserve the static file handler:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
        </handlers>
    </system.webServer>
</configuration>

Note also the last comment on that page for required configuration:

Just to add to the posted solution for others who might be running into the same issue: None of those worked for me until I figured out that the handlers were locked at the top level. I'm not a server admin or even close to it, so that took me a little while. Until the applicationHost.config file was edited to allow overrides, including even an empty section in a lower level web.config file was enough to break everything from that level down. Works great now, though.

Best Answer

Related Solutions

PHP 5.3 on IIS gives 404 error in CGI mode

PHP + IIS Application Pool Identity Windows\Temp permissions

Related Topic