Baseball may be the national pastime, but it seems as if poking holes in Internet Information Services (IIS) is the pastime of hackers around the world. Microsoft does a pretty good job of issuing patches when new vulnerabilities are discovered, but it’s tough to keep up with them all, especially older updates. To help, Microsoft has released the Internet Information Services Security Roll-up Package. In this Daily Feature, I’ll take a look at the package, showing you what’s in it and how to apply it.

Fix numerous security issues with one download
Microsoft has released dozens of hot fixes and security updates for IIS since shipping IIS 4.0 for Windows NT. Because there are so many of them, it’s easy to miss a critical fix. It’s also time-consuming to apply all the fixes on an individual basis. Microsoft decided it would be a good idea to follow the Roll-up Package philosophy it began with Windows NT and create one large package for all the IIS security fixes.

There are actually three different versions of the IIS Security Roll-up Package, one for each version of IIS Microsoft currently supports. These versions are:

  • IIS 4.0 running under Windows NT 4.0
  • IIS 5.0 running under Windows 2000
  • IIS 5.1 running under Windows XP

The package for each version contains all of the fixes released for that version by April 10, 2002. Microsoft will probably release updated versions of the package as additional IIS fixes appear.

The IIS Security Roll-up Package only applies to IIS, so to maximize security, you should also apply all of the Security Roll-up Packages for Windows NT and Windows 2000 as well as any other applicable Services Packs and hot fixes. You should also obtain and use the IIS Lockdown Tool to increase security on your IIS server. Problems addressed by the IIS Security Roll-up Package include:

  • Buffer overruns that can create a vulnerability involving Active Server Pages in IIS 4.0 and 5.0.
  • Buffer overruns caused by the way IIS 4.0, 5.0, and 5.1 process HTTP header information.
  • Buffer overruns that affect the HTR ISAPI extension in IIS 4.0 and 5.0.
  • A denial of service that can occur due to the way IIS handles error conditions from ISAPI filters.
  • A denial of service vulnerability in IIS’s FTP service that can allow a hacker to make a connection to FTP and create an error condition that disrupts service.
  • Problems with WebDAV where you can still issue PUT and DELETE requests regardless of ACLs set.
  • Problems with PDF files after running URLSCAN in which IIS will issue errors about a good PDF file being corrupt or damaged.

What the IIS Security Roll-up Package won’t do
Unfortunately, the Internet Information Services Security Roll-up Package doesn’t fix every security problem with IIS. New problems appear on a reasonably regular basis, so it’s difficult for Microsoft to produce new patches to keep up. The current version of the package doesn’t address problems that have arisen since Microsoft Security Bulletin MS02-018, which was issued in April 2002.

The package only addresses security problems that occur in IIS itself. It doesn’t address security issues relating to Windows or other Microsoft products. With the exception of a single error in Index Server relating to a severe buffer overflow condition, the package doesn’t even address issues related to software tightly integrated with IIS, such as the FrontPage Server Extensions and Index Server.

In addition, many security issues arise from poor administrative practices rather than security problems, due to breakdowns inherent in the system. Don’t expect the IIS Security Roll-up Package to save you from your own administrative mistakes.

Obtaining and installing the package
Which version of the package you need depends on the version of IIS you’re running. Microsoft has separate download pages for IIS 4.0, IIS 5.0, and IIS 5.1. You can go to the Internet Information Services Security Roll-up Package information page for the appropriate version and click the download link.

Author’s Note

For some reason, Microsoft has chosen to make each page a little different in the ways you obtain the package, but you should be able to follow the download links with little trouble. The packages aren’t very large, so they’ll download very quickly. The largest one is the package for IIS 5.0, which weighs in at about 2.5 MB. The rest are under 1 MB in size. For the purposes of this Daily Feature, I’ll assume you’re working with IIS 5.0. Other versions work essentially the same way with some filename differences.

After you’ve downloaded the package to a temporary location on your server, run the self-extracting executable to begin installation. IIS 5.0’s installation routine will ask for a temporary location to extract files to. Enter the command in the field and click OK.

After the files extract, don’t panic if a Digital Signature Not Found error screen appears. Click Yes to continue. The Package’s Setup routine will begin by checking to see what services are running on your server. If necessary, Setup will display the services running that conflict with the package. Click Continue to allow Setup to temporarily stop the affected services.

Setup will then copy the package files to your server. The amount of time it will take to complete will vary depending on the speed of your server, but it shouldn’t take very long at all. Setup displays a window that shows the progress of the file copy process.

When the files are copied, Setup will indicate that you should reboot your server. After the server reboots, you’re done! Just add the hot fixes Microsoft has released since April 2002 and you’re safe and sound.