News Stay informed about the latest enterprise technology news and product updates.

IIS configuration error leads to increased threat, Microsoft says

A configuration error could lead to a vulnerable Microsoft IIS web server, Microsoft said after investigating reports of an IIS parsing extension flaw.

Microsoft said an Internet Information Services (IIS) parsing extension issue,which could lead to a vulnerable system, is not a flaw that can be patched, but an IIS configuration error that can be avoided by following best practices.

Microsoft IIS best practices:
IIS 6.0 security best practices: Microsoft TechNet document outlines best practices for configuring the Web server.

Microsoft updates:

Dec. - Microsoft gives Internet Explorer a major security overhaul: The final regular Microsoft update of 2009 repairs five critical vulnerabilities in IE and blocks public exploit code, which surfaced in November.

The software giant issued an update on its blog last week, giving links outlining best practices for configuring the IIS Web server. A security expert warned last week about the discovery of a parsing extension vulnerability that could be exploited to pass malicious code and ultimately gain control of the Web server. The issue was described as an error in the way IIS 6 handles semicolons in URLs.

But Microsoft's Christopher Budd explained on the company's Security Response Center blog that the issue is a IIS configuration error that could lead to a vulnerable system. The out-of-the-box, default configuration will not enable an attacker to bypass content filtering software to upload malicious code on the Microsoft Web server.

"This is not the default configuration for IIS and is contrary to all of our published best practices," Budd wrote. "Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."

Budd added that users of IIS with both "write" and "execute" privileges on the same directory should review best practices and make changes to mitigate similar threats to the Web server.

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.