How to configure uploads for IIS Web applications

Article translations Article translations
Article ID: 979124 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article describes how to configure Internet Information Services (IIS) to allow more-secure file uploads through a Web application. Many Web applications such as Content Management Systems require supporting file uploads to the Web server that uses the Web application. Allowing files to be uploaded to the Web server that uses the Web application has security ramifications for the server, and you must understand all the implications for allowing this. This article guides you through securing your Web application uploads through IIS configuration. If your Web application has an automated installer, you can also incorporate the configuration in this article into your installer.

Note Some Web applications use databases to manage uploaded content. However, this article focuses on applications that use the file system.

MORE INFORMATION

Create a separate folder for your uploaded content and change the NTFS file permissions on the upload folder

By doing this, you can configure the behavior of uploaded content differently from the rest of your Web application. Grant the upload folder Read and Write permissions for the IIS worker process identity. For IIS 6.0 in Windows Server 2003, you can use the IIS_WPG user group for this. For IIS 7.0 and later, you can use the IIS_IUSRS user group.

For more information about IIS_WPG, visit the following Microsoft Web page:
Configuring Application Pool Identity in IIS 6.0
For more information about IIS_ISURS, visit the following Microsoft Web page:
Understanding the Built-In User and Group Accounts in IIS 7.0
For more information about how to help secure files with NTFS permissions, visit the following Microsoft Web page:
Securing Files with NTFS Permissions
Note In some cases, such as when impersonation is used, you would need to give Write access for the authenticated user context as well.

Disallow Script Permissions on the upload folder

Uploaded content for most Web applications are static content, such as images and documents. Uploaded content is not meant to be content that can be run, such as scripts or executable files. Therefore, it is important not to grant Script Permissions on this folder. Otherwise, users who can upload content can execute scripts in the context of your worker process identity on the server. If your Web application has logic to restrict uploads by file name extensions, you should use this restriction as a secondary measure. You should still make sure that your application’s upload directory has script permissions disabled.

To disable script permissions in IIS Manager User Interface (inetmgr) in IIS 5.x and 6.0, follow these steps:
  1. Click Start, and then click Run.
  2. Type inetmgr in the Open box, and then click OK.
  3. In the tree view in the navigation pane, select the path of the upload directory of your Web application.
  4. Right-click this path, and then click Properties.
  5. Click the Directory tab, and then select None in the Execute Permissions list.
For more information about how to how to set IIS permissions for specific objects, click the following article number to view the article in the Microsoft Knowledge Base:
324068 How to set IIS permissions for specific objects
Alternatively, you can disable script permissions by using metabase configuration in IIS 6.0 by setting AccessFlags property’s AccessScript flag to False at the upload directory level. For more information and for sample scripts that can be changed for this use, visit the following Microsoft Web page:
AccessFlags Metabase Property (IIS 6.0)
To disable script permissions in configuration for IIS 7.0 and later versions, you have to set the accessPolicy flag on the handlers section not to have the Script value.

For more information about how to do this in IIS 7.0 and later versions, visit the following Microsoft Web page:
Configure Request Restrictions for a Handler Mapping
Note Make sure that you read the Script value for the access flags.

For more information about how to set permissions, visit the following Microsoft Web page:
Securing Sites with Web Site Permissions

The Web application should restrict uploads to authenticated and authorized users only

This gives the server administrator the ability to audit uploads through the Web application. In the case a user is trying malicious activity, it gives the server administrator an easy mechanism to keep the application functional while blocking out users who are trying malicious activity. When users can upload scripts and execute them through the Web application, authentication should be required and the IIS application pool identity hosting the Web application should not be an Administrative account.

For more information about how to configure application pool identities, visit the following Microsoft Web pages:
Configuring Worker Process Identities (for IIS 6.0)
Specify and Identity for an Application Pool (for IIS 7.0 and later versions)

Follow security best practices for your Web application

It is important to follow security best practices for all parts of your Web application and not just the upload logic. For more information about best practices, visit the following Microsoft Web pages:
Securing IIS 5.0 Resource Guide
IIS 6.0 Security Best Practices
Configuring Security for IIS 7.0

Properties

Article ID: 979124 - Last Review: January 5, 2010 - Revision: 2.1
APPLIES TO
  • Microsoft Internet Information Services 7.5, when used with:
    • Windows 7 Enterprise
    • Windows 7 Home Basic
    • Windows 7 Home Premium
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Microsoft Internet Information Services 7.0, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Internet Information Services 6.0, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Internet Information Services 5.1, when used with:
    • Microsoft Windows XP Professional
  • Microsoft Internet Information Services 5.0, when used with:
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
Keywords: 
kbhowto kbexpertiseinter kbsecurity kbsecvulnerability kbsurveynew KB979124

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com