Could a Microsoft security update make major changes to the IIS configuration like this?

asp.net windows-server-2008-r2 iis-7.5

I've recently noticed a number of significant changes to my IIS configuration, some of which have major implications. I've dug through the daily backups and found that the change coincides with the installation of several security updates on 12 Sep 2014.

The changes are anything but minor:

  1. The <handlers> element was locked; the update unlocked it and now any site's directory can have a web.config that adds handler mappings.
  2. A whole lot of default handler mappings were added, and got inherited into my sites. So, where previously a site was disallowed to execute, say, an .aspx file, after this update all sites were suddenly able to execute .aspx files from any directory.
  3. default.aspx was added to the list of permitted default documents.

plus a few less significant ones, like adding an X-Powered-By header to every single site I run! A full diff is available.

Comparing the last modified timestamp of applicationHost.config and the update log, the update that did this is either KB2972211 or KB2894854 (both have the same installation timestamp so can't tell which one it is). I suspect the former, because IIS and ASP.NET are mentioned in the description.

I'm relatively new to IIS, so I have several questions about this incident:

  1. Is this normal for IIS-related security updates to make changes as major as these?
  2. Was it really KB2972211, or could it be a malicious change by someone hiding their tracks?
  3. Was my IIS misconfigured to start with? E.g. I have deleted the default handler mappings; was I wrong to do so and expect it to stay that way?
  4. Are my sites supposed to be able to take such changes to the root config without breaking / suffering security issues?

Do not know about those specific updates but yes, it appears an update of .Net can modify web.config: http://www.asp.net/whitepapers/aspnet4/breaking-changes.

Something to consider: sometimes there are default settings that "roll" down a configuration tree. There may be something "higher up" that got locked down and what you are seeing is an attempt to maintain was previously implicit behaviour explicitly.

Related

Use mandatory profiles on the RD Session Host server
How do I enable SAML Passive Authentication in ADFS 3.0?
nginx reverse proxy not passing requests
POST of MTU + ~798 bytes gets lost
Puppet: Can't manually generate cert and issue cert request over API
Linux Authentication by Active Directory without joining to domain
What should an s3 end point look like when configuring an ALIAS record in Route53?
How to Configure A Software Update Baseline in SCCM 2012
BITS policies to limit bandwitdth usage is not taking effect
How to detect virtual machines freezes
vSphere/ESX How to log migration event to guest Windows OS
Load balancing network traffic using iptables