Could a Microsoft security update make major changes to the IIS configuration like this?
I've recently noticed a number of significant changes to my IIS configuration, some of which have major implications. I've dug through the daily backups and found that the change coincides with the installation of several security updates on 12 Sep 2014.
The changes are anything but minor:
- The `<handlers>` element was locked; the update unlocked it, and now any site's directory can have a web.config that adds handler mappings.
- A whole lot of default handler mappings were added and got inherited into my sites. So, where previously a site was disallowed to execute, say, an .aspx file, after this update all sites were suddenly able to execute .aspx files from any directory.
- `default.aspx` was added to the list of permitted default documents.
- Plus a few less significant ones, like adding an X-Powered-By header to every single site I run! A full diff is available.
Comparing the last modified timestamp of applicationHost.config and the update log, the update that did this is either KB2972211 or KB2894854 (both have the same installation timestamp, so I can't tell which one it is). I suspect the former, because IIS and ASP.NET are mentioned in the description.
I'm relatively new to IIS, so I have several questions about this incident:
- Is this normal for IIS-related security updates to make changes as major as these?
- Was it really KB2972211, or could it be a malicious change by someone hiding their tracks?
- Was my IIS misconfigured to start with? E.g. I have deleted the default handler mappings; was I wrong to do so and expect it to stay that way?
- Are my sites supposed to be able to take such changes to the root config without breaking / suffering security issues?
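As an added example (not from the question, the answers, or any Microsoft tool): a small Python audit that parses an applicationHost.config and flags the four drift items listed above, so the backup taken before an update can be compared with the file afterwards. The sample configuration, the `SCRIPT_PATHS` watch list and the function names are constructed for this example.

```python
# Added audit for the drift items listed above; not the poster's diff or a Microsoft tool.
import xml.etree.ElementTree as ET
# Constructed sample of a trimmed post-update applicationHost.config (not the real file).
AFTER_UPDATE = """<configuration>
  <configSections><sectionGroup name="system.webServer">
    <section name="handlers" overrideModeDefault="Deny" />
  </sectionGroup></configSections>
  <system.webServer>
    <defaultDocument><files><add value="Default.htm" /><add value="default.aspx" /></files></defaultDocument>
    <httpProtocol><customHeaders><add name="X-Powered-By" value="ASP.NET" /></customHeaders></httpProtocol>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer><handlers accessPolicy="Read, Script">
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
      <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST" />
    </handlers></system.webServer>
  </location>
</configuration>"""
# Pre-update baseline, derived from the sample: handlers still locked, no default.aspx.
BEFORE_UPDATE = (AFTER_UPDATE.replace('<add value="default.aspx" />', "")
                 .replace('overrideMode="Allow"', 'overrideMode="Deny"'))

# Hypothetical watch list: mappings that execute server-side code from any directory.
SCRIPT_PATHS = {"*.aspx", "*.asmx", "*.ashx", "*.asp", "*.php", "*.cshtml"}

def audit(xml_text):  # returns a sorted list of human-readable findings
    root = ET.fromstring(xml_text)
    findings = set()
    # 1. Is <handlers> unlocked, via the section default or a root <location overrideMode="Allow">?
    for sec in root.iter("section"):
        if sec.get("name") == "handlers" and sec.get("overrideModeDefault") == "Allow":
            findings.add("handlers unlocked: overrideModeDefault=Allow")
    for loc in root.iter("location"):
        if loc.get("overrideMode") == "Allow" and loc.find(".//handlers") is not None:
            findings.add('handlers unlocked: <location path="%s" overrideMode="Allow">' % loc.get("path", ""))
    # 2. Handler mappings that execute code, inherited by every site below this file.
    for add in root.findall(".//handlers/add"):
        if add.get("path", "").lower() in SCRIPT_PATHS:
            findings.add("script handler: %s -> %s" % (add.get("name"), add.get("path")))
    # 3. Default documents that invoke a script engine, and server-identifying headers.
    for add in root.findall(".//defaultDocument/files/add"):
        if add.get("value", "").lower().rsplit(".", 1)[-1] in {"aspx", "asp", "php"}:
            findings.add("script default document: " + add.get("value"))
    for add in root.findall(".//customHeaders/add"):
        if add.get("name", "").lower() == "x-powered-by":
            findings.add("identifying header: X-Powered-By=" + add.get("value", ""))
    return sorted(findings)

def drift(before_xml, after_xml):  # findings present now but absent from the backup
    return sorted(set(audit(after_xml)) - set(audit(before_xml)))
```

Running `drift(open(backup).read(), open(current).read())` against the daily backups answers the "what changed, and when" question without eyeballing a full XML diff.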
Do not know about those specific updates, but yes, it appears an update of .Net can modify web.config: http://www.asp.net/whitepapers/aspnet4/breaking-changes.
Something to consider: sometimes there are default settings that "roll" down a configuration tree. There may be something "higher up" that got locked down, and what you are seeing is an attempt to maintain explicitly what was previously implicit behaviour.