Would you like to be notified for every new articles? Please click HERE to subscribe for newsletter.

Protecting IIS 6 Behind Nginx

  • Posted on: 4 November 2017
  • By: admin

In March 2017, a fatal security hole in IIS 6 was found. Based on the news from https://www.theregister.co.uk/2017/03/31/microsoft_wont_patch_server_2003/, Microsoft has officially announced that they won't patch the security hole and recommended us to upgrate to new Windows Server immediately which has the new IIS version. But the problem is, not all people can upgrade their machines in instance. The reasons might be various such as the hardware specification need to be upgraded before updating the operating system, need more time to backup all the data in the old server, need time to make sure the application in the old server can run well in the new server, etc.

Mean while, there are still many machines uses Windows Server 2003 with IIS 6 as the webserver. If the WebDav extension is activated, the attackers can remotely inject the script to the web server by sending HTTP request with PROPFIND header. You might think turning off the WebDav extension can be an easy and simple solution, but without the WebDav extension activated the attack can still cause IIS 6 to crash. We might suddenly get the error message such as "The parameter is incorrect" when trying to open an IIS application. This is because the attacker try to exploit your IIS.

There is a mitigation solution to protect the IIS 6 from being attacked. We can use Nginx and its reverse proxy feature to protect the IIS. So, firstly we have to install Nginx in Windows Server. The instalation of Nginx in Windows is explained in http://nginx.org/en/docs/windows.html.

We will use Nginx as the main web server with port 80. The IIS itself will be running in another port such as 8080. You must protect this port to be inaccessible from the outside request. After that, use the reverse proxy feature in Nginx so the request will be forwarded to port which IIS is listening, in this case is 8080. Also remember that the problem is the PROPFIND method. We have to configure Nginx to reject the PROPFIND method. By doing that all requests with PROPFIND method will not be forwarded to IIS. Here is the snippet of Nginx configuration to run as reverse proxy.

server {
    listen  80;
    server_name  yourservername.com;
    location / {
        # This is the port where IIS is listening.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Limit HTTP method to HEAD, GET, and POST only.
        # PROPFIND method will be rejected as HTTP 405 Not Allowed.
        # More importantly, it won't be forwarded to IIS.
        limit_except HEAD GET POST {
            deny all;

In my case, after applying that solution, I can see in Nginx access log that several PROPFIND attacks are still coming but they will not hit the IIS because Nginx already refuse them. - - [18/Oct/2017:16:14:27 +0700] "PROPFIND / HTTP/1.1" 405 568 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
... - - [19/Oct/2017:10:08:37 +0700] "PROPFIND / HTTP/1.1" 405 568 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
... - - [21/Oct/2017:22:13:05 +0700] "PROPFIND / HTTP/1.1" 405 568 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
... - - [24/Oct/2017:14:52:38 +0700] "PROPFIND / HTTP/1.1" 405 568 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
... - - [26/Oct/2017:09:07:13 +0700] "PROPFIND / HTTP/1.1" 405 568 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
... - - [03/Nov/2017:00:39:48 +0700] "PROPFIND / HTTP/1.1" 405 166 "-" "-"

Please note that this solution is only a temporary solution to give us time for upgrade preparation. Upgrading to the new Windows Server is a must to ensure the security of your system.

Add new comment

Limited HTML

  • Allowed HTML tags: <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.