Hack 58 Hide the Metabase


Protect the metabase on your critical web servers by hiding its name and location from attackers.

Good security begins with pretty obvious things, such as renaming the default administrator account and assigning it a strong password. The same is true for the metabase, the database used by IIS to store its configuration information. In Windows 2000, the metabase file is metabase.bin and is located in the %SystemRoot%\System32\inetsrv directory. By changing both the name and location of the metabase, you can hide it from malicious hackers, making it harder for them to corrupt the configuration of your web servers.

Changing the name of the metabase first involves stopping the IIS Admin Service. This can be done either from the GUI, by using Internet Services Manager (right-click on the server node and select Restart IIS), or by typing net stop iisadmin /y at the command line. Once IIS is stopped, make a copy of metabase.bin before you proceed, just in case something goes wrong, and store this copy offline on a network share or floppy. Then, move metabase.bin to a new folder on your server, making sure the NTFS permissions on the folder include Full Control for the built-in SYSTEM identity and the built-in Administrators local group on the machine. IIS requires these permissions to load the metabase into memory and modify its contents when you change your IIS configuration, and you, as administrator, require these permissions to access the metabase later, if necessary. Rename the metabase.bin file to something different and give it a unique file extension, something like ab345mn7.pqr, for example.

Now, open Registry Editor (Start → Run → regedit) and find the HKLM\SOFTWARE\Microsoft\InetMgr\Parameters key. Add a new value to this key by right-clicking on Parameters and selecting New → String Value. Type MetadataFile for the value name and leave the data type as REG_SZ. Double-click on the value and change the value data to the full path to where ab345mn7.pqr (or whatever you've called it) is located, as shown in Figure 6-7. Be sure to include the drive letter in your path.

Figure 6-7. Hiding the name and location of the metabase

Now, start the IIS services by typing iisreset /start at the command line. Open Internet Services Manager and verify that you can modify the configuration and save changes successfully. Your metabase is now hidden from attackers, making your web server more secure.

Open Windows Explorer and find your %SystemRoot%\System32\inetsrv folder again. Surprise! There's a file named metabase.bin in this directory again. For some reason, when you delete or move this file and restart IIS services, Windows automatically creates a new metabase.bin file in the inetsrv directory. But if you click on this file, you'll see that it's only 610 bytes in size; it's not a working metabase. In fact, go ahead and delete this file (you don't have to stop the IIS Admin Services to do so) and it shouldn't appear again, even if you restart IIS again.
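
The relocation steps above can be collected into one batch file that stops if the backup or the move fails. This is an added example, not part of the original hack. The folder D:\sysdata and the share \\backupsrv\iis are assumed values, and the registry value is imported with regedit /s from a generated .reg file.

```bat
@echo off
rem Added example, not from the original text. Run as an administrator on the
rem IIS 5 server. NEWDIR and BACKUP are assumed values; change them to suit.
setlocal
set SRC=%SystemRoot%\System32\inetsrv\metabase.bin
set NEWDIR=D:\sysdata
set NEWNAME=ab345mn7.pqr
set BACKUP=\\backupsrv\iis\metabase.bin
set REGFILE=%TEMP%\metadatafile.reg
if not exist "%SRC%" goto fail

rem Stop IIS Admin and its dependents, then confirm it is no longer running.
net stop iisadmin /y
net start | find /i "IIS Admin" >nul
if not errorlevel 1 goto fail

rem Keep an offline copy before touching the live file.
copy /b /y "%SRC%" "%BACKUP%"
if errorlevel 1 goto fail

rem Move and rename in one step, then grant only SYSTEM and Administrators
rem Full Control on the folder and file (this replaces the existing ACL).
if not exist "%NEWDIR%" mkdir "%NEWDIR%"
move "%SRC%" "%NEWDIR%\%NEWNAME%"
if errorlevel 1 goto fail
echo y| cacls "%NEWDIR%" /T /G SYSTEM:F Administrators:F
rem Print the resulting ACL so it can be reviewed.
cacls "%NEWDIR%\%NEWNAME%"

rem Point IIS at the new file. Backslashes are doubled in .reg syntax.
> "%REGFILE%" echo REGEDIT4
>> "%REGFILE%" echo.
>> "%REGFILE%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters]
>> "%REGFILE%" echo "MetadataFile"="%NEWDIR:\=\\%\\%NEWNAME%"
start /wait regedit /s "%REGFILE%"
del "%REGFILE%"

iisreset /start
if errorlevel 1 goto fail
rem IIS may recreate a small stub at the old path, as described above.
if exist "%SRC%" dir "%SRC%"
echo Done. Verify in Internet Services Manager that changes can be saved.
goto :eof

:fail
echo A step failed and IIS Admin may still be stopped.
echo Check "%SRC%" and "%NEWDIR%\%NEWNAME%"; the backup copy is "%BACKUP%".
```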

The metabase is hidden now, but what about backups of the metabase? [Hack #54] showed how to back up the metabase in order to prevent making configuration errors on your IIS machine. If you've saved the configuration of your IIS machine, copies of your metabase can be found in %SystemRoot%\System32\inetsrv\MetaBack. Unfortunately, there's no way to change the location where metabase backups are stored, so the best thing to do might be to copy these backups to a network share and then delete them from the web server itself. That way, there's only one copy of the metabase on your server, one that's hidden and has a different name than metabase.bin.

What about IIS 6? Unfortunately, on Windows Server 2003, creating a HKLM\SOFTWARE\Microsoft\InetMgr\Parameters\MetadataFile Registry value has no effect, so this method doesn't work. But IIS 6 is inherently more secure than IIS 5 for a number of reasons. Because you can encrypt metabase backups to prevent them from being misused, it's probably not that important that you can't hide the metabase on that platform.