IIS Web Server Hardening

Transcription

1 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:183 Appendix C IIS Web Server Hardening Solutions in this chapter: Understanding Common Vulnerabilities with Microsoft IIS Web Server Patching and Securing the OS Hardening the IIS Application Monitoring the Web Server for Secure Operation A:183

2 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:184 A:184 Appendix C IIS Web Server Hardening Introduction As security professionals, we understand that every operating system, application, and service has potential security vulnerabilities.throughout this book, we have examined many ways to minimize security risk through proper design, secure configuration, and intelligent monitoring. We have learned that blocking services to people who would do our systems harm is a good first step in preventing security incidents.yet to provide business functionality and information to our customers, there must be exposed services and applications. Web servers are most often the systems chosen to convey our information. For that reason, we have included two appendixes to review the methods by which we can secure the most prevalent Web server applications used today: Microsoft IIS and Apache Web Server. In this and the following appendix, we discuss some of the common vulnerabilities of these applications, the steps you ll use to secure the Web servers, and the way you can monitor your successful secure implementation. This appendix is written specifically for Windows 2003 Server and IIS 6.0. TIP After finishing the recommended steps in this appendix, be sure to make a full backup of the server before placing it into the production environment. Should you have trouble in the future, you can always rely on a secure baseline backup for quick reinstallation of the Web server. Understanding Common Vulnerabilities Within Microsoft IIS Web Server As with all software, there are four general types of vulnerability associated with Microsoft IIS Web Server. These types include the following: Poor application configuration Unsecured Web-based code Inherent IIS security flaws Foundational Microsoft OS vulnerabilities We ll investigate these four types in detail in the remaining sections of this appendix.

3 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:185 Poor Application Configuration The easiest to prevent yet most frequent vulnerabilities are those stemming from poor configuration of the application itself. Many default settings within the IIS server require modification for secure operation, as we ll discuss in subsequent sections of this appendix. Furthermore, because many configuration options exist within the IIS server, it can be easy to make configuration errors that expose the application to attack. Unsecured Web-Based Code The second manner in which vulnerabilities are exposed is via poorly implemented code on the IIS server. Often Web developers are far more concerned with business functionality than the security of their code. For instance, poorly written dynamic Web pages can be easy DoS targets for attackers, should coded limitations be absent from back-end database queries. Simply publishing confidential or potentially harmful information without authentication can provide enemies with ammunition for attack. For these reasons, you must review and understand not only the IIS application but the information and functionality being delivered via the system. Inherent IIS Security Flaws A third pathway for vulnerability is within the application code itself. Occasionally, IIS security flaws are discovered and announced by Microsoft or by various security groups. Fortunately, Microsoft is relatively quick to respond and distribute patches in response to such events. For this reason, it is critical that you remain vigilant in your attention to security newsgroups and to Microsoft s security advisory site at Foundational Microsoft OS Vulnerabilities Another source of vulnerability within Microsoft s IIS Web Server occurs as a result of foundational security flaws in the Microsoft operating system. Because the Microsoft OS and applications are tightly integrated, security problems in the OS can be used to exploit applications such as IIS.This brings us to our next section, in which we discuss the merits of patching and securing the Microsoft OS. Patching and Securing the OS IIS Web Server Hardening Appendix C A:185 As we discussed in the previous section and in Chapter 2, code deficiencies could exist in the Microsoft OS that can lead to OS and application vulnerabilities. It is therefore imperative that you fully patch newly deployed Microsoft OSs and remain current with all released functional and security patches. At regular intervals, thoroughly review the published vulnerabilities at and monitor security newsgroups

4 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:186 A:186 Appendix C IIS Web Server Hardening for 0-day exploits. It might be a good idea to subscribe to security-related updates at Patching the Microsoft Operating System Microsoft provides a full suite of tools designed to help you remain current of its released software updates at One such tool that Microsoft provides is the Microsoft Baseline Security Analyzer (MBSA), which can automate the retrieval and installation of patches.the software and additional information about MBSA are available at As the security administrator, you should reserve predetermined time periods for maintenance windows during episodes of low customer activity. However, the discovery of serious OS vulnerabilities may necessitate emergency downtime while patches are applied. Configuring a Secure Operating System You should complete several tasks immediately after a new installation of the Windows OS, because several vulnerabilities related to default configuration exist in the OS. First, we ll ensure that the user accounts on the new server are configured properly.the tasks associated with account security are as follows: Delete or disable all unnecessary accounts. Windows 2003 automatically disables the Guest account, but other accounts for applications, users, or remote support could exist and should be removed.this includes the IUSR_MACHINE and/or ASP.NET accounts if they are not necessary. Reconfigure the Administrator account. Alter the Administrator account name from the default to provide extra security during brute-force password attacks. Configure a strong password for this account using: At least eight alphanumeric (digits, punctuation, and letters) characters Upper- and lowercase Words and terms not found in a dictionary Enable account lockout for administrative logins. Use the passprop command-line tool available in the Windows 2000 Server Resource Kit to automatically lock the Administrative account after a specified number of login failures. Enforce strong password and login policies. Like the administrative account, required user accounts on the server should adhere to good policy. Using the Local (or Domain) Security Policy manager, configure the NSA-recommended policies shown in Table C.1. Configure appropriate audit policies. Without proper auditing configurations, you ll have little in your logs to help diagnose potential security problems.

5 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:187 IIS Web Server Hardening Appendix C A:187 Several auditing policies should be configured so that critical events are captured for later use.table A2 lists some NSA-recommended settings to be configured via the Local (or Domain) Security Policy manager. Define logging parameters. Configure Windows logging parameters to properly capture event data for a long period of time. So that you don t lose important forensic data, set the maximum log size to a high value as your disk space permits. Configure appropriates file system attributes. The IIS server should have NTFS file systems so that you can adequately secure your content.the Everyone group should have restricted access to content and server binaries. Configure access to directories and files for only those user and group accounts that require it. Disable remote registry access. In Windows Server 2003, members of the Administrators and Backup operators groups have access to the registry, but you might want to consider restricting all remote access.to change the default settings, use regedit.exe and navigate to HKLM\SYSTEM\CurrentControlSet\ Control\SecurePipeServers\winreg. From there, choose Permissions from the Security menu and modify the registry settings. Table C.1 NSA-Recommended Password and Login Policies Policy Attribute Recommended Configuration Enforce password history 24 Maximum password age 42 days Minimum password age 2 Minimum password length 8 Password must meet complexity requirements Enabled Store passwords using reversible encryption Disabled Interactive Logon: Do not display last Enabled user name Table C.2 NSA-Recommended Settings for Audit Policies Audit Attribute Audit account logon events Audit account management Audit directory service access Audit logon events Recommended Configuration Success, Failure Success, Failure Success, Failure Success, Failure Continued

6 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:188 A:188 Appendix C IIS Web Server Hardening Table C.2 continued NSA-Recommended Settings for Audit Policies Audit Attribute Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events Recommended Configuration Success, Failure Success Failure No auditing Success Configuring Windows Firewall Once you have patched the OS and implemented good policies, you ll need to install antivirus software and implement host-based firewall services using third-party tools or Microsoft s imbedded firewall capabilities.to install antivirus software properly, refer to your selected antivirus vendor s installation documentation. Follow these steps to successfully implement Microsoft Firewall on your Windows 2003 IIS server: 1. From the Control Panel, select Windows Firewall.The Windows Firewall window appears, as shown in Figure C.1. Figure C.1 The Windows Firewall Window 2. Click the On radio button to turn the Windows Firewall services on. 3. Click to uncheck the box beside Don t allow exceptions, to allow access to your server.

7 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A: Select the Exceptions tab and click Add a Port to modify the TCP ports permitted to your server.the Add a Port window appears, as shown in Figure C.2. Figure C.2 The Add a Port Window IIS Web Server Hardening Appendix C A: Use the radio buttons to select TCP or UDP. 6. Use the Name and Port number fields to permit only the necessary services to your server.table C.3 shows a recommended configuration. Table C.3 Recommended Configuration Name: TCP Port HTTP 80 HTTPS 443 NOTE Other services could be required to properly run and/or manage your IIS Web site. For instance, you might need to enable DNS, SNMP, or Remote Management protocols in your Windows Firewall configurations for full system functionality.

8 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:190 A:190 Appendix C IIS Web Server Hardening 7. Click OK to apply the filters. 8. Continue to click OK until you exit the Windows Firewall window. Now that we ve fully patched the OS and configured Windows Firewall, let s continue and disable vulnerable OS services. Disabling Vulnerable Services The default Microsoft OS and IIS server are installed with several services you should disable because they pose potential vulnerabilities. Let s examine the OS first, since many of the IIS services vulnerabilities are solved with the IISLockdown tool, which we ll examine in the next section. One of the first steps you should take is to identify unnecessary protocols and services within the IP stack on the server. For instance, does your server need Client for Microsoft Windows or File and Print Sharing for Windows? If not, these services should be uninstalled from the OS.The two services associated with Client and File and Print Sharing for Windows are NetBIOS and SMB.To disable NetBIOS over TCP/IP, use the following procedure: 1. From the desktop, right-click My Computer and select Manage. 2. Select Device Manager from System Tools. 3. Right-click Device Manager and click Show hidden devices from the View submenu. 4. Right-click NetBios over Tcpip and click Disable from the Plug and Play Drivers menu. To disable SMB, use the following procedure: 1. Right-click My Network Places and select Properties. 2. Right-click Local Area Connection and select Properties. 3. Click Client for Microsoft Networks and click Uninstall. 4. Click File and Printer Sharing for Microsoft Networks and click Uninstall. 5. Click OK to exit the Local Area Connection box. WARNING Use caution when disabling services. Before doing so, determine the dependencies of your system software and the underlying Microsoft services. Failure to understand what services you require to operate could result in loss of critical functionality. It might be prudent to test your configuration in a lab environment before disabling services on a production server.

9 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:191 IIS Web Server Hardening Appendix C A:191 Next, consider the services than run within the Microsoft OS itself. On a Web server, you might not need to run some of the following services that are enabled by default: Browser Alerter Messenger Netlogon (required only for domain controllers) Spooler Simple TCP/IP Services Should you determine that these services are not necessary, disable them using the Services MMC snap-in available in the Administrative Tools programs group. In Windows Server 2003, the Telnet service is disabled by default. However, you should verify that this service is truly disabled, since it is often enabled by administrators. Often, SNMP is used to monitor the performance and availability of IIS servers. Although this is good operations management practice, you must ensure that SNMP is configured in a secure manner. Check that the SNMP RO and RW strings are not set to Public and Private, respectively. Also, you might want to restrict SNMP access to the server using TCP/IP filtering on UDP ports 161 and 162. Finally, verify that unnecessary third-party software, such as chat programs, peer-to-peer file sharing programs, or client software, is not loaded on the server.this will reduce security risks while ensuring that your server does not waste cycles on needless programs. Hardening the IIS Application Microsoft has made significant improvements in the default security configuration of the IIS 6.0 Web Server. In previous versions such as IIS 5.0, administrators were required to make many configuration changes or risk exposure to security threats. Even with the advent of better initial security in version 6.0, you must take several steps to securely deploy your IIS server.this appendix deals exclusively with IIS 6.0, but you should be aware of two useful tools in the event that you maintain previous versions of IIS. Microsoft makes IISLockdown and URLScan tools available to automate the process of securing your Web server. Both tools functionalities are included in the 6.0 release of IIS but should be used against all 5.0 or earlier IIS versions. Using secure templates based on the type of role you intend for your Web server, IISLockdown applies rules to either disable or secure various IIS features. URLScan is an ISAPI filter that is installed when you use IISLockdown; it accepts or rejects potentially malicious page requests based on criteria set forth in rules. Fortunately, IISLockdown and URLScan functionality is included in IIS 6.0, greatly reducing the security configurations required when you re building a server.there are, however, several tasks to complete on installation and configuration of the version 6.0 server to increase security.

10 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:192 A:192 Appendix C IIS Web Server Hardening IIS Installation Options and Basic Services Setup When initially installing IIS 6.0, be sure that the following services are not installed unless you require their use: FTP Server NNTP Service SMTP Service Internet Service Manager Microsoft FrontPage Server Extensions Visual InterDev Remote Support By default, the services are not installed in IIS 6.0, because the components expose the IIS server to security vulnerabilities. For instance, FTP, NNTP, and SMTP are all services provided by the IIS server, but they might not be necessary in your environment. Disabling these services reduces your exposure to customers and therefore reduces the potential of a security breech. After installation, you might want to consider deleting the default site that is installed on the IIS server. This is recommended by Microsoft and is good practice because it reduces the amount of security configuration tasks you would otherwise need to perform. Virtual Directories, Script Mappings, and ISAPI Filters When configuring your site within the IIS server, be sure to locate the Web root on nonsystem NTFS volumes to prevent directory traversal attacks on the system. Also make sure the use of Parent Paths (using../../, for example) is disabled, which is default for IIS 6.0. Ensure that dangerous virtual directories such as ISSamples, IISAdmin, IISHelp, and Scripts are removed and that Remote Data Services (RDS) is disabled to further secure your IIS server. Each site within your IIS server configuration should also be securely configured without directory browsing and should not permit script source access, to secure your code. Proper Web page permissions are a critical part of maintaining IIS Web sites. Failure to apply restrictions provides potentially dangerous functionality to customers. Microsoft recommends that the permissions shown in Table C.4 be used on all Web content.

11 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:193 IIS Web Server Hardening Appendix C A:193 Table C.4 Microsoft-Recommended Permissions Type of Permission Read permission Write and execute permission Script source access permission Write permission Where to Apply Restrict read permission on include directories Restrict write and execute permissions on virtual directories that allow anonymous access Configure script source access permissions only on folders that allow content authoring Configure write permissions only on folders that allow content authoring; grant write access only to content authors Once you ve set the proper permissions on your Web page directories, you ll need to consider script-mapping settings within the IIS server. Script mapping associates various functional DLLs with page file extensions such as.asp,.shtml, and so on. As general practice, you should map any unused file extensions to the 404.dll, which prohibits access to the page and DLL. Doing so reduces exposure to potential extension vulnerabilities and prohibits download of server resources by clients. Also, evaluate the ISAPI applications shown in the Master Properties of the WWW Service. Delete extensions that are not required for your site operation, because historically these filters have been extensively exploited.to examine your ISAPI filters, use the following procedure: 1. Open the Internet Services Manager from the Administrative Tools programs group. 2. Select your computer and click Properties. ISAPI filters apply to the entire IIS machine, not just individual Web sites. 3. Click the Edit button. 4. Click the ISAPI Filters tab to view your ISAPI configuration. 5. To remove an ISAPI filter, highlight the filter you want to delete and click Remove. Now that our application is more secure, let s look at the IIS logging configuration to ensure that we re able to monitor the server properly. Logging There are many reasons to configure logging on your IIS server. Whether helping you see top page hits, hours of typical high-volume traffic, or simply understanding who s using your system, logging plays an important part in any installation. More important, logging can provide a near-real-time and historic forensic toolkit during or after security events. In this section, we examine some logging configuration best practices.

12 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:194 A:194 Appendix C IIS Web Server Hardening Begin by changing the default location for your IIS logs. Use a nonsystem location and an NTFS volume.to secure the logs, permit Full Control for Administrators and System, and allow Backup Operators to Read the files. Deny all other access. Because we secured the Microsoft OS in previous sections of this appendix, we don t need to revisit the particular auditing configurations you ll need to ensure you re logging the proper information on your server. In general, however, you should log all failed login attempts and all failed actions within the OS. Additionally, you should audit all access to the Metabase.bin file located in the \WINNT\System32\inetsrv directory, because it contains your IIS configuration. TIP It is good practice to archive your system and IIS log files to backup location. This prevents loss of critical forensic data due to accidental deletion or malicious activity. Finally, configure IIS W3C Extended Log File Format logging.to do so, from your Web site Properties box, click the Web Site tab and select W3C Extended Log File Format. You might also want to configure Extended Properties such as URI Stem and URI Query for additional auditing information. Monitoring the Server for Secure Operation Even with the best defenses and secure configurations, breeches in your systems and applications can occur.therefore, you cannot simply set up a hardened Microsoft IIS Web server and walk away thinking that everything will be just fine. Robust and comprehensive monitoring is perhaps the most important part of securely operating servers and applications on the Internet. Throughout this book, we have discussed myriad techniques to ensure your IT security. You must leverage all these secure DMZ functions in your job. With regard to Microsoft IIS, there are several things to consider that will help you identify and react to potential threats. Your primary source of data will be through IIS and Microsoft OS audit logs. Even with small Web sites, however, sifting through this information can be a challenge. One of the first things to consider is integrating your IIS logs with other tools to help organize and identify the potential incident needles in your log file haystack. Many open source and commercial products are available to aid you in securing your site. For instance, Microsoft makes a Log Parser, among other utilities, available through the IIS 6.0 Resource Kit found at

13 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:195 IIS Web Server Hardening Appendix C A:195 ADE629C89499&displaylang=en.This tool can be used with SQL Server to facilitate better organization of the log file data. SNMP polling and graphing constitute another methodology commonly employed for secure monitoring. Often it is extremely difficult to gauge the severity or magnitude of an event without visualization of data from logs or SNMP counters. One tool you can consider using is MRTG to graph SNMP information that could help identify a security problem. The SecurityFocus Web site at provides an excellent primer on installing and configuring MRTG to monitor IIS 6.0 Web sites. You may consider other commercial SNMP-based solutions, especially for enterprisescale deployments.these tools help expedite monitoring deployment and usually include enhanced functionality to automatically alert you when important thresholds, such as Web site concurrent connections, are crossed.

14 403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:196