Securing Windows Internet Servers

Similar documents
A Roadmap for Securing IIS 5.0

Migrating helpdesk to a new server

Hardening IIS Servers

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Agency Pre Migration Tasks

Locking down a Hitachi ID Suite server

Security. TestOut Modules

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

Data Stored on a Windows Server Connected to a Network

Device Log Export ENGLISH

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

NODE4 SERVICE DESK SYSTEM

APPENDIX I Basic Windows NT Server 4.0 Installation and Configuration

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

Installing GFI MailSecurity

Click Studios. Passwordstate. Installation Instructions

Activity 1: Scanning with Windows Defender

Using Microsoft s Free Security Tools Help Secure your Windows Systems taken from Web and Other Sources by Thomas Jerry Scott November, 2003

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

Windows IIS Server hardening checklist

Internet Information TE Services 5.0. Training Division, NIC New Delhi

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Microsoft Baseline Security Analyzer

Web Security School Final Exam

Installation Steps on Desktop Clients

Setting up Microsoft Office 365

Outlook Express POP Instructions - Bloomsburg University Students

Setting up Microsoft Office 365

Data Execution Prevention DEP should NOT be turned on for all programs as this can cause access violations when running EXO

Step-by-Step Configuration Instructions

Business mail 1 MS OUTLOOK CONFIGURATION... 2

Exchange Server 2007 Turbo Transition Guide

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

Basic Exchange Setup Guide

Implementing and Managing Microsoft Exchange Server 2003

6445A - Implementing and Administering Windows Small Business Server 2008

SSH Secure Client (Telnet & SFTP) Installing & Using SSH Secure Shell for Windows Operation Systems

Spector 360 Deployment Guide. Version 7.3 January 3, 2012

Service Overview & Installation Guide

Installing GFI MailSecurity

8.6. NET SatisFAXtion Gateway Installation Guide. For NET SatisFAXtion 8.6. Contents

MCSE TestPrep: Windows NT Server 4, Second Edition Managing Resources

PROTECTING DATA IN TRANSIT WITH ENCRYPTION IN M-FILES

Kerio MailServer 6. Administrator s Guide. Kerio Technologies

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

ecopy ShareScan v4.3 Pre-Installation Checklist

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Out n About! for Outlook Electronic In/Out Status Board. Administrators Guide. Version 3.x

Designing, Deploying and Managing a Network Solution for Small- and Medium-sized Businesses Course No. MS Days

Documentation. OpenScape Office V3 OpenScape Office MX V2 Linking to MS Exchange Server 2010

Kaseya Server Instal ation User Guide June 6, 2008

IceWarp to IceWarp Server Migration

NeoMail Guide. Neotel (Pty) Ltd

Administration of Symantec Enterprise Vault 8.0 for Exchange Exam.

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Getting Started with. Ascent Capture Internet Server Revision A

Talk Internet User Guides Controlgate Administrative User Guide

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

MAPI Connector Overview

Wireless Installation Checklist for Novell GroupWise Environments

Office of Information Technologies (OIT) Network File Shares

Microsoft Windows 7. Administration. Instant Reference. William Panek WILEY. Wiley Publishing, Inc.

Introduction. Before you begin. Installing efax from our CD-ROM. Installing efax after downloading from the internet

Astaro Mail Archiving Getting Started Guide

JapanCert 専 門 IT 認 証 試 験 問 題 集 提 供 者

Hosted Microsoft Exchange Client Setup & Guide Book

Eylean server deployment guide

Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL. Installation and System Administrator's Guide 4MASIN450-08

Quality of Service (bandwidth limitation): Default is 2 megabits per second.

Sophos for Microsoft SharePoint startup guide

POP3 Connector for Exchange - Configuration

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Chapter 2 Editor s Note:

Network Configuration Settings

Quick Scan Features Setup Guide. Scan to Setup. See also: System Administration Guide: Contains details about setup.

Description of Microsoft Internet Information Services (IIS) 5.0 and

Version 3.8. Installation Guide

Flexbox (Zimbra) 5.09 Connector for Outlook BACKUP BEFORE YOU BEGIN TO UPGRADE!

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

ANNE ARUNDEL COMMUNITY COLLEGE ARNOLD, MARYLAND COURSE OUTLINE CATALOG DESCRIPTION

Kerio Connect. Administrator s Guide. Kerio Technologies

Exchange Server Cookbook

Quick Scan Features Setup Guide

REST Professional Network Troubleshooting Guide

Application Note 02 Advanced SMTP setup

Click Studios. Passwordstate. Installation Instructions

How to Secure a Groove Manager Web Site

A Transend Corporation White Paper Preparing Microsoft Exchange Server for Migration

MCSA Objectives. Exam : TS:Exchange Server 2007, Configuring

Configuring your client to connect to your Exchange mailbox

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון טל' פקס בשיתוף עם מכללת הנגב ע"ש ספיר

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Exchange 2013 mailbox setup guide

Transcription:

Securing Windows Internet Servers Jon Miller Senior Security Engineer Covert Systems, Inc. jon.miller@covertsystems.net 23.org / Covert Systems

Installation Upgrading? Always try to use a fresh install and migrate existing data over Make sure to convert to NTFS Default Security Settings are not applied You must apply them manually using MMC

Installation Service Packs Always check windows update and TechNet to make sure you have the most current patches and SPs HFNETCHK

File Systems NTFS or FAT

Services Always decide what services you require prior to installation Never install superfluous services Now is the time to decide what form of remote administration software, if any you will use Terminal Server Vshell SSH & SFTP (www.vandyke.com)

Services COMPAQ INSTALLATION =

Network Configuration TCP/IP should be the only protocol Use TCP/IP Filtering (and IPSec when applicable) Nmap the server to make sure you don t have any surprise ports open If it is an IIS box it can NEVER be on a domain Use second Ethernet card for remote admin and have only the Internet Service on the primary interface

Using the MMC Customize your own security template and use it Establish standards within your template that apply to all servers from PDCs to desktops

Security Configuration Password Complexity / Length Always remember passwords so they cannot be reused Event Log Access Define Permissions for Services Rename Administrator Account

Common Sense Delete or rename files that may be used against you in the event of an attack Do you really use MS TFTP? Rename CMD.exe Create partitions or move directory structure to protect against directory transversal Do you really want an IIS server running on your companies Mail server? Remove OWA Microsoft Security Alerts microsoft.com/technet/security/notify.asp

IIS 4 / 5 Try to run only base services The services below are the only services required to run a functional IIS server: Event License Windows Remote Windows IIS MSDTC World Log Protected Logging Service NTLM Security Support Provider Procedure Call (RPC) Service NT Server or Windows NT Workstation Admin Service Wide Web Publishing Service Storage

Stuff to Remove C:\inetpub - sample files c:\inetpub\iissamples c:\inetpub\iissamples\sdk c:\inetpub\adminscripts c:\program Files\Common Files\System\msadc\Samples * HTW Mapping IISADMPWD RDS (Remote Data Services)

Stuff to Remove Parent Paths? (Disallows.. *be careful*) Web server Properties Home Directory Configuration App Options Script Mappings (.htr.idc.stm.shtml.shtm.printer.ida.idq.hta ) Web server Properties Master Properties WWW Service Edit Home Directory Configuration

Misc. Restrict Anonymous HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA Name: RestrictAnonymous Type: REG_DWORD Value: 1.

Permissions Set Your ACL's (next page) Make sure that the IIS log files are not publicly readable winnt\system32\logfiles

Permissions CGI s - (.exe,.dll,.cmd,.pl) Everyone (X) Administrators (Full Control) System (Full Control)

Permissions Script Files - (.asp) Everyone (X) Administrators (Full Control) System (Full Control)

Permissions Include Files - (.inc,.shtm,.shtml) Everyone (X) Administrators (Full Control) System (Full Control)

Permissions Static Content - (.txt,.gif,.jpg,.html) Everyone (R) Administrators (Full Control) System (Full Control)

Exchange Exchange is one of the few servers that does outgoing mail authentication well Take advantage of that and don t an open relay (5.5) Use Encrypted File System (EFS) to protect data Anti-Virus Internet Mail Connector Limit your outgoing size Relaying from DMZ server to Exchange Use sendmail to relay all mail to an internal exchange server Or with another copy of Exchange: install Exchange, add the Internet Mail Connector, and add it to your existing site. No mailboxes or folders are required

Exchange Setup Exchange Administrators (2000) Not All Admins are Full Admins Exchange Administrator Exchange Full Administrator Exchange View Only Administrator Security Page HKCU\Software\Microsoft\Exchange\ExAdmin Value: ShowSecurityPage Date: 1 (REG_DWORD) Tracking Logs Remove Everyone Read \Exchsrvr\%COMPUTERNAME%.log

Outlook Web Access Lock Down IIS Use SSL Front End / Back End Mode http://www.microsoft.com/exchange/techinfo/deployment/2000/e2kfrontback.asp

Exchange Diagram

Tools URL Scan (Microsoft) Baseline Security Analyzer (Microsoft) IIS Lockdown (Microsoft) Secure IIS (Eeye) Tripwire for NT (Tripwire) Anti-Virus (Symantec, McAfee) Hire a Security Company http://www.23.org/~humperdink/

Q & A Y all ask me stuff jon.miller@covertsystems.net http://www.23.org/~humperdink/ http://www.covertsystems.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information