A Roadmap for Securing IIS 5.0



This document was grafted together from various Web and other sources by Thomas Jerry Scott for use in his Web and other security courses. Jerry hopes you find this information helpful in your quest to secure your IIS 5.0 server.

A Roadmap for Securing IIS 5.0

Microsoft's Internet Information Services (IIS) default install contains several known holes that can be exploited to cause significant or even total data loss or compromise. Fortunately there are some basic steps you can take to lock down your server and prevent such attacks from occurring. This document provides explicit techniques that can be used to secure your IIS servers without losing major system performance or functionality. Had a few of these steps been taken, major attacks like Code Red I and II and Nimda could have been prevented even without the system patches. Of course, installing the patches is always the recommended route for any major system in order to ensure the most basic security level: vulnerabilities often go unannounced and are quietly fixed in patches and service pack releases. Patches can be obtained for most Windows systems at http://windowsupdate.microsoft.com.

Note: This document is tailored to cover security essentials for IIS servers running Windows 2000 Server and Advanced Server. Many of these techniques can be applied to NT 4.0 systems, but not all tools will be available.

Twenty-One (21) Steps You Should Take to Secure Your IIS 5.0 Server

1. Determine the role of your machine.
2. Do NOT install executable files in the same directory as your web content.
3. Delete all the files from selected default directories.
4. Delete the /MSADC virtual directory.
5. Use IPSec to restrict your IIS server to the traffic it needs: web requests from the Internet, and communication with the domain controller and other internal machines.
6. Install the IIS Manager snap-in.
7. Create a group policy on your domain controller that can be pushed out to all IIS servers in the domain.
8. Disable all unnecessary services.
9. Disable unused network bindings.
10. Change the SynAttackProtect TCP/IP parameter to greatly reduce your exposure to SYN floods.
11. Implement some sort of authentication method.
12. Set your NTFS permissions and IIS permissions.
13. Install the Security Configuration and Analysis snap-in and restrict anonymous (null session) access.
14. Disable the Indexing Service.
15. Set permissions for your web files.
16. Divide your content into different folders, each with different permissions.
17. Never allow write and execute privileges on the same folder.
18. Delete all unused ISAPI extensions and HTTP verbs.
19. Use URLScan.
20. Prevent directory traversals.
21. Audit files that should be protected via NTFS permissions and log your web site hits.

Detailed Steps to Securing IIS 5.0

The rest of this document provides more detail for the steps above; the numbering matches the list.

1. Determine the role of your machine. Ask yourself the following simple questions:
   - Is this server going to serve web pages, host FTP content, or both?
   - Do you really need *.asp or cgi-bin support for your pages?
   Ideally you want only one major service per system. Often, due to budget constraints, you will find it necessary to combine services on the same machine; even then, put everything you serve to the public on a different slice of your drive. Rather than keep your pages on the C: drive, make a new partition and put your web/FTP content there. Keeping the web root on a different volume from %SystemRoot% also means that an attacker who manages to climb out of the web folder with "../" sequences still cannot reach cmd.exe, since a traversal cannot cross drives.

2. Do NOT install executable files in the same directory as your web content. Otherwise, should outside parties gain access to your web volume, they may be able to execute programs that damage it.

3. Delete all the files from the following directories:
   \Inetpub\iissamples
   \InetPub\AdminScripts
   \Program Files\Common Files\System\msadc\Samples
   \WINNT\help\iishelp
   \WINNT\System32\Inetsrv\iisadmpwd
   \WINNT\web\printers
   Deleting these default files is crucial, since many current exploits take advantage of default files and samples, especially the printers folder and its \printers virtual directory.

4. Delete the /MSADC virtual directory. It exposes the Remote Data Services (RDS) DLLs, which have been the target of well-known exploits, and a web server that does not use RDS has no reason to publish them.

5. Use IPSec to allow your IIS server to communicate only with the domain controller and the other internal machines it needs. The only traffic that should pass unfiltered from the outside is the web traffic itself: inbound TCP port 80 (and 443 if you serve SSL) and the replies to it. Use ipsecpol.exe (from the Windows 2000 Resource Kit) to set up your filtering rules. Test the rule set from a client outside the permitted set before you rely on it, and check that domain logons still work afterwards: a rule that blocks Kerberos, LDAP or RPC to the domain controller will also break any authenticated part of your web site.

6. Install the IIS Manager snap-in. This is found in Add/Remove Programs (under Internet Information Services). Manage all aspects of your server by going to Start --> Administrative Tools and opening IIS Manager.

7. Create a group policy on your domain controller that can be pushed out to all IIS servers in the domain. This enforces a policy that can still be customized per host, but gives you a very tight configuration that is centrally managed. Security templates can be created by you or the domain administrator, or you can download and customize good templates that already exist from the NSA (a great resource) or from Microsoft.

8. Disable all unnecessary services (Administrative Tools --> Services). A web server only needs the World Wide Web Publishing Service, Remote Procedure Call, Event Log, Protected Storage, and the NTLM Security Support Provider. Note that the World Wide Web Publishing Service depends on the IIS Admin Service, so leave that one running as well; check the Dependencies tab of each service before you stop it.

9. Disable unused network bindings. Right-click My Network Places and select Properties. Unbind File and Printer Sharing for Microsoft Networks at a minimum; this alone would have closed one of Nimda's infection vectors, which spread across open file shares. You can also safely disable NetBIOS over TCP/IP in Windows 2000: select the Advanced tab under TCP/IP settings and choose Disable NetBIOS over TCP/IP. Your server will then reach file servers and domain controllers over port 445 (direct-hosted SMB) rather than port 139.

10. Change the following TCP/IP parameter to greatly reduce your exposure to SYN floods. Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, create the REG_DWORD value SynAttackProtect if it does not already exist (it is absent by default), and set its data to 2. At this level TCP delays indicating new connections to the Winsock layer until the handshake has completed and times out half-open connection requests quickly once the SYN-flood thresholds are exceeded, so a remote host that never completes the three-way handshake cannot fill the backlog.

11. Implement some sort of authentication method, even if it is only Basic (username and password) for specific folders. Remember that Basic authentication sends the credentials Base64-encoded, not encrypted, so protect it with SSL, or use Integrated Windows authentication for internal users.

12. Set your NTFS permissions and IIS permissions. Set your NTFS permissions first, completely disabling write access to any web folders. If you run scripts, put them into a separate folder and reference them there. You may also wish to name the folder that contains your scripts something like 'scr' instead of "scripts", "cgi-bin" or "bin", since most unmanaged vulnerability scanners look for these directories by name first. Renaming only hides them from automated scanners; a flesh-and-blood hacker will still find them, so it is no substitute for the permissions themselves.

13. Install the Security Configuration and Analysis snap-in and, under Local Policies --> Security Options, set "Additional restrictions for anonymous connections" to "No access without explicit anonymous permissions" (this sets the registry value RestrictAnonymous to 2). This denies null sessions and the enumeration attacks built on them. Be aware that this setting can break domain trusts and browsing from down-level clients, which is one more reason a dedicated web server should not double as a file server.

14. Disable the Indexing Service. It is completely unnecessary for a web server; if you feel you still need it, at least disable indexing on your web content folders. Indexing of a whole drive can be turned off under the General tab of the drive's Properties in Windows Explorer, and the service itself should be stopped and set to Disabled under Administrative Tools --> Services. Note that the .ida and .idq mappings that Code Red exploited belong to Index Server's idq.dll and are reachable whether or not the service is running, so remove them as described in step 18 regardless.

15. Set permissions for your web files. Most files that deal with web content need only the following NTFS permissions for the anonymous web user (IUSR_machinename):
   List Folder/Read Data
   Read Attributes
   Read Extended Attributes
   Read Permissions
   This applies to files like *.html, *.asp, *.jpg, *.txt, etc. The only permission needed on *.dll and *.exe files is Traverse Folder/Execute File.

16. Divide your content into different folders, each with different permissions. Remember that NTFS and IIS permissions are separate and both must allow an action before it succeeds, so mark all your folders read-only for the generic user (the person viewing the page, not the administrator or content developer). A good way to lay out your folders would be:
   /root    (normally defaults to wwwroot)
   /scr     (your scripts folder, if you need one)
   /exe     (for all your executables; make sure the NTFS permission is Traverse Folder/Execute File rather than Read)
   /images  (optional, though easier to manage, especially if you want to log hits to just your pages and not every image)
   For these folders you will want the following minimum IIS permissions:
   /root    Script Source Access: No, Read: Yes, Write: No, Directory Browsing: No, Log visits: Yes, Index this resource: No, Execute Permissions: None
   /scr     the same as /root except Read: No and Execute Permissions: Scripts only
   /exe     the same as /root except Execute Permissions: Scripts and Executables
   /images  the same as /root, but set Log visits to No if you do not want to clutter your log files with requests for images

17. Never allow write and execute privileges on the same folder. A folder that is both writable and executable lets anyone who can upload a file run it on your server.

18. Delete all unused ISAPI extensions and HTTP verbs. This is very important: Code Red spread through the .ida/.idq mapping to Index Server's idq.dll, and a server with that mapping removed was not vulnerable, patched or not. It is a small detail, but it will save you a lot of time and effort when the next attack of that kind hits. Go to Web Site Properties --> Home Directory --> Configuration --> App Mappings. From here you can safely remove almost all of the mappings unless you are certain you will use them. If you serve *.asp pages, of course, keep the .asp mapping. Removing a mapping does not delete the ISAPI DLL; it simply stops IIS from passing requests for that extension to it, so you can re-add the mapping later if you create content that needs it. Note: your ISAPI mappings return to the defaults if you make any system changes through Add/Remove Programs, so re-check them after any such change. The IIS Lockdown Tool (updated to version 2.1) will remove the mappings, among other things, for you.
   You can also restrict the HTTP verbs on the mappings you keep by selecting Edit and allowing only GET, since this is usually the only verb you will need. If your content contains a form, you will also need POST.

19. Use URLScan. URLScan is an ISAPI filter (urlscan.dll, configured through UrlScan.ini) that inspects every incoming request before IIS processes it and rejects any request that uses a verb, file extension or URL pattern you have not allowed: for example requests for extensions whose mappings you removed, requests containing "..", or requests with high-bit characters in the URL. Rejected requests are recorded in URLScan's own log. URLScan is highly configurable to suit your IIS server.

20. Prevent directory traversals. Traversals account for a HUGE portion of attacks; in one university study, traversal attempts caused an average of 500,000 alerts per month. Go to Web Site Properties --> Home Directory --> Configuration --> App Options, and uncheck Enable Parent Paths. This stops ASP pages from using ".." in #include directives and MapPath calls to reach files outside the web root. Note that it does not by itself block traversal in the request URL, such as http://yoursite.com/../../../../../../cmd.exe?/ (which Nimda and the Unicode traversal exploits sent with the ".." and "/" characters encoded so that IIS's own check missed them); those attempts are closed by the IIS patches, by URLScan (step 19), and by keeping cmd.exe on a different volume from the web content (step 1). This step is still crucial to maintaining a base level of security for your site.

21. Audit files that should be protected via NTFS permissions and log your web site hits. If you have good logs that show someone attempting to break in, security personnel have a better chance of tracking down the offender(s) and preventing further illegal access to your machine. Enable auditing (Local Policies --> Audit Policy --> Audit object access) and then add auditing entries on the specific files and programs you want watched; the Security log in Event Viewer will then record accesses to them. Keep the IIS logs (W3C Extended format, under %SystemRoot%\system32\LogFiles) on a volume the web user cannot write to, and review them regularly rather than only after an incident.
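The request filtering of steps 18 through 20 and the log review of step 21 come together in the following Python script. It is an added example, not part of the original roadmap and not Microsoft's URLScan code: it models the checks URLScan and the mapping cleanup perform (allowed verbs, allowed extensions, rejection of removed mappings, decoding before matching, rejection of ".." and of high-bit or overlong UTF-8 in the path) and runs them over a constructed IIS W3C extended log. The allow lists, the log lines and the client addresses are assumptions made for illustration; replace them with what your site actually serves.

```python
"""URLScan-style request filtering and IIS log review (steps 18-21).

Added example; not the roadmap's own code and not Microsoft's URLScan.
The allow lists, the log lines and the IP addresses are constructed for
illustration and should be replaced with what your site actually serves.
"""
import os
from collections import Counter
from urllib.parse import unquote_to_bytes

ALLOWED_VERBS = {"GET", "POST"}           # step 18: GET, plus POST for forms
ALLOWED_EXTENSIONS = {"", ".htm", ".html", ".asp", ".jpg", ".gif", ".txt"}
# Mappings the roadmap says to remove; a request for one is attack traffic.
REMOVED_MAPPINGS = {".ida", ".idq", ".htw", ".htr", ".idc", ".printer",
                    ".shtm", ".shtml", ".stm"}


def check_request(verb, uri_stem, decode_passes=2):
    """Return (allowed, reason) for one request.

    decode_passes=2 models IIS 5.0, which percent-decoded a URL a second
    time after checking it (the MS01-026 "superfluous decoding" flaw). A
    filter that looks only at the once-decoded form never sees that
    "%255c" is "%5c" after one pass and a backslash after two.
    """
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not allowed: " + verb
    raw = uri_stem
    for _ in range(decode_passes):
        raw = unquote_to_bytes(raw)
    try:
        path = raw.decode("utf-8")      # strict: %c0%af (overlong "/") fails
    except UnicodeDecodeError:
        return False, "overlong or invalid UTF-8 in path"
    if not path.isascii():
        return False, "high-bit characters in path"
    # IIS accepts "\" as a separator, so normalise before looking for "..".
    segments = path.replace("\\", "/").split("/")
    if ".." in segments:
        return False, "parent path traversal"
    ext = os.path.splitext(segments[-1])[1].lower()
    if ext in REMOVED_MAPPINGS:
        return False, "removed ISAPI mapping requested: " + ext
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    return True, "ok"


def parse_w3c_log(text):
    """Yield one dict per data row of an IIS W3C extended log."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed log row: " + line)
            yield dict(zip(fields, values))


def scan_log(text):
    """Return every request the filter would reject: (ip, verb, uri, reason)."""
    hits = []
    for row in parse_w3c_log(text):
        ok, reason = check_request(row["cs-method"], row["cs-uri-stem"])
        if not ok:
            hits.append((row["c-ip"], row["cs-method"], row["cs-uri-stem"], reason))
    return hits


def offenders(text):
    """Rejected requests per client address (step 21: whom to chase)."""
    return Counter(hit[0] for hit in scan_log(text))


# Constructed sample log: one clean session plus the Code Red and Nimda
# request shapes seen in 2001, using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:00:01 192.0.2.10 GET /index.html - 200
2001-09-18 10:00:02 198.51.100.7 GET /default.ida XXXX%u9090%u6858%ucbd3 200
2001-09-18 10:00:03 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:00:04 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:00:05 203.0.113.5 GET /scripts/root.exe /c+dir 404
2001-09-18 10:00:06 192.0.2.10 POST /scr/login.asp - 200
2001-09-18 10:00:07 203.0.113.5 PUT /upload.txt - 403
2001-09-18 10:00:08 192.0.2.11 GET /..%255c..%255cinetpub/secret/readme.txt - 200
2001-09-18 10:00:09 192.0.2.10 GET /images/logo.gif - 200
"""

if __name__ == "__main__":
    for ip, verb, uri, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {verb:4} {uri}  <- {reason}")
    print("rejected requests per client:", offenders(SAMPLE_LOG).most_common())
```

Run it as is and it lists six rejected requests and ranks the three offending addresses. The instructive case is the last constructed row: with decode_passes=1 the double-encoded traversal to readme.txt passes the filter, because "..%5c.." is just an odd-looking folder name and .txt is allowed; only decoding as many times as the server does catches it. On a real server the equivalent controls are UrlScan.ini settings such as UseAllowVerbs, UseAllowExtensions, NormalizeUrlBeforeScan, VerifyNormalization, AllowHighBitCharacters and AllowDotInPath, applied inside IIS before the request reaches any mapping.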