Windows IIS Server hardening checklist



Similar documents
Understanding Microsoft Web Application Security

Web Plus Security Features and Recommendations

IIS Web Server Hardening

A Roadmap for Securing IIS 5.0

Hardening IIS Servers

Web Security School Entrance Exam

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Microsoft Baseline Security Analyzer

Center for Internet Security Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP, and Server 2003 Version 1.

About Microsoft Windows Server 2003

Data Stored on a Windows Server Connected to a Network

Windows Server 2008/2012 Server Hardening

Security Guidelines for MapInfo Discovery 1.1

Web. Security Options Comparison

Windows Server. Introduction to Windows Server 2008 and Windows Server 2008 R2

IIS Deployment Procedures

Guide to the Secure Configuration and Administration of Microsoft Internet Information Server 4.0

Configuring Web services

Using Microsoft s Free Security Tools Help Secure your Windows Systems taken from Web and Other Sources by Thomas Jerry Scott November, 2003

Locking down a Hitachi ID Suite server

Securing IIS Servers. Securing IIS Servers. Securing IIS Servers. Securing IIS Server. Securing IIS Servers. Securing IIS Servers.

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 31/03/ L Wyatt Update to procedure

Chapter 2 Editor s Note:

Web Security School Final Exam

Password Reset PRO INSTALLATION GUIDE

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Security. TestOut Modules

Data Stored on a Windows Computer Connected to a Network

Click Studios. Passwordstate. Installation Instructions

Click Studios. Passwordstate. Installation Instructions

SQL Server Hardening

Setting Up Scan to SMB on TaskALFA series MFP s.

Application Security Policy

By Citrix Consulting Services. Citrix Systems, Inc.

Click Studios. Passwordstate. Installation Instructions

WS_FTP Server. User s Guide. Software Version 3.1. Ipswitch, Inc.

Windows Operating Systems. Basic Security

Advantage for Windows Copyright 2012 by The Advantage Software Company, Inc. All rights reserved. Client Portal blue Installation Guide v1.

Activity 1: Scanning with Windows Defender

Microsoft Solutions for Security and Compliance. Windows Server 2003 Security Guide

Windows 2000/Active Directory Security

Installing, Configuring, and Managing a Microsoft Active Directory

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

System Administration Training Guide. S100 Installation and Site Management

Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0

Magenic Practices: Application Security

IIS 6: The Complete Reference

E-Commerce for IT Advanced. Louis Aguila & Matt Burt

Security IIS Service Lesson 6

FactoryTalk View Site Edition IIS Handbook. Rev. 1.1, May 2007

Sitefinity Security and Best Practices

Server Installation Manual 4.4.1

How the Active Directory Installation Wizard Works

Windows Assessment. Vulnerability Assessment Course

User Guide. WS_FTP Server

Belarc Advisor Security Benchmark Summary

Active Directory. Users & Computers. Group Policies

Lesson Plans Administering Security in a Server 2003 Network

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation

To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server 2008.

CITY UNIVERSITY OF HONG KONG Network and Platform Security Standard

Windows 2000 Security Configuration Guide

Table of Contents. Introduction. Audience. At Course Completion

Agency Pre Migration Tasks

Installation Documentation Smartsite ixperion 1.3

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

BusinessObjects Enterprise XI Release 2

Secure Messaging Server Console... 2

RE:Anywhere for Remote Access Installation Guide

imagepress CR Server A7000 Powered by Creo Color Server Technology For the Canon imagepress C7000VP/C6000VP/ C6000

Description of Microsoft Internet Information Services (IIS) 5.0 and

Managing and Maintaining a Microsoft Windows Server 2003 Environment

Migrating helpdesk to a new server

How To - Implement Single Sign On Authentication with Active Directory

WS_FTP Server. User Guide

Your Question. Net Report Answer

User Guide. WS_FTP Server

Active Directory Authentication Integration

Installing Moodle on a Windows x64 Environment

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

EPiServer Operator's Guide

NETWRIX ACCOUNT LOCKOUT EXAMINER

Network Setup Instructions

Security Audit Report for ACME Corporation

Enterprise Security Critical Standards Summary

Avatier Identity Management Suite

Oracle Security on Windows

CAC/PIV PKI Solution Installation Survey & Checklist

TABLE OF CONTENTS. Features - SharePoint Server idataagent. Page 1 of 72 OVERVIEW SYSTEM REQUIREMENTS - SHAREPOINT SERVER IDATAAGENT INSTALLATION

Exam: QUESTION 1 QUESTION 2 QUESTION 3 QUESTION 4

Systems Management Server 2003 Security Guide

Masterclass: Internet Information Services Management (IIS 8.5 / 8 / 7.5)

How to Secure a Groove Manager Web Site

inforouter V8.0 Server & Client Requirements

Transcription:

General Windows IIS Server hardening checklist By Michael Cobb Do not connect an IIS Server to the Internet until it is fully hardened. Place the server in a physically secure location. Do not install the IIS server on a domain controller. Do not install a printer. Use two network interfaces in the server one for admin and one for the network. Install service packs, patches and hot fixes. Run IISLockdown run on the server. Install and configure URLScan. Secure remote administration of the server and configure for encryption, low session time-outs and account lockouts. Disable unnecessary Windows services. Ensure services are running with least-privileged accounts. Disable FTP, SMTP and NNTP services if they are not required. Disable Telnet service. Disable ASP.NET state service if not used by your applications. Disable webdav if not used by the application, or secure it if it is required. (See How To: Create a secure webdav Publishing Directory at support.microsoft.com.)

Do not install Data Access Components unless specifically needed. Do not install the HTML version of the Internet Services Manager. Do not install the MS Index Server unless required. Do not install the MS FrontPage Server extensions unless required. Harden TCP/IP stack. Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445). Reconfigure Recycle Bin and Page file system data policies. Secure CMOS settings. Secure physical media (floppy drive, CD-ROM drive and so on). Accounts Remove unused accounts from the server. Disable Windows Guest account. Rename Administrator account and set a strong password. Disable IUSR_MACHINE account if it is not used by the application. Create a custom least-privileged anonymous account if applications require anonymous access. Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools. If you host multiple Web applications, configure a separate anonymous user account for each one. Configure ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)

Enforce strong account and password policies for the server. Restrict remote logons. (The "Access this computer from the network" user-right is removed from the Everyone group.) Do not share accounts among administrators. Disable Null sessions (anonymous logons). Require approval for account delegation. Do not allow users and administrators to share accounts. Do not create more than two accounts in the Administrators group. Require administrators to log on locally or secure the remote administration solution. Files and Directories Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders. Contain files and directories on NTFS volumes. Put Web site content on a non-system NTFS volume. Create a new site and disable the default site. Put log files on a non-system NTFS volume but not on the same volume where the Web site content resides. Restrict the Everyone group (no access to \WINNT\system32 or Web directories). Ensure Web site root directory has deny write ACE for anonymous Internet accounts. Ensure content directories have deny write ACE for anonymous Internet accounts. Remove remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).

Remove resource kit tools, utilities and SDKs. Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples). Remove IP address in header for Content-Location. Shares Remove all unnecessary shares (including default administration shares). Restrict access to required shares (the Everyone group does not have access). Remove Administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares). Ports Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used). Encrypt Intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure. Registry Restrict remote registry access. Secure SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers. Auditing and Logging Audit failed logon attempts. Relocate and secure IIS log files.

Configure log files with an appropriate file size depending on the application security requirement. Regularly archive and analyze log files. Audit access to the Metabase.bin file. Configure IIS for W3C Extended log file format auditing. Read How to use SQL Server to analyze Web logs at support.microsoft.com Sites and Virtual Directories Put Web sites on a non-system partition. Disable "Parent paths" setting. Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts. Remove or secure MSADC virtual directory (RDS). Do not grant included directories Read Web permission. Restrict Write and Execute Web permissions for anonymous accounts in virtual directories. Ensure there is script source access only on folders that support content authoring. Ensure there is write access only on folders that support content authoring and these folders are configured for authentication (and SSL encryption, if required). Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them. Remove the IIS Internet Printing virtual directory. Script Mappings Map extensions not used by the application to 404.dll (.idq,.htw,.ida,.shtml,.shtm,.stm, idc,.htr,.printer).

Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config. ISAPI Filters Remove from the server unnecessary or unused ISAPI filters. IIS Metabase Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin). Restrict IIS banner information (Disable IP address in content location). Server Certificates Ensure certificate date ranges are valid. Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail). Ensure the certificate's public key is valid, all the way to a trusted root authority. Confirm that the certificate has not been revoked. Machine.config Map protected resources to HttpForbiddenHandler. Remove unused HttpModules. Disable tracing. <trace enable="false"/> Turn off debug compiles. <compilation debug="false" explicit="true" defaultlanguage="vb">

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information