The 15 Steps to Secure an IIS 5.0 Server

echinoidqueenServers

Dec 4, 2013 (3 years and 8 months ago)

106 views

This document on Securing Microsoft's IIS 5.0 Server on Windows 2000 has been created from many
sources by Thomas Jerry Scott for use in his security classes. It does not cover every potential
configuration issue for the IIS 5.0 server; instead, it concentrates only on securing your Web Server.
This short guide contains 15 tried and true steps that, if followed, will add much security to your
Microsoft IIS 5.0 Web Server. You should start with this document, and do each of the 15 steps.
The 15 Steps to Secure an IIS 5.0 Server
1.
Install Windows 2000 from the original installation media (via
CD) as a standalone server.
You can upgrade an existing Windows NT Server to a Windows
2000 Server. This is not recommended, as it results in more lax
permissions for the file system, and may bring in less secure and
different registry settings.
Whenever possible do not make your Windows 2000 Server a
member of a domain.
Certainly, do not install IIS 5.0 on a
domain controller. Having to support a domain requires lots of
work for the server, and, possibly worse, can make available
hacks through domain services.
2.
During the Install, disconnect the server from its internet
connection.
If your IIS 5.0 server is connected to the Internet while you
secure it, it may be hacked before you finish the additional steps
to secure the server.
You should connect your IIS server to the Internet only after the
all installation steps and security settings have been finished.
3.
Install the operating system on an NTFS partition.
The FAT file system offers no possibility of file system security,
so to get the kind of security you need to secure IIS, you must
run Windows 2000 Server on the NTFS 5.0 file system. You will
build your IIS 5.0 security using Access Control Lists (ACLs) for
important files and directories. An ACL is a list of "who can do
what?" for a file or folder. An ACL contains three items:
1.A User or Group Security Identifier, which is called a SID.
2.A Permission or set of access permissions for the file or
folder.
3.A set of "Allowed" or "Denied" flags for each of the
permissions the ACL specifies.
You can have your Windows 2000 Server use the NTFS 5 file
system in two ways:
¡ Install Windows 2000 server on FAT and then CONVERT it
to NTFS 5.0.
¡ Install Windows 2000 server originally on NTFS 5.0.
Installing Windows 2000 Server on an NTFS permission will
allow us to further secure critical files and directories using
Access Control Lists (ACLs). You could install Windows 2000
on a FAT partition, and then later use the "Convert" utility to
have your Windows 2000 Server using NTFS. The problem with
this approach is that the default file Access Control Lists are not
applied during the conversion process.
4.
DO NOT use the default installation paths provided by
Microsoft for the Install.
The default folders for the Windows 2000 install are
"C:\WINNT" for the Operating System,
"C:\INETPUB\WWWROOT" for the IIS 5.0 server, and
"C:\INETPUB\FTPROOT" for the ftp server.
If at all possible, install your system files to a partition other than
C: and a folder other than WINNT. Place your "INETPUB"
folder on a separate partition from your system folder.
5.
DO NOT SET a password for the administrator account during
installation, as this will be set later.
6.
Configure network cards and video adapters as needed.
Cards that are not auto-detected will need to have drivers
manually installed.
7.
Install only necessary protocols and network services.
A Web server only needs TCP/IP, so you should not install
NetBEUI and IPX/SPX on this system.
Furthermore, a WEB server does not need the Microsoft Server
Service, and the Microsoft Workstation Service. You should
remove, and not just disable, both the Server Service and the
Workstation Service from the list of services. Once the Server
service is removed, no one can see your IIS Server using the "My
Network Places" icon.
8.
Remove NETBIOS bindings on your Network Cards.
A Web Server is a TCP/IP Server. As such, it does not need, in
any way, the normal Microsoft NETBIOS capabilityh. The
standard addage to make any server more secure is to "Remove
un-necessary services." Make your installation even more secure
by removing the NETBIOS bindings from your Network card
interface. Removing NETBIOS means your server will not be
listening on ports 135 and 139, and as a result, many hacks that
use these listening ports to penetrate a Microsoft operating
system will fail.
9.
Install Service Pack 3 for Windows 2000 Server and any other
available hotfixes.
This takes advantage of many of the security upgrades that the
Service Pack and the hot-fixes have made available. Of course,
since you are modifying executable kernel images as well as
other utilities, you must reboot after the service pack install. You
may also have to reboot after a given hot-fix install. This takes
time, but good security is never easy, and it is definitely never
quickly achieved!
10.
Once the Service Pack and Hot-Fixes have been installed,
return to the work on Security the IIS 5.0 Server. The next task
here is to remove or disable all sample applications and
directories.
The Sample folders have examples of code, etc. Since they are
part of the default install, hackers know where they are, and have
exploited them. In the chart below, the "?" refers to where you
have installed the INETPUB folder.
11.
Secure the Telnet server.
Create a local TelnetClients group. Add users allowed to access
the Telnet server to this group. When this group is created, only
members of this group can access the Telnet server. If you don't
need Telnet, disable the service.
12.
Set appropriate ACLs for important IIS Files.
The following table provides the Microsoft reccomended ACLs
for important IIS files. The "X" permission in the chart means the
ability to eXecute an object or file.
Item to Be
Removed
Location of That Item
IIS Samples
?\Inetpub\iissamples
Admin Scripts
?\Inetpub\AdminScripts
IIS Documentation
%systemroot%\help\iishelp
Data Access
?\Program Files\common
files\system\msadc
Table 1: Items to Be Removed
13.
Check ftproot and mailroot ACLs.
By default the ACLs on these folders are set to Everyone (Full
Control). More restrictive settings are reccomended, but will vary
according to needs. If there is no need for these folders on the
webserver, remove them and disable the corresponding services.
14.
Set IIS log file ACLs.
The Microsoft recomended ACLs for %systemroot%\system32
\logfiles are:
Administrators (Full Control) System (Full Control) Everyone
File Type
Access Control List (ACL)
CGI Scripts
(.exe, .dll, .cmd, .pl)
Everyone Group has X Permission
Administrators have Full Control
System has Full Control
Script Files
(.asp)
Everyone Group has X Permission
Administrators Group has Full Control
System has Full Control
Include Files
(.inc, .shtm, .shtml)
Everyone Has X Permission
Administrators has Full Control
System has Full Control
Static Content Files
(.txt, .gif, .jpg, .html)
Everyone Has Read Permission (R)
Administrators have Full Control
System has Full Control
Table 2: Microsoft Recommended ACL Settings
(RWC)
15.
Remove dangerous script mappings.
If you don't use the following script types, remove their
mappings:
Most of these script mappings have been used to exploit IIS in
the past. If you must use these script mappings, ensure you are
up to date on all Service Packs and Hotfixes.
Script Type
Mapping
Web-based password reset
.htr
Internet Database Connector
.idc
Server-Side Includes
.stm .shtml .shtm
Internet Printing
.printer
Index Server
.ida .idq .hta
Table 3: Scripts to Be Removed