From Blueprint to Fortress: A Guide to Securing IIS 5.0

By John Davis, Microsoft Corporation

This document provides a blueprint for administrators and system architects to secure a Microsoft® Internet Information Server (IIS) 5.0 Web server. This document helps you lay the framework to design and implement a secure Web server on Microsoft technology. It is important that you carefully review these suggestions and use them to derive your own corporate settings and policies.


Introduction

Servers can be vulnerable to a host of attacks. As a server administrator or architect, you want to be sure you account for all areas of security when setting up Web servers. The following information serves as a checklist to help you make sure you've covered all necessary areas.

Web Server Environment

The scenarios in this document assume the Web server being secured meets these specifications.

  • Running Microsoft Windows® 2000 Server or later

  • NTFS file system

  • Running Internet Information Server 5.0 or later

  • Incorporated with Active Directory.

Specific Security Considerations

File System

Access Control Lists (ACLs) must be set on folders that are part of the operating system. In addition, there are separate settings for the files that IIS uses specifically. When you secure a Web server, a key consideration is limiting the ability to browse directories; this keeps would-be attackers from navigating to directories that give them tools to do damage. Another key item, often overlooked when securing a Web server, is never to give the Everyone group both write and execute permission on any one directory.

Two directories need extra attention because they are easily compromised without correct ACLs. The default FTP directory, c:\inetpub\ftproot, and the default SMTP directory, c:\inetpub\mailroot, both grant full control to the Everyone group by default. Change these permissions according to the functionality you need. You can do this with the Xcacls.exe command. The following example gives Everyone execute permission and gives full control to the Administrators group and the System account.

xcacls c:\inetpub\ftproot /e /c /p everyone:x administrators:f system:f /y


Test this example on a nonproduction server before implementing it on your Web servers, to verify that these are the ACLs you want to incorporate. For more information on Xcacls.exe, see the IIS online help and the Windows 2000 Resource Kit.

When setting up a Web server, you need the ability to validate what the server is doing at any given time. You can do this by enabling logging on the Web server. From a security standpoint, the log lets you determine what happened if the server is breached or rebooted. To keep attackers from tampering with this information, make sure the correct ACLs are applied to the log files so that they cannot be deleted.

To enable logging

  1. Start the Internet Information Services tool.

  2. Right-click the site in question and choose Properties.

  3. Click the Web Site tab.

  4. Choose Enable Logging.

  5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.

  6. Click Properties.

  7. Click the Extended Properties tab, and set the following properties:

    • Client IP Address

    • User Name

    • Method

    • URI Stem

    • HTTP Status

    • Win32 Status

    • User Agent

    • Server IP Address

    • Server Port
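Once the fields above are enabled, each log is a plain-text W3C Extended file whose #Fields header names the columns. The following added example (not from the article) parses such a file, summarises failed requests per client address, and lists requests for the sample virtual directories that the Removing Samples section says to delete; the log lines are constructed, and the column names are the W3C names IIS uses for the properties listed above.

```python
from collections import Counter, defaultdict

# Constructed log excerpt using the fields enabled above (IIS writes them as
# c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent));
# addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2002-03-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /default.htm 200 0 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2002-03-01 00:00:02 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 0 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2002-03-01 00:00:03 203.0.113.7 - 198.51.100.5 80 GET /iissamples/default/welcome.htm 404 2 scanner/1.0
2002-03-01 00:00:04 203.0.113.7 - 198.51.100.5 80 GET /iishelp/iis/misc/default.asp 404 2 scanner/1.0
2002-03-01 00:00:05 203.0.113.7 - 198.51.100.5 80 GET /msadc/ 403 5 scanner/1.0
2002-03-01 00:00:06 192.0.2.10 admin 198.51.100.5 80 POST /scripts/login.asp 401 5 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
"""

# Virtual directories the article says to remove; a hit on them after removal is a probe.
REMOVED_VDIRS = ("/iissamples", "/iishelp", "/msadc")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the most recent #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # layout may change mid-file
            continue
        if fields is None:
            raise ValueError("request line before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        # IIS writes '-' for an empty field, e.g. the user name of an anonymous request.
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def summarize(text):
    """Return (failures, probes): failed requests (status >= 400) per client address, and
    the URI stems each client requested under a removed sample virtual directory."""
    failures, probes = Counter(), defaultdict(list)
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        if int(rec["sc-status"]) >= 400:
            failures[ip] += 1
        stem = (rec["cs-uri-stem"] or "").lower()
        if stem.startswith(REMOVED_VDIRS):
            probes[ip].append(stem)
    return failures, dict(probes)

if __name__ == "__main__":
    failures, probes = summarize(SAMPLE_LOG)
    for ip, count in failures.most_common():
        print(f"{ip}: {count} failed request(s), probes: {probes.get(ip, [])}")
```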

The following table gives you an idea of the ACLs you should have for each file type. If you are setting up a Web site, you can make it easier to apply new ACLs by making separate directories for each file type. However, in a hosting environment, this becomes unmanageable for clients. Be sure to consider your environment as you structure how to apply ACLs.

File Type                              Access Control Lists
CGI (exe, dll, cmd, pl)                Everyone (execute); Administrators (full control); System (full control)
Script files (asp)                     Everyone (execute); Administrators (full control); System (full control)
Include files (inc, shtm, shtml)       Everyone (execute); Administrators (full control); System (full control)
Static content (txt, gif, jpg, html)   Everyone (read-only); Administrators (full control); System (full control)
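To see where one per-directory ACL from the table fits and where it does not, here is an added example (not from the article) that walks a Web root, classifies each file by the table's extensions, emits the xcacls command from the earlier example for every directory holding one class of content, and flags directories that mix static and executable content; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile

# Extensions per ACL class, copied from the file-type table above.
ACL_CLASSES = {
    "cgi": {"exe", "dll", "cmd", "pl"},
    "script": {"asp"},
    "include": {"inc", "shtm", "shtml"},
    "static": {"txt", "gif", "jpg", "html"},
}
# Right the Everyone group gets per class: execute for code, read-only for static content.
EVERYONE_PERM = {"cgi": "x", "script": "x", "include": "x", "static": "r"}

def acl_class(filename):
    """Return the ACL class of a file name, or None if its extension is not in the table."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    for cls, exts in ACL_CLASSES.items():
        if ext in exts:
            return cls
    return None

def xcacls_command(directory, everyone_right):
    """Build the xcacls line the article uses, with the Everyone right for this directory."""
    return (f'xcacls "{directory}" /e /c /p everyone:{everyone_right} '
            "administrators:f system:f /y")

def audit_webroot(root):
    """Walk a Web root; return (commands, mixed, unknown): one xcacls line per directory
    whose files all need the same Everyone right, directories that mix executable and
    static content (one ACL cannot fit both), and files with an extension not in the table."""
    commands, mixed, unknown = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        rights = set()
        for name in files:
            cls = acl_class(name)
            if cls is None:
                unknown.append(os.path.join(dirpath, name))
            else:
                rights.add(EVERYONE_PERM[cls])
        if len(rights) == 1:
            commands.append(xcacls_command(dirpath, rights.pop()))
        elif len(rights) > 1:
            mixed.append(dirpath)
    return commands, mixed, unknown

def build_sample_root():
    """Create a constructed sample Web root in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    layout = {
        "scripts": ["login.asp", "search.asp"],
        "cgi-bin": ["upload.exe", "report.pl"],
        "images": ["logo.gif", "banner.jpg"],
        "mixed": ["index.html", "admin.dll"],  # static page beside an executable
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()
    open(os.path.join(root, "notes.bak"), "w").close()  # extension not in the table
    return root

if __name__ == "__main__":
    cmds, mixed_dirs, unknown_files = audit_webroot(build_sample_root())
    print("\n".join(cmds), "\nmixed:", mixed_dirs, "\nunclassified:", unknown_files)
```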

Active Directory

Active Directory provides centralized administration along with tiered administrative support–two reasons why it is essential when designing a solution for Web hosting. Authentication and access control, both fully integrated into Active Directory, are key security features in the Windows 2000 operating system.

Policy-based administration is another benefit when looking at security in Active Directory. Group Policy stores configuration settings applied to computers or users. A Group Policy object contains all Group Policy settings and applies them to Active Directory sites, domains, or organizational units. With Group Policy objects, you can determine the applications that specific users or computers can use. Group Policy objects can also determine access to network resources, down to the user or computer. Taking the time to ensure that your group policy is correct and exactly what you want is essential to all basic security that you set up.

For information on deploying Active Directory, see: https://www.microsoft.com/windows2000/technologies/directory/AD/default.asp.

Security Configuration Manager

Security Configuration Manager is a Microsoft Management Console (MMC) snap-in that is used to set security attributes for areas such as account policies, local policies, event log, restricted groups, system services, registry and file system.

Windows 2000 Server ships with several templates, each created for a particular Windows 2000 Server role. Security Configuration Manager enables you to edit the template options. You can find download information for Security Configuration Manager at https://support.microsoft.com/default.aspx?scid=kb;en-us;245216. After you download the hisecweb template, copy it to %SYSTEMROOT%\Security\Templates.

To use Security Configuration Manager

  1. Click Start, choose Run, and type MMC in the text box.

  2. After MMC launches, expand the window and choose Add/Remove Components.

  3. Add Security Configuration and Analysis and Security Templates from the list of snap-ins.

  4. In the MMC, browse the Security Templates folder to find the hisecweb template. You can view the settings by expanding each subcategory.

  5. Make changes to the settings, as appropriate. Once you review the settings, right-click the hisecweb template in the left pane of the MMC. Choose Save As and name the template. For the purpose of this paper, call it my-hisecweb.

You have now developed a standard Web server template for your Web server deployments. The next step is to apply this template. To do this you must use the Security Configuration and Analysis MMC snap-in.

To apply your template

  1. In the MMC, right-click Security Configuration and Analysis and choose Open Database.

  2. In the open database selection window, type my-hisecweb and click OK.

  3. When prompted to select the template to import, select my-hisecweb.inf.

  4. Right-click Security Configuration and Analysis and choose Analyze Computer Now.

  5. Click OK to accept the default settings for log file locations. The security analysis of your server begins and a progress indicator appears.

  6. When the analysis completes, review the results by expanding each category. The right pane of the MMC contains columns for the database setting and the computer setting, so you can compare the baseline settings of your server with the settings you defined in the template.

  7. Next, configure your server with the template. Right-click Security Configuration and Analysis and select Configure Computer Now. Click OK to accept the default location for log file.

  8. Close MMC without saving the console settings.

  9. Finally, verify that the settings you defined are actually applied on your server. Click Start, select Run, and type gpedit.msc in the text box. This starts the Group Policy editor.

  10. In the group policy editor, you can browse the settings you have defined to confirm they have been applied.

Hot Fixes and Service Packs

You can prevent many attacks by ensuring that security patches and service packs are up-to-date. One way to accomplish this is with the Windows 2000 IIS 5.0 Hotfix Checking tool (HFCheck), which verifies that any Web server running the tool is up-to-date on all security patches. HFCheck is flexible: you don't have to connect every Web server to the Microsoft Web site for updates. If a single Web server is connected and up-to-date, your other servers can connect to that server for updates. This tool is designed specifically for IIS 5.0 and its security. You can download the HFCheck tool at https://www.microsoft.com/downloads/details.aspx?FamilyID=6c8afc1c-5008-4ac8-84e1-1632937dbd74&DisplayLang=en.

Another way to make sure that you have current security patches and service packs is Microsoft Windows Update, which is included with the operating system. This program checks that you are running all the operating system patches available for your server.

Product security notification is a third way to make sure that your service packs are up-to-date. This is a subscription-based service. The following procedure describes how to subscribe.

To subscribe to product security notification

  1. Compose an e-mail to microsoft_security-subscribe-request@announce.microsoft.com. The subject line and the message body are not used to process the subscription request; you can leave them blank.

  2. Send the e-mail.

  3. You'll receive a response that asks you to verify that you want to subscribe. Compose a reply e-mail with OK as the message body, and send the reply.

  4. You'll receive two e-mails, one confirming that you've been added to the subscriber list, and the other with information on the notification service. After subscribing, you'll receive security notifications via e-mail.

This is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products. The goal of this service is to provide accurate information that customers can use to protect themselves from malicious attacks. Microsoft's security team investigates issues reported directly to Microsoft, as well as issues discussed in certain popular security newsgroups. Bulletins contain information describing the issue, what products the issue affects, how to protect yourself, what security patches are available, and links to other information on the issue.

Microsoft digitally signs all security bulletins. To verify the signature, download the PGP key. The key's fingerprint is 5E39 0633 D6B3 9788 F776 D980 AB7A 9432.

If you have problems subscribing to the service, contact Microsoft_security-help@announce.microsoft.com.

Specific Hot Fixes

  • Unchecked buffer in ISAPI extension could enable compromise of IIS 5.0 server

  • Flaws in Web server certificate validation could enable spoofing

  • WebDAV service provider can allow scripts to levy requests as user

You can find many security patches in Windows 2000 Service Pack 2. You can download this service pack here.

Removing Samples

IIS 5.0 installs with samples that demonstrate how to set up the technology. These samples leave your server vulnerable to attack, because hackers know where they are and how to leverage them. Before putting a server into production on the Internet, you should always delete the samples. Most of these samples are restricted to https://localhost or 127.0.0.1, but they are not necessary and should be removed from production servers. The following table lists samples that you should remove from the server before going live.

Sample               Virtual Directory   Location
IIS Samples          \IISSamples         c:\inetpub\iissamples
IIS Documentation    \IISHelp            c:\winnt\help\iishelp
Data Access          \MSADC              c:\program files\common files\system\msadc

Along with these samples, you also need to consider other virtual directories that should be removed. Remove the IISADMPWD virtual directory if it is present, and do not install it unless it is absolutely necessary as a management requirement. This directory is designed to allow password resets on intranets. By default, it is not installed in IIS 5.0, but if you upgrade from IIS 4.0, you should ensure that it is not present.

Tools

URLScan Security Tool

UrlScan is a security tool that screens all incoming requests to the server by filtering them against rules set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed. UrlScan helps protect Web servers because most malicious attacks share a common characteristic: they involve a request that is unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage. To download UrlScan, see https://www.microsoft.com/technet/security/tools/urlscan.mspx.

IIS Lockdown Tool

IIS Lockdown Tool provides templates for the major IIS-dependent Microsoft products. IIS Lockdown Tool works by turning off unnecessary features, thereby reducing the attack surface available to attackers. To provide defense in depth, or multiple layers of protection against attackers, UrlScan, with customized templates for each supported server role, has been integrated into the IIS Lockdown Tool. To download the IIS Lockdown Tool, see https://www.microsoft.com/technet/security/tools/locktool.mspx.

To keep your server completely secure, however, all hotfixes must be applied before and after applying IIS Lockdown Wizard to stay protected against known security vulnerabilities.

AuditPol.exe

AuditPol.exe is a command-line tool used to modify audit policies from the command line.

Syntax:

auditpol [\\computer] [/enable | /disable] [/help | /?] [/category:type] [/category:type]

Example:

C:\>auditpol
Running ...
(X) Audit Enabled
System                     = Success and Failure
Logon                      = Success and Failure
Object Access              = No
Privilege Use              = No
Process Tracking           = No
Policy Change              = Success and Failure
Account Management         = Success and Failure
Directory Service Access   = No
Account Logon              = Success and Failure

For more information, see the Windows 2000 Server Resource Kit.

XcAcls

XcAcls is a powerful command-line tool. You can use it to set, from the command line, the file system security that Windows Explorer exposes. It also has additional functionality, such as editing ACLs in place, which is not possible through Windows Explorer.

Syntax:

xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]

For more information, see the Windows 2000 Server Resource Kit.

SecEdit

SecEdit is a command-line tool that enables you to manipulate security templates on a system. The operations that are supported by this tool are Create Template, Apply Template, and Analyze.

Syntax:

secedit /refreshpolicy {machine_policy | user_policy} [/enforce]
secedit /export [/mergedPolicy] [/DB filename] [/CFG filename] [/areas area1 area2 ...] [/log logPath] [/verbose] [/quiet]

For more information, see the Windows 2000 Server Resource Kit.

IISPerms

IISPERMS is a "What if" tool designed to assist you in troubleshooting IIS security issues. You can download this tool and information about it at https://support.microsoft.com/default.aspx?scid=kb;en-us;229694&sd=tech.

QChain.exe

QChain.exe is a command-line tool that enables you to apply multiple hot fixes without rebooting the server.

Syntax:

qchain [LogFileName]

You can download this tool at https://www.microsoft.com/downloads/results.aspx?pocId=&freetext=QChain.exe&DisplayLang=en

Registry Hardening

In securing IIS, you must modify some registry entries. Be sure to test the following entries in a lab before modifying your server registries, because many applications may not work after registry modifications. These entries are informative and must be used wisely.

SYN Flood Attack Protection

Basic attacks from the Internet include distributed denial of service (DDoS) and SYN flooding. DDoS cannot be stopped outright, but its impact on the Web server can be reduced by a registry entry. To protect against SYN flooding, edit the following registry key.

Key:        HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Value name: SynAttackProtect
Value type: REG_DWORD
Value data: change to 2
            0 = default; normal protection against SYN attacks
            1 = connection times out more quickly
            2 = additional timeouts from 1; also limits certain socket options

Disabling Internet Printing

Windows 2000 provides the ability to print from the Internet; this functionality should be disabled. Printers are attached to the server by means of a Web page; administration of these printers is also accessed from a Web page. This creates a large hole through which your server can be attacked. Many times Internet printing is disabled from the Internet Service Manager, but after you reboot or log out, the Group Policy object that enables Internet printing will restart this functionality. Make sure that it is not in your Group Policy object before deploying the server.

To disable Internet printing, edit the following registry key.

Key:        HKLM\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting
Value name: DisableWebPrinting
Value type: REG_DWORD
Value data: not set by default; change to 0x1

Restricting Anonymous Logging

With a server connected to the Internet, you should disable anonymous logging because it allows any would-be attacker to obtain information about the server, such as local account names, and also shows them who is currently logged on to the server. For more information, see "How to Use the RestrictAnonymous Registry Value in Windows 2000."

To restrict anonymous logging, edit the following registry key.

Key:        HKLM\System\CurrentControlSet\Control\LSA
Value name: RestrictAnonymous
Value type: REG_DWORD
Value data: change to 2
            0 = no restrictions; use default permissions
            1 = do not allow enumeration of SAM accounts and names
            2 = no access without explicit anonymous permissions

Removing Administrative Shares

Any server running Windows 2000 has default administrative shares that should be removed. After you change this registry entry, make sure that Group Policy does not restore the shares. The hidden shares are named after the logical drives on the server; for example, the C:\ drive is shared as C$.

To remove administrative shares, edit the following registry key.

Key:        HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Value name: AutoShareServer
Value type: REG_DWORD
Value data: default is 1; change to 0

Disabling 8.3 File Format Compatibility

Administrators usually want backward compatibility; however, one form of compatibility is not desirable. Filename compatibility for the 8.3 format is on by default; it should be turned off so that the server does not have to account for both types of filenames.

To disable 8.3 compatibility, edit the following registry key.

Key:        HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
Value name: NtfsDisable8dot3NameCreation
Value type: REG_DWORD
Value data: default is 0; change to 1

Restricting Null Session Access

Null sessions are a weakness that can be exploited through the various shares that are on the system. You should consider modifying null session access to shares on the system. You can do this by adding RestrictNullSessAccess, a registry value that toggles null session shares on or off.

To restrict null session access, add the following registry key.

Key:        HKLM\System\CurrentControlSet\Services\LanManServer\Parameters
Value name: RestrictNullSessAccess
Value type: REG_DWORD
Value data: set to 1
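The following added example (not from the article) collects the six values from this section, checks a regedit export against them and emits a .reg fragment with the recommended settings. The export is constructed; HKLM is spelled out as HKEY_LOCAL_MACHINE as regedit exports do, and DisableWebPrinting is treated as a value under the Printers key rather than as part of the key path.

```python
import re

# (key, value name, recommended DWORD) from the registry hardening section above. regedit
# exports spell HKLM out as HKEY_LOCAL_MACHINE, and the article writes the Internet printing
# value name at the end of its key path; both are normalised here.
HARDENING = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "SynAttackProtect", 2),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers", "DisableWebPrinting", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 2),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem", "NtfsDisable8dot3NameCreation", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "RestrictNullSessAccess", 1),
]

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')

def parse_reg_export(text):
    """Return {(key, value name): int} for every dword in a .reg export (REGEDIT4 or 5.00
    format). Key and value names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        dword = _DWORD.match(line)
        if dword and key is not None:
            values[(key, dword.group(1).lower())] = int(dword.group(2), 16)
    return values

def check_export(text):
    """Compare an export against HARDENING; return (value name, 'ok' | 'missing' | 'is X, want Y')."""
    found = parse_reg_export(text)
    report = []
    for key, name, want in HARDENING:
        actual = found.get((key.lower(), name.lower()))
        if actual is None:
            report.append((name, "missing"))  # absent means the default applies
        elif actual != want:
            report.append((name, f"is {actual}, want {want}"))
        else:
            report.append((name, "ok"))
    return report

def hardening_reg():
    """Render the recommended values as a .reg fragment that regedit can import."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, want in HARDENING:
        lines += [f"[{key}]", f'"{name}"=dword:{want:08x}', ""]
    return "\n".join(lines)

# Constructed export: one value correct, one at an insecure setting, the rest absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""

if __name__ == "__main__":
    for name, status in check_export(SAMPLE_EXPORT):
        print(f"{name:30} {status}")
```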

References


Microsoft Windows 2000 Walkthroughs

The complete list of walkthroughs is located at https://www.microsoft.com/windows2000/techinfo/planning/default.asp.
