
Chapter 9: The Web Server Role

Published: December 31, 2003   |   Updated: April 26, 2006

Overview

This chapter provides guidance that will help you harden the Web servers in your environment that run Microsoft® Windows Server™ 2003 with SP1. To provide comprehensive security for Web servers and applications within your organization's intranet, Microsoft recommends that you protect each Microsoft Internet Information Services (IIS) server as well as each Web site and application that run on these servers from client computers that can connect to them. You should also protect these Web sites and applications from the Web sites and applications that run on the other IIS servers within your organization’s intranet.

To help protect against malicious users and attackers, the default configuration for members of the Windows Server 2003 family does not install IIS. When it is installed, IIS is configured in a highly secure, "locked" mode. For example, in its default state IIS will only serve static content. Because they could be exploited by potential intruders, features such as Active Server Pages (ASP), ASP.NET, Server Side Includes (SSI), Web Distributed Authoring and Versioning (WebDAV) publishing, and Microsoft FrontPage® Server Extensions will not work until an administrator enables them. These features and services can be enabled through the Web Service Extensions node in Internet Information Services Manager (IIS Manager). IIS Manager has a graphical user interface (GUI) that is designed to facilitate administration of IIS. It includes resources for file management, directory management, and configuration of application pools, as well as security, performance, and reliability features.

You should consider implementation of the settings that are described in the following sections of this chapter to enhance the security of IIS Web servers that host HTML content within your organization’s intranet. To help secure your servers, you should also implement security monitoring, detection, and response procedures to watch for new threats.

Most of the settings in this chapter are configured and applied through Group Policy. An incremental GPO that complements the MSBP is linked to the appropriate OUs and provides additional security for the Web servers. To improve the usability of this chapter, only those policy settings that vary from the MSBP are discussed.

Where possible, these settings are gathered in an incremental Group Policy template that will be applied to the Web Servers OU. Some of the settings in this chapter cannot be applied through Group Policy. Detailed information about how to configure these settings manually is provided.

The following table shows the names of the Web server security templates for the three environments that are defined in this guide. These Web server security templates provide the policy settings for the incremental Web Server template. You can use this template to create a new GPO that is linked to the Web Servers OU in the appropriate environment. Chapter 2, "Windows Server 2003 Hardening Mechanisms," provides step-by-step instructions to help you create the OUs and Group Policies and then import the appropriate security template into each GPO.

Table 9.1 IIS Server Security Templates

| Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
| --- | --- | --- |
| LC-Web Server.inf | EC-Web Server.inf | SSLF-Web Server.inf |

For information about all default setting configurations, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.

This guide illustrates how to secure IIS with minimal features installed and enabled. If you plan to use additional features in IIS, you may need to adjust some of the security settings. If you install additional services such as SMTP, FTP, or NNTP, you will need to adjust the provided templates and policies.

The online article "IIS and Built-in Accounts (IIS 6.0)" at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx explains the accounts that different features of IIS use and the privileges that are required by each. To implement more secure settings on Web servers that host complex applications, you may find it useful to review the complete IIS 6.0 Documentation at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/848968f3-baa0-46f9-b1e6-ef81dd09b015.mspx.

Anonymous Access and the SSLF Settings

Four of the user rights that are explicitly defined in the SSLF scenario in the MSBP are designed to break anonymous access to IIS Web sites. However, if you need to allow anonymous access in an SSLF environment you will need to make some important changes to the OU structure and GPOs that are described in Chapters 2, 3, and 4 of this guide. You will need to create a new OU that is not part of the hierarchy below the Member Servers OU. This OU could be linked directly to the domain root, or it could be a child OU of some other OU hierarchy. However, you should not assign user rights in a GPO that will affect the IIS servers that will be placed in this new OU. You can move the IIS servers to the new OU, create a new GPO, apply the MSBP settings to it, and then reconfigure user rights assignments so that they can be controlled by local policy rather than the domain–based GPO. In other words, you should configure the following user rights settings to Not defined in this new GPO.

  • Access this computer from the network
  • Allow log on locally
  • Bypass traverse checking
  • Log on as a batch job

The IIS features that you need to enable will determine whether you will need to also reconfigure other user rights assignment settings to Not defined.

Audit Policy Settings

The Audit policy settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security audit information is logged on all IIS servers.

User Rights Assignments

The user rights assignment settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security audit information is logged on all IIS servers.

Security Options

The security option settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security options are uniformly configured on all IIS servers.

Event Log Settings

The event log settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that the appropriate event log settings are uniformly configured on all IIS servers in an organization.

Additional Security Settings

When IIS is installed on a computer that runs Windows Server 2003 with SP1, its default setting only allows transmission of static Web content. When Web sites and applications contain dynamic content or require one or more additional IIS components, each additional IIS feature must be individually enabled. However, you should be careful to minimize the attack surface of each IIS server in your environment. If the Web sites in your organization are comprised of static content and do not require any other IIS components, then the default IIS configuration is sufficient to minimize the attack surface of the IIS servers.

The security settings that are applied through the MSBP provide a great deal of enhanced security for IIS servers. However, there are a few additional settings that you should consider. The settings in the following sections cannot be implemented through Group Policy and must therefore be performed manually on all IIS servers.

Installing Only Necessary IIS Components

IIS 6.0 includes other components and services in addition to the World Wide Web Publishing Service, such as the services that are required to provide FTP, NNTP, and SMTP support. IIS components and services are installed and enabled through the Application Server entry in the Windows Components Wizard, which can be launched through Add or Remove Programs in Control Panel. After you install IIS, you will need to enable all IIS components and services that are required by your Web sites and applications.

To install Internet Information Services (IIS) 6.0

  1. In Control Panel, double-click Add or Remove Programs.
  2. Click the Add/Remove Windows Components button to start the Windows Components Wizard.
  3. In the Components list, click Application Server, and then Details.
  4. In the Application Server dialog box, under Subcomponents of Application Server, click Internet Information Services (IIS), and then Details.
  5. In the Internet Information Services (IIS) dialog box, in the Subcomponents of Internet Information Services (IIS) list, do either of the following:
    • To add optional components, select the check box next to the component that you want to install.
    • To remove optional components, clear the check box next to the component that you want to remove.
  6. Click OK until you return to the Windows Component Wizard.
  7. Click Next, and then Finish.

You should only enable essential IIS components and services that are required by Web sites and applications. If you enable unnecessary components and services, the attack surface of an IIS server increases. The following illustrations and tables show the location and suggested settings for IIS components.

The subcomponents in the Application Server dialog box are shown in the following figure:

Figure 9.1 Application Server dialog box with list of subcomponents

The following table briefly describes the Application Server subcomponents and provides recommendations for when to enable them.

Table 9.2 Recommended Application Server Subcomponents Settings

| Component name in UI | Setting | Setting logic |
| --- | --- | --- |
| Application Server Console | Disabled | Provides a Microsoft Management Console (MMC) snap-in that you can use to administer all the Web Application Server components. This component is not required on a dedicated IIS server because IIS Server Manager can be used. |
| ASP.NET | Disabled | Provides support for ASP.NET applications. Enable this component when an IIS server runs ASP.NET applications. |
| Enable network COM+ access | Enabled | Allows an IIS server to host COM+ components for distributed applications. Required for FTP, BITS server extension, World Wide Web Service, and IIS Manager among others. |
| Enable network DTC access | Disabled | Allows an IIS server to host applications that participate in network transactions through Distributed Transaction Coordinator (DTC). Disable this component unless the applications that run on the IIS server require it. |
| Internet Information Services (IIS) | Enabled | Provides basic Web and FTP services. This component is required for dedicated IIS servers. Note: If this component is not enabled, then all subcomponents are disabled. |
| Message Queuing | Disabled | Microsoft Message Queuing (MSMQ) provides a message routing, storage, and forwarding middleware layer for enterprise Web applications. |

The subcomponents in the Internet Information Services (IIS) dialog box are shown in the following figure:

Figure 9.2 IIS dialog box with list of subcomponents

The following table briefly describes the IIS subcomponents and provides recommendations for when to enable them.

Table 9.3 Recommended IIS Subcomponents Settings

| Component name in UI | Setting | Setting logic |
| --- | --- | --- |
| Background Intelligent Transfer Service (BITS) server extension | Disabled | The BITS server extension allows BITS on the clients to upload files to this server in the background. If you have an application on the clients that uses BITS to upload files to this server, then enable and configure the BITS server extension; otherwise, leave it disabled. Note that Windows Update, Microsoft Update, SUS, WSUS, and Automatic Updates do not require this component to run. They require the BITS client component, which is not part of IIS. |
| Common Files | Enabled | IIS requires these files and they must always be enabled on IIS servers. |
| File Transfer Protocol (FTP) Service | Disabled | Allows IIS servers to provide FTP services. This service is not required for dedicated IIS servers. |
| FrontPage 2002 Server Extensions | Disabled | Provides FrontPage support to administer and publish Web sites. Disable on dedicated IIS servers when no Web sites use FrontPage extensions. |
| Internet Information Services Manager | Enabled | Administrative interface for IIS. |
| Internet Printing | Disabled | Provides Web-based printer management and allows printers to be shared over HTTP. This component is not required on dedicated IIS servers. |
| NNTP Service | Disabled | Distributes, queries, retrieves, and posts Usenet news articles on the Internet. This component is not required on dedicated IIS servers. |
| SMTP Service | Disabled | Supports the transfer of electronic mail. This component is not required on dedicated IIS servers. |
| World Wide Web Service | Enabled | Provides Web services, static, and dynamic content to clients. This component is required on dedicated IIS servers. |

The subcomponents in the Message Queuing dialog box are shown in the following figure:

Figure 9.3 Message Queuing dialog box with list of subcomponents

The following table briefly describes the Message Queuing subcomponents and provides recommendations for when to enable them.

Table 9.4 Recommended Message Queuing Subcomponents Settings

| Component name in UI | Installation option | Setting logic |
| --- | --- | --- |
| Active Directory Integration | Disabled | Provides integration with the Active Directory® directory service whenever an IIS server belongs to a domain. This component is required when Web sites and applications that run on IIS servers use Microsoft Message Queuing (MSMQ). |
| Common | Disabled | This component is required when Web sites and applications that run on IIS servers use MSMQ. |
| Downlevel Client Support | Disabled | Provides access to Active Directory and site recognition for downstream clients. This component is required when an IIS server's Web sites and applications use MSMQ. |
| MSMQ HTTP Support | Disabled | Provides the ability to send and receive messages over the HTTP transport. This component is required when an IIS server's Web sites and applications use MSMQ. |
| Routing support | Disabled | Provides store-and-forward messaging as well as efficient routing services for MSMQ. This component is required when Web sites and applications that run on IIS servers use MSMQ. |
| Triggers | Disabled | Associates the arrival of incoming messages at a queue with functionality in a COM component or a stand-alone executable program. |

The subcomponents in the Background Intelligent Transfer Service (BITS) Server Extensions dialog box are shown in the following figure:

Figure 9.4 BITS Server Extensions with list of subcomponents

The following table briefly describes the BITS Server Extensions subcomponents and provides recommendations for when to enable them.

Table 9.5 Recommended BITS Server Extensions Subcomponents Settings

| Component name in UI | Installation option | Setting logic |
| --- | --- | --- |
| BITS management console snap-in | Disabled | Installs an MMC snap-in to administer BITS. Enable this component when the BITS server extension for Internet Server Application Programming Interface (ISAPI) is enabled. |
| BITS server extension ISAPI | Disabled | Installs the BITS ISAPI so that an IIS server can transfer data using BITS. BITS Server Extensions allow BITS on the clients to upload files to this server in the background. If you have an application on the clients that uses BITS to upload files to this server, then enable and configure the BITS server extension; otherwise leave it disabled. Note that Windows Update, Microsoft Update, SUS, WSUS, and Automatic Updates do not require this component to run. They require the BITS client component, which is not part of IIS. |

The subcomponents in the World Wide Web Service dialog box are shown in the following figure:

Figure 9.5 World Wide Web Service dialog box with list of subcomponents

The following table briefly describes the World Wide Web Service subcomponents and provides recommendations for when to enable them.

Table 9.6 Recommended World Wide Web Service Subcomponent Settings

| Component name in UI | Installation option | Setting logic |
| --- | --- | --- |
| Active Server Pages | Disabled | Provides support for ASP. Disable this component when no Web sites or applications on IIS servers use ASP, or disable it by using the Web service extensions. For more information, see the following “Enabling Only Essential Web Service Extensions” section in this chapter. |
| Internet Data Connector | Disabled | Provides support for dynamic content that is provided through files with .idc extensions. Disable this component when no Web sites or applications that run on IIS servers include files with .idc extensions, or disable it by using the Web service extensions. For more information, see the following “Enabling Only Essential Web Service Extensions” section in this chapter. |
| Remote Administration (HTML) | Disabled | Provides an HTML interface to administer IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of an IIS server. This feature is not required on dedicated IIS servers. |
| Remote Desktop Web Connection | Disabled | Includes Microsoft ActiveX® control and sample pages to host Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of an IIS server. Not required on a dedicated IIS server. |
| Server-Side Includes | Disabled | Provides support for .shtm, .shtml, and .stm files. Disable this component when no Web sites or applications that run on IIS servers use include files with these extensions. |
| WebDAV | Disabled | WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Disable this component on dedicated IIS servers or disable it by using the Web service extensions. For more information, see the following “Enabling Only Essential Web Service Extensions” section in this chapter. |
| World Wide Web Service | Enabled | Provides Web services, static, and dynamic content to clients. This component is required on dedicated IIS servers. |

Enabling Only Essential Web Service Extensions

Many Web sites and applications that run on IIS servers have extended functionality that goes beyond static pages, including the ability to generate dynamic content. Any dynamic content that is served or extended through features that are provided by an IIS server is accomplished through Web service extensions.

Enhanced security features in IIS 6.0 allow individual Web service extensions to be enabled or disabled. As stated earlier, IIS servers will transmit only static content after a new installation. Dynamic content capabilities can be enabled through the Web Service Extensions node in IIS Manager. These extensions include ASP.NET, SSI, WebDAV, and FrontPage Server extensions.

One way to ensure the highest possible compatibility with existing applications is to enable all Web service extensions, but this method also creates a security risk because it increases the attack surface of IIS. You should only enable those Web service extensions that are required by the Web sites and applications that run on IIS servers in your environment. This approach will minimize server functionality and reduce the attack surface of each IIS server.

To reduce the attack surface of IIS servers as much as possible, only necessary Web service extensions are enabled on IIS servers in the three environments that are defined in this guide.

The following table lists predefined Web service extensions, and provides details on when to enable each extension.

Table 9.7 Enabling Web Service Extensions

| Web service extension | Enable extension when |
| --- | --- |
| Active Server Pages | One or more Web sites and applications that run on IIS servers contain ASP content. |
| ASP.NET v1.1.4322 | One or more Web sites and applications that run on IIS servers contain ASP.NET content. |
| All Unknown CGI Extensions | One or more Web sites and applications that run on IIS servers contain unknown CGI extension content. |
| All Unknown ISAPI Extensions | One or more Web sites and applications that run on IIS servers contain unknown ISAPI extension content. |
| FrontPage Server Extensions 2002 | One or more Web sites that run on IIS servers use FrontPage Extensions. |
| Internet Data Connector (IDC) | One or more Web sites and applications that run on IIS servers use IDC to display database information (this content includes .idc and .idx files). |
| Server Side Includes (SSI) | One or more Web sites that run on IIS servers use SSI directives to instruct IIS servers to insert reusable content (for example, a navigation bar, a page header or footer) into different Web pages. |
| Web Distributed Authoring and Versioning (WebDAV) | WebDAV support is required on IIS servers for clients to transparently publish and manage Web resources. |

Placing Content on a Dedicated Disk Volume

IIS stores files for its default Web site in the <systemroot>\inetpub\wwwroot folder (where <systemroot> is the drive on which the Windows Server 2003 operating system is installed).

In the three environments that are defined in this guide, all files and folders that make up Web sites and applications are placed on dedicated disk volumes that are separate from the operating system. This approach helps prevent directory traversal attacks in which an attacker sends requests for a file that is located outside the directory structure of an IIS server.

For example, the Cmd.exe file exists in the <systemroot>\System32 folder. An attacker could make a request to the following location:

..\..\Windows\system\cmd.exe

in an attempt to invoke the command prompt.

If the Web site content is on a separate disk volume, a directory traversal attack of this type would not work for two reasons. First, permissions on the Cmd.exe file have been reset as part of the base build of Windows Server 2003 with SP1, which restricts access to a much more limited group of users. Second, the Cmd.exe file would not exist on the same disk volume as the Web root, and there are currently no known methods to access commands on a different drive with this type of attack.

In addition to the security-related benefits, administration tasks such as backup and restore are easier when Web site and application files and folders are placed on a dedicated disk volume. Also, use of a separate, dedicated physical drive can help reduce disk contention on the system volume and improve overall disk access performance.
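The following Python check is an added example (not part of this guide and not IIS code) that makes the reasoning above concrete: it resolves a requested URL path against a Web root on a dedicated volume and rejects any request that escapes the root or lands on a different drive. The drive letters and paths are constructed for the example; ntpath is used so Windows path rules apply whatever host runs it.

```python
import ntpath
from urllib.parse import unquote

# Constructed example: content on a dedicated volume (D:), separate from the
# system volume (C:), as the guide recommends.
WEB_ROOT = r"D:\inetpub\wwwroot"


def resolve_request(web_root, requested):
    """Map a requested URL path onto the content volume.

    Returns the resolved Windows path, or None when the request would leave
    the Web root or land on a different drive (for example, the system volume).
    """
    # Decode percent-encoding once, as the server would, then normalize
    # separators so ".." sequences written with "/" or "\" are treated alike.
    rel = unquote(requested).replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(web_root)
    # ntpath.join discards `root` when `rel` carries its own drive letter,
    # which is exactly the case the drive check below must catch.
    candidate = ntpath.normpath(ntpath.join(root, rel))

    # Second reason from the text: content and system tools live on
    # different volumes, so a resolved path on another drive is refused.
    if ntpath.splitdrive(candidate)[0].lower() != ntpath.splitdrive(root)[0].lower():
        return None

    # Containment: the resolved path must be the root itself or lie below it.
    # The trailing separator prevents "D:\inetpub\wwwroot2" from matching.
    root_prefix = root.lower().rstrip("\\") + "\\"
    if candidate.lower() != root.lower() and not candidate.lower().startswith(root_prefix):
        return None
    return candidate


def classify(web_root, requested):
    """Return 'allowed' or 'rejected' for a request, for reporting."""
    return "allowed" if resolve_request(web_root, requested) is not None else "rejected"


if __name__ == "__main__":
    for req in ("/index.htm", r"..\..\Windows\system\cmd.exe", "/%2e%2e/%2e%2e/Windows/system/cmd.exe"):
        print(f"{req!r}: {classify(WEB_ROOT, req)}")
```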

Setting NTFS Permissions

Computers that run Windows Server 2003 with SP1 examine NTFS file system permissions to determine the types of access a user or a process has on a specific file or folder. You should assign NTFS permissions to allow or deny access to specific users for Web sites on IIS servers in the three environments that are defined in this guide.

NTFS permissions affect only the accounts that have been allowed or denied access to the Web site and application content. You should use NTFS permissions in conjunction with Web permissions, not instead of Web permissions. Web site permissions affect all users who access the Web site or application. If Web permissions conflict with NTFS permissions for a directory or file, the more restrictive settings are applied.

You should explicitly deny access to anonymous accounts on Web sites and applications for which anonymous access is not desired. Anonymous access occurs when a user who has no authenticated credentials accesses network resources. Anonymous accounts include the built-in Guest account, the Guests group, and IIS Anonymous accounts. Also, eliminate any write-access permissions to all users except those who are IIS administrators.

The following table provides some recommendations about the NTFS permissions that should be applied to the different file types on an IIS server. The different file types can be grouped in separate folders to simplify the application of NTFS permissions.

Table 9.8 Recommended NTFS Permissions Settings

| File type | Recommended NTFS permissions |
| --- | --- |
| CGI files (.exe, .dll, .cmd, .pl) | Everyone (execute); Administrators (full control); System (full control) |
| Script files (.asp) | Everyone (execute); Administrators (full control); System (full control) |
| Include files (.inc, .shtm, .shtml) | Everyone (execute); Administrators (full control); System (full control) |
| Static content (.txt, .gif, .jpg, .htm, .html) | Everyone (read-only); Administrators (full control); System (full control) |

Setting IIS Web Site Permissions

IIS examines Web site permissions to determine the types of action that can occur within a Web site, such as script source access or directory browsing. You should assign Web site permissions to provide additional security for Web sites on IIS servers in the three environments that are defined in this guide.

Web site permissions can be used in conjunction with NTFS permissions, and can be configured for specific sites, directories, and files. Unlike NTFS permissions, Web site permissions affect everyone who tries to access a Web site that runs on an IIS server. Web site permissions can be applied with the MMC IIS Manager snap-in.

The following table lists the Web site permissions that are supported by IIS 6.0, and provides brief explanations of when to assign any given permission to a Web site.

Table 9.9 IIS 6.0 Web Site Permissions

| Web site permission | Permission granted |
| --- | --- |
| Read | Users can view the content and properties of directories or files. This permission is selected by default. |
| Write | Users can change content and properties of directories or files. |
| Script Source Access | Users can access source files. If Read is enabled, then the source can be read; if Write is enabled, then the script source code can be changed. Script Source Access includes the source code for scripts. If neither Read nor Write is enabled, this option is not available. Important: When Script Source Access is enabled, users may be able to view sensitive information, such as a user name and password. They may also be able to change source code that runs on an IIS server and seriously affect the server's security and performance. |
| Directory browsing | Users can view file lists and collections. |
| Log visits | A log entry is created for each visit to the Web site. |
| Index this resource | Allows the Indexing Service to index resources, which allows searches to be performed on resources. |
| Execute | The following options determine the level of script execution for users: None (does not allow scripts or executables to run on the server); Scripts only (allows only scripts to run on the server); Scripts and Executables (allows both scripts and executables to run on the server). |

Configuring IIS Logging

Microsoft recommends that IIS logging be enabled on IIS servers in the three environments that are defined in this guide.

Separate logs can be created for each Web site or application. IIS logs more information than the event logs and performance monitoring features that are provided by the Windows operating system. The IIS logs can include information such as who has visited a site, what the visitor viewed, and when the information was last viewed. IIS logs can be used to assess content popularity, identify information bottlenecks, or as resources to help investigate attacks.

The MMC IIS Manager snap-in can be used to configure the log file format, the log schedule, and the exact information to be logged. To limit the size of the logs, you should use a careful planning process to determine which fields to log.

When IIS logging is enabled, IIS uses the W3C Extended Log File Format to create daily activity logs in the directory that is specified for the Web site in IIS Manager. To improve server performance, you should store logs on a non-system striped or striped/mirrored disk volume.

Logs can also be written to a remote share over a network by using a full, Universal Naming Convention (UNC) path. Remote logging allows administrators to set up centralized log file storage and backup. However, server performance could be negatively affected when log files are written over the network.

IIS logging can be configured to use several other ASCII or Open Database Connectivity (ODBC) log file formats. ODBC logs can store activity information in a SQL database. However, note that when ODBC logging is enabled, IIS disables the kernel-mode cache, which can degrade overall server performance.

IIS servers that host hundreds of sites can enable centralized binary logging to improve logging performance. Centralized binary logging enables all Web sites on an IIS server to write activity information to a single log file. This method can greatly increase the manageability and scalability of the IIS logging process because it reduces the number of logs that need to be individually stored and analyzed. For more information about centralized binary logging, see the IIS Centralized Binary Logging (IIS6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/13a4c0b5-686b-4766-8729-a3402da835f1.mspx.

When IIS logs are stored on IIS servers, only server administrators have permission to access them by default. If a log file directory or file owner is not in the Local Administrators group, the HTTP.sys file (the kernel-mode driver in IIS 6.0) publishes an error to the NT event log. This error indicates that the owner of the directory or file is not in the Local Administrators group, and that logging has been suspended for that site until the owner is added to the Local Administrators group, or the existing directory or log file is deleted.
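As an added example of using these logs to investigate attacks (this code is not part of the guide or of IIS), the following Python script parses W3C Extended Log File Format text and flags requests that this chapter's recommendations make noteworthy on a static-content server: directory traversal sequences, requests for extensions the guide leaves disabled, WebDAV methods, and responses IIS 6.0 logs as 404 with substatus 2 when a Web service extension lockdown blocks a request. The log lines are constructed for the example and use the IIS 6.0 default field list; the addresses are documentation ranges.

```python
import posixpath
from urllib.parse import unquote

# Extensions that Tables 9.6 and 9.7 recommend leaving disabled on a server
# that serves only static content; a request for one deserves a second look.
DISABLED_EXTENSIONS = {".idc", ".idx", ".shtm", ".shtml", ".stm"}
# Methods added by WebDAV, which the guide disables on dedicated IIS servers.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_w3c_log(text):
    """Parse W3C Extended Log File Format text into a list of dicts.

    Lines starting with '#' are directives; '#Fields:' names the columns that
    every following data line uses. Values are space-separated, and an empty
    value is written as '-'.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def suspicious_requests(records):
    """Return a list of (client IP, method, raw URI stem, reasons) for
    records that match one of the detection rules above."""
    findings = []
    for rec in records:
        raw_stem = rec.get("cs-uri-stem", "-")
        # Decode twice so double-encoded sequences such as %255c are also
        # seen; this is a detection heuristic, not how IIS decodes requests.
        stem = unquote(unquote(raw_stem)).replace("\\", "/")
        method = rec.get("cs-method", "-").upper()
        reasons = []
        if ".." in stem.split("/"):
            reasons.append("directory traversal sequence")
        ext = posixpath.splitext(stem)[1].lower()
        if ext in DISABLED_EXTENSIONS:
            reasons.append(f"request for disabled extension {ext}")
        if method in WEBDAV_METHODS:
            reasons.append(f"WebDAV method {method}")
        # IIS 6.0 logs 404.2 when the Web service extension lockdown policy
        # refuses a request, so these entries show probing of disabled features.
        if rec.get("sc-status") == "404" and rec.get("sc-substatus") == "2":
            reasons.append("blocked by Web service extension lockdown (404.2)")
        if reasons:
            findings.append((rec.get("c-ip", "-"), method, raw_stem, reasons))
    return findings


# Constructed sample log; the entries are not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-04-26 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-04-26 00:00:01 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2006-04-26 00:00:02 192.0.2.10 GET /..%5c..%5cWindows%5csystem%5ccmd.exe - 80 - 198.51.100.23 Mozilla/4.0 404 0 2
2006-04-26 00:00:03 192.0.2.10 GET /reports/sales.idc - 80 - 198.51.100.23 Mozilla/4.0 404 2 0
2006-04-26 00:00:04 192.0.2.10 PROPFIND /docs/ - 80 - 198.51.100.40 Microsoft-WebDAV-MiniRedir/5.1.2600 405 0 0
2006-04-26 00:00:05 192.0.2.10 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def analyze(text=SAMPLE_LOG):
    """Parse the log text and return the flagged requests."""
    return suspicious_requests(parse_w3c_log(text))


if __name__ == "__main__":
    for ip, method, stem, reasons in analyze():
        print(f"{ip} {method} {stem}: {'; '.join(reasons)}")
```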

Manually Adding Unique Security Groups to User Rights Assignments

Most user rights assignments that are applied through the MSBP have the proper security groups specified in the security templates that accompany this guide. However, there are a few accounts and security groups that cannot be included in the templates because their security identifiers (SIDs) are specific to individual Windows 2003 domains. User rights assignments that must be configured manually are specified in the following table.

Warning: The following table contains values for the built-in Administrator account. Do not confuse the Administrator account with the built-in Administrators security group. If you add the Administrators security group to any of the listed deny access user rights, you will need to log on locally to correct the mistake. Also, you may have renamed the built-in Administrator account in accordance with the recommendation in Chapter 4, "The Member Server Baseline Policy." When you add the Administrator account to any user rights, ensure that the renamed account is specified.

Table 9.10 Manually Added User Rights Assignments

| Member server default | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
| --- | --- | --- | --- |
| Deny access to this computer from the network | Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts |

Important: “All non-operating system service accounts” includes service accounts that are used for specific applications across an enterprise, but does NOT include LOCAL SYSTEM, LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses).

Securing Well-Known Accounts

Windows Server 2003 has a number of built-in user accounts that cannot be deleted but can be renamed. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator.

By default, the Guest account is disabled on member servers and domain controllers. This configuration should not be changed. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. Therefore, you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account.

The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. A SID is the value that uniquely identifies each user, group, computer account, and logon session on a network. It is not possible to change the SID of this built-in account. However, your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name.

To secure well known accounts on IIS servers

  • Rename the Administrator and Guest accounts, and change their passwords to long and complex values on every domain and server.
  • Use different names and passwords on each server. If the same account names and passwords are used on all domains and servers, an attacker who gains access to one member server will be able to gain access to all others.
  • Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts.
  • Record any changes you make in a secure location.

Note: You can rename the built-in administrator account through Group Policy. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in the three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
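Because the built-in Administrator keeps its SID after it is renamed, both the well-known account checks in this section and the deny right in Table 9.10 can be driven from the RID instead of the name. The script below is an added example, not part of the guide; it assumes it runs locally on the IIS server and that $serviceAccounts is filled with your own non-operating-system service accounts (shown as a constructed placeholder).

```powershell
# Added example (not from the guide): audit the well-known local accounts by RID
# and build the [Privilege Rights] line for "Deny access to this computer from
# the network" as a security template (INF) expects it, as *SID values.
# Assumption: run on the server itself; Win32_UserAccount exposes the SID, which
# survives a rename, so the built-in Administrator is found even after renaming.
$local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True"

function Get-AccountByRid {
    param([int]$Rid)
    $local | Where-Object { $_.SID -like "*-$Rid" }
}

$admin   = Get-AccountByRid -Rid 500      # built-in Administrator, whatever its current name
$guest   = Get-AccountByRid -Rid 501      # built-in Guest
$support = $local | Where-Object { $_.Name -eq 'SUPPORT_388945a0' }

# Report the state this section asks for: Administrator renamed with a
# non-default description, Guest left disabled.
$findings = @()
if ($admin.Name -eq 'Administrator') { $findings += 'Built-in Administrator still has its default name' }
if ($admin.Description -like 'Built-in account for administering*') {
    $findings += 'Built-in Administrator still has its default description'
}
if (-not $guest.Disabled) { $findings += 'Guest account is enabled' }
if ($findings.Count -eq 0) { 'Well-known accounts: OK' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Build the deny-right line. Templates reference accounts as *SID, so the
# renamed Administrator is included correctly regardless of its name.
$serviceAccounts = @()                    # constructed placeholder, e.g. 'CONTOSO\svc-backup'
$sids = @($admin.SID, $guest.SID)
if ($support) { $sids += $support.SID }
foreach ($acct in $serviceAccounts) {
    $nt = New-Object System.Security.Principal.NTAccount($acct)
    $sids += $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$line = 'SeDenyNetworkLogonRight = ' + (($sids | ForEach-Object { "*$_" }) -join ',')
$line   # paste into the [Privilege Rights] section of the template applied with secedit
```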

Securing Service Accounts

Never configure a service to run under the security context of a domain account unless it is unavoidable. If the server is physically compromised, domain account passwords could be easily obtained by dumping LSA secrets. For more information about how to secure service accounts, see The Services and Service Accounts Security Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41311.

Creating the Policy Using SCW

To deploy the necessary security settings, you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy.

When you create your own policy, be sure to skip the "Registry Settings" and "Audit Policy" sections. These settings are provided by the security templates for your chosen environment. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW.

You should use a new installation of the operating system to begin your configuration work, which helps ensure that there are no legacy settings or software from previous configurations. If possible, you should use hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. The new installation is called a reference computer.

To create the IIS server policy

  1. Create a new installation of Windows Server 2003 with SP1 on a new reference computer.
  2. Install the Security Configuration Wizard component on the computer through Control Panel, Add/Remove Programs, Add/Remove Windows Components.
  3. Join the computer to the domain, which will apply all security settings from parent OUs.
  4. Install and configure only the mandatory applications that will be on every server that shares this role. Examples include role-specific services, software and management agents, tape backup agents, and antivirus or antispyware utilities.
  5. Launch the SCW GUI, select Create new policy, and point it to the reference computer.
  6. Ensure that the detected server roles are appropriate for your environment—for example the Application server and Web server roles.
  7. Ensure that the detected client features are appropriate for your environment.
  8. Ensure that the detected administrative options are appropriate for your environment.
  9. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
  10. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
  11. Ensure the Skip this section checkbox is unchecked in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
  12. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
  13. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
  14. Include the appropriate security template (for example, EC-IIS Server.inf).
  15. Save the policy with an appropriate name (for example, IIS Server.xml).

Note: The MSBP disables several other IIS-related services, including FTP, SMTP, and NNTP. The Web Server policy must be modified if any of these services are to be enabled on IIS servers in any of the three environments that are defined in this guide.

Test the Policy Using SCW

After you create and save the policy, Microsoft strongly recommends that you deploy it to your test environment. Ideally, your test servers will have the same hardware and software configuration as your production servers. This approach will allow you to find and fix potential problems, such as the presence of unexpected services that are required by specific hardware devices.

Two options are available to test the policy. You can use the native SCW deployment facilities, or deploy the policies through a GPO.

When you start to author your policies, you should consider using the native SCW deployment facilities. You can use SCW to push a policy to a single server at a time, or use Scwcmd to push the policy to a group of servers. The native deployment method allows you to easily roll back deployed policies from within SCW. This capability can be very useful when you make multiple changes to your policies during the test process.

The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. After you apply the configuration changes, you should begin to verify the core functionality of the computer. For example, if the server is configured as a certification authority (CA), ensure that clients can request and obtain certificates, download a certificate revocation list, and so on.
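The push, verify and roll back cycle described above can be scripted around scwcmd. The following is an added example, not part of the guide; the server names and report directory are placeholders, Test-CoreFunction is a hypothetical role check you would replace with your own, and the scwcmd subcommands used (configure, analyze, rollback) are the native SCW deployment facilities this section refers to.

```powershell
# Added example (not from the guide): apply a saved SCW policy to test servers,
# compare each server against the policy afterwards, run a functional check, and
# roll the policy back wherever either check fails.
# Assumptions: placeholder server names and report path; the policy file name
# matches the one saved in the "To create the IIS server policy" procedure.
$Policy    = 'C:\Windows\Security\msscw\Policies\IIS Server.xml'
$Servers   = @('TEST-IIS01', 'TEST-IIS02')    # constructed placeholder names
$ReportDir = 'C:\scw-reports'                 # constructed placeholder path

function Test-CoreFunction {
    param([string]$Server)
    # Hypothetical role check: for an IIS server the default site must still answer.
    # Replace with the exercise appropriate to the role (the CA example in the text:
    # request a certificate, download the CRL).
    try { (New-Object Net.WebClient).DownloadString("http://$Server/") | Out-Null; $true }
    catch { $false }
}

foreach ($s in $Servers) {
    # Push the policy to one remote server.
    & scwcmd configure /m:$s /p:"$Policy"
    if ($LASTEXITCODE -ne 0) { Write-Warning "${s}: configure failed"; continue }

    # Analyze the server's actual state against the policy; results go to $ReportDir.
    & scwcmd analyze /m:$s /p:"$Policy" /o:"$ReportDir"
    $analysisOk = ($LASTEXITCODE -eq 0)

    if ($analysisOk -and (Test-CoreFunction -Server $s)) {
        "${s}: policy applied and verified"
    } else {
        # Native SCW rollback restores the pre-policy configuration on that server.
        Write-Warning "${s}: verification failed, rolling back"
        & scwcmd rollback /m:$s
    }
}
```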

When you are confident in your policy configurations, you can use Scwcmd as shown in the following procedure to convert the policies to GPOs.

For more details about how to test SCW policies, see the Deployment Guide for the Security Configuration Wizard at http://technet2.microsoft.com/WindowsServer/en/Library/5254f8cd-143e-4559-a299-9c723b3669461033.mspx and the Security Configuration Wizard Documentation at http://go.microsoft.com/fwlink/?linkid=43450.

Convert and Deploy the Policy

After you thoroughly test the policy, complete the following steps to convert it into a GPO and deploy it:

  1. At the command prompt, type the following command, and then press ENTER:
    scwcmd transform /p:<PathToPolicy.xml> /g:<GPODisplayName>
    For example:
    scwcmd transform /p:"C:\Windows\Security\msscw\Policies\IIS Server.xml" /g:"IIS Policy"
    Note: Enter the entire command on one line.
  2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU.

Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.

You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.

Summary

This chapter explained the policy settings that can be used to harden IIS servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. Most of the settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP. GPOs can be linked to the appropriate organizational units (OUs) that contain the IIS servers to provide additional security.

Some of the settings that were discussed cannot be applied through Group Policy. For these settings, manual configuration details were provided.

More Information

The following links provide additional information about topics that relate to hardening IIS–based Web servers that run Windows Server 2003 with SP1.

  • For information about how to enable logging in IIS, see the Microsoft Knowledge Base article "How to enable logging in Internet Information Services (IIS)" at http://support.microsoft.com/?kbid=313437.
  • Additional information about logging is available on the Enable Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d29207e8-5274-4f4b-9a00-9433b73252d6.mspx.
  • For information about how to log site activity, see the Logging Site Activity (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ab7e4070-e185-4110-b2b1-1bcac4b168e0.mspx.
  • For information about extended logging, see the Customizing W3C Extended Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/96af216b-e2c0-428e-9880-95cbd85d90a1.mspx.
  • For information about centralized binary logging, see the Centralized Binary Logging in IIS 6.0 (IIS 6.0) page on Microsoft.com at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b9cdc076-403d-463e-9a36-5a14811d34c7.mspx.
  • For information about remote logging, see the Remote Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a6347ae3-39d1-4434-97c9-5756e5862c61.mspx.
  • For additional information about IIS 6.0, see the Internet Information Services page at www.microsoft.com/WindowsServer2003/iis/default.mspx.
