SMS 2003 IIS Hardening Checklist
This checklist is based on the Securing Your Web Server checklist published by Microsoft at https://go.microsoft.com/fwlink/?LinkId=62379 but includes comments specific to SMS. Before implementing this checklist, test it thoroughly in your lab environment.
Patches and Updates
Check |
Description |
SMS notes |
|---|---|---|
□ |
MBSA is run on a regular interval to check for latest operating system and components updates. |
You can also run SMS Software Updates to keep operating systems and components up-to-date. |
□ |
The latest updates and patches are applied for Microsoft® Windows® operating systems, IIS, and the Microsoft .NET Framework. (These are tested on development servers prior to deployment on the production servers.) |
|
□ |
Subscribe to the Microsoft Security Notification Service. |
|
IISLockdown
Check |
Description |
SMS notes |
|---|---|---|
□ |
IISLockdown has been run on the server. |
SMS Toolkit 1 has the IISLockdown template for SMS. |
□ |
URLScan is installed and configured. |
SMS Toolkit 1 has Urlscan template for SMS. |
Services
Check |
Description |
SMS notes |
|---|---|---|
□ |
Unnecessary Windows services are disabled. |
|
□ |
Services are running with least-privileged accounts. |
|
□ |
FTP, SMTP, and NNTP services are disabled if they are not required. |
None of these services is required by SMS. |
□ |
Telnet service is disabled. |
Telnet is not required by SMS. |
□ |
ASP.NET state service is disabled and is not used by your applications. |
SMS reporting points require ASP.NET. Other SMS site systems do not require it. |
Protocols
Check |
Description |
SMS notes |
|---|---|---|
□ |
WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory." |
BITS-enabled distribution points require WebDAV. The virtual directory used by the distribution point conforms to the Knowledge Base article mentioned. |
□ |
TCP/IP stack is hardened using the steps in https://msdn.microsoft.com/library/en-us/secmod/html/secmod109.asp?frame=true |
|
□ |
NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445). |
Do not disable these ports since SMS uses them to communicate. |
Accounts
Check |
Description |
SMS notes |
|---|---|---|
□ |
Unused accounts are removed from the server. |
|
□ |
Windows Guest account is disabled. |
|
□ |
Administrator account is renamed and has a strong password. |
|
□ |
IUSR_MACHINE account is disabled if it is not used by the application. |
Do not disable the IUSR_MACHINE account on SMS management points. |
□ |
IWAM_MACHINE account is disabled if it is not used by the application. |
Do not disable the IWAM_MACHINE account on SMS management points. |
□ |
If your applications require anonymous access, a custom least-privileged anonymous account is created. |
See notes at the end of this checklist about anonymous access. |
□ |
The anonymous account does not have write access to Web content directories and cannot execute command-line tools. |
See notes at the end of this checklist about anonymous access |
□ |
ASP.NET process account is configured for least privilege. (This applies only if you are not using the default ASP.NET account, which is a least-privileged account.) |
|
□ |
Strong account and password policies are enforced for the server. |
|
□ |
Remote logons are restricted. (The "Access this computer from the network" user-right is removed from the Everyone group.) |
The SMS Service account (standard security) or site server computer account (advanced security) requires remote logon rights to the site systems. |
□ |
Accounts are not shared among administrators. |
|
□ |
Null sessions (anonymous logons) are disabled. |
See notes at the end of this checklist about anonymous access. |
□ |
Approval is required for account delegation. |
|
□ |
Users and administrators do not share accounts. |
|
□ |
No more than two accounts exist in the Administrators group. |
|
□ |
Administrators are required to log on locally, otherwise the remote administration solution is secure. |
|
Files and Directories
Check |
Description |
SMS notes |
|---|---|---|
□ |
Files and directories are contained on NTFS volumes. |
|
□ |
Web site content is located on a non-system NTFS volume. |
All site systems require NTFS volumes. Do not change the default IIS directories on an installed SMS site system. If you need to change the Web site content to a non-system volume, remove the SMS site system role, change the IIS defaults, then add the SMS site system role to the computer running IIS. |
□ |
Log files are located on a non-system NTFS volume, not on the same volume where the Web site content resides. |
|
□ |
The Everyone group is restricted (no access to \WINNT\system32 or Web directories). |
|
□ |
Web site root directory has deny write ACE for anonymous Internet accounts. |
See notes at the end of this checklist about anonymous access |
□ |
Content directories have deny write ACE for anonymous Internet accounts. |
See notes at the end of this checklist about anonymous access. |
□ |
Remote IIS administration application is removed (\WINNT\System32\Inetsrv\IISAdmin). |
|
□ |
Resource kit tools, utilities, and SDKs are removed. |
|
□ |
Sample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples). |
|
Shares
Check |
Description |
SMS notes |
|---|---|---|
□ |
All unnecessary shares are removed (including default administration shares). |
SMS requires the administrative shared folders. |
□ |
Access to required shares is restricted (the Everyone group does not have access). |
|
□ |
Administrative shares (C$ and Admin$) are removed if they are not required (SMS and Microsoft Operations Manager (MOM) require these shares). |
These shared folders are required by SMS. Do not remove them. |
Ports
Check |
Description |
SMS notes |
|---|---|---|
□ |
Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used). |
|
□ |
Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure. |
Do not enable SSL on the Internet Information Services (IIS) components for SMS site systems. SMS site components are not configured to use HTTPS. |
Registry
Check |
Description |
SMS notes |
|---|---|---|
□ |
Remote registry access is restricted. |
|
□ |
SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers. |
Standalone servers are not supported as SMS site systems. |
Auditing and Logging
Check |
Description |
SMS notes |
|---|---|---|
□ |
Failed logon attempts are audited. |
|
□ |
IIS log files are relocated and secured. |
|
□ |
Log files are configured with an appropriate size depending on the application security requirement. |
|
□ |
Log files are regularly archived and analyzed. |
|
□ |
Access to the Metabase.bin file is audited. |
|
□ |
IIS is configured for W3C Extended log file format auditing. |
|
Sites and Virtual Directories
Check |
Description |
SMS notes |
|---|---|---|
□ |
Web sites are located on a non-system partition. |
|
□ |
"Parent paths" setting is disabled. |
|
□ |
Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts are removed. |
These virtual directories are not used by SMS. |
□ |
MSADC virtual directory (RDS) is removed or secured. |
This virtual directory is not used by SMS. |
□ |
Include directories do not have Read Web permission. |
|
□ |
Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the Anonymous account. |
See notes at the end of this checklist about anonymous access |
□ |
There is script source access only on folders that support content authoring. |
|
□ |
There is write access only on folders that support content authoring and these folder are configured for authentication (and SSL encryption, if required). |
|
□ |
Microsoft FrontPage Server Extensions (FPSE) is removed if not used. If it is used, it is updated and access to FPSE is restricted. |
SMS does not require FPSE. |
Script Mappings
Check |
Description |
SMS notes |
|---|---|---|
□ |
Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, idc, .htr, .printer). |
Do not change these mappings for BITS-enabled distribution points. |
□ |
Unnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config. |
Do not change these mappings for BITS-enabled distribution points. |
ISAPI Filters
Check |
Description |
SMS notes |
|---|---|---|
□ |
Unnecessary or unused ISAPI filters are removed from the server. |
|
IIS Metabase
Check |
Description |
SMS notes |
|---|---|---|
□ |
Access to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin). |
|
□ |
IIS banner information is restricted (IP address in content location disabled). |
|
Server Certificates
Check |
Description |
SMS notes |
|---|---|---|
□ |
Certificate date ranges are valid. |
Does not apply. SMS maintains it's own certificate infrastructure for validating management points to clients. |
□ |
Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail). |
Does not apply. SMS maintains its own certificate infrastructure for validating management points to clients. |
□ |
The certificate's public key is valid, all the way to a trusted root authority. |
Does not apply. SMS maintains its own certificate infrastructure for validating management points to clients. |
□ |
The certificate has not been revoked. |
Does not apply. SMS maintains its own certificate infrastructure for validating management points to clients. |
Machine.config
Check |
Description |
SMS notes |
|---|---|---|
□ |
Protected resources are mapped to HttpForbiddenHandler. |
|
□ |
Unused HttpModules are removed. |
|
□ |
Tracing is disabled. <trace enable="false"/> |
|
□ |
Debug compiles are turned off.<compilation debug="false" explicit="true" defaultLanguage="vb"> |
|
Code Access Security
Check |
Description |
SMS notes |
|---|---|---|
□ |
Code access security is enabled on the server. |
|
□ |
All permissions have been removed from the local intranet zone. |
|
□ |
All permissions have been removed from the Internet zone. |
|
Other Check Points
Check |
Description |
SMS notes |
|---|---|---|
□ |
IISLockdown tool has been run on the server. |
You must use the SMS IISLockd.ini from SMS Toolkit 1; otherwise, your site systems might become inoperable. If your site system is running Microsoft® Windows® Server 2003 and IIS 6.0, the IIS Lockdown feature is integrated into IIS, but you should still run URLScan 2.5 to apply the UrlScan_SMS.ini file. |
□ |
HTTP requests are filtered. UrlScan is installed and configured. |
You must use the UrlScan_SMS.ini file from SMS Toolkit 1; otherwise, your site systems might become inoperable. |
□ |
Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts. |
|
Dos and Don'ts
Do use a dedicated computer as a Web server.
Do physically protect the Web server computer in a secure machine room.
Do configure a separate anonymous user account for each application, if you host multiple Web applications.
Do not install the IIS server on a domain controller.
Do not connect an IIS Server to the Internet until it is fully hardened.
Do not allow anyone to locally log on to the computer, except for the administrator.
Notes on SMS requirements for anonymous access
SMS requires anonymous access to the management point virtual directories. Do not change the permissions on the SMS virtual directories ccm_incoming, ccm_outgoing, ccm_system and sms_mp.
BITS-enabled distribution points create one virtual directory for SMSPKGx. Depending on the domain conditions, it is possible to disable anonymous access on the virtual directories created for BITS-enabled distribution points.
If the distribution points and Advanced Clients are in an Active Directory® domain, anonymous access can be removed from the distribution point virtual directory if both of the following conditions are met:
The user accounts that are accessing the package have NTFS permissions on the package directory. The NTFS permissions required depend on the package, but are usually Read Only.
The account used by the SMS Distribution Manager service must have Full Control NTFS permissions on the package directory. Distribution Manager uses the SMS Service account (standard security) or the computer account (advanced security).
If the distribution points and Advanced Clients are in a Microsoft Windows NT® 4.0 domain, anonymous access can be removed from the distribution point virtual directory if the following conditions are met:
The user accounts that are accessing the package have NTFS permissions on the package directory. The NTFS required permissions depend on the package, but are usually Read Only.
An Advanced Client Network Access account has been created and configured.
The account used by the SMS Distribution Manager service must have Full Control NTFS permissions on the package directory. Distribution Manager uses the SMS Service account (standard security) or the computer account (advanced security).