
Internet Information Server 4 Baseline Security Checklist

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

The following article outlines some of the steps you should take to improve the security of a computer running Windows NT Server 4.0 and Microsoft Internet Information Server 4 on the Internet.

Note: This article does not take into consideration firewalls or proxy servers. It also assumes that the company has a security policy in place.

Important: The purpose of this article is to give instructions for configuring a baseline level of security on servers running Microsoft IIS 4. Additional advanced settings are provided in the complete IIS 4 security checklist on the Microsoft TechNet Security Web site.

On This Page

Internet Information Server 4 Settings
Microsoft Internet Information Server 4 Security Checklist Details

Internet Information Server 4 Settings

Step

  • Secure Windows NT 4.0

  • Run the IIS Lockdown Tool

  • Customize UrlScan configuration

  • Install minimal Internet services required

  • Set appropriate authentication methods

  • Set appropriate virtual directory permissions and partition Web application space

  • Set appropriate IIS Log file ACLs

  • Enable logging

  • Set up Secure Sockets Layer

  • Disable or remove all sample applications

  • Remove the IISADMPWD virtual directory

  • Remove unused script mappings

  • Disable RDS support


Microsoft Internet Information Server 4 Security Checklist Details

Secure Windows NT 4.0

Refer to the Windows NT 4.0 Workstation Baseline Security Checklist or the Windows NT 4.0 Server Baseline Security Checklist for information about securing the base platform on which IIS will be hosted.

Run the IIS Lockdown Tool

The IIS Lockdown Tool is a configurable utility that asks you to specify the application role played by your IIS server. It will then remove any functionality that is not required for the particular Web server role. Use the IIS Lockdown Tool to improve the security of file permissions and script mappings, remove sample applications, and disable unused services. You should thoroughly test any changes before implementing them in a production environment.

Customize UrlScan Configuration

The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests as IIS receives them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers a significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for the file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.
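The following Python model, added for this checklist and not part of the original page or of UrlScan itself, shows what "refining the UrlScan configuration" means in practice. It embeds a constructed urlscan.ini that allows only the verbs and extensions an ASP-plus-static site needs (the section and option names are UrlScan's; the specific lists are assumptions for this example) and then applies the main options in UrlScan's order to sample requests, so you can see which ones the tightened file would have rejected before they reached IIS. It models only the allow-list modes (UseAllowVerbs=1, UseAllowExtensions=1) and, like UrlScan 2.5, does not scan the query string for [DenyUrlSequences].

```python
"""Model of how a tightened urlscan.ini screens requests (added example, not UrlScan's own code)."""
import configparser
from urllib.parse import unquote

# Constructed urlscan.ini for a site that serves only ASP pages, static HTML and images.
# Section/option names follow UrlScan; which verbs and extensions to allow is an
# application-specific assumption made for this example.  "." in [AllowExtensions]
# means "requests with no extension", i.e. directory requests.
TIGHTENED_INI = """\
[options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.htm
.html
.gif
.jpg
.jpeg
.css
.

[DenyUrlSequences]
..
./
\\
:
%
&
"""


def load_urlscan_ini(text):
    # urlscan.ini lists bare entries with no "=", hence allow_no_value; "%" entries need interpolation off.
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str          # keep entries as written; matching below lower-cases both sides
    cp.read_string(text)
    return cp


def _entries(cfg, section):
    return [k.lower() for k in cfg[section]] if cfg.has_section(section) else []


def screen_request(cfg, verb, raw_url):
    """Return (allowed, reason) for one request, following the option semantics of urlscan.ini."""
    opts = cfg["options"]

    def on(name):
        return opts.get(name, "0").strip() == "1"

    if on("UseAllowVerbs") and verb.lower() not in _entries(cfg, "AllowVerbs"):
        return False, "verb %s not in [AllowVerbs]" % verb

    url = raw_url
    if on("NormalizeUrlBeforeScan"):
        url = unquote(raw_url)
        # A URL that decodes again to something different was double-encoded to slip past the scan.
        if on("VerifyNormalization") and unquote(url) != url:
            return False, "double-encoded URL rejected (VerifyNormalization)"
    if not on("AllowHighBitCharacters") and any(ord(ch) > 127 for ch in url):
        return False, "high-bit character in URL (AllowHighBitCharacters=0)"

    path = url.split("?", 1)[0]            # UrlScan 2.5 inspects the URL, not the query string
    directory, _, name = path.rpartition("/")
    if not on("AllowDotInPath") and "." in directory:
        return False, "dot in a path segment (AllowDotInPath=0)"
    for seq in _entries(cfg, "DenyUrlSequences"):
        if seq in path.lower():
            return False, "denied sequence %r in URL" % seq
    if on("UseAllowExtensions"):
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else "."
        if ext not in _entries(cfg, "AllowExtensions"):
            return False, "extension %s not in [AllowExtensions]" % ext
    return True, "allowed"


CFG = load_urlscan_ini(TIGHTENED_INI)

if __name__ == "__main__":
    # Constructed sample requests: one legitimate page, then probes this checklist warns about.
    for verb, url in [("GET", "/myserver/script/default.asp"),
                      ("POST", "/msadc/msadcs.dll"),
                      ("GET", "/iisadmpwd/aexp.htr"),
                      ("GET", "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir"),
                      ("GET", "/default.asp::$DATA"),
                      ("PROPFIND", "/")]:
        print(verb, url, screen_request(CFG, verb, url))
```

Run it once with your own application's extensions in [AllowExtensions] and the URLs from a day of your IIS logs: anything legitimate that comes back rejected is a list entry you still need, and anything else rejected is exposure the default configuration would have passed through to IIS.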

Install minimal Internet services required

It is generally considered good practice to reduce the number of entry points into a server; for Windows NT, this means reducing the number of services. The IIS Lockdown Tool provides the option to disable unused IIS-related services; however, you should manually disable other unused services. You should use the Service Configuration Manager to stop and disable unneeded services. The following services must be running for IIS to run properly:

  • Event Log

  • License Logging Service

  • NT LM Security Support Provider

  • Remote Procedure Call (RPC) Service

  • Windows NT Server or Windows NT Workstation

  • IIS Admin Service

  • MSDTC

  • World Wide Web Publishing Service

  • Protected Storage

Set appropriate authentication methods

These methods are application specific, but you need to make sure you use 'strong enough' authentication for your application. The following is a list of the authentication schemes supported by IIS 4, in order of increasing trust:

  • Anonymous

  • Basic

  • Windows NT Challenge/Response

  • Client Certificates

Refer to Microsoft Knowledge Base article 229694 for further details and for instructions on verifying which browsers can communicate with the chosen authentication method.

Set appropriate virtual directory permissions and partition Web application space

The IIS Lockdown Tool improves file permissions; however, you should further refine these permissions for your specific application. These settings are also application-dependent, but some rules of thumb apply:

File Type                               ACL

CGI etc. (.EXE, .DLL, .CMD, .PL)        Everyone (X), Administrators (Full Control), System (Full Control)

Script files (.ASP etc.)                Everyone (X), Administrators (Full Control), System (Full Control)

Include files (.INC, .SHTML, .SHTM)     Everyone (X), Administrators (Full Control), System (Full Control)

Static content (.HTML, .GIF, .JPEG)     Everyone (R), Administrators (Full Control), System (Full Control)

Rather than setting ACLs on each file, you should create new directories for each type of file, set the ACLs on the directory, and allow the ACLs to inherit to the files. For example, a directory structure might look like this:

C:\inetpub\wwwroot\myserver\static (.html)

C:\inetpub\wwwroot\myserver\include (.inc)

C:\inetpub\wwwroot\myserver\script (.asp)

C:\inetpub\wwwroot\myserver\executable (.dll)

C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Real ACL inheritance is a feature of Windows NT 4 Service Pack 4 with the Security Configuration Editor installed.

Also be aware that two directories need special attention:

C:\inetpub\ftproot (FTP server)

C:\inetpub\mailroot (SMTP server)

The default ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place the folder on a different volume from the IIS server if you are going to support Everyone (Write).

Verify that folders that allow scripts, executables, or both to run have NTFS permissions restricted to prevent untrusted users from adding files. Microsoft suggests the following ACLs for all such folders:

  • Administrators (Full Control)

  • System (Full Control)

  • Everyone (Read)

Set appropriate IIS Log file ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

  • Administrators (Full Control)

  • System (Full Control)

  • Everyone (Read Write Create)

This is to help prevent malicious users from deleting the files to cover their tracks.

Enable logging

Logging is paramount when you want to see whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:

  1. Load the Internet Information Services tool.

  2. Right-click the site in question, and then choose Properties.

  3. Click the Web Site tab.

  4. Check the Enable Logging check box.

    Choose W3C Extended Log File Format from the Active Log Format drop-down list, and then set the following properties:

    • Client IP Address

    • User Name

    • Method

    • URI Stem

    • HTTP Status

    • Win32 Error

    • User Agent

    • Server IP Address

    • Server Port

Usage reporting applications are dependent on the structure of the log files, so verify that these applications are configured correctly to handle the additional properties.

Set up Secure Sockets Layer

SSL/TLS can be used to secure data as it is transferred between the client and the Web server. SSL/TLS is used mainly when passwords or credit card numbers are to be transferred across the Internet. However, SSL/TLS is processor-intensive, especially during the initial handshake, so keep pages that use SSL/TLS to a minimum and minimize the amount of content served over it.

Remove the IISADMPWD virtual directory

This directory allows you to reset Windows NT passwords; it is designed primarily for intranet scenarios. The directory should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.

Remove unused script mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm. When IIS receives a request for a file of one of these types, the request is passed to the DLL mapped to that extension. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:

  1. Open Internet Services Manager.

  2. Right-click the Web server, and choose Properties.

  3. Click Master Properties.

  4. Select WWW Service, click Edit, click the Home Directory tab, and then click Configuration.

Remove these references:

If you don't use                       Remove this entry

Web-based password reset               .htr

Index Server                           .ida

Internet Database Connector            .idc
(new Web sites don't use this; they use ADO from Active Server Pages)

Server-side includes                   .shtm, .stm, .shtml

Disable RDS support

This is an extremely important setting.

When incorrectly configured, Remote Data Services can make a server vulnerable to denial of service and arbitrary code execution attacks. You should either remove the capability or restrict its usage using ACLs. Refer to Microsoft Security Bulletins MS98-004 and MS99-025 and Microsoft Knowledge Base article 184375 for more information.

Also, check your IIS logs regularly for signs of attack; the signature looks something like:

1999-10-24 20:38:12 - POST /msadc/msadcs.dll ...

You can automate the searching process by using the following command:

find /i "msadcs" logfile.log
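The find command above catches the one string; the W3C Extended fields enabled under "Enable logging" let you do more. The following Python script, added for this checklist and not part of the original page, parses a log in that format using its #Fields directive (so it works whichever field order you chose), flags the signatures this checklist discusses (msadcs.dll requests, requests into the IISADMPWD directory, and requests for the .htr, .ida, .idc and server-side include extensions whose mappings you removed), and counts 4xx/5xx responses per client address to surface scanners. The log lines and addresses are constructed for the example; the error threshold of 3 is an assumption.

```python
"""Scan IIS 4 W3C Extended logs for the signatures this checklist calls out (added example)."""
from collections import Counter

# Constructed sample log in W3C Extended format, using the fields the checklist tells you
# to enable. Every request and address below is made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-10-24 20:38:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
1999-10-24 20:38:01 10.0.0.7 - 192.0.2.10 80 GET /myserver/static/index.html 200 0 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-10-24 20:38:12 203.0.113.5 - 192.0.2.10 80 POST /msadc/msadcs.dll 200 0 -
1999-10-24 20:38:40 203.0.113.5 - 192.0.2.10 80 GET /iisadmpwd/aexp2.htr 404 2 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-10-24 20:38:41 203.0.113.5 - 192.0.2.10 80 GET /scripts/samples/search/query.idc 404 2 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-10-24 20:38:42 203.0.113.5 - 192.0.2.10 80 GET /default.ida 404 2 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-10-24 20:39:10 10.0.0.7 jsmith 192.0.2.10 80 GET /myserver/script/default.asp 200 0 Mozilla/4.0+(compatible;+MSIE+5.0)
"""

# Extensions whose script mappings the checklist says to remove when unused.
REMOVED_MAPPINGS = {".htr", ".ida", ".idc", ".shtm", ".stm", ".shtml"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue                      # #Software, #Version, #Date are informational
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split()             # W3C format encodes spaces inside a field as '+'
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def classify(entry):
    """Return the name of the signature an entry matches, or None."""
    stem = entry["cs-uri-stem"].lower()
    name = stem.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if name == "msadcs.dll":
        return "RDS request (msadcs.dll)"
    if stem.startswith("/iisadmpwd/"):
        return "IISADMPWD password-reset directory"
    if ext in REMOVED_MAPPINGS:
        return "request for removed script mapping " + ext
    return None


def scan_log(text, error_threshold=3):
    """Return (hits, noisy_clients): signature hits in log order, and clients at or above the error threshold."""
    hits = []
    errors = Counter()
    for entry in parse_w3c(text):
        if entry["sc-status"][0] in "45":
            errors[entry["c-ip"]] += 1
        signature = classify(entry)
        if signature:
            hits.append((entry["date"] + " " + entry["time"], entry["c-ip"], signature, entry["cs-uri-stem"]))
    noisy = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = scan_log(SAMPLE_LOG)
    for when, ip, signature, stem in hits:
        print(when, ip, signature, stem)
    for ip, n in noisy.items():
        print("%s: %d error responses" % (ip, n))
```

Run it against the files under %systemroot%\system32\LogFiles on a schedule. A 404 for a removed mapping is still worth knowing about: it tells you who is probing, and the same client returning for msadcs.dll after the mapping is gone is exactly the "signs of attack" this section asks you to watch for.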

© 2001 Microsoft Corporation. All rights reserved.
