Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Last Updated: 24-Jul-2001
This checklist outlines some of the steps you should take to secure a Windows NT 4.0 Server running Microsoft Internet Information Server 4.0 on the Internet. Note that this document does not take firewalls or proxy servers into consideration. It also assumes the company has a security policy in place.
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
Please email secure@microsoft.com if you find any problems or have any comments.
Thanks!
Step 1: General Information
Server Name:
Asset #:
Setup Date:
Manufacturer:
Location:
Set up by:
Step 2: Background Work
Read your corporate security policy
Configure hardware to meet security policy
Read the IIS4 Resource Kit Security Chapter
Subscribe to Microsoft Security Notification Service
Step 3: Windows NT 4.0 Settings
Latest Service Pack and Hot-fixes applied
Hard disk(s) formatted to NTFS
Set NTFS ACLs
Turn off NTFS 8.3 Name Generation
System boot time set to zero seconds
Set Domain controller type
OS/2 Subsystem removed
POSIX Subsystem removed
Remove All Net Shares
Audit for Success/Failed Logon/Logoff
Set Overwrite interval for Audit Log
Hide last logon user name
Display a legal notice before log on
Remove Shutdown button from logon dialog
Set Password length
Disable Guest account
Rename Administrator account
Allow network-only lockout for Administrator account
Check user accounts, group membership and privileges
Set a very strong password for Admin account
Restrict Anonymous Network Access
Prevent unauthenticated access to the registry
ACL and Monitor Critical Registry Keys
Change "Access this computer from the network" from Everyone to Authenticated Users
Run SYSKEY Utility
Unbind NetBIOS from TCP/IP
Configure TCP/IP Filtering
Disable IP Routing
Move and ACL critical files
Synchronize Times
Remove Unused ODBC/OLE-DB Data Sources and Drivers
Step 4: Internet Information Server 4.0 Settings
Install minimal Internet services required
Set appropriate authentication methods
Set appropriate virtual directory permissions and partition Web application space
Executable content validated for trustworthiness
Set IP Address/DNS Address restrictions
Set up Secure Sockets Layer
Migrate new Root Certificates to IIS
Remove Non-trusted Root Certificates
Set Appropriate IIS Log file ACLs
Logging enabled
Index Server only indexing documentation
Lock down Microsoft Certificate Server ASP Enrollment pages
Remove the iisadmpwd vdir
Remove Unused Script Mappings
Disable RDS support
Disable or remove all sample applications
Disable or remove unneeded COM Components
Check <FORM> input
Disable calling the command shell with #exec
Disable 'Parent Paths'
Disable IP Address in Content-Location
Step 5: Install Scanner/Intrusion Software
Regularly run a security scanner on your Web server, such as software from one of the companies listed.
Step 6: Update the Emergency Repair Disk
You should regularly update the ERD by running the RDISK tool.
Microsoft Internet Information Server 4.0 Security Checklist Further Details
Read your Corporate Security Policy
Having a security policy is paramount. You need ready answers to questions like:
How do we react to a break in?
Where are the backups stored?
Who is allowed to access the server?
Good sources of policy information may be found at SANS Institute, Baseline Software, Inc. and Practical Unix & Internet Security.
Read the IIS4 Resource Kit Security Chapter
The IIS4 Resource Kit security chapter covers many aspects of Windows NT and IIS security.
Subscribe to the Microsoft Security Notification Service
IMPORTANT: You MUST keep on top of new security issues as they arise.
You can stay abreast of Microsoft-related security issues and fixes here. You will be notified of security issues by email.
Latest Service Pack and Hot-fixes applied
Currently Windows NT 4.0 SP6a is the latest Service Pack and is recommended for secure IIS4 sites. Review the latest Microsoft Security News.
You should also consider placing a 'favorites shortcut' to the Microsoft Security Advisor Program. To do so, follow these steps:
Open Internet Explorer on your desktop
Navigate to https://www.microsoft.com/technet/security/default.mspx
Select Favorites on the menu, then choose Add to Favorites
Check 'Make Available Offline'
Select Customize | Next | Yes (links to other pages) | '2' links deep
Next | Select 'I would like to create a new schedule' | use the defaults | finish
OK
Select Favorites on the menu, then choose Organize Favorites
Select Properties | Download | uncheck 'Follow links outside of this page's Web site'
OK
Close
If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft Security Advisory Program' link to your desktop. A small red mark will appear on the icon when there is new security news.
Hard disk(s) formatted to NTFS
Because NTFS supports Access Control Lists, you can set security policy in Windows NT rather than spread it around applications. If you are using FAT you can convert to NTFS using the CONVERT.EXE tool.
Set NTFS ACLs
There are many references to what the appropriate ACLs should be, such as the IIS4 Resource Kit and Windows NT Security Guidelines - a study for NSA Research by Trusted Systems Services Inc.
Turn off NTFS 8.3 Name Generation
NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications. As 16-bit apps should not be used on a secure web server, 8.3 name generation can be safely turned off. Also note that there is a performance benefit to setting this. To turn off 8.3 name generation set the following registry entry:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\FileSystem
Name: NtfsDisable8dot3NameCreation
Type: REG_DWORD
Value: 1
Set Domain controller type
Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts.
OS/2 and POSIX subsystems removed
Remove these subsystems by performing the following registry actions:
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\OS/2 Subsystem for NT
Action: Delete all subkeys
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Session Manager\Environment
Name: Os2LibPath
Action: Delete the Os2LibPath value
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Session Manager\SubSystems
Action: Delete the Optional, Posix and OS/2 values
Then delete the \winnt\system32\os2 directory and all subdirectories. The changes will take effect on the next reboot.
Remove All Net Shares
Run Net Share from the command line to list the shares, and delete each of them using Net Share /d. You should also prevent all administrative shares (C$, D$, ADMIN$) from being created by setting the following in the Registry:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Services\LanmanServer\Parameters
Name: AutoShareServer
Type: REG_DWORD
Value: 0
System boot time set to zero seconds
Go to Control Panel | System | Startup/Shutdown and set "Show list for" to zero.
Hide last logon user name
Set the following in the Registry to hide the name of the last user that logged on:
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUserName
Type: REG_SZ
Value: 1
Display a legal notice before logon
Set the following in the Registry to display legal information about the use of this computer:
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: LegalNoticeCaption
Type: REG_SZ
Value: Whatever you want for the title of the message box
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: LegalNoticeText
Type: REG_SZ
Value: Whatever you want for the text of the message box
An excellent resource for login banner wording can be found at the CIAC Web site.
Set password length
Set the minimum length to at least nine characters. This makes the password much harder to guess than one of eight characters or fewer, owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters within the first 7 characters.
Remove Shutdown button from logon dialog
Set the following value in the Registry to remove the shutdown option at logon:
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ShutdownWithoutLogon
Type: REG_SZ
Value: 0
Check user accounts, group membership and privileges
Minimize the number of users and groups on the server and keep group membership small. There should be only the most trusted accounts listed in the Administrators and Domain Admins groups. Also, be wary of the privileges given to users and groups beyond the default. You can access privilege information by opening User Manager | Policies | User Rights. A complete list of recommended user rights is detailed in the IIS4 Resource Kit.
Note, three particularly powerful rights are:
Debug privilege
Act as part of operating system
Backup privilege
Scrutinize accounts with these rights.
Run SYSKEY Utility
SYSKEY, a tool introduced in Windows NT 4.0 SP3, provides an extra safeguard for the SAM database. Refer to 143475 for further details.
Rename Administrator account
While this is an example of "security through obscurity", it is an extra step an attacker must take to determine the admin account. Consider adding a 'fake' administrator to help detect account attacks. Give this 'Administrator' no rights and carefully audit its use.
Note: nbtstat -a or nbtstat -A may be used to determine the real administrator account if they are currently logged on.
Allow network-only lockout for the Administrator account
Normally, the Administrator account cannot be locked out if an attacker attempts to guess the password. However, a tool in the Windows NT Resource Kit called PASSPROP supports this option. If you run the following command, the Administrator account will be locked out over the network if an attacker attempts a brute force or dictionary attack, but the administrator can still log on locally at the server:
passprop /adminlockout
Set a very strong password for Admin account
Make sure the admin account has a very difficult to guess password and change it frequently.
Prevent unauthenticated access to the registry
The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\SecurePipeServers
Name: \winreg
The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.
Restrict Anonymous Network Access
Windows NT has a feature that allows non-authenticated users to enumerate users on a Windows NT domain. If you do not want this functionality, set the following in the Registry:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\LSA
Name: RestrictAnonymous
Type: REG_DWORD
Value: 1
ACL and Monitor Critical Registry Keys
The following registry entries should be tightly ACL'd and monitored, as they can be used to launch trojan programs:
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: (five keys under this hive; the key names are not present in this copy)
The default ACLs should be:
Administrators (Full Control)
SYSTEM (Full Control)
Creator Owner (Full Control)
Everyone (R)
Change "Access this computer from the network" from Everyone to Authenticated Users
This only allows users having an account in the domain or on the machine to access shares on the server. You can perform this by opening User Manager | Policies | User Rights, then choosing "Access this computer from network", remove Everyone from the list and add Authenticated Users to the list.
Unbind NetBIOS from TCP/IP
Unbinding NetBIOS from TCP/IP will prevent a user from accessing machine information using tools like NBTSTAT.
Disable IP Routing
If routing is enabled, you run the risk of passing data between the intranet and Internet. To disable routing, open the Control Panel | Network | Protocols | TCP/IP Protocol | Properties | Routing and clear the Enable IP Forwarding check box.
Audit for Success/Failed Logon/Logoff
Open User Manager | Policies | Audit | Audit these Events.
Set Overwrite interval for Audit log
Open Event Viewer | Log | Log Settings, and set a maximum size and "Overwrite Events Older than" for all three logs. If you are going to overwrite logs after only a few days and your log maximum size is small then you need to check the logs more frequently.
Configure TCP/IP Filtering
Configure TCP/IP filtering by specifying which ports are allowable on each network card. Go to Control Panel | Network | Protocols | TCP/IP | Advanced | Enable Security | Configure. Now set the following options:
Permit only TCP ports 80 and 443 (if you have SSL)
Permit no UDP ports
Permit only IP Protocol 6 (TCP)
Move and ACL Critical Files
Place all commonly used administrative tools in a special directory outside %systemroot% and ACL them so that only administrators have full access to these files. For example, create a directory called \CommonTools and place the following files in there:
xcopy.exe
wscript.exe
cscript.exe
net.exe
ftp.exe
telnet.exe
arp.exe
edlin.exe
ping.exe
route.exe
at.exe
finger.exe
posix.exe
rsh.exe
atsvc.exe
qbasic.exe
runonce.exe
syskey.exe
cacls.exe
ipconfig.exe
rcp.exe
secfixup.exe
nbtstat.exe
rdisk.exe
debug.exe
regedt32.exe
regedit.exe
edit.com
netstat.exe
tracert.exe
nslookup.exe
rexec.exe
cmd.exe
Synchronize Times
If you have multiple Web servers you should make sure the times are synchronized. This will aid you when you need to evaluate multiple audit logs in the case of any intrusion detection. The simplest way is to use the NET TIME command and nominate one server as having the base time.
Install minimal Internet services required
It is generally considered good practice to reduce the number of entry points into a server; for Windows NT this means reducing the number of services. You should stop and disable unneeded services using the Service Configuration Manager. The following services must be running to use IIS:
Event Log
License Logging Service
Windows NTLM Security Support Provider
Remote Procedure Call (RPC) Service
Windows NT Server or Windows NT Workstation
IIS Admin Service
MSDTC
World Wide Web Publishing Service
Protected Storage
Set appropriate authentication methods
These are application specific but you need to make sure you use 'strong enough' authentication for your application. The following lists the authentication schemes supported by IIS4 in increasing trust:
Anonymous
Basic
Windows NT Challenge/Response
Client Certificates
Refer to 229694 for further details.
Set appropriate virtual directory permissions/Web application space
This is also application dependent, but the following rules of thumb apply:
CGI etc. (.EXE, .DLL, .CMD, .PL): Everyone (X), Administrators (Full Control), System (Full Control)
Script files (.ASP etc.): Everyone (X), Administrators (Full Control), System (Full Control)
Include files (.INC, .SHTML, .SHTM): Everyone (X), Administrators (Full Control), System (Full Control)
Static content (.HTML, .GIF, .JPEG): Everyone (R), Administrators (Full Control), System (Full Control)
Rather than setting ACLs on each file, you are better off creating a separate directory for each type of file, setting ACLs on the directory and allowing the ACLs to inherit to the files. For example, a directory structure may look like this:
c:\inetpub\wwwroot\myserver\static (.html)
c:\inetpub\wwwroot\myserver\include (.inc)
c:\inetpub\wwwroot\myserver\script (.asp)
c:\inetpub\wwwroot\myserver\executable (.dll)
c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Real ACL inheritance is a feature of Windows NT4 SP4 with the Security Config Editor installed.
Also be aware that two directories need special attention:
c:\inetpub\ftproot (FTP server)
c:\inetpub\mailroot (SMTP server)
They are both Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume from the IIS server if you are going to support Everyone (Write).
Set appropriate IIS log file ACLs
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
Administrators (Full Control)
System (Full Control)
Everyone (Read Write Create)
This is to help prevent malicious users deleting the files to cover their tracks.
Logging enabled
Logging is paramount when you want to see if your server is being attacked. You should use the W3C Extended Logging format by loading the IIS MMC tool | right-click on the site in question | Properties | Web Site | Enable Logging (W3C Extended Log), then set the following properties:
Client IP Address
User Name
Method
URI Stem
HTTP Status
Win32 Error
User Agent
Server IP Address
Server Port
Set IP Address/DNS Address restrictions
This is not a common option to set, but if you wish to restrict your Web sites to certain users then this is one option. Note, if you enter DNS names then IIS has to do a lookup, which can be time consuming.
Executable content validated for trustworthiness
It is difficult to know whether executable content can be trusted or not. One small test is to use the DumpBin tool to see if the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you wish to see if a file called MyISAPI.DLL calls RevertToSelf():
dumpbin /imports MyISAPI.DLL | find "RevertToSelf"
If no result appears on screen then MyISAPI.DLL does not call RevertToSelf() directly. It may call the API through LoadLibrary() in which case you could search for this too.
Set up Secure Sockets Layer
SSL/TLS can be used to secure data as it's transferred from the client to the web server. SSL/TLS is used mainly when passwords or credit cards are to be transferred across the Internet. However, using SSL/TLS is slow, especially during the initial handshake, so keep pages that use SSL/TLS to a minimum and keep the content minimal.
Migrate new Root Certificates to IIS
If you are using SP4 or later you do not need to use the IISCA tool. Instead you can use the new certificate UI. Refer to 194788 for further details.
Remove non-Trusted Root Certificates
In a public key infrastructure, trust is determined by the root certifying authority (CA) certificates you have enabled. If you trust certificates issued by a CA then you must have that root CA certificate loaded in the operating system. You need to do the following to implement who you trust when using IIS:
Determine who you trust. Write the CA's names down.
Disable or remove the root CA certificates of those you don't trust. By implication, if you don't know the name of a CA then you cannot trust them.
How you achieve the second step depends on what version of IIS, IE and Windows NT4 you are using:
IIS4+ IE4 + Windows NT 4 + SP4 or better
In this scenario, all root CA certificates are handled by schannel.dll, which stores its data in the registry. You will see a series of registry keys under the following "CertificationAuthorities" key, one for each preinstalled CA. Each CA key has an "Enabled" entry under it, set to 0x1 if the CA is trusted and 0x0 if the CA is not trusted.
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities
Name: Enabled
Type: REG_DWORD
Value: 0
Note: you should not delete these registry entries, as Schannel will notice that they're missing and recreate them.
IIS4 + IE5 + Windows NT 4 + SP4 or better
For this scenario you need to perform the steps noted above and modify trusted roots in IE5:
Open IE5
Select Tools | Internet Options
Click on the Content tab
Click on the Certificates button
Click on the Trusted Root Certification Authorities tab
Remove any untrusted roots
Regardless of which route you take, you will need to stop and start IIS:
net stop iisadmin /y
net start w3svc
Index Server only indexing documentation
Check what documents you are indexing, make sure you are not indexing confidential source code!
Lock down Microsoft Certificate Server ASP Enrollment pages
By default the installed ASP pages for Certificate Server are not secured. You should either remove the pages or set very limited ACLs on them. They are located in the %systemroot%\certsrv directory. You should set the ACLs to:
Administrators (Full Control)
Certificate Issuers (Full Control)
SYSTEM (Full Control)
then add trusted certificate operators to the Certificate Issuers group.
Disable or remove all sample applications
Samples are just that, samples; they are not installed by default and should never be installed on a production server. This includes documentation (the SDK docs include sample code), the Exploration Air sample site and others. Here are the default locations for some of the samples:
IIS: c:\inetpub\iissamples
IIS SDK: c:\inetpub\iissamples\sdk
Admin Scripts: c:\inetpub\AdminScripts
Data access: c:\Program Files\Common Files\System\msadc\Samples
Disable or remove unneeded COM Components
Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware that some programs may require components you are disabling. For example, Site Server 3.0 uses the File System Object. The following will disable the File System Object:
regsvr32 scrrun.dll /u
Remove the IISADMPWD virtual directory
This directory allows you to reset Windows NT passwords; it is designed primarily for intranet scenarios. It should be removed if this feature is not required or if the server is on the Web. Refer to 184619 for more info about this functionality.
Remove Unused Script Mappings
IIS is preconfigured to support common filename extensions such as .ASP and .SHTM. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or functionality you should remove the mappings by opening Internet Services Manager, then right-clicking the Web server | Properties | Master Properties | WWW Service | Edit | Home Directory | Configuration, and removing these references:
If you don't use Web-based Password Reset, remove .htr
If you don't use Index Server, remove .ida
If you don't use Internet Database Connector, remove .idc
If you don't use Server-side includes, remove .shtm, .stm, .shtml
Disable RDS support
This is an extremely important setting.
When incorrectly configured, Remote Data Services can make a server vulnerable to denial of service and arbitrary code execution attacks. You should either remove the capability or restrict its usage using ACLs. Refer to MS98-004, MS99-025 and 184375 for more info.
Also, check your IIS logs regularly for signs of attack, the signature to look for is something like:
1999-10-24 20:38:12 - POST /msadc/msadcs.dll ...
You can automate the searching process by using the command:
find /i "msadcs" logfile.log
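A structured version of the log check described above, as an added example that is not part of the original checklist: it parses W3C Extended log lines into records using the #Fields directive, flags requests for /msadc/msadcs.dll regardless of case or method, and counts hits per client address. The log lines are constructed for the example; a real file would be read from %systemroot%\system32\LogFiles.

```javascript
// Constructed W3C Extended log excerpt (not a real server's log). Field
// order follows the #Fields directive, as IIS writes it.
var SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Server 4.0",
  "#Version: 1.0",
  "#Date: 1999-10-24 20:38:00",
  "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)",
  "1999-10-24 20:38:05 192.0.2.10 - 198.51.100.5 80 GET /default.htm 200 0 Mozilla/4.0",
  "1999-10-24 20:38:12 192.0.2.77 - 198.51.100.5 80 POST /msadc/msadcs.dll 200 0 ACTIVEDATA",
  "1999-10-24 20:38:19 192.0.2.77 - 198.51.100.5 80 POST /MSADC/MSADCS.DLL 500 0 ACTIVEDATA",
  "1999-10-24 20:39:01 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 304 0 Mozilla/4.0"
];

// Parse W3C Extended format: a '#Fields:' line names the columns, other
// '#' lines are directives, and data lines are space-separated values in
// that column order. Returns one object per data line.
function parseW3C(lines) {
  var fields = null, records = [];
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i];
    if (line.charAt(0) === "#") {
      if (line.indexOf("#Fields:") === 0) {
        fields = line.substring(8).replace(/^\s+|\s+$/g, "").split(/\s+/);
      }
      continue;
    }
    if (!fields) continue; // data before any #Fields line cannot be interpreted
    var parts = line.split(/\s+/), rec = {};
    for (var f = 0; f < fields.length; f++) rec[fields[f]] = parts[f];
    records.push(rec);
  }
  return records;
}

// Return the records whose URI stem is the RDS handler. The comparison is
// case-insensitive because IIS paths are not case-sensitive, and the method
// is not checked so that GET probes are reported as well as the POST form.
function findRdsRequests(records) {
  var hits = [];
  for (var i = 0; i < records.length; i++) {
    var stem = (records[i]["cs-uri-stem"] || "").toLowerCase();
    if (stem.indexOf("/msadc/msadcs.dll") === 0) hits.push(records[i]);
  }
  return hits;
}

// Count hits per client IP so repeated probing from one source stands out.
function countByClient(hits) {
  var counts = {};
  for (var i = 0; i < hits.length; i++) {
    var ip = hits[i]["c-ip"];
    counts[ip] = (counts[ip] || 0) + 1;
  }
  return counts;
}

var hits = findRdsRequests(parseW3C(SAMPLE_LOG));
for (var h = 0; h < hits.length; h++) {
  console.log("RDS request: " + hits[h].date + " " + hits[h].time + " " +
              hits[h]["c-ip"] + " " + hits[h]["cs-method"] + " " +
              hits[h]["cs-uri-stem"] + " status=" + hits[h]["sc-status"]);
}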
Check <FORM> input in your ASP code
Many sites use input from a user to call other code or build SQL statements directly. In other words, they treat the input as valid, well-formed, non-malicious input. This should not be so: there have been a number of attacks, most notably on Unix, where user input was treated incorrectly as valid input and the user gained access to the server or caused damage. You should always check all user input before passing it on to another process or method call which may use an external resource such as the file system or a database.
There is an important rule you should follow: determine what is valid, and disallow all other input. The following regular expression shows how to check a form element, name, for A-Za-z0-9 between 1 and 32 characters in length, and reject all other input.
// Server-side JScript in an ASP page; RegExp.test() returns true or false.
var reg = /^[A-Za-z0-9]{1,32}$/;
if (reg.test(Request.Form("name"))) {
    // Cool! Input is valid
} else {
    // Not Cool! Input is invalid
}
The VBScript and JScript pattern syntax is the same as that in Perl 5.0. Refer to the v5 scripting engine documentation at https://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001169 for further detail and https://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.
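The same allow-list rule applied to several form fields at once, as an added example that is not from the checklist: each field must be present, be a string, and match its pattern, and anything else is rejected. The field names, patterns (other than the name pattern above) and the sample submissions are constructed; in an ASP page the values would come from Request.Form(...).

```javascript
// Allow-list rules: one anchored pattern per expected field. The 'name'
// pattern is the one from the checklist; the others are constructed.
var RULES = {
  name:  /^[A-Za-z0-9]{1,32}$/,
  zip:   /^[0-9]{5}$/,                                   // exactly five digits
  email: /^[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,128}$/   // deliberately narrow
};

// Returns { ok: true } or { ok: false, bad: [field, ...] }.
// Notes on edge cases:
//  - a missing field or a non-string value fails; undefined is never
//    coerced to the string "undefined" and then matched;
//  - in JScript/JavaScript '$' matches only at the very end of the string,
//    so "bob\n" fails, whereas Perl's '$' would also match before a
//    trailing newline;
//  - fields not listed in RULES are ignored here, so a caller must not use
//    them (read only the validated fields from the form).
function validateForm(form) {
  var bad = [];
  for (var field in RULES) {
    if (!RULES.hasOwnProperty(field)) continue;
    var value = form[field];
    if (typeof value !== "string" || !RULES[field].test(value)) bad.push(field);
  }
  return bad.length === 0 ? { ok: true } : { ok: false, bad: bad };
}

// Constructed submissions: one valid, one with a trailing newline in the
// name, one with every field malformed, one with the name missing.
var SUBMISSIONS = [
  { name: "alice01", zip: "12345", email: "alice@example.com" },
  { name: "bob\n", zip: "12345", email: "bob@example.com" },
  { name: "bob smith", zip: "1234", email: "not-an-address" },
  { zip: "12345", email: "carol@example.com" }
];

for (var i = 0; i < SUBMISSIONS.length; i++) {
  var result = validateForm(SUBMISSIONS[i]);
  console.log("submission " + i + ": " + (result.ok ? "valid" : "rejected " + result.bad.join(",")));
}
```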
Disable Parent Paths
Parent Paths allows you to use '..' in calls to MapPath and the like. By default this option is enabled and should be disabled. To disable this option go to the root of the Web site in question, right click select Properties | Home Directory | Configuration | App Options and uncheck Enable Parent Paths.
Disable calling the command shell with #exec
The #exec command directive can be used to call arbitrary commands at the Web server from within an HTML page. IIS disables this by default. You can double-check this by making sure the following is set to zero or is missing:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Services\W3SVC\Parameters
Name: SSIEnableCmdDirective
Type: REG_DWORD
Value: 0
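An audit of the registry hardening settings this checklist specifies (8.3 name generation, administrative shares, last user name, shutdown at logon, RestrictAnonymous and SSIEnableCmdDirective), as an added example that is not part of the original checklist. On the server the snapshot would be built with WScript.Shell.RegRead from Windows Script Host; here it is a constructed object so the comparison runs offline, and a key that would raise an error on RegRead is represented by leaving it out.

```javascript
var HKLM = "HKEY_LOCAL_MACHINE\\";

// Expected hardened values, taken from the checklist. 'absentOk' marks the
// one entry the checklist says may be either zero or missing.
var EXPECTED = [
  { path: HKLM + "SYSTEM\\CurrentControlSet\\Control\\FileSystem\\NtfsDisable8dot3NameCreation",
    value: 1 },
  { path: HKLM + "SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\AutoShareServer",
    value: 0 },
  { path: HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DontDisplayLastUserName",
    value: "1" },
  { path: HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ShutdownWithoutLogon",
    value: "0" },
  { path: HKLM + "SYSTEM\\CurrentControlSet\\Control\\LSA\\RestrictAnonymous",
    value: 1 },
  { path: HKLM + "SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters\\SSIEnableCmdDirective",
    value: 0, absentOk: true }
];

// Compare a snapshot ({ fullPath: value }) against EXPECTED. Returns an
// array of findings { path, expected, actual }; an empty array means every
// checklist setting is in its hardened state. Values are compared as
// strings so a REG_DWORD 1 and a REG_SZ "1" are treated alike.
function auditHardening(snapshot) {
  var findings = [];
  for (var i = 0; i < EXPECTED.length; i++) {
    var e = EXPECTED[i];
    if (!Object.prototype.hasOwnProperty.call(snapshot, e.path)) {
      if (!e.absentOk) findings.push({ path: e.path, expected: e.value, actual: undefined });
      continue;
    }
    if (String(snapshot[e.path]) !== String(e.value)) {
      findings.push({ path: e.path, expected: e.value, actual: snapshot[e.path] });
    }
  }
  return findings;
}

// Constructed snapshot of a partially hardened server: admin shares are
// still auto-created, anonymous enumeration is still allowed, and the
// ShutdownWithoutLogon value has never been set. SSIEnableCmdDirective is
// absent, which the checklist accepts.
var SAMPLE_SNAPSHOT = {};
SAMPLE_SNAPSHOT[EXPECTED[0].path] = 1;
SAMPLE_SNAPSHOT[EXPECTED[1].path] = 1;
SAMPLE_SNAPSHOT[EXPECTED[2].path] = "1";
SAMPLE_SNAPSHOT[EXPECTED[4].path] = 0;

var findings = auditHardening(SAMPLE_SNAPSHOT);
for (var j = 0; j < findings.length; j++) {
  console.log("NOT HARDENED: " + findings[j].path +
              " expected=" + findings[j].expected + " actual=" + findings[j].actual);
}
```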
Disable IP Address in Content-Location
The Content-Location header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. Refer to 218180 for further information about disabling this option.
THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.