IIS 5.0 Baseline Security Checklist

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Introduction

This document lists some recommendations and best practices to improve the security of a server on the Web running Internet Information Services (IIS) 5.

Important: The purpose of this article is to give instructions for configuring a baseline level of security on IIS 5 servers. Additional advanced settings are provided in the complete IIS 5 security checklist on the Microsoft TechNet Security Web site.

Internet Information Services 5 Settings

The checklist consists of the following steps, each of which is described in detail below:

  1. Secure Windows 2000

  2. Run the IIS Lockdown Tool

  3. Customize UrlScan configuration

  4. Set appropriate ACLs on virtual directories

  5. Set appropriate IIS Log file ACLs

  6. Enable logging

  7. Disable or remove all sample applications

  8. Remove the IISADMPWD virtual directory

  9. Remove unused script mappings

  10. Harden metabase permissions

  11. Harden ASP.NET configuration

Microsoft Internet Information Services 5 Security Checklist Details

Secure Windows 2000

Refer to the Windows 2000 Server Baseline Security Checklist for information about securing the base platform on which IIS will be hosted.

Run the IIS Lockdown Tool

The IIS Lockdown Tool is a configurable utility that asks you to specify the application role played by your IIS server. It will then remove any functionality that is not required for the particular Web server role. You should thoroughly test any changes before implementing them in a production environment.

Customize UrlScan Configuration

The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests as IIS receives them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers a significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for the file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.

Set appropriate ACLs on virtual directories

The IIS Lockdown Tool improves file permissions; however, you should further refine these permissions for your specific application. Although this procedure is somewhat application-dependent, some rules of thumb apply:

Recommended default ACLs by file type:

  • CGI (.exe, .dll, .cmd, .pl): Everyone (X); Administrators (Full Control); System (Full Control)

  • Script files (.asp): Everyone (X); Administrators (Full Control); System (Full Control)

  • Include files (.inc, .shtm, .shtml): Everyone (X); Administrators (Full Control); System (Full Control)

  • Static content (.txt, .gif, .jpg, .html): Everyone (R); Administrators (Full Control); System (Full Control)

Rather than setting ACLs on each file, you are better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:

  • C:\inetpub\wwwroot\myserver\static (.html)

  • C:\inetpub\wwwroot\myserver\include (.inc)

  • C:\inetpub\wwwroot\myserver\script (.asp)

  • C:\inetpub\wwwroot\myserver\executable (.dll)

  • C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Also, be aware that two directories need special attention:

  • C:\inetpub\ftproot (FTP server)

  • C:\inetpub\mailroot (SMTP server)

The ACLs on both of these directories are Everyone (Full Control) and should be overridden with something tighter, depending on the level of functionality you need. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.

Set appropriate IIS Log file ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

  • Administrators (Full Control)

  • System (Full Control)

  • Everyone (RWC)

This is to help prevent malicious users from deleting the files to cover their tracks.

Enable logging

Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:

  1. Load the Internet Information Services tool.

  2. Right-click the site in question, and choose Properties from the context menu.

  3. Click the Web Site tab.

  4. Check the Enable Logging check box.

  5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.

  6. Click Properties.

    Click the Extended Properties tab, and set the following properties:

    • Client IP Address

    • User Name

    • Method

    • URI Stem

    • HTTP Status

    • Win32 Status

    • User Agent

    • Server IP Address

    • Server Port

The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.
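As an added example (not part of the Microsoft checklist), the following script scans W3C Extended log records for the two signals discussed above: Win32 status 5 (access denied) from the logging step, and requests for file extensions the application does not serve, which is the allow-list principle behind a tightened UrlScan configuration. The log lines are constructed, and the set of allowed extensions is an assumption for a hypothetical application.

```python
from collections import Counter
import os

# Constructed sample (not real server output) using the fields the checklist recommends.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent) s-ip s-port
2001-10-18 00:00:01 10.0.0.5 - GET /script/default.asp 200 0 Mozilla/4.0+(compatible;+MSIE+5.5) 192.168.1.10 80
2001-10-18 00:00:02 10.0.0.5 - GET /images/logo.gif 200 0 Mozilla/4.0+(compatible;+MSIE+5.5) 192.168.1.10 80
2001-10-18 00:00:03 10.0.0.9 - GET /iisadmpwd/pwreset.htr 401 5 Mozilla/4.0+(compatible;+MSIE+5.5) 192.168.1.10 80
2001-10-18 00:00:04 10.0.0.9 - GET /msadc/query.idc 403 5 Mozilla/4.0+(compatible;+MSIE+5.5) 192.168.1.10 80
2001-10-18 00:00:05 10.0.0.9 - GET /printers/test.printer 404 2 Mozilla/4.0+(compatible;+MSIE+5.5) 192.168.1.10 80
"""

# Extensions the (assumed) application actually serves; anything else is suspect.
ALLOWED_EXTENSIONS = {".asp", ".html", ".gif", ".jpg", ".inc"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the names given in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # field names follow the directive
            continue
        if line.startswith("#") or not line.strip():
            continue                             # other directives and blank lines
        values = line.split(" ")                 # IIS replaces spaces inside values with '+'
        if len(values) == len(fields):           # drop truncated or malformed records
            yield dict(zip(fields, values))

def find_access_denied(records):
    """Records where IIS reported Win32 status 5 (access denied)."""
    return [r for r in records if r.get("sc-win32-status") == "5"]

def find_disallowed_extensions(records, allowed):
    """Requests whose URI extension is not one the application serves."""
    return [r for r in records
            if os.path.splitext(r.get("cs-uri-stem", ""))[1].lower() not in allowed]

def summarize(text, allowed=ALLOWED_EXTENSIONS):
    """Return flagged (client IP, URI) pairs and a per-client count of flagged records."""
    records = list(parse_w3c(text))
    denied = find_access_denied(records)
    odd = find_disallowed_extensions(records, allowed)
    flagged = [r for r in records if r in denied or r in odd]   # each record counted once
    return {
        "records": len(records),
        "access_denied": [(r["c-ip"], r["cs-uri-stem"]) for r in denied],
        "disallowed": [(r["c-ip"], r["cs-uri-stem"]) for r in odd],
        "by_client": Counter(r["c-ip"] for r in flagged),
    }
```

Point summarize() at the contents of a file from %systemroot%\system32\LogFiles to get a per-client view of denied and off-policy requests; a client that shows up repeatedly in by_client is worth a closer look.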

Disable or remove all sample applications

Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from https://localhost, or 127.0.0.1; however, they should still be removed.

The following table lists the default locations for some of the samples.

Sample files included with Internet Information Services 5 (sample, virtual directory, location):

  • IIS Samples: \IISSamples, c:\inetpub\iissamples

  • IIS Documentation: \IISHelp, c:\winnt\help\iishelp

  • Data Access: \MSADC, c:\program files\common files\system\msadc

Remove the IISADMPWD virtual directory

This directory allows you to reset Windows NT and Windows 2000 passwords. It is designed primarily for intranet scenarios and is not installed as part of IIS 5; however, it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.

Remove unused script mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:

  1. Open Internet Services Manager.

  2. Right-click the Web server, and choose Properties.

  3. Click Master Properties.

  4. Select WWW Service, click Edit, click Home Directory, and then click Configuration.

Remove these references:

If you don't use the functionality listed first, remove the corresponding entry:

  • Web-based password reset: .htr

  • Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology): .idc

  • Server-side Includes: .stm, .shtm, and .shtml

  • Internet Printing: .printer

  • Index Server: .htw, .ida, and .idq

Note: Internet Printing can be configured through Group Policy as well as via the Internet Services Manager. If there is a conflict between the Group Policy settings and those in the Internet Service Manager, the Group Policy settings take precedence. If you remove Internet Printing via the Internet Services Manager, be sure to verify that it won't be re-enabled by either local or domain group policies. (The default Group Policy neither enables nor disables Internet Printing.) In the MMC Group Policy snap-in, click Computer Configuration, click Administrative Templates, click Printing, and then click Web-based Printing.

Note: Unless you have a mission-critical reason to use the .htr functionality, you should remove the .htr extension.

Harden Metabase Permissions

Security and other IIS configuration settings are maintained in the IIS Metabase file. The default file permissions could allow an attacker to directly edit the Metabase file. The NTFS permissions on the IIS Metabase file (and the backup Metabase file) should be hardened to ensure that attackers cannot modify the IIS configuration in any way. Microsoft recommends removing all file permissions to the Metabase, and granting Full Control to only Administrators and SYSTEM.

Harden ASP.NET Configuration

If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and ASP.NET in particular, to ensure ASP.NET does not increase your vulnerability to attack.

© 2001 Microsoft Corporation. All rights reserved.
