IIS 5.0 Baseline Security CHECKLIST
Introduction

This document lists some recommendations and best practices to improve the security of a server on the Web running Internet Information Services (IIS) 5.

Important: The purpose of this article is to give instructions for configuring a baseline level of security on IIS 5 servers. Additional advanced settings are provided in the complete IIS 5 security checklist on the Microsoft TechNet Security Web site.
Internet Information Services 5 Settings
Steps:
• Secure Windows 2000
• Run the IIS Lockdown Tool
• Customize UrlScan configuration
• Set appropriate ACLs on virtual directories
• Set appropriate IIS log file ACLs
• Enable logging
• Disable or remove all sample applications
• Remove the IISADMPWD virtual directory
• Remove unused script mappings
• Harden metabase permissions
• Harden ASP.NET configuration
Microsoft Internet Information Services 5 Security Checklist Details

Secure Windows 2000

Refer to the Windows 2000 Server Baseline Security Checklist for information about securing the base platform on which IIS will be hosted.

Run the IIS Lockdown Tool

The IIS Lockdown Tool is a configurable utility that asks you to specify the application role played by your IIS server. It then removes any functionality that is not required for that particular Web server role. You should thoroughly test any changes before implementing them in a production environment.

Customize UrlScan Configuration

The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests as IIS receives them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers a significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.

Set Appropriate ACLs on Virtual Directories

The IIS Lockdown Tool improves file permissions; however, you should further refine these permissions for your specific application. Although this procedure is somewhat application-dependent, some rules of thumb apply:
File Type                                    Access Control Lists
CGI (.exe, .dll, .cmd, .pl)                  Everyone (X); Administrators (Full Control); System (Full Control)
Script files (.asp)                          Everyone (X); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)          Everyone (X); Administrators (Full Control)
Static content (.txt, .gif, .jpg, .html)     Everyone (R); Administrators (Full Control); System (Full Control)
Recommended default ACLs by file type.

Rather than setting ACLs on each file, you are better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:
• c:\inetpub\wwwroot\myserver\static (.html)
• c:\inetpub\wwwroot\myserver\include (.inc)
• c:\inetpub\wwwroot\myserver\script (.asp)
• c:\inetpub\wwwroot\myserver\executable (.dll)
• c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Also, be aware that two directories need special attention:
• c:\inetpub\ftproot (FTP server)
• c:\inetpub\mailroot (SMTP server)

The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.

Set Appropriate IIS Log File ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\logfiles) are:
• Administrators (Full Control)
• System (Full Control)
• Everyone (RWC)

This is to help prevent malicious users from deleting the files to cover their tracks.

Enable Logging

Logging is paramount when you want to determine whether your server is being attacked. You should use the W3C Extended Logging format by following this procedure:

1. Load the Internet Information Services tool.
2. Right-click the site in question, and choose Properties from the context menu.
3. Click the Web Site tab.
4. Check the Enable Logging check box.
5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.
6. Click Properties. Click the Extended Properties tab, and set the following properties:
• Client IP Address
• User Name
• Method
• URI Stem
• HTTP Status
• Win32 Status
• User Agent
• Server IP Address
• Server Port

The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.

Disable or Remove All Sample Applications

Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost.
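The log review described above, as an added Python example that is not part of the Microsoft checklist: it parses W3C Extended log lines using the #Fields directive, flags Win32 status 5 (access denied), and also flags requests for the sample virtual directories and script-mapping extensions that later steps of this checklist remove. The log excerpt is constructed for the example, not a real capture.

```python
# Added example for this checklist (not Microsoft's code): parse IIS 5 W3C
# Extended log lines and flag the entries the checklist says to watch for.

# Constructed sample excerpt, not a real capture. The field order matches the
# extended properties the checklist recommends enabling.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-06-01 12:00:01 10.0.0.5 - 192.0.2.10 80 GET /default.htm 200 0 Mozilla/4.0
2001-06-01 12:00:02 10.0.0.5 - 192.0.2.10 80 GET /scripts/admin.asp 401 5 Mozilla/4.0
2001-06-01 12:00:03 10.0.0.9 - 192.0.2.10 80 GET /iissamples/default.asp 404 2 Mozilla/4.0
2001-06-01 12:00:04 10.0.0.9 - 192.0.2.10 80 GET /msadc/default.htm 404 2 Mozilla/4.0
2001-06-01 12:00:05 10.0.0.9 - 192.0.2.10 80 GET /iisadmpwd/index.htr 404 2 Mozilla/4.0
"""

# Virtual directories this checklist removes, and the script-mapping extensions
# it lists for removal. Trim both sets to what you actually removed.
REMOVED_DIRS = {"iissamples", "iishelp", "msadc", "iisadmpwd"}
REMOVED_EXTENSIONS = {".htr", ".idc", ".stm", ".shtm", ".shtml", ".printer",
                      ".htw", ".ida", ".idq"}


def parse_w3c(text):
    """Return one dict per request, keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # directive naming the columns that follow
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                records.append(dict(zip(fields, parts)))
    return records


def find_access_denied(records):
    """Win32 status 5 is access denied ("net helpmsg 5"), the value to look out for."""
    return [r for r in records if r.get("sc-win32-status") == "5"]


def find_removed_feature_probes(records):
    """Requests for sample directories or script mappings this checklist removes."""
    hits = []
    for r in records:
        segments = r.get("cs-uri-stem", "").lower().strip("/").split("/")
        top = segments[0] if len(segments) > 1 else ""   # first path component
        ext = segments[-1][segments[-1].rfind("."):] if "." in segments[-1] else ""
        if top in REMOVED_DIRS or ext in REMOVED_EXTENSIONS:
            hits.append(r)
    return hits
```

Feed the function the contents of a file from %systemroot%\system32\logfiles instead of SAMPLE_LOG to run it against a real log.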
Sample              Virtual Directory   Location
IIS Samples         /IISSamples         c:\inetpub\iissamples
IIS Documentation   /IISHelp            c:\winnt\help\iishelp
Data Access         /MSADC              c:\program files\common files\system\msadc
Sample files included with Internet Information Services 5.

Remove the IISADMPWD Virtual Directory

This directory allows you to reset Windows NT and Windows 2000 passwords. It is designed primarily for intranet scenarios and is not installed as part of IIS 5. However, it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you do not use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.

Remove Unused Script Mappings

IIS is preconfigured to support common filename extensions such as .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't need the functionality, you should remove the mappings by following this procedure:
1. Open Internet Services Manager.
2. Right-click the Web server, and choose Properties.
3. Click Master Properties.
4. Select WWW Service, click Edit, click Home Directory, and then click Configuration.

Remove these references:
If you don't use...                                                                         remove this entry:
Web-based Password Reset                                                                    .htr
Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology)     .idc
Server-Side Includes                                                                        .stm, .shtm, and .shtml
Internet Printing                                                                           .printer
Index Server                                                                                .htw, .ida, and .idq
Note: Internet Printing can be configured through Group Policy as well as via the Internet Services Manager. If there is a conflict between the Group Policy settings and those in the Internet Services Manager, the Group Policy settings take precedence. If you remove Internet Printing via the Internet Services Manager, be sure to verify that it will not be re-enabled by either local or domain Group Policies. (The default Group Policy neither enables nor disables Internet Printing.) In the MMC Group Policy snap-in, click Computer Configuration, click Administrative Templates, click Printing, and then click Web-based Printing.

Note: Unless you have a mission-critical reason to use the .htr functionality, you should remove the .htr extension.
Harden Metabase Permissions

Security and other IIS configuration settings are maintained in the IIS Metabase file. The default file permissions could allow an attacker to directly edit the Metabase file. The NTFS permissions on the IIS Metabase file (and the backup Metabase file) should be hardened to ensure that attackers cannot modify the IIS configuration in any way. Microsoft recommends removing all file permissions to the Metabase, and granting Full Control to only Administrators and System.
Harden ASP.NET Configuration

If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and ASP.NET in particular, to ensure ASP.NET does not increase your vulnerability to attack.

© 2001 Microsoft Corporation. All Rights Reserved.