IIS Web Server Hardening

					403_Ent_DMZ_AC.qxd   10/25/06   12:04 PM       Page A:183

                                                                      Appendix C

                       IIS Web
                       Server Hardening

                                Solutions in this chapter:

                                           ■     Understanding Common Vulnerabilities
                                                 with Microsoft IIS Web Server
                                           ■     Patching and Securing the OS
                                           ■     Hardening the IIS Application
                                           ■     Monitoring the Web Server
                                                 for Secure Operation


  A:184 Appendix C • IIS Web Server Hardening

         As security professionals, we understand that every operating system, application, and service
         has potential security vulnerabilities. Throughout this book, we have examined many ways to
         minimize security risk through proper design, secure configuration, and intelligent monitoring.
         We have learned that blocking services from people who would do our systems harm is a good
         first step in preventing security incidents. Yet to provide business functionality and
         information to our customers, there must be exposed services and applications. Web servers
         are most often the systems chosen to convey our information.
               For that reason, we have included two appendixes to review the methods by which we
         can secure the most prevalent Web server applications used today: Microsoft IIS and Apache
         Web Server. In this and the following appendix, we discuss some of the common vulnerabil-
         ities of these applications, the steps you’ll use to secure the Web servers, and the way you can
         monitor your successful secure implementation.
               This appendix is written specifically for Windows 2003 Server and IIS 6.0.

                After finishing the recommended steps in this appendix, be sure to make a full
                backup of the server before placing it into the production environment. Include a
                backup of the IIS metabase (IIS Manager, Backup/Restore Configuration, or the
                iisback.vbs script) so that the IIS configuration can be restored independently of
                the OS. Should you have trouble in the future, you can always rely on a secure
                baseline backup for quick reinstallation of the Web server.

         Understanding Common Vulnerabilities
         Within Microsoft IIS Web Server
         As with all software, there are four general types of vulnerability associated with Microsoft
         IIS Web Server. These types include the following:
                ■    Poor application configuration
                ■    Unsecured Web-based code
                ■    Inherent IIS security flaws
                ■    Foundational Microsoft OS vulnerabilities

         We’ll investigate these four types in detail in the remaining sections of this appendix.

                                                                    IIS Web Server Hardening • Appendix C          A:185

             Poor Application Configuration
             The easiest to prevent yet most frequent vulnerabilities are those stemming from poor con-
             figuration of the application itself. Many default settings within the IIS server require modi-
             fication for secure operation, as we’ll discuss in subsequent sections of this appendix.
             Furthermore, because many configuration options exist within the IIS server, it can be easy
             to make configuration errors that expose the application to attack.

             Unsecured Web-Based Code
             The second manner in which vulnerabilities are exposed is via poorly implemented code on
             the IIS server. Web developers are often far more concerned with business functionality
             than with the security of their code. For instance, a dynamic page that passes unvalidated,
             unbounded user input into a back-end database query is an easy denial-of-service target,
             and the same missing validation is the entry point for injection attacks against that
             database. Simply publishing confidential or potentially harmful information without
             authentication can provide enemies with ammunition for attack. For these reasons, you must
             review and understand not only the IIS application but the information and functionality
             being delivered via the system.

             Inherent IIS Security Flaws
             A third pathway for vulnerability is within the application code itself. Occasionally, IIS secu-
             rity flaws are discovered and announced by Microsoft or by various security groups.
             Fortunately, Microsoft is relatively quick to respond and distribute patches in response to
             such events. For this reason, it is critical that you remain vigilant in your attention to security
             newsgroups and to Microsoft’s security advisory site at

             Foundational Microsoft OS Vulnerabilities
             Another source of vulnerability within Microsoft's IIS Web Server occurs as a result of
             foundational security flaws in the Microsoft operating system. Because the Microsoft OS and
             applications are tightly integrated, security problems in the OS can be used to exploit
             applications such as IIS. This brings us to our next section, in which we discuss the
             merits of patching and securing the Microsoft OS.

             Patching and Securing the OS
             As we discussed in the previous section and in Chapter 2, code deficiencies could exist in the
             Microsoft OS that can lead to OS and application vulnerabilities. It is therefore imperative
             that you fully patch newly deployed Microsoft OSs and remain current with all released func-
             tional and security patches. At regular intervals, thoroughly review the published vulnerabili-
             ties at and monitor security newsgroups



         for 0-day exploits. It might be a good idea to subscribe to security-related updates at

         Patching the Microsoft Operating System
         Microsoft provides a full suite of tools designed to help you remain current with its released
         software updates at
         One such tool is the Microsoft Baseline Security Analyzer (MBSA), which scans a server (or a
         range of servers) for missing security updates and for common misconfigurations, including
         several IIS-specific checks. MBSA reports what is missing but does not install anything;
         installation is done through Windows Update, Automatic Updates, or a WSUS server. The
         software and additional information about MBSA are available at
              As the security administrator, you should reserve predetermined time periods for main-
         tenance windows during episodes of low customer activity. However, the discovery of serious
         OS vulnerabilities may necessitate emergency downtime while patches are applied.

         Configuring a Secure Operating System
         You should complete several tasks immediately after a new installation of the Windows OS,
         because several vulnerabilities related to default configuration exist in the OS. First, we'll
         ensure that the user accounts on the new server are configured properly. The tasks associated
         with account security are as follows:
              ■      Delete or disable all unnecessary accounts. Windows 2003 automatically
                     disables the Guest account, but other accounts for applications, users, or remote
                     support could exist and should be removed. This includes the IUSR_<machinename>
                     and ASPNET accounts if they are not necessary. Keep IUSR_<machinename> if the
                     site serves anonymous content, since it is the identity IIS uses for anonymous
                     requests, and keep ASPNET only if ASP.NET runs in IIS 5.0 isolation mode (in the
                     default worker process isolation mode, ASP.NET runs as Network Service instead).
              ■      Reconfigure the Administrator account. Alter the Administrator account
                     name from the default to provide extra protection against brute-force password
                     attacks. Renaming does not hide the account, because its well-known SID (RID 500)
                     can still be enumerated, so the strong password and the lockout settings below
                     matter more than the new name. Configure a strong password for this account using:
                     ■     At least eight characters drawn from letters, digits, and punctuation
                     ■     Upper- and lowercase letters
                     ■     Words and terms not found in a dictionary
              ■      Enable account lockout for administrative logins. Use the passprop
                     command-line tool available in the Windows 2000 Server Resource Kit (passprop
                     /adminlockout) to lock the built-in Administrator account after the number of
                     failed logins set in your lockout policy; without it, the built-in account is exempt
                     from lockout. The lockout applies to network logons only, so the account can still
                     be used at the console to recover.
              ■      Enforce strong password and login policies. Like the administrative account,
                     required user accounts on the server should adhere to good policy. Using the Local
                     (or Domain) Security Policy manager, configure the NSA-recommended policies
                     shown in Table C.1.
              ■      Configure appropriate audit policies. Without proper auditing
                     configurations, you'll have little in your logs to help diagnose potential security
                     problems. Several auditing policies should be configured so that critical events are
                     captured for later use. Table C.2 lists some NSA-recommended settings to be
                     configured via the Local (or Domain) Security Policy manager.
                     ■    Define logging parameters. Configure Windows logging parameters to
                          properly capture event data for a long period of time. So that you don't lose
                          important forensic data, set the maximum log size as high as your disk space
                          permits, and set retention to "Do not overwrite events (clear log manually)" or
                          to overwrite only events older than your retention period, rather than the
                          default "Overwrite events as needed," which lets an attacker flush the log by
                          generating noise. Archive the logs off the server before they fill.
                     ■    Configure appropriate file system attributes. The IIS server should have
                          NTFS file systems so that you can adequately secure your content. The Everyone
                          group should have restricted access to content and server binaries. Configure
                          access to directories and files for only those user and group accounts that
                          require it.
                     ■    Disable remote registry access. In Windows Server 2003, members of the
                          Administrators and Backup Operators groups have remote access to the registry,
                          but you might want to consider restricting all remote access. To change the
                          default settings, use regedit.exe, navigate to HKLM\SYSTEM\CurrentControlSet\
                          Control\SecurePipeServers\winreg, choose Edit | Permissions, and modify the
                          ACL (on the older regedt32.exe the same command is on the Security menu). If
                          nothing on your management network needs remote registry access, the simpler
                          option is to stop and disable the Remote Registry service.

             Table C.1 NSA-Recommended Password and Login Policies
             Policy Attribute                                       Recommended Configuration
             Enforce password history                               24 passwords remembered
             Maximum password age                                   42 days
             Minimum password age                                   2 days
             Minimum password length                                8 characters
             Password must meet complexity requirements             Enabled
             Store passwords using reversible encryption            Disabled
             Interactive Logon: Do not display last user name       Enabled

             Table C.2 NSA-Recommended Settings for Audit Policies
             Audit Attribute                                     Recommended Configuration
             Audit account logon events                          Success, Failure
             Audit account management                            Success, Failure
             Audit directory service access                      Success, Failure
             Audit logon events                                  Success, Failure
             Audit object access                                 Success, Failure
             Audit policy change                                 Success
             Audit privilege use                                 Failure
             Audit process tracking                              No auditing
             Audit system events                                 Success
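The settings in Tables C.1 and C.2 can be applied and verified from a script rather than clicked through the Local Security Policy snap-in. The following PowerShell script is an added example, not part of the original appendix or of any Microsoft tool: it writes a security template and applies it with secedit, then exports the effective policy and compares the values. The C:\Hardening working directory and the lockout thresholds (5 failures, 30-minute window and duration) are assumptions, since the tables do not specify them.

```powershell
# Added example (not from the book): apply Tables C.1 and C.2 with a security
# template and secedit, then verify the result. Run from an elevated prompt on the
# Windows Server 2003 host. Assumptions: C:\Hardening as a working directory, and
# lockout thresholds of 5 failures / 30 minutes, which the tables do not specify.
$workDir = 'C:\Hardening'
if (-not (Test-Path $workDir)) { New-Item -ItemType Directory -Path $workDir | Out-Null }
$inf = Join-Path $workDir 'iis-baseline.inf'

# [System Access] = password and lockout policy; [Event Audit] = audit categories
# (0 none, 1 success, 2 failure, 3 both); [Registry Values] = "do not display last
# user name" as a REG_DWORD (type 4) with value 1.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 1
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@ | Set-Content -Path $inf -Encoding Unicode

# Import the template into the local policy database; secedit.log records each change.
secedit /configure /db (Join-Path $workDir 'iis-baseline.sdb') /cfg $inf /overwrite /log (Join-Path $workDir 'secedit.log') /quiet

# The built-in Administrator account ignores LockoutBadCount unless passprop
# (Windows 2000 Server Resource Kit) enables network lockout for it:
#   passprop /adminlockout

# Verify by exporting the effective policy and checking the values we care about.
$export = Join-Path $workDir 'effective.inf'
secedit /export /cfg $export /quiet
$effective = Get-Content $export
$expected = @{
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 42
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
    LockoutBadCount       = 5
    AuditLogonEvents      = 3
    AuditObjectAccess     = 3
}
foreach ($name in $expected.Keys) {
    $line = $effective | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $actual = 'missing'
    if ($line -and ($line -match '=\s*(\d+)')) { $actual = [int]$matches[1] }
    $state = if ($actual -eq $expected[$name]) { 'OK ' } else { 'BAD' }
    '{0} {1,-24} expected {2,-3} actual {3}' -f $state, $name, $expected[$name], $actual
}
net accounts   # the same password and lockout values in plain language
```

Keep the .inf under version control alongside the server's build documentation; re-running the export and comparison on a schedule is a cheap way to notice when someone relaxes the policy later.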

         Configuring Windows Firewall
         Once you have patched the OS and implemented good policies, you'll need to install
         antivirus software and implement host-based firewall services using third-party tools or
         Microsoft's embedded firewall capabilities. To install antivirus software properly, refer to your
         selected antivirus vendor's installation documentation. Windows Firewall ships with Windows
         Server 2003 Service Pack 1 and later (the original release had the more limited Internet
         Connection Firewall), so apply SP1 before following these steps to implement Windows
         Firewall on your Windows 2003 IIS server:
              1. From the Control Panel, select Windows Firewall. The Windows Firewall
                 window appears, as shown in Figure C.1.

         Figure C.1 The Windows Firewall Window

              2. Click the On radio button to turn the Windows Firewall services on.
              3. Click to uncheck the box beside Don’t allow exceptions, to allow access to
                 your server.


                     4. Select the Exceptions tab and click Add a Port to modify the TCP ports
                        permitted to your server. The Add a Port window appears, as shown in Figure C.2.

             Figure C.2 The Add a Port Window

                     5. Use the radio buttons to select TCP or UDP.
                     6. Use the Name and Port number fields to permit only the necessary services to
                        your server. Table C.3 shows a recommended configuration.

             Table C.3 Recommended Configuration
             Name                  TCP Port
             HTTP                  80
             HTTPS                 443

                     Other services could be required to properly run and/or manage your IIS Web
                     site. For instance, you might need to enable DNS, SNMP, or Remote
                     Management protocols in your Windows Firewall configurations for full system



              7. Click OK to apply the filters.
              8. Continue to click OK until you exit the Windows Firewall window.
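The same configuration can be applied and checked from the command line, which is easier to repeat across several DMZ servers and to audit afterward. The following PowerShell script is an added example, not part of the original appendix; it uses the netsh firewall context of Windows Server 2003 SP1. The management network 10.0.0.0/24 and the two management services it opens (Remote Desktop on TCP 3389 and SNMP on UDP 161) are assumptions; change them to match your site.

```powershell
# Added example (not from the book): the Windows Firewall configuration from steps
# 1 through 8 as netsh commands (Windows Server 2003 SP1 or later), so it can be
# scripted, repeated, and audited. Assumptions: 10.0.0.0/24 is the management
# network, and Remote Desktop (TCP 3389) and SNMP (UDP 161) are the management
# services this server needs; change both to fit your site.

# Firewall on for every profile, exceptions list usable (the equivalent of
# unchecking "Don't allow exceptions").
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# Table C.3: only HTTP and HTTPS are reachable from anywhere.
netsh firewall add portopening protocol=TCP port=80  name="HTTP"  mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL

# Management services are exceptions too, but scoped to the management subnet.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=10.0.0.0/24
netsh firewall add portopening protocol=UDP port=161  name="SNMP"           mode=ENABLE scope=CUSTOM addresses=10.0.0.0/24

# Log dropped packets (to %windir%\pfirewall.log) so the firewall adds to the
# forensic trail; 4096 KB is the maximum size before the log rolls over.
netsh firewall set logging maxfilesize=4096 droppedpackets=ENABLE

# Verify: print the configuration, then flag any opening outside the approved list.
netsh firewall show config
$approved = 'TCP/80', 'TCP/443', 'TCP/3389', 'UDP/161'
$open = netsh firewall show portopening | ForEach-Object {
    if ($_ -match '^\s*(\d+)\s+(TCP|UDP)\s+') { "$($matches[2])/$($matches[1])" }
}
$unexpected = @($open | Where-Object { $approved -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ('Unapproved port openings: ' + ($unexpected -join ', '))
} else {
    'Port openings match the approved list.'
}
```

Scoping the management openings to a subnet is what keeps this list short: every port you add with scope=ALL is reachable by the same Internet population that reaches port 80.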

             Now that we’ve fully patched the OS and configured Windows Firewall, let’s continue
         and disable vulnerable OS services.

         Disabling Vulnerable Services
         The default Microsoft OS and IIS server are installed with several services you should disable
         because they pose potential vulnerabilities. Let's examine the OS first, since many of the IIS
         services vulnerabilities are solved with the IISLockdown tool, which we'll examine in the
         next section.
              One of the first steps you should take is to identify unnecessary protocols and services
         within the IP stack on the server. For instance, does your server need Client for Microsoft
         Networks or File and Printer Sharing for Microsoft Networks? If not, these components should
         be uninstalled from the OS. The two protocols behind them are NetBIOS over TCP/IP (NetBT)
         and SMB. To disable NetBIOS over TCP/IP, use the following procedure:
              1. From the desktop, right-click My Computer and select Manage.
              2. Select Device Manager from System Tools.
              3. From the View menu, click Show hidden devices.
              4. Expand Non-Plug and Play Drivers, right-click NetBios over Tcpip, and click
                 Disable.
         The same result can be had per adapter: in the TCP/IP properties of the connection, click
         Advanced, select the WINS tab, and choose Disable NetBIOS over TCP/IP. Either way, confirm
         afterward (for example with netstat -an) that the server no longer listens on TCP port 139.

         To disable SMB, use the following procedure:
              1. Right-click My Network Places and select Properties.
              2. Right-click Local Area Connection and select Properties.
              3. Click Client for Microsoft Networks and click Uninstall.
              4. Click File and Printer Sharing for Microsoft Networks and click Uninstall.
              5. Click OK to exit the Local Area Connection box.

              Use caution when disabling services. Before doing so, determine the dependen-
              cies of your system software and the underlying Microsoft services. Failure to
              understand what services you require to operate could result in loss of critical
              functionality. It might be prudent to test your configuration in a lab environ-
              ment before disabling services on a production server.


                 Next, consider the services that run within the Microsoft OS itself. On a Web server,
             you might not need to run some of the following services, several of which are enabled
             by default:
                     ■    Computer Browser
                     ■    Alerter
                     ■    Messenger
                     ■    Net Logon (needed only if the server is a domain member; a standalone
                          server in the DMZ does not need it)
                     ■    Print Spooler
                     ■    Simple TCP/IP Services

                  Should you determine that these services are not necessary, disable them using the
             Services MMC snap-in available in the Administrative Tools programs group. In Windows
             Server 2003, the Telnet service is disabled by default. However, you should verify that this
             service is truly disabled, since it is often enabled by administrators.
                  Often, SNMP is used to monitor the performance and availability of IIS servers.
             Although this is good operations management practice, you must ensure that SNMP is
             configured in a secure manner. Check that the read-only and read-write community strings
             are not left at the well-known defaults public and private, give the monitoring string
             only READ ONLY rights, and use the Security tab of the SNMP service to accept packets only
             from your management stations. Also restrict access to the agent on UDP port 161 with the
             host firewall or TCP/IP filtering. UDP port 162 is the trap port; it only needs to be open
             on a host that receives traps, which a monitored Web server normally does not.
                  Finally, verify that unnecessary third-party software, such as chat programs, peer-to-peer
             file sharing programs, or e-mail client software, is not loaded on the server. This will reduce
             security risks while ensuring that your server does not waste cycles on needless programs.
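The service, NetBIOS, and SNMP changes above can be made and checked from one script. The following PowerShell script is an added example, not part of the original appendix; it uses the built-in service cmdlets, the Win32_NetworkAdapterConfiguration WMI class, and the SNMP service's registry keys. The service list is the one from this section plus Telnet; it is an assumption that none of them is needed on your server, and Net Logon is deliberately left alone because a domain member requires it.

```powershell
# Added example (not from the book): disable the services listed above, disable
# NetBIOS over TCP/IP on every adapter, and check the SNMP configuration. Review the
# service list against your own dependencies first; Netlogon is left alone because it
# is needed on a domain member.
# Service short names: Computer Browser, Alerter, Messenger, Print Spooler,
# Simple TCP/IP Services, Telnet.
$unneeded = 'Browser', 'Alerter', 'Messenger', 'Spooler', 'SimpTcp', 'TlntSvr'
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { continue }                       # not installed
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
}

# NetBIOS over TCP/IP, per adapter: SetTcpipNetbios(2) = disable. Same effect as the
# Device Manager steps above, but scriptable and explicit about which NICs it touches.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.SetTcpipNetbios(2) | Out-Null }

# SNMP: community strings are values under ValidCommunities (data = rights:
# 4 = READ ONLY, 8 = READ WRITE); PermittedManagers lists the hosts allowed to query
# the agent. No PermittedManagers entries means "accept from any host".
$snmp = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
if (Test-Path $snmp) {
    $communities = Get-ItemProperty "$snmp\ValidCommunities" -ErrorAction SilentlyContinue
    if ($communities) {
        foreach ($prop in $communities.PSObject.Properties) {
            if ($prop.Name -match '^(public|private)$') {
                Write-Warning "Default SNMP community '$($prop.Name)' still defined (rights = $($prop.Value))"
            } elseif ($prop.Value -eq 8) {
                Write-Warning "Community '$($prop.Name)' has READ WRITE rights; monitoring needs READ ONLY"
            }
        }
    }
    $managers = Get-ItemProperty "$snmp\PermittedManagers" -ErrorAction SilentlyContinue
    $hosts = @()
    if ($managers) {
        $hosts = @($managers.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    if ($hosts.Count -eq 0) {
        Write-Warning 'SNMP accepts packets from any host; add your management stations to PermittedManagers'
    } else {
        'SNMP managers: ' + ($hosts -join ', ')
    }
}

# Confirm the services are down and that nothing still listens on the NetBIOS session port.
Get-WmiObject Win32_Service | Where-Object { $unneeded -contains $_.Name } |
    Format-Table Name, State, StartMode -AutoSize
netstat -an | Select-String ':139\s'
```

Run the script in a lab first, as the note above advises; the WMI call in particular changes every IP-enabled adapter, including any dedicated management interface.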

             Hardening the IIS Application
             Microsoft has made significant improvements in the default security configuration of the IIS
             6.0 Web Server. In previous versions such as IIS 5.0, administrators were required to make
             many configuration changes or risk exposure to security threats. Even with the advent of
             better initial security in version 6.0, you must take several steps to securely deploy your IIS
             server. This appendix deals exclusively with IIS 6.0, but you should be aware of two useful
             tools in the event that you maintain previous versions of IIS.
                  Microsoft makes the IISLockdown and URLScan tools available to automate the process of
             securing your Web server. Both tools' functionality is built into the 6.0 release of IIS, but
             they should be run against every IIS 5.0 or earlier installation. Using secure templates
             based on the role you intend for your Web server, IISLockdown applies rules to either
             disable or secure various IIS features. URLScan is an ISAPI filter that is installed when
             you use IISLockdown; it accepts or rejects potentially malicious page requests based on
             criteria set forth in its rules. Microsoft still ships URLScan 2.5 as a separate download
             that runs on IIS 6.0, for sites that want its configurable request filtering (blocking
             particular verbs, extensions, or over-long URLs, for example) on top of the built-in
             protections.
                  Because IISLockdown and URLScan functionality is included in IIS 6.0, the security
             configuration required when you're building a server is greatly reduced. There are,
             however, several tasks to complete on installation and configuration of the version 6.0
             server to increase security.


         IIS Installation Options and Basic Services Setup
         When initially installing IIS 6.0, be sure that the following services are not installed unless
         you require their use:
               ■     FTP Server
               ■     NNTP Service
               ■     SMTP Service
               ■     Internet Service Manager
               ■     Microsoft FrontPage Server Extensions
               ■     Visual InterDev Remote Support

              By default, these components are not installed with IIS 6.0, because each one adds attack
         surface. For instance, FTP, NNTP, and SMTP are all services provided by the IIS server, but
         they might not be necessary in your environment. Leaving them uninstalled reduces the
         services exposed to the network and therefore the potential for a security breach.
              After installation, you might want to consider deleting the default site that is installed on
         the IIS server. This is recommended by Microsoft and is good practice because it reduces
         the amount of security configuration tasks you would otherwise need to perform.

         Virtual Directories, Script
         Mappings, and ISAPI Filters
         When configuring your site within the IIS server, be sure to locate the Web root on a
         non-system NTFS volume; a directory traversal flaw in the server or in a script is then
         confined to that volume and cannot reach the system files. Also make sure the use of Parent
         Paths (../.. in an ASP include, for example) is disabled, which is the default for IIS 6.0. To
         further secure IIS, ensure that dangerous virtual directories such as IISSamples, IISAdmin,
         IISHelp, and Scripts are removed (IIS 6.0 does not create them on a clean install, but they
         survive upgrades from earlier versions) and that Remote Data Services (RDS, reached through
         the MSADC virtual directory) is disabled.
              Each site within your IIS server configuration should also be securely configured
         without directory browsing and should not permit script source access, to secure your code.
              Proper Web page permissions are a critical part of maintaining IIS Web sites. Failure to
         apply restrictions provides potentially dangerous functionality to customers. Microsoft rec-
         ommends that the permissions shown in Table C.4 be used on all Web content.


             Table C.4 Microsoft-Recommended Permissions
             Type of Permission                    Where to Apply
             Read permission                       Restrict read permission on include directories
             Write and execute permission          Restrict write and execute permissions on virtual
                                                   directories that allow anonymous access
             Script source access permission       Configure script source access permissions only on
                                                   folders that allow content authoring
             Write permission                      Configure write permissions only on folders that
                                                   allow content authoring; grant write access only to
                                                   content authors

                 Once you've set the proper permissions on your Web page directories, you'll need to
             consider script-mapping settings within the IIS server. Script mapping associates handler
             DLLs with page file extensions such as .asp, .shtml, and so on. Every mapped extension is
             code that an attacker can reach with a request, so remove the application mappings for
             any extension your site does not serve (Home Directory tab, Configuration button). On
             IIS 5.0, IISLockdown achieved this by mapping unused extensions to 404.dll; on IIS 6.0 an
             extension with no mapping and no registered MIME type simply returns 404, and the Web
             Service Extensions node lets you prohibit whole handlers (ASP, Server Side Includes,
             WebDAV) that are not needed. Both measures reduce exposure to extension-handling
             vulnerabilities and prevent clients from downloading server-side source.
                 Also, evaluate the ISAPI filters installed on the server. Delete filters that are not
             required for your site's operation, because historically these filters have been
             extensively exploited. To examine your ISAPI filters in IIS 6.0, use the following
             procedure:
                     1. Open Internet Information Services (IIS) Manager from the Administrative
                        Tools programs group.
                     2. Expand the server node, right-click the Web Sites folder, and click Properties.
                        Filters defined here load for every Web site on the machine; a single site's
                        Properties dialog carries the same tab for site-specific filters. (On IIS 5.0
                        the global list was reached through the computer's Master Properties and the
                        Edit button instead.)
                     3. Click the ISAPI Filters tab to view your ISAPI configuration.
                     4. Review each entry by name and DLL path; investigate any filter you do not
                        recognize before deciding whether it stays.
                     5. To remove an ISAPI filter, highlight the filter you want to delete and click
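The virtual-directory, permission, and script-map settings from this section can be applied with the administration scripts that ship with IIS 6.0, which is the practical route when the same build is repeated on several servers. The following PowerShell script is an added example, not part of the original appendix; it drives adsutil.vbs and iisext.vbs. The site number (W3SVC/1, the Default Web Site), the content path D:\wwwroot\corp, and the list of extensions the site is assumed to serve are all assumptions to adjust before running it.

```powershell
# Added example (not from the book): the virtual-directory, permission, and
# script-map settings from this section applied with adsutil.vbs and iisext.vbs, the
# admin scripts that ship with IIS 6.0. W3SVC/1 is the Default Web Site; substitute
# your own site number (cscript %windir%\system32\iisweb.vbs /query lists them).
# D:\wwwroot\corp is an assumed content location on a non-system NTFS volume, and the
# $keep list is an assumed set of extensions the site actually serves.
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$iisext  = "$env:windir\system32\iisext.vbs"
$site    = 'W3SVC/1'

function Set-Metabase($path, $value) { cscript //nologo $adsutil set $path $value | Out-Null }
function Get-Metabase($path)         { cscript //nologo $adsutil get $path }

# Content root off the system volume; parent paths off; no directory listing; no
# script source access and no write access on the anonymous-accessible root.
Set-Metabase "$site/ROOT/Path"                 'D:\wwwroot\corp'
Set-Metabase "$site/ROOT/AspEnableParentPaths" FALSE
Set-Metabase "$site/ROOT/EnableDirBrowsing"    FALSE
Set-Metabase "$site/ROOT/AccessSource"         FALSE
Set-Metabase "$site/ROOT/AccessWrite"          FALSE

# Leftover virtual directories (samples, admin, help, RDS): delete whichever exist.
foreach ($vdir in 'IISSamples', 'IISAdmin', 'IISHelp', 'Scripts', 'MSADC') {
    cscript //nologo $adsutil delete "$site/ROOT/$vdir" 2>&1 | Out-Null
}

# Script maps: adsutil prints one quoted ".ext,handler,flags,verbs" entry per line.
# Keep only the extensions this site serves and write the shortened list back; an
# extension with no mapping (and no MIME type) now returns 404 instead of reaching a DLL.
$keep = '.asp', '.aspx', '.asmx', '.ashx', '.config', '.cs', '.vb', '.resx'
$maps = Get-Metabase "$site/ROOT/ScriptMaps" | ForEach-Object {
    if ($_ -match '^\s*"(\.[^,]+,.*)"\s*$') { $matches[1] }
}
$wanted = @($maps | Where-Object { $keep -contains ($_ -split ',')[0].ToLower() })
if ($wanted.Count -gt 0) {
    cscript //nologo $adsutil set "$site/ROOT/ScriptMaps" $wanted | Out-Null
}

# Web Service Extensions: IIS 6.0 runs a handler only if its group is Allowed.
# Prohibit the ones this site does not use (group IDs come from "iisext /listext").
foreach ($group in 'SSINC', 'WEBDAV', 'HTTPODBC') {
    cscript //nologo $iisext /disext $group | Out-Null
}

# Verify what the site now permits.
foreach ($prop in 'Path', 'AspEnableParentPaths', 'EnableDirBrowsing', 'AccessSource', 'AccessWrite') {
    Get-Metabase "$site/ROOT/$prop"
}
'Script maps left: ' + (($wanted | ForEach-Object { ($_ -split ',')[0] }) -join ' ')
cscript //nologo $iisext /listext
```

The $keep list deserves the most thought: the ASP.NET mappings for .config, .cs, .vb and .resx exist precisely so that those files are handled by ASP.NET's forbidden handler rather than served, so removing a mapping is only safe when the extension has no MIME type either.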

                 Now that our application is more secure, let’s look at the IIS logging configuration to
             ensure that we’re able to monitor the server properly.

             There are many reasons to configure logging on your IIS server. Whether helping you see
             top page hits, hours of typical high-volume traffic, or simply understanding who’s using your
             system, logging plays an important part in any installation. More important, logging can pro-
             vide a near-real-time and historic forensic toolkit during or after security events. In this sec-
             tion, we examine some logging configuration best practices.



             Begin by changing the default location for your IIS logs. Use a nonsystem location on
         an NTFS volume. To secure the logs, permit Full Control for Administrators and System, and
         allow Backup Operators to Read the files. Deny all other access. On IIS 6.0 the W3C, IIS,
         and NCSA log formats are written by HTTP.sys in the context of the System account, so no
         worker-process identity needs write access to the log directory.
             Because we secured the Microsoft OS in previous sections of this appendix, we don't
         need to revisit the particular auditing configurations you'll need to ensure you're logging the
         proper information on your server. In general, however, you should log all failed login
         attempts and all failed actions within the OS. Additionally, you should audit all access to
         the IIS metabase, which on IIS 6.0 is the MetaBase.xml file (with its schema in
         MBSchema.xml) in the %SystemRoot%\System32\inetsrv directory, because it contains your
         IIS configuration; earlier versions kept it in Metabase.bin in the same directory. File
         auditing only produces events when Audit object access (Table C.2) is enabled.

                It is good practice to archive your system and IIS log files to backup location.
                This prevents loss of critical forensic data due to accidental deletion or malicious

              Finally, configure IIS W3C Extended Log File Format logging. To do so, from your Web
         site Properties box, click the Web Site tab, make sure Enable logging is checked, and select
         W3C Extended Log File Format. Click Properties and use the Advanced tab to choose the
         fields: confirm that URI Stem (cs-uri-stem) and URI Query (cs-uri-query) are selected, and
         add Protocol Substatus (sc-substatus), Win32 Status (sc-win32-status), Referer (cs(Referer)),
         and Time Taken (time-taken) for additional forensic detail.
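The log-directory ACL, the log format and field selection, and the metabase audit entry described in this section can all be set from one script. The following PowerShell script is an added example, not part of the original appendix; it uses the .NET access-control classes for the ACLs and adsutil.vbs for the metabase properties. The log directory D:\IISLogs and the site number W3SVC/1 are assumptions.

```powershell
# Added example (not from the book): the logging settings from this section,
# scripted. Assumptions: D:\IISLogs as the log directory on a non-system NTFS volume,
# W3SVC/1 as the site, and adsutil.vbs in its default IIS 6.0 location.
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$site    = 'W3SVC/1'
$logDir  = 'D:\IISLogs'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# ACL: Administrators and SYSTEM Full Control, Backup Operators Read, nothing else.
# Inheritance is cut so the volume's default ACEs (typically Users: Read) do not leak in.
# HTTP.sys writes W3C logs as SYSTEM, so no worker-process identity needs an entry.
$acl = Get-Acl -Path $logDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$grants  = @(
    @('BUILTIN\Administrators',   'FullControl'),
    @('NT AUTHORITY\SYSTEM',      'FullControl'),
    @('BUILTIN\Backup Operators', 'ReadAndExecute')
)
foreach ($g in $grants) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $logDir -AclObject $acl

# W3C Extended format, the new directory, and the fields to record. LogExtFileFlags
# is a bitmask (the MD_EXTLOG_* metabase flags); building it from names keeps the
# field choice readable and auditable.
$w3cPlugin = '{FF160663-DE82-11CF-BC0A-00AA006111E0}'   # CLSID of the W3C Extended log module
$field = @{
    'date' = 1;             'time' = 2;               'c-ip' = 4;            'cs-username' = 8
    's-ip' = 64;            'cs-method' = 128;        'cs-uri-stem' = 256;   'cs-uri-query' = 512
    'sc-status' = 1024;     'sc-win32-status' = 2048; 'sc-bytes' = 4096;     'cs-bytes' = 8192
    'time-taken' = 16384;   's-port' = 32768;         'cs(User-Agent)' = 65536
    'cs(Referer)' = 262144; 'sc-substatus' = 2097152
}
$flags = 0
foreach ($v in $field.Values) { $flags += $v }
cscript //nologo $adsutil set "$site/LogType" 1 | Out-Null                  # 1 = logging enabled
cscript //nologo $adsutil set "$site/LogPluginClsid" $w3cPlugin | Out-Null
cscript //nologo $adsutil set "$site/LogFileDirectory" $logDir | Out-Null
cscript //nologo $adsutil set "$site/LogExtFileFlags" $flags | Out-Null

# Audit changes to the metabase file. Events appear only if "Audit object access"
# (Table C.2) is on; Success and Failure are recorded for the change-type rights.
$metabase = Join-Path $env:windir 'system32\inetsrv\MetaBase.xml'
$sacl  = Get-Acl -Path $metabase -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Write, Delete, ChangePermissions, TakeOwnership', 'Success, Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $metabase -AclObject $sacl

# Verify.
foreach ($prop in 'LogType', 'LogPluginClsid', 'LogFileDirectory', 'LogExtFileFlags') {
    cscript //nologo $adsutil get "$site/$prop"
}
(Get-Acl $logDir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
(Get-Acl $metabase -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

IIS creates a W3SVC<site-id> subfolder under the configured directory and inherits the ACL set here; if a backup or log-shipping agent runs under its own account, add that account to the $grants list rather than widening Backup Operators.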

         Monitoring the Server
         for Secure Operation
         Even with the best defenses and secure configurations, breaches in your systems and
         applications can occur. Therefore, you cannot simply set up a hardened Microsoft IIS Web server
         and walk away thinking that everything will be just fine. Robust and comprehensive moni-
         toring is perhaps the most important part of securely operating servers and applications on
         the Internet.
              Throughout this book, we have discussed myriad techniques to ensure your IT security.
         You must leverage all these secure DMZ functions in your job. With regard to Microsoft IIS,
         there are several things to consider that will help you identify and react to potential threats.
              Your primary source of data will be through IIS and Microsoft OS audit logs. Even with
         small Web sites, however, sifting through this information can be a challenge. One of the first
         things to consider is integrating your IIS logs with other tools to help organize and identify
         the potential incident "needles" in your log file "haystack." Many open source and
         commercial products are available to aid you in securing your site. For instance, Microsoft
         makes Log Parser, among other utilities, available through the IIS 6.0 Resource Kit found at

             ADE629C89499&displaylang=en. Log Parser runs SQL-like queries directly against the W3C
             log files (and against the Windows Event Logs), and can write its results to SQL Server
             for longer-term storage and correlation across servers.
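The queries below show what "finding the needles" looks like in practice with Log Parser 2.2 against the W3C extended logs configured earlier. The following PowerShell script is an added example, not part of the original appendix or of the Log Parser documentation. The log path D:\IISLogs\W3SVC1, the 50-hit threshold, the 10-second slow-request cutoff, and the SQLHOST / IISLogs server and database names are assumptions; sc-substatus and time-taken are only present if those fields were enabled in the log properties.

```powershell
# Added example (not from the book): Log Parser 2.2 queries that pull the incident
# "needles" out of W3C extended logs. Assumptions: logs in D:\IISLogs\W3SVC1 (IIS
# creates a W3SVC<site-id> folder under the configured log directory), LogParser.exe
# on the PATH, the thresholds used below, and SQLHOST / IISLogs as the SQL Server
# instance and database.
$logs = 'D:\IISLogs\W3SVC1\ex*.log'
$lp   = 'logparser'     # -rtp:-1 prints every row instead of paging ten at a time

# 1. Scanners: clients collecting many 404s in a day while walking well-known paths.
& $lp -i:IISW3C -rtp:-1 "SELECT date, c-ip, COUNT(*) AS NotFound FROM $logs WHERE sc-status = 404 GROUP BY date, c-ip HAVING COUNT(*) > 50 ORDER BY NotFound DESC"

# 2. Traversal sequences and command-probe strings in the request path or query.
& $lp -i:IISW3C -rtp:-1 "SELECT date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status FROM $logs WHERE cs-uri-stem LIKE '%..%' OR cs-uri-query LIKE '%..%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%cmd.exe%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%/msadc/%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%/_vti_bin/%' ORDER BY date, time"

# 3. Authentication failures (401) by source and attempted user name, to spot
#    password guessing against an authenticated area of the site.
& $lp -i:IISW3C -rtp:-1 "SELECT c-ip, cs-username, COUNT(*) AS Failures FROM $logs WHERE sc-status = 401 GROUP BY c-ip, cs-username ORDER BY Failures DESC"

# 4. Server-side errors (5xx) and slow requests (time-taken is in milliseconds), often
#    the first visible sign of an exploit attempt or an application-level DoS.
& $lp -i:IISW3C -rtp:-1 "SELECT date, time, c-ip, cs-uri-stem, sc-status, sc-substatus, time-taken FROM $logs WHERE sc-status >= 500 OR time-taken > 10000 ORDER BY time-taken DESC"

# 5. Load the logs into SQL Server so the same questions can be asked across servers
#    and days; -createTable:ON builds the WebLog table on the first run.
& $lp -i:IISW3C -o:SQL -server:SQLHOST -database:IISLogs -createTable:ON "SELECT * INTO WebLog FROM $logs"
```

Schedule the first four queries against the previous day's log and mail the output to the operations team; a sudden jump in the 404 or 401 counts for a single source address is the kind of change that is obvious in a daily report and invisible in a raw log.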
                  SNMP polling and graphing constitute another methodology commonly employed for
             secure monitoring. Often it is extremely difficult to gauge the severity or magnitude of an
             event without visualization of data from logs or SNMP counters. One tool you can consider
             using is MRTG to graph SNMP information that could help identify a security problem.
             The SecurityFocus Web site at provides an excellent
             primer on installing and configuring MRTG to monitor IIS 6.0 Web sites.
                  You may consider other commercial SNMP-based solutions, especially for enterprise-
             scale deployments.These tools help expedite monitoring deployment and usually include
             enhanced functionality to automatically alert you when important thresholds, such as Web
             site concurrent connections, are crossed.

