403_Ent_DMZ_AC.qxd 10/25/06 12:04 PM Page A:183
Solutions in this chapter:
■ Understanding Common Vulnerabilities with Microsoft IIS Web Server
■ Patching and Securing the OS
■ Hardening the IIS Application
■ Monitoring the Web Server for Secure Operation
A:184 Appendix C • IIS Web Server Hardening
As security professionals, we understand that every operating system, application, and service has potential security vulnerabilities. Throughout this book, we have examined many ways to minimize security risk through proper design, secure configuration, and intelligent monitoring. We have learned that blocking services to people who would do our systems harm is a good first step in preventing security incidents. Yet to provide business functionality and information to our customers, there must be exposed services and applications. Web servers are most often the systems chosen to convey our information.
For that reason, we have included two appendixes to review the methods by which we can secure the most prevalent Web server applications used today: Microsoft IIS and Apache Web Server. In this and the following appendix, we discuss some of the common vulnerabilities of these applications, the steps you'll use to secure the Web servers, and the way you can monitor your successful secure implementation.
This appendix is written specifically for Windows 2003 Server and IIS 6.0. After finishing the recommended steps in this appendix, be sure to make a full backup of the server before placing it into the production environment. Should you have trouble in the future, you can always rely on a secure baseline backup for quick reinstallation of the Web server.
Understanding Common Vulnerabilities Within Microsoft IIS Web Server
As with all software, there are four general types of vulnerability associated with Microsoft IIS Web Server. These types include the following:
■ Poor application configuration
■ Unsecured Web-based code
■ Inherent IIS security flaws
■ Foundational Microsoft OS vulnerabilities
We’ll investigate these four types in detail in the remaining sections of this appendix.
Poor Application Configuration
The easiest to prevent yet most frequent vulnerabilities are those stemming from poor configuration of the application itself. Many default settings within the IIS server require modification for secure operation, as we'll discuss in subsequent sections of this appendix. Furthermore, because many configuration options exist within the IIS server, it can be easy to make configuration errors that expose the application to attack.
Unsecured Web-Based Code
The second manner in which vulnerabilities are exposed is via poorly implemented code on the IIS server. Often Web developers are far more concerned with business functionality than the security of their code. For instance, poorly written dynamic Web pages can be easy DoS targets for attackers, should coded limitations be absent from back-end database queries. Simply publishing confidential or potentially harmful information without authentication can provide enemies with ammunition for attack. For these reasons, you must review and understand not only the IIS application but the information and functionality being delivered via the system.
Inherent IIS Security Flaws
A third pathway for vulnerability is within the application code itself. Occasionally, IIS security flaws are discovered and announced by Microsoft or by various security groups. Fortunately, Microsoft is relatively quick to respond and distribute patches in response to such events. For this reason, it is critical that you remain vigilant in your attention to security newsgroups and to Microsoft's security advisory site at www.microsoft.com/technet/secu-
Foundational Microsoft OS Vulnerabilities
Another source of vulnerability within Microsoft's IIS Web Server occurs as a result of foundational security flaws in the Microsoft operating system. Because the Microsoft OS and applications are tightly integrated, security problems in the OS can be used to exploit applications such as IIS. This brings us to our next section, in which we discuss the merits of patching and securing the Microsoft OS.
Patching and Securing the OS
As we discussed in the previous section and in Chapter 2, code deficiencies could exist in the Microsoft OS that can lead to OS and application vulnerabilities. It is therefore imperative that you fully patch newly deployed Microsoft OSs and remain current with all released functional and security patches. At regular intervals, thoroughly review the published vulnerabilities at www.microsoft.com/technet/security/default.mspx and monitor security newsgroups for 0-day exploits. It might be a good idea to subscribe to security-related updates at
Patching the Microsoft Operating System
Microsoft provides a full suite of tools designed to help you remain current with its released software updates at www.microsoft.com/technet/security/tools/default.mspx. One such tool that Microsoft provides is the Microsoft Baseline Security Analyzer (MBSA), which can automate the retrieval and installation of patches. The software and additional information about MBSA are available at www.microsoft.com/technet/security/tools/mbsahome.mspx.
As the security administrator, you should reserve predetermined time periods for maintenance windows during episodes of low customer activity. However, the discovery of serious OS vulnerabilities may necessitate emergency downtime while patches are applied.
Configuring a Secure Operating System
You should complete several tasks immediately after a new installation of the Windows OS, because several vulnerabilities related to default configuration exist in the OS. First, we'll ensure that the user accounts on the new server are configured properly. The tasks associated with account security are as follows:
■ Delete or disable all unnecessary accounts. Windows 2003 automatically disables the Guest account, but other accounts for applications, users, or remote support could exist and should be removed. This includes the IUSR_MACHINE and/or ASP.NET accounts if they are not necessary.
■ Reconfigure the Administrator account. Alter the Administrator account name from the default to provide extra security during brute-force password attacks. Configure a strong password for this account using:
■ At least eight alphanumeric (digits, punctuation, and letters) characters
■ Upper- and lowercase
■ Words and terms not found in a dictionary
■ Enable account lockout for administrative logins. Use the passprop command-line tool available in the Windows 2000 Server Resource Kit to automatically lock the Administrative account after a specified number of login failures.
■ Enforce strong password and login policies. Like the administrative account, required user accounts on the server should adhere to good policy. Using the Local (or Domain) Security Policy manager, configure the NSA-recommended policies shown in Table C.1.
■ Configure appropriate audit policies. Without proper auditing configurations, you'll have little in your logs to help diagnose potential security problems. Several auditing policies should be configured so that critical events are captured for later use. Table C.2 lists some NSA-recommended settings to be configured via the Local (or Domain) Security Policy manager.
■ Define logging parameters. Configure Windows logging parameters to properly capture event data for a long period of time. So that you don't lose important forensic data, set the maximum log size to as high a value as your disk space permits.
■ Configure appropriate file system attributes. The IIS server should have NTFS file systems so that you can adequately secure your content. The Everyone group should have restricted access to content and server binaries. Configure access to directories and files for only those user and group accounts that
■ Disable remote registry access. In Windows Server 2003, members of the Administrators and Backup Operators groups have access to the registry, but you might want to consider restricting all remote access. To change the default settings, use regedit.exe and navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg. From there, choose Permissions from the Security menu and modify the registry settings.
Table C.1 NSA-Recommended Password and Login Policies
Policy Attribute                                Recommended Configuration
Enforce password history                        24
Maximum password age                            42 days
Minimum password age                            2
Minimum password length                         8
Password must meet complexity requirements      Enabled
Store passwords using reversible encryption     Disabled
Interactive Logon: Do not display last          Enabled
Table C.2 NSA-Recommended Settings for Audit Policies
Audit Attribute                   Recommended Configuration
Audit account logon events        Success, Failure
Audit account management          Success, Failure
Audit directory service access    Success, Failure
Audit logon events                Success, Failure
Audit object access               Success, Failure
Audit policy change               Success
Audit privilege use               Failure
Audit process tracking            No auditing
Audit system events               Success
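As an added example (not from the book), the following Python script expresses the values in Tables C.1 and C.2 as a secedit security template and checks an exported template against them, so the two tables become something you can both apply and verify. The [System Access], [Event Audit] and [Registry Values] keys are secedit's own .inf template keys; the registry entry is the one behind the "Do not display last" logon policy. The "exported" template embedded in the script is constructed to resemble an unhardened server and is not real secedit output, and the secedit command lines in the comments are assumed usage.

```python
"""Express Tables C.1 and C.2 as a secedit security template and audit an exported
template against them. Added example, not from the book: section and key names are
secedit's .inf template keys, values come from the tables, and WEAK_EXPORT is a
constructed stand-in for real `secedit /export` output.
"""

# [section] -> key -> recommended value. Audit values use secedit's bitmask:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
RECOMMENDED = {
    "System Access": {
        "PasswordHistorySize": "24",   # Enforce password history: 24
        "MaximumPasswordAge": "42",    # Maximum password age: 42 days
        "MinimumPasswordAge": "2",     # Minimum password age: 2
        "MinimumPasswordLength": "8",  # Minimum password length: 8
        "PasswordComplexity": "1",     # Password must meet complexity requirements: Enabled
        "ClearTextPassword": "0",      # Store passwords using reversible encryption: Disabled
    },
    "Event Audit": {
        "AuditAccountLogon": "3",      # Audit account logon events: Success, Failure
        "AuditAccountManage": "3",     # Audit account management: Success, Failure
        "AuditDSAccess": "3",          # Audit directory service access: Success, Failure
        "AuditLogonEvents": "3",       # Audit logon events: Success, Failure
        "AuditObjectAccess": "3",      # Audit object access: Success, Failure
        "AuditPolicyChange": "1",      # Audit policy change: Success
        "AuditPrivilegeUse": "2",      # Audit privilege use: Failure
        "AuditProcessTracking": "0",   # Audit process tracking: No auditing
        "AuditSystemEvents": "1",      # Audit system events: Success
    },
    "Registry Values": {
        # Interactive Logon: Do not display last ... = Enabled (type 4 = REG_DWORD, value 1)
        r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName": "4,1",
    },
}

# Constructed stand-in for `secedit /export /cfg current.inf` taken on an unhardened server.
WEAK_EXPORT = r"""
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse secedit's .inf template format into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # exports are UTF-16 and may carry a BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # registry keys contain no '='; values may
            sections[current][key.strip()] = value.strip()
    return sections


def check_compliance(exported_text):
    """Return (section, key, current, recommended) for each deviation; absent keys show current=None."""
    current = parse_inf(exported_text)
    findings = []
    for section, keys in RECOMMENDED.items():
        for key, want in keys.items():
            have = current.get(section, {}).get(key)
            if have != want:
                findings.append((section, key, have, want))
    return findings


def render_template():
    """Render a template that `secedit /configure` can apply to reach the recommended state."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    for section, keys in RECOMMENDED.items():
        lines.append(f"[{section}]")
        sep = "=" if section == "Registry Values" else " = "  # mirror secedit's export style
        lines.extend(f"{key}{sep}{value}" for key, value in keys.items())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_compliance(WEAK_EXPORT):
        print("[%s] %s: current=%r recommended=%r" % finding)
    # Apply with: secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log
    with open("hardening.inf", "w", encoding="utf-16") as fh:
        fh.write(render_template())
```

Run as a script it lists every deviation in the constructed export (13 of the 16 recommended settings) and writes hardening.inf; to check a real server, export its current policy with secedit /export, read the file with encoding="utf-16", and pass the text to check_compliance.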
Configuring Windows Firewall
Once you have patched the OS and implemented good policies, you'll need to install antivirus software and implement host-based firewall services using third-party tools or Microsoft's embedded firewall capabilities. To install antivirus software properly, refer to your selected antivirus vendor's installation documentation. Follow these steps to successfully implement Microsoft Firewall on your Windows 2003 IIS server:
1. From the Control Panel, select Windows Firewall. The Windows Firewall window appears, as shown in Figure C.1.
Figure C.1 The Windows Firewall Window
2. Click the On radio button to turn the Windows Firewall services on.
3. Click to uncheck the box beside Don't allow exceptions, to allow access to
4. Select the Exceptions tab and click Add a Port to modify the TCP ports permitted to your server. The Add a Port window appears, as shown in Figure C.2.
Figure C.2 The Add a Port Window
5. Use the radio buttons to select TCP or UDP.
6. Use the Name and Port number fields to permit only the necessary services to your server. Table C.3 shows a recommended configuration.
Table C.3 Recommended Configuration
Name: TCP Port
Other services could be required to properly run and/or manage your IIS Web site. For instance, you might need to enable DNS, SNMP, or Remote Management protocols in your Windows Firewall configurations for full system
7. Click OK to apply the filters.
8. Continue to click OK until you exit the Windows Firewall window.
Now that we've fully patched the OS and configured Windows Firewall, let's continue and disable vulnerable OS services.
Disabling Vulnerable Services
The default Microsoft OS and IIS server are installed with several services you should disable because they pose potential vulnerabilities. Let's examine the OS first, since many of the IIS services vulnerabilities are solved with the IISLockdown tool, which we'll examine in the
One of the first steps you should take is to identify unnecessary protocols and services within the IP stack on the server. For instance, does your server need Client for Microsoft Windows or File and Print Sharing for Windows? If not, these services should be uninstalled from the OS. The two services associated with Client and File and Print Sharing for Windows are NetBIOS and SMB. To disable NetBIOS over TCP/IP, use the following procedure:
1. From the desktop, right-click My Computer and select Manage.
2. Select Device Manager from System Tools.
3. Right-click Device Manager and click Show hidden devices from the View
4. Right-click NetBios over Tcpip and click Disable from the Plug and Play
To disable SMB, use the following procedure:
1. Right-click My Network Places and select Properties.
2. Right-click Local Area Connection and select Properties.
3. Click Client for Microsoft Networks and click Uninstall.
4. Click File and Printer Sharing for Microsoft Networks and click Uninstall.
5. Click OK to exit the Local Area Connection box.
Use caution when disabling services. Before doing so, determine the dependencies of your system software and the underlying Microsoft services. Failure to understand what services you require to operate could result in loss of critical functionality. It might be prudent to test your configuration in a lab environment before disabling services on a production server.
Next, consider the services that run within the Microsoft OS itself. On a Web server, you might not need to run some of the following services that are enabled by default:
■ Netlogon (required only for domain controllers)
■ Simple TCP/IP Services
Should you determine that these services are not necessary, disable them using the Services MMC snap-in available in the Administrative Tools programs group. In Windows Server 2003, the Telnet service is disabled by default. However, you should verify that this service is truly disabled, since it is often enabled by administrators.
Often, SNMP is used to monitor the performance and availability of IIS servers. Although this is good operations management practice, you must ensure that SNMP is configured in a secure manner. Check that the SNMP RO and RW community strings are not set to Public and Private, respectively. Also, you might want to restrict SNMP access to the server using TCP/IP filtering on UDP ports 161 and 162.
Finally, verify that unnecessary third-party software, such as chat programs, peer-to-peer file sharing programs, or e-mail client software, is not loaded on the server. This will reduce security risks while ensuring that your server does not waste cycles on needless programs.
Hardening the IIS Application
Microsoft has made significant improvements in the default security configuration of the IIS 6.0 Web Server. In previous versions such as IIS 5.0, administrators were required to make many configuration changes or risk exposure to security threats. Even with the advent of better initial security in version 6.0, you must take several steps to securely deploy your IIS server. This appendix deals exclusively with IIS 6.0, but you should be aware of two useful tools in the event that you maintain previous versions of IIS.
Microsoft makes the IISLockdown and URLScan tools available to automate the process of securing your Web server. Both tools' functionalities are included in the 6.0 release of IIS but should be used against all 5.0 or earlier IIS versions. Using secure templates based on the type of role you intend for your Web server, IISLockdown applies rules to either disable or secure various IIS features. URLScan is an ISAPI filter that is installed when you use IISLockdown; it accepts or rejects potentially malicious page requests based on criteria set forth in rules.
Fortunately, IISLockdown and URLScan functionality is included in IIS 6.0, greatly reducing the security configurations required when you're building a server. There are, however, several tasks to complete on installation and configuration of the version 6.0 server to
IIS Installation Options and Basic Services Setup
When initially installing IIS 6.0, be sure that the following services are not installed unless
you require their use:
■ FTP Server
■ NNTP Service
■ SMTP Service
■ Internet Service Manager
■ Microsoft FrontPage Server Extensions
■ Visual InterDev Remote Support
By default, the services are not installed in IIS 6.0, because the components expose the
IIS server to security vulnerabilities. For instance, FTP, NNTP, and SMTP are all services
provided by the IIS server, but they might not be necessary in your environment. Disabling
these services reduces your exposure to customers and therefore reduces the potential of a
After installation, you might want to consider deleting the default site that is installed on the IIS server. This is recommended by Microsoft and is good practice because it reduces the amount of security configuration tasks you would otherwise need to perform.
Virtual Directories, Script Mappings, and ISAPI Filters
When configuring your site within the IIS server, be sure to locate the Web root on nonsystem NTFS volumes to prevent directory traversal attacks on the system. Also make sure the use of Parent Paths (using ../../, for example) is disabled, which is the default for IIS 6.0. Ensure that dangerous virtual directories such as IISSamples, IISAdmin, IISHelp, and Scripts are removed and that Remote Data Services (RDS) is disabled to further secure your IIS
Each site within your IIS server configuration should also be securely configured without directory browsing and should not permit script source access, to secure your code.
Proper Web page permissions are a critical part of maintaining IIS Web sites. Failure to apply restrictions provides potentially dangerous functionality to customers. Microsoft recommends that the permissions shown in Table C.4 be used on all Web content.
Table C.4 Microsoft-Recommended Permissions
Type of Permission                Where to Apply
Read permission                   Restrict read permission on include directories
Write and execute permission      Restrict write and execute permissions on virtual directories that allow anonymous access
Script source access permission   Configure script source access permissions only on folders that allow content authoring
Write permission                  Configure write permissions only on folders that allow content authoring; grant write access only to content authors
Once you've set the proper permissions on your Web page directories, you'll need to consider script-mapping settings within the IIS server. Script mapping associates various functional DLLs with page file extensions such as .asp, .shtml, and so on. As general practice, you should map any unused file extensions to the 404.dll, which prohibits access to the page and DLL. Doing so reduces exposure to potential extension vulnerabilities and prohibits download of server resources by clients.
Also, evaluate the ISAPI applications shown in the Master Properties of the WWW Service. Delete extensions that are not required for your site operation, because historically these filters have been extensively exploited. To examine your ISAPI filters, use the following
1. Open the Internet Services Manager from the Administrative Tools
2. Select your computer and click Properties. ISAPI filters apply to the entire IIS machine, not just individual Web sites.
3. Click the Edit button.
4. Click the ISAPI Filters tab to view your ISAPI configuration.
5. To remove an ISAPI filter, highlight the filter you want to delete and click
Now that our application is more secure, let's look at the IIS logging configuration to ensure that we're able to monitor the server properly.
There are many reasons to configure logging on your IIS server. Whether helping you see top page hits, hours of typical high-volume traffic, or simply understanding who's using your system, logging plays an important part in any installation. More important, logging can provide a near-real-time and historic forensic toolkit during or after security events. In this section, we examine some logging configuration best practices.
Begin by changing the default location for your IIS logs. Use a nonsystem location and an NTFS volume. To secure the logs, permit Full Control for Administrators and System, and allow Backup Operators to Read the files. Deny all other access.
Because we secured the Microsoft OS in previous sections of this appendix, we don't need to revisit the particular auditing configurations you'll need to ensure you're logging the proper information on your server. In general, however, you should log all failed login attempts and all failed actions within the OS. Additionally, you should audit all access to the Metabase.bin file located in the \WINNT\System32\inetsrv directory, because it contains your IIS configuration.
It is good practice to archive your system and IIS log files to a backup location. This prevents loss of critical forensic data due to accidental deletion or malicious
Finally, configure IIS W3C Extended Log File Format logging. To do so, from your Web site Properties box, click the Web Site tab and select W3C Extended Log File Format. You might also want to configure Extended Properties such as URI Stem and URI Query for additional auditing information.
Monitoring the Server for Secure Operation
Even with the best defenses and secure configurations, breaches in your systems and applications can occur. Therefore, you cannot simply set up a hardened Microsoft IIS Web server and walk away thinking that everything will be just fine. Robust and comprehensive monitoring is perhaps the most important part of securely operating servers and applications on
Throughout this book, we have discussed myriad techniques to ensure your IT security.
You must leverage all these secure DMZ functions in your job. With regard to Microsoft IIS,
there are several things to consider that will help you identify and react to potential threats.
Your primary source of data will be through IIS and Microsoft OS audit logs. Even with small Web sites, however, sifting through this information can be a challenge. One of the first things to consider is integrating your IIS logs with other tools to help organize and identify the potential incident "needles" in your log file "haystack." Many open source and commercial products are available to aid you in securing your site. For instance, Microsoft makes a Log Parser, among other utilities, available through the IIS 6.0 Resource Kit found at
ADE629C89499&displaylang=en. This tool can be used with SQL Server to facilitate better organization of the log file data.
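As an added example (not code from the book, the IIS 6.0 Resource Kit, or Log Parser), the following Python script reads W3C Extended log lines by their #Fields header and pulls out three kinds of "needle" that the earlier hardening steps make relevant: parent-path (../) requests in the URI stem or query, hits on the virtual directories the appendix says to remove (plus /msadc/, the path from which Remote Data Services is served), and repeated 401 responses from one client address. It assumes URI Stem and URI Query are enabled in the log's extended properties; the log excerpt, the addresses, the legacy-directory list and the failed-login threshold are all constructed or assumed and would be tuned for a real site.

```python
"""Scan IIS W3C Extended Log File Format lines for events worth a closer look.

Added example (not from the book); standard library only. SAMPLE_LOG is a constructed
excerpt, not real traffic. It assumes the URI Stem and URI Query extended properties
are enabled, as the appendix recommends.
"""
from collections import Counter
from urllib.parse import unquote

# Virtual directories the appendix says to remove (IISSamples, IISAdmin, IISHelp,
# Scripts), plus /msadc/, the path from which Remote Data Services (RDS) is served.
# Assumed list; extend it with whatever else you removed from your own server.
LEGACY_VDIRS = ("/scripts/", "/iisadmin/", "/iishelp/", "/iissamples/", "/msadc/")

# Constructed sample: one #Fields directive, then one record per line, '-' for empty.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-25 12:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2006-10-25 12:00:01 10.0.0.5 - 80 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-25 12:00:02 10.0.0.5 - 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-25 12:00:03 192.168.1.20 - 80 GET /images/../../../winnt/win.ini - 404 -
2006-10-25 12:00:04 192.168.1.20 - 80 GET /download.asp file=..%2F..%2Fglobal.asa 404 -
2006-10-25 12:00:05 192.168.1.20 - 80 GET /iisadmin/ - 404 -
2006-10-25 12:00:06 192.168.1.20 - 80 GET /msadc/ - 404 -
2006-10-25 12:00:07 192.168.1.21 admin 80 GET /secure/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-25 12:00:08 192.168.1.21 admin 80 GET /secure/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-25 12:00:09 192.168.1.21 admin 80 GET /secure/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-25 12:00:10 192.168.1.21 admin 80 GET /secure/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-25 12:00:11 10.0.0.5 - 80 GET /secure/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text):
    """Return one dict per record, keyed by the names in the '#Fields:' directive.

    Column order is whatever the file declares (it changes when you enable extended
    properties such as URI Query), so it is read from the header, never assumed.
    """
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")  # W3C format is space separated; spaces in values are '+'
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def is_traversal(stem, query):
    """True when the decoded stem or query contains a parent-path ('..') segment."""
    for part in (stem, query):
        if part == "-":
            continue
        # Decode twice so %2e%2e and %252e%252e both surface; treat '\\' like '/'.
        decoded = unquote(unquote(part)).replace("\\", "/")
        if any(segment == ".." for segment in decoded.split("/")):
            return True
    return False


def find_indicators(records, auth_threshold=3):
    """Group records into traversal attempts, legacy-directory hits and repeated 401s."""
    traversal, legacy, auth_failures = [], [], Counter()
    for r in records:
        ip = r.get("c-ip", "?")
        stem, query = r.get("cs-uri-stem", "-"), r.get("cs-uri-query", "-")
        if is_traversal(stem, query):
            traversal.append((ip, stem, query))
        if stem.lower().startswith(LEGACY_VDIRS):
            legacy.append((ip, stem))
        if r.get("sc-status") == "401":
            auth_failures[ip] += 1
    repeated = {ip: n for ip, n in auth_failures.items() if n >= auth_threshold}
    return {"traversal": traversal, "legacy_vdir": legacy, "auth_failures": repeated}


def analyze(text, auth_threshold=3):
    """Parse and scan in one step; threshold is the number of 401s per address to report."""
    return find_indicators(parse_w3c(text), auth_threshold)


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Point analyze at the text of a real ex*.log file (they are written in the log directory you relocated earlier) and the output is a short list to review rather than the whole file; the same parse_w3c records can be handed to any further rule you write, since each field is addressed by its W3C name.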
SNMP polling and graphing constitute another methodology commonly employed for secure monitoring. Often it is extremely difficult to gauge the severity or magnitude of an event without visualization of data from logs or SNMP counters. One tool you can consider using is MRTG to graph SNMP information that could help identify a security problem. The SecurityFocus Web site at www.securityfocus.com/infocus/1721 provides an excellent primer on installing and configuring MRTG to monitor IIS 6.0 Web sites.
You may consider other commercial SNMP-based solutions, especially for enterprise-scale deployments. These tools help expedite monitoring deployment and usually include enhanced functionality to automatically alert you when important thresholds, such as Web site concurrent connections, are crossed.