Confidential

Checklist for Internet Information Services
Toh Kok Yew (kytoh@yahoo.com)

Section: ______    Initial: ______    Date: ______

S/N    ICQ    Findings    Conclusion*    WP Ref
A   Internet Information Services Installation (Common to IIS4 & IIS5)

1   Ascertain that IIS is installed with the latest patches or hotfixes.

2   Determine the usage of IIS:

    - Will the server be accessed from the Internet?
    - Will the server be accessed from an Intranet?
    - Does the server permit anonymous or authenticated user access (or both)?
    - Will Secure Socket Layer (SSL) connections be supported? If so, which version does it
      support?
    - Will the server be used only for web access via HTTP?
    - Does the server support FTP services?
    - Are there specific users that will need to copy, open, delete, and write files on your
      server?
    - How many web sites will this server host?
    - Is there content sharing between separate web sites?

3   Determine that the IIS server is placed in a physically secure location.

4   Ascertain that the server has its own domain and that it has no trust links to other domains.

5   Ascertain that IIS is installed as a standalone system.

    If IIS is installed on a domain controller and the web server is attacked, the entire
    server and sensitive domain information may be at risk. The added overhead of being a
    domain controller will also slow down the server’s ability to provide web services
    efficiently.

6   Determine that no application software or development tools are installed on the server.

7   Ascertain that the server is partitioned so that the published content of each supported
    service (WWW, FTP or SMTP) is located on a separate partition.

    This will prevent attempts to traverse up the directory tree beyond the published
    content root.

8   For IIS4: determine that IIS4 and the OS are not installed on the same partition.



*(S) – Satisfactory (NS) – Not Satisfactory
D:\Docstoc\Working\pdf\f8c81cfb-9649-4206-9e83-a5b76e6d8b5e.doc                                                       Created on 09/01/2003 22:25:00
                                                                                   Page 1 of 12
    Note: IIS5 is integrated into the NT / W2K system functionality.

9   Ascertain that audit and IIS logging facilities are turned on to track information.

10  Ascertain that all protocol stacks are removed, except TCP/IP (unless the user’s Intranet
    requires another protocol stack).

11  Ascertain that IP routing is disabled.

    IIS4: Control Panel -> Network -> Protocols -> TCP/IP -> Properties -> Routing -> Enable IP
    Forwarding (the checkbox must not be checked).

    (Note: IP routing is disabled by default for IIS5. However, it is better to confirm that it
    is disabled.)

12  Ascertain that the following services are disabled:

    - Alerter
    - ClipBook Server
    - DHCP Client
    - Messenger
    - Net Logon
    - Network DDE & Network DDE DSDM
    - Spooler
    - FTP Publishing Service (unless FTP services are required for the server.)
    - RPC Locator (only required if there is remote administration.)
    - TCP/IP NetBIOS Helper

    Additional services to be disabled (applicable only to IIS4):

    - Network Monitor Agent
    - Simple TCP/IP Services
    - NetBIOS Interface
    - WINS Client (TCP/IP)
    - NWLink NetBIOS
    - NWLink IPX/SPX Compatible Transport (not required unless the server does not have
      TCP/IP or another transport)
    - Server Manager (This service is required to run User Manager.)

    Additional services to be disabled (applicable only to IIS5):

    - Distributed File System
    - Distributed Link Tracking Client
    - IPSEC Policy Agent
    - Licensing Logging Service
    - Logical Disk Manager Administrative Service
    - Remote Registry Service
    - Removable Storage
    - RunAs Service
    - Server Service (Must be started if the server will run the SMTP or NNTP service of
      IIS, for administration purposes.)
    - Task Scheduler
    - Telephony
    - Windows Installer
    - Windows Time
    - Workstation Service
    - Computer Browser

13  Ascertain that the default account, IUSR_computername, is given the least privileges
    possible.

    Note: Check that the options ‘User Cannot Change Password’ and ‘Password Never
    Expires’ are selected.

14  Ascertain that the default account is set to log on locally and that all access to the
    server from the network is denied.

    Note: For IIS5, ascertain that it does not allow logon as a batch service.

15  Determine whether anonymous access is prohibited.

16  If there are several web sites, ascertain that local admin groups and the required accounts
    are created for each web site.

17  Determine that a local group for WebUsers is created and that it includes only the
    required user accounts, including the default account.
18  Ascertain that the following accounts are removed:

    - Everyone
    - Guests
    - Guest

    Note: These group and user accounts are often used by malicious users to gain access
    to systems.

19  Ascertain that the file system is NTFS.

20  Ascertain that all directories that contain “samples” and any scripts used to execute the
    “samples” are moved or deleted.

21  Ascertain that the following directories are deleted or relocated:

    - \InetPub\ASPSamp (applicable only to IIS4)
    - \InetPub\iissamples
    - \InetPub\scripts\tools (applicable only to IIS4)
    - \InetPub\scripts\samples (applicable only to IIS4)
    - \InetPub\wwwroot\samples (applicable only to IIS4)
    - \InetPub\AdminScripts
    - \Program Files\Common Files\System\msdac\Samples (applicable only to IIS4)

    However, if there is a requirement to maintain the sites for training or other permitted
    purposes, set NTFS permissions to allow access only to authorised users, i.e.
    systems administrators or web administrators.

22  For IIS4, determine the following:

    Static Content
      Example directories:   \wwwroot\images, \wwwroot\home, \wwwroot\ftpfiles
      Data examples:         HTML, images, FTP downloads, etc.
      NTFS file permissions: Administrators (Full Control); System (Full Control);
                             WebAdmins (Read, Write, Delete); Authenticated Users (Read);
                             Anonymous (Read)
      IIS4 permissions:      Read

    FTP Uploads (if required)
      Example directories:   /ftproot/dropbox
      Data examples:         Directory used as a place for users to store documents for
                             review prior to the Admin making them available to everyone
      NTFS file permissions: Administrators (Full Control); WebAdmins or FTPAdmins (Read,
                             Write, Delete); Specified Users (Write)
      IIS4 permissions:      Write

    Scripts Files
      Example directories:   \wwwroot\scripts
      Data examples:         .asp
      NTFS file permissions: Administrators (Full Control); System (Full Control);
                             WebAdmins (Read, Write, Execute, Delete); Anonymous (Execute)
      IIS4 permissions:      Script

    Other Executable and Include Files
      Example directories:   \wwwroot\executables, \wwwroot\include
      Data examples:         .exe, .dll, .cmd, .pl, .inc, .shtml, .shtm
      NTFS file permissions: Administrators (Full Control); System (Full Control);
                             WebAdmins (Read, Write, Execute, Delete); Authenticated Users
                             (Read); Anonymous (Execute)
      IIS4 permissions:      Execute

    Metabase
      Example directories:   \WINNT\system32\inetsrv
      Data examples:         MetaBase.bin
      NTFS file permissions: Administrators (Full Control); System (Full Control)
      IIS4 permissions:      N/A
23  For IIS5, determine the following:

    Static Content
      Example directories:   \Inetpub\wwwroot\images, \Inetpub\wwwroot\home,
                             \Inetpub\wwwroot\ftpfiles
      Data examples:         HTML, images, FTP downloads, etc.
      NTFS file permissions: Administrators (Full Control); System (Full Control);
                             WebAdmins (Read, Write, Execute, Delete); Authenticated Users
                             (Read); Anonymous (Read)
      IIS5 permissions:      Read

    FTP Uploads (if required)
      Example directories:   \Inetpub\ftproot\dropbox
      Data examples:         Directory used as a place for users to store documents for
                             review prior to the Admin making them available to everyone
      NTFS file permissions: Administrators (Full Control); WebAdmins or FTPAdmins (Read,
                             Write, Execute, Delete); Specified Users (Write)
      IIS5 permissions:      Write

    Scripts Files
      Example directories:   \Inetpub\wwwroot\scripts
      Data examples:         .asp
      NTFS file permissions: Administrators (Full Control); System (Full Control);
                             WebAdmins (Read, Write, Execute, Delete); Authenticated Users:
                             special access (Execute); Anonymous: special access (Execute)
      IIS5 permissions:      Scripts only

    Other Executable and Include Files
      Example directories:   \WebScripts\executables, \WebScript\include
      Data examples:         .exe, .dll, .cmd, .pl, .inc, .shtml, .shtm
      NTFS file permissions: Administrators (Full Control); System (Full Control);
                             WebAdmins (Read, Write, Execute, Delete); Authenticated Users:
                             special access (Execute); Anonymous: special access (Execute)
      IIS5 permissions:      Scripts only, or Scripts and Executables** (** depending on
                             necessity)

    Metabase
      Example directories:   \WINNT\system32\inetsrv
      Data examples:         MetaBase.bin
      NTFS file permissions: Administrators (Full Control); System (Full Control)
      IIS5 permissions:      N/A
B   Services Installation and Administration – WWW Properties

1   Determine that the local accounts of the persons who administer the site(s), or domain
    group(s), are included in the ‘Operator’ tab.

    The following are some functions that can be performed by Web Operators.
    NOTE: When selecting members, make sure individuals are knowledgeable and
    trustworthy, to minimise the risk of compromise to your system’s security.

    • Manage web content expiration dates and times
    • Administer web content (modify, add, delete)
    • Enable logging
    • Change default web documents
    • Set web server access permissions

    Only members of the Windows 2000 Administrators group can perform the following
    tasks related to IIS:

    • Change application isolation
    • Create virtual directories or alter their paths
    • Change the Anonymous username and password
    • Alter the identification or configuration of a web site

    Note: Connection timeout = 500 seconds
2   Determine that the following are configured in the ‘Home Directory’ tab:

    a. Access Permissions
       - Uncheck ‘Script Source Access’. (Applicable only to IIS5)
       - Disable the ‘Directory Browsing’ option.

    b. Application Settings
       - Enable session state and timeout. (Session State = 20 minutes, CGI script
         timeout = 900 seconds and ASP script timeout = 50 seconds)
       - Disable (uncheck) the ‘Enable Parent Paths’ option.

    c. Process Options – Enable ‘Write unsuccessful client requests to event log’.

    d. Documents Properties – Enable ‘Default Document’.

    e. Directory Security
       - If using basic authentication, implement SSL.
       - If any site hosted by this server will not allow anonymous access, disable
         (uncheck) ‘Anonymous’ access under Authentication Methods and select an
         appropriate authentication method.
       - Set any IP / domain name restrictions that will be utilised to protect the site(s).

    f. Server Extensions
       - Disable authoring on the web site(s).
       - If authoring is necessary, select ‘Don’t inherit security settings’, enable ‘Log
         authoring actions’ and ‘Require SSL’ for authoring, and manage permissions manually.
C   Services Installation and Administration – FTP Properties

1   Ascertain that uploading of files is prohibited. However, if it is necessary, determine
    that a ‘drop box’ directory with write permission has been created.

2   Determine that all download directories are granted read-only permission.

3   Determine that the following configurations are set in the ‘FTP Site’ tab:

    - Determine the number of connections open. Evaluate the necessity.
    - Ascertain that the timeout is set appropriately. (600 seconds is reasonable.)
    - Ascertain that logging is enabled.

4   Determine that the ‘Security Accounts’ tab is set to enable:

    - Allow Anonymous Connections
    - Allow only anonymous connections

5   Ascertain that a welcome (warning) message is set in the ‘Message Property Dialog Box’.

6   Determine that the ‘Home Directory Property Dialog’ box is configured as follows:

    - Log all visits
    - Read-only granted to the ‘ftproot’ directory

7   Ascertain that a set of IP / domain name restrictions is applied in the ‘Directory
    Security’ tab.

D   Services Installation and Administration – SMTP Properties

1   If Transport Layer Security (TLS) is selected, determine that:

    - Communications are set to ‘Require secure channel’ and ‘Require 128-bit encryption’.
    - A set of IP / domain name restrictions is applied.
    - ‘Only the list below’ is selected, and no exceptions are allowed.

    Note: These are all options belonging to SMTP properties.

2   Ascertain that appropriate authentication is set to include 128-bit encryption (if
    possible).

E   Services Installation and Administration – NNTP Properties (Applicable for IIS5 only)

1   If it is being used outside of a security perimeter, e.g. a firewall, ascertain that it does
    not allow anonymous access.

2   Ascertain that:

    - ‘Allow servers to pull news articles from this server’ is disabled
    - ‘Allow control messages’ is disabled

3   Determine that an ‘NNTPAdmins’ group with operator privileges is set up.

F   Additional Security Services

1   Ascertain that the IIS log files directory is moved and renamed.

2   Ascertain that Full Control access is granted only to SYSTEM and Administrators.

3   Determine that Write, Delete, Change Permissions, and Take Ownership are being
    logged for auditing purposes. The following should be recorded as well:

    - Multiple failed commands
    - Attempts to upload files to directories configured for executable content
    - Attempts to access non-published .bat or .cmd files and subvert their purpose
    - Attempts to send .bat or .cmd commands to directories configured for executable
      content
    - Excessive requests from a single IP address, attempting to cause a denial of service
      attack
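To verify that the patterns listed under F.3 are actually visible in the server's logs, here is an added example (not part of the checklist) that scans IIS W3C extended log lines and reports each of those patterns; the executable-directory names, the thresholds and the sample log are assumptions constructed for this example.

```python
"""Scan IIS W3C extended log lines for the request patterns that checklist
item F.3 says should be recorded. Added example, not part of the checklist;
directory names, thresholds and the sample log below are assumptions."""
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind client detail")

# Virtual directories configured for Scripts/Execute permission (assumed).
EXEC_DIRS = ("/scripts/", "/cgi-bin/")
CMD_EXTENSIONS = (".bat", ".cmd")
FAILED_THRESHOLD = 3   # failed requests from one client before it is reported
FLOOD_THRESHOLD = 20   # requests from one client in one minute before it is reported


def parse_w3c(lines):
    """Yield one dict per request line; column names come from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def analyse(lines):
    """Return a list of Finding tuples, one per pattern occurrence from F.3."""
    findings = []
    failed = Counter()       # failed (4xx/5xx) requests per client
    per_minute = Counter()   # requests per (client, date, hh:mm)
    for rec in parse_w3c(lines):
        client = rec.get("c-ip", "-")
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-").lower()
        status = int(rec.get("sc-status", "0"))
        per_minute[(client, rec.get("date", "-"), rec.get("time", "-")[:5])] += 1
        if status >= 400:
            failed[client] += 1
        in_exec_dir = stem.startswith(EXEC_DIRS)
        # .bat/.cmd requests: distinguish those aimed at an executable directory
        if stem.endswith(CMD_EXTENSIONS):
            kind = "cmd-to-exec-dir" if in_exec_dir else "cmd-file-access"
            findings.append(Finding(kind, client, stem))
        # upload attempts (PUT/POST) into a directory that can execute content
        if method in ("PUT", "POST") and in_exec_dir:
            findings.append(Finding("upload-to-exec-dir", client, stem))
    for client, n in sorted(failed.items()):
        if n >= FAILED_THRESHOLD:
            findings.append(Finding("multiple-failures", client, "%d failed requests" % n))
    for (client, _date, minute), n in sorted(per_minute.items()):
        if n >= FLOOD_THRESHOLD:
            findings.append(Finding("excessive-requests", client,
                                    "%d requests in minute %s" % (n, minute)))
    return findings


# Constructed sample log in W3C extended format; not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-09 22:25:01 10.0.0.5 GET /index.htm - 200
2003-01-09 22:25:02 10.0.0.5 GET /images/logo.gif - 200
2003-01-09 22:25:03 10.0.0.9 GET /scripts/test.bat - 404
2003-01-09 22:25:04 10.0.0.9 POST /scripts/upload.asp - 403
2003-01-09 22:25:05 10.0.0.9 PUT /scripts/x.cmd - 401
2003-01-09 22:25:06 10.0.0.9 GET /samples/default.htm - 404
2003-01-09 22:25:07 10.0.0.5 GET /home/run.cmd - 404
""".splitlines()
# Constructed flood: 25 requests from one client within the same minute.
SAMPLE_LOG += ["2003-01-09 22:26:%02d 10.0.0.7 GET /index.htm - 200" % i for i in range(25)]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("%-20s %-10s %s" % f)
```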
4   Remove all unnecessary script mappings. Below are some references with their
    corresponding uses:

    Extension              Use
    .htr                   Web-based password resets
    .idc                   Internet Database Connector
    .stm, .shtm, .shtml    Server-side Includes
    .printer               Internet Printing
    .cer                   Represents a certificate
    .cdx                   Active Channel Definition File
    .asa                   Active Server Application
    .htw, .ida, .idq       Index Server

5   Determine that IPSec is implemented. (Applicable to IIS5 only.)

6   Ascertain that all sample pages, directories, and sites are removed.

7   Ascertain that ACLs and auditing on operating system directories and files are
    implemented. The following are the recommended files and directories:

    Apply to the directory only, NOT to all files and subdirectories:

    - %systemdrive% (i.e. C:\)
    - %systemroot% (i.e. C:\WINNT)
    - %systemroot%\system
    - %systemroot%\debug
    - %systemroot%\installer
    - %systemroot%\repair
    - %systemroot%\security
    - %systemroot%\system32
    - %systemroot%\system32\dllcache
    - %systemroot%\system32\drivers
    - %systemroot%\system32\inetsrv
    - %systemroot%\system32\os2
    - %systemroot%\temp

    Apply to these files:

    - %systemroot%\: Explorer.exe, Regedit.exe, Poledit.exe, Taskman.exe
    - %systemroot%\system32: at.exe, cacls.exe, cmd.exe, cscript.exe, debug.exe, edlin.exe,
      finger.exe, ftp.exe, nbtstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe,
      regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, srvmgr.exe,
      sysedit.exe, telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, xcopy.exe
    - %systemroot%\system32\inetsrv: iissync.exe



