IIS Security the hard way... Locking down Microsoft IIS is challenging, to say the least.
There are significant security improvements in each version going from IIS 4.0 on Windows NT 4.0, to IIS 5.0 on Windows 2000, and finally IIS 6.0 on Windows Server 2003. In spite of this, securing IIS is a tedious process because it requires significant manual configuration.
- The most important change you can make is moving the Inetpub directory off the system drive. By default, the Inetpub directory is created on the system drive leaving the system vulnerable to directory traversal attacks.
Before making any changes, back up the IIS Metabase, and all the content in the Inetpub directory. Download this script to move the IIS sites to the D: drive. Feel free to modify and edit the file as needed; the comments in the file should allow you to make changes as needed. Once the Inetpub directory has been moved, delete the original directory from C:\Inetpub.
- After moving the Inetpub directory, lock down the permissions on the D:\ drive. By default, the Everyone group is assigned Full Control permissions to the root of the drive. Remove the permissions for the Everyone group, assign the following permissions:
- Administrators (local group) - Full Control
- Authenticated Users (local group) - List Folder Contents
- Backup Operators (local group) - Change
- System - Full Control
- Move the IIS log files off the system drive by editing the Master properties for the WWW, FTP, SMTP, and NNTP services to write the logs to a drive other than the system drive. The default behavior of IIS writes the log files to %systemroot%\system32\LogFiles\. This could cause problems by consuming drive space on the system drive, which is why the logs should be written to another volume.
- Stop and disable the default website, default FTP site, and default SMTP site (as needed). These should only be enabled if specifically configured to run if required. At the very least, change the configuration on each to run on a specific IP instead of the default Any setting.
- In addition to disabling the default website, the content in the site directories should be deleted and remove any references to the iisstart.htm page from the Documents tab on the default web site.
- Disable Parent Paths in the root properties of the server.
Microsoft has tried to make system changes easier with two tools, the IIS Lockdown tool and URLScan. Both are really handy and critical for running IIS 4.0 or 5.0. Some of the functionality has been integrated into IIS 6.0 so IIS Lockdown is unnecessary for Windows Server 2003 systems.
The IIS Lockdown tool removes components of IIS that are enabled by default and have known vulnerabilities. If you do not need any of that functionality, running IIS Lockdown and removing those components goes a long way toward securing the server. The IIS Lockdown tool also changes the security ACL's on files in the winnt and the inetpub directories to enhance security.
IIS Lockdown, do not run a web server without it! Pay special attention to the specifics of the type of server you are going to be running. Each IIS Lockdown template is different and choosing the wrong template can disable critical functionality.
- Download the IIS Lockdown Tool for IIS 4.0 through 5.1.
- Microsoft KB article on using the IIS Lockdown tools KB ID 325864 which includes links to configuring IIS Lockdown for specific roles such as Exchange front-end server or Share Point Portal Server.
URL Scan is a powerful and little understood tool that parses inbound web requests to the server, rejecting any requests that violate its configured settings. URL Scan intercepts requests before they are ever passed to IIS, so malicious URL requests can be blocked without IIS ever seeing them. There are a variety of malicious applications and scripts that scan the Internet looking for vulnerable hosts running IIS. These apps and scripts will send a load of requests with malicious URL's to the IIS server, trying to compromise the box or at least determine that the server will respond to those requests. URL Scan blocks those requests from reaching IIS, effectively shutting the malicious probe down.
- Download URL Scan 2.5 to update the version that is included in the IIS Lockdown.
- Change the default Logging Directory in the urlscan.ini to a non-system drive, perhaps the same directory with the IIS logs.
- Modify the urlscan.ini to allow applications as needed. Some applications like Exchange require changes to the default URL Scan configuration.
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer is a free vulnerability assessment tool provided by Microsoft. The MBSA is available for download from Microsoft.
The most important thing to do for any public-facing web server, is keeping the system up-to-date with the latest patches for IIS, Windows, MDAC, XML, and so on. Use the MBSA to keep track of the patches applied to the server, and what patches require updating.
- Continuing Education
- Mobile Websites
- Faculty Information
- Search Engine Optimization (SEO)
- IT Services
Our rave reviews:
"ESX, Inc.'s customer service is incredible - when we need something, we don't need it a month from now - we need it now. And we get it. Improvements are made immediately; they are open to new ideas, move quickly, and have unbelievable response time."
American Business Media
"ESX, Inc. took the time to understand what our needs were. The final thing that sold me were the glowing client references. They were just spectacular!"
"ESX, Inc., with its renowned expertise in serving education and non-profit communities, offered HACU the software and support to better, and most cost-efficiently serve our fast-growing community of members and partners."
Senior Vice President and COO
Hispanic Association of Colleges and Universities
American Business Media
"The do-it-yourself function of the Website Management System definitely has made it easier to make immediate changes to our website, that would have taken several days to be completed by a webmaster."
The International Air Cargo Association
"The greatest asset of Association Catalyst is the promise of customization and flexibility. ESX promised the resources, both human and intellectually, that made our decision an easy one. And, they delivered on their promise."
North Carolina Dental Society