Within the DMZ you must secure resources to ensure that only authorized access takes place. This lesson explores methods for securing Internet Information Server (IIS) and other services commonly located within a DMZ. In addition, the lesson discusses ways of securing data transmissions between resources located in the DMZ.
After this lesson, you will be able to
Estimated lesson time: 60 minutes
The most common network resource exposed to the Internet is the content on a Web server. Internet Information Server (IIS) 5.0 is included with Windows 2000 Server and allows an organization to host Web sites. This lesson examines the additional configuration that's required to fully secure an IIS server when it's exposed to the Internet.
Although Windows 2000 raises the default security level for computers compared with Windows NT 4.0, you should consider additional security configurations for securing an IIS server. By applying the following recommendations to your Internet-accessible Web servers, you ensure that maximum security is applied to prevent attacks against the Web servers:
Figure 14.10 Proposed folder structure to secure Web content
Table 14.7 Securing Web Content by Content Type
Content Type | Recommended DACL Settings |
---|---|
Executables (.exe, .dll, .cmd, and .pl) | Everyone (Execute); Administrators (Full Control); System (Full Control) |
Scripts (.asp) | Everyone (Execute); Administrators (Full Control); System (Full Control) |
Includes (.inc, .shtm, and .shtml) | Everyone (Execute); Administrators (Full Control); System (Full Control) |
Images (.jpg, .gif) | Everyone (Read); Administrators (Full Control); System (Full Control) |
Static content (.htm, .html) | Everyone (Read); Administrators (Full Control); System (Full Control) |
Table 14.8 Sample Files Included with IIS 5.0
Sample Name | Folder | Virtual Directory |
---|---|---|
IIS Samples | C:\Inetpub\Iissamples | \IISSamples |
IIS Documentation | C:\Winnt\help\Iishelp | \IISHelp |
Data Access | C:\Program Files\Common Files\System\Msadc | \MSADC |
NOTE
Alternatively, you can assign a negotiate action instead of a block action so that computers from the private network that match the IPSec filter can still connect to the IIS server by negotiating an IPSec security association. All other connection attempts fail as if a block policy had been applied.
IMPORTANT
IIS logging is resource intensive and can affect the performance of your IIS server. If you plan to implement logging, make sure that you enable IIS logging when testing the performance of your IIS server. Also, consider changing the IIS log storage location to move the IIS logs from the Windows 2000 boot partition where the operating system files are stored.
NOTE
NLBS allows weighting of nodes, which means that you can direct a higher percentage of the incoming traffic to the server with the most resources. For example, if your NLBS cluster consists of a Pentium 166 MHz server and a Pentium 933 MHz server, you'd want a higher percentage of the connections to be established with the higher-performance Web server.
Table 14.9 outlines the design decisions you need to make when securing an IIS server that's exposed to the Internet.
Table 14.9 Securing a Web Server
To | Do the Following |
---|---|
Track all access to the Web server | Implement auditing at the Web server and ensure that the logs are stored in a format that facilitates inspection of the log files. |
Provide the strongest security to Web-accessible data | Separate the data by content type and apply the most restrictive permissions that still allow functionality. |
Prevent an attacker from accessing unauthorized areas of the disk subsystem | Disable the use of parent paths in the Web site's property pages. |
Prevent port scans against commonly attacked ports | Apply an IPSec block policy to commonly attacked ports that shouldn't be available on the Web server. This prevents a port scanner from detecting the status of the port. Remove all unnecessary services from the Web server to eliminate ports from inspection. |
Detect hacking attempts | Deploy intrusion detection software to detect hacking attempts. Be aware that some normal traffic patterns may appear as hacking attempts. |
Prevent a successful attack against the Web server from compromising other data stored on the network | Don't make the Web server a member of the private network forest. Don't store confidential documents on the disk subsystem of the Web server. |
Ensure that the latest security fixes are applied to the Web server | Ensure that the latest service packs and hot fixes are applied to the Web server. Periodically connect to the Windows Update Web site (windowsupdate.microsoft.com/). |
Limit the effect of a successful hacking attempt | Configure the Web server to participate in an NLBS cluster. If one node is brought down, all incoming traffic will be redirected to the remaining servers in the cluster. |
Apply the recommended security configuration for your Web server | Use the IIS 5.0 security checklist tool. |
Configure the Web server for Market Florist as an NLBS cluster. Because all of the component servers in the cluster use an identical hardware configuration, you can configure the NLBS cluster to load balance equally between the four nodes.
To ensure consistency to public network users, you must apply any additional security configurations uniformly against all four servers. Apply the following configurations to the four Web servers:
Table 14.10 Recommended IPSec Filters for the Market Florist Web Server
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
HTTP | Any | Any | 192.168.7.3 | 80 | TCP | Permit |
HTTPS | Any | Any | 192.168.7.3 | 443 | TCP | Permit |
Flower Power | Any | Any | 192.168.7.3 | 6834 | UDP | Permit |
Terminal Services | Any | Any | 192.168.7.3 | 3389 | TCP | Permit |
Any | Any | Any | Any | Any | Any | Negotiate |
Within a DMZ you can expect to find several common resources. These include external FTP servers, Telnet servers, and DNS servers. Each service requires specific configuration to allow you to restrict access to these services.
NOTE
In addition, to ensure that authentication credentials aren't transmitted in plaintext, you should configure the Telnet service to accept only NTLM authentication. Additionally, if confidential data is accessed in the Telnet session, you can use IPSec to encrypt the data transmitted between the Telnet client and the Telnet server.
Table 14.11 An IPSec Filter that Allows Only Connections for HTTP, HTTPS, and Telnet
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | IPSec Action |
---|---|---|---|---|---|---|
HTTP | Any | Any | 10.10.10.10 | 80 | TCP | Permit |
HTTPS | Any | Any | 10.10.10.10 | 443 | TCP | Permit |
Telnet | Any | Any | 10.10.10.10 | 23 | TCP | Permit |
Any | Any | Any | Any | Any | Any | Block |
The first two packet filters in Table 14.11 allow any IP client to connect to the HTTP and HTTPS services on the Web server at IP address 10.10.10.10. The third packet filter allows Telnet connections to the Web server. The final packet filter blocks all other protocols from connecting to the Web server.
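The following is an added example, not part of the book, that models the filter lists in Tables 14.10 and 14.11 so you can check which action a given packet receives. It applies the most specific matching filter, which is how the Windows 2000 IPSec driver resolves overlapping filters, so the catch-all Block or Negotiate row never shadows the Permit rows; the source IP and source port columns are omitted because every row in both tables has them set to Any.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the "Any" entries in the tables


@dataclass(frozen=True)
class Filter:
    name: str
    dst_ip: Optional[str]
    dst_port: Optional[int]
    transport: Optional[str]  # "TCP", "UDP" or ANY
    action: str               # "Permit", "Block" or "Negotiate"

    def matches(self, dst_ip, dst_port, transport):
        # A wildcard field matches anything; a set field must equal the packet's value.
        fields = ((self.dst_ip, dst_ip), (self.dst_port, dst_port), (self.transport, transport))
        return all(wanted in (ANY, actual) for wanted, actual in fields)

    @property
    def specificity(self):
        # Number of non-wildcard fields; the most specific matching filter wins.
        return sum(f is not ANY for f in (self.dst_ip, self.dst_port, self.transport))


# Table 14.11: Web server at 10.10.10.10 with a Block catch-all
WEB_SERVER_FILTERS = [
    Filter("HTTP", "10.10.10.10", 80, "TCP", "Permit"),
    Filter("HTTPS", "10.10.10.10", 443, "TCP", "Permit"),
    Filter("Telnet", "10.10.10.10", 23, "TCP", "Permit"),
    Filter("Any", ANY, ANY, ANY, "Block"),
]

# Table 14.10: Market Florist node at 192.168.7.3 with a Negotiate catch-all
MARKET_FLORIST_FILTERS = [
    Filter("HTTP", "192.168.7.3", 80, "TCP", "Permit"),
    Filter("HTTPS", "192.168.7.3", 443, "TCP", "Permit"),
    Filter("Flower Power", "192.168.7.3", 6834, "UDP", "Permit"),
    Filter("Terminal Services", "192.168.7.3", 3389, "TCP", "Permit"),
    Filter("Any", ANY, ANY, ANY, "Negotiate"),
]


def resolve(filters, dst_ip, dst_port, transport):
    """Return the action of the most specific filter that matches the packet."""
    hits = [f for f in filters if f.matches(dst_ip, dst_port, transport)]
    if not hits:
        return "Permit"  # no filter matched: IPSec leaves the packet alone
    return max(hits, key=lambda f: f.specificity).action


def permitted_from_anywhere(filters):
    """Audit helper: every (transport, port) any source may reach without IPSec."""
    return sorted((f.transport, f.dst_port) for f in filters
                  if f.action == "Permit" and f.dst_port is not ANY)
```

Running `resolve` for a port that has no Permit row shows the difference between the two designs: the Web server answers with Block, while the Market Florist node answers with Negotiate, so only a client that can complete the IPSec SA reaches that port.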
IMPORTANT
If you want private network computers to connect to other ports on the server, change the IPSec action to negotiate and define the encryption protocols that must be used for the connection. Only members on the private network should be able to negotiate a security association (SA) with the Web server.
In addition to securing the individual servers within the DMZ, you can also use IPSec to secure data transmitted between the servers located in the DMZ. IPSec protects against an attacker's computer intercepting data transmissions between the servers located in the DMZ. You can configure an IPSec SA between two servers in the DMZ to apply Encapsulating Security Payload (ESP) to all data transmitted between the two servers. For example, you can secure a Web front-end application and an SQL server so that IPSec encrypts data transmitted between the two servers by negotiating an SA between them. This association is shown in Figure 14.11.
Figure 14.11 How IPSec SAs protect transmitted data between computers in the DMZ
Table 14.12 outlines the security configuration options that should be included to protect Internet-accessible resources.
Table 14.12 Protecting Internet-Accessible Resources
To Protect | Include the Following in Your Design |
---|---|
FTP services | Change NTFS permissions to match the allowed transactions. For example, if only FTP downloads are allowed, configure permissions to allow only the anonymous FTP account Read permissions. To prevent password interception, allow only anonymous connections. |
Telnet services | Create a local security group named TelnetClients to restrict Telnet access to authorized users. |
DNS services | If using the same namespace internally and externally, ensure that the external DNS server doesn't contain private network IP addressing. Restrict zone transfers at the external DNS server to only approved DNS servers to prevent an attacker from retrieving the entire zone data file. |
All services | If allowing only specific protocol connections, block all other protocols with an IPSec block action. This will prevent any other ports from responding to port scans or access attempts. If you require private network access to the restricted ports on a server in the DMZ, change the IPSec action to negotiate so that private network client computers can establish an IPSec SA with the server in the DMZ. |
Interaction between servers | Configure servers in the DMZ to use IPSec transport mode for data transmitted between the servers. IPSec transport mode encrypts all data exchanged between the servers and prevents unauthorized connections to the server. IPSec transport mode can pass through a firewall as long as NAT isn't performed against the data. |
Market Florist can implement additional security configuration within the DMZ to ensure the security of the services located in the DMZ. Include the following in the Market Florist security design:
Don't depend exclusively on firewalls to protect resources exposed to the Internet. When designing your security, imagine each server being exposed on the Internet without the protection of a firewall. Ensure that each server in the DMZ is properly configured so that security will be maintained even if a firewall is compromised.