Installing and Securing IIS

Installing IIS 5 exposes a server to a range of security risks. Fortunately, those risks can be reduced substantially by following the procedures in the sections below.

Installing and Uninstalling IIS

Install IIS only when needed and remove it when it's no longer in use. To install or uninstall IIS, follow these steps:

  1. Launch the Windows Components Wizard by opening Add/Remove Programs in Control Panel and clicking Add/Remove Windows Components.
  2. When the wizard opens, select or clear the Internet Information Services (IIS) check box.
  3. Click Details to display a list of additional components, as shown in Figure 28-1. Clear the check boxes next to any unneeded services, such as the NNTP Service and File Transfer Protocol (FTP) Server (unless you need these, of course). Click OK when you're done.

    Figure 28-1. Customizing which components of IIS to install.

    Do not install IIS on a domain controller. Doing so exposes Active Directory to an inappropriate level of risk: a compromise of the Web server is then a compromise of the domain, because a domain controller holds the directory database and its Administrators group is the domain's own built-in Administrators group. Small businesses with only a single server might feel there is no other choice, but a second server is desirable for a variety of reasons, including redundancy.

  4. Click Next to install or uninstall IIS.

Securing IIS

Out of the box, the default settings for IIS provide an unacceptably low level of security. However, once properly secured, IIS can withstand quite a barrage of attacks.

The following sections walk you through securing IIS for production use on your network or as an Internet Web server (if you're testing or learning IIS on a private network, you might want to get comfortable with IIS before securing it).

Administrators who took precautions similar to those described here were not affected by the Nimda and Code Red worms even before installing the relevant security fixes: Code Red arrived through the Index Server (.ida) ISAPI mapping and Nimda through, among other routes, the Unicode directory-traversal bug, and a server with unneeded script mappings removed and URLScan installed refused both requests. A properly secured server can withstand many attacks before patches for them exist, but this reduces exposure rather than replacing patching.

Using the IIS Lockdown Tool

The Internet Information Services Lockdown Wizard (IIS Lockdown tool) is a special tool that Microsoft created after the shipment of Windows 2000 to make it easier to secure IIS. The tool walks you through disabling unneeded features of IIS, strengthens file permissions, and installs the URLScan tool, which screens incoming Web page requests.

To use the IIS Lockdown tool to increase the security of IIS, follow these steps:

  1. Download the IIS Lockdown tool (Iislockd.exe) from Microsoft's security Web site (http://www.microsoft.com/security).
  2. Launch the Iislockd.exe program file and click Next in the first screen of the wizard.
  3. Read the License Agreement, choose the I Agree option, and then click Next.
  4. Select the server role that best matches the type of Web sites the server will be hosting (you can switch roles by running the wizard again), as shown in Figure 28-2.

    Figure 28-2. Selecting a server role.

  5. Select the View Template Settings check box to walk through the settings, or leave it blank to accept the defaults. Click Next to move on (if you didn't select the View Template Settings check box, skip ahead to step 11).
  6. Select which services you want to enable, optionally select the Remove Unselected Services check box (shown in Figure 28-3), and then click Next. Every service you disable reduces the server's attack surface and leaves an attacker fewer entry points.

    Figure 28-3. Disabling unneeded services.

  7. In the next screen (Figure 28-4), select the script types you want to disable (for maximum security, disable every script mapping you are not actively using), and then click Next.

    Figure 28-4. Disabling unneeded scripting types.

  8. In the Additional Security screen shown in Figure 28-5, leave the check boxes in the first section selected to remove the listed virtual directories (they contain sample pages and scripts that can be used to compromise a server). If a Web site that you're hosting requires scripts, rename the \scripts virtual directory so that automated scanners probing the default name miss it. Renaming only hides the directory; still restrict its NTFS permissions to the scripts the site actually needs.

    Figure 28-5. Performing additional security measures.

    If a Web site you're hosting requires a database connection using Microsoft Advanced Data Connector and Remote Data Services (MSADC), clear the MSADC check box so that the wizard leaves the MSADC virtual directory in place (a selected check box in this section means "remove").

  9. Leave the Running System Utilities and Writing To Content Directories check boxes selected. The wizard then adds deny entries to the file permissions so that the anonymous Web user account cannot run system utilities such as the command prompt or overwrite Web site content; without them, an exploit that runs code as the anonymous account gets both.
  10. Leave the Disable Web Distributed Authoring And Versioning (WebDAV) check box selected to disable WebDAV support and then click Next, unless your Web site authors need it (WebDAV makes it easier to publish and maintain version control of Web site content using Macromedia Dreamweaver, Windows Explorer, and other programs). Note that to enable WebDAV, in addition to clearing this check box, you'll need to edit URLScan's Urlscan.ini file so that the WebDAV request verbs are allowed and the request headers WebDAV clients send are no longer rejected.
  11. In the URLScan screen (Figure 28-6), leave the Install URLScan Filter On The Server check box selected and then click Next to install URLScan.

    Figure 28-6. Installing URLScan.

    URLScan is an ISAPI filter that analyzes all incoming Web server requests and rejects inappropriate ones, based on the settings in the Urlscan.ini file (which is tailored to the server role you picked in step 4). To make further modifications to URLScan's settings (for example, to enable WebDAV), click Help in the URLScan screen for help in editing the %windir%\System32\Inetsrv\UrlScan\UrlScan.ini file.

  12. Review the settings you chose and then click Next to apply them.
  13. Test the functionality of the server after applying these settings. Do your Web sites still function properly, and can Webmasters still publish content to the Web sites as appropriate?
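To make the step 11 caveat about Urlscan.ini concrete, the following Python script is an added example (not Microsoft's URLScan code, and its policy text is not a real Urlscan.ini): a cut-down request filter that reads a constructed policy written in Urlscan.ini's section format and applies the verb allow-list, [DenyHeaders], [DenyExtensions], [DenyUrlSequences] and the UTF-8 normalization check to constructed requests shaped like the Code Red (.ida) and Nimda (Unicode traversal) probes, a double-encoded traversal and a WebDAV PROPFIND. The three embedded policies show why enabling WebDAV takes two edits: allowing the WebDAV verbs, and removing the Translate:, If: and Lock-Token: entries that the default [DenyHeaders] list carries. The section and option names are URLScan's own; the sample requests, the policy contents and the simplified checking order are this example's assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed cut-down Urlscan.ini for a static Web server (not the file the
# Lockdown tool installs; section and option names follow Urlscan's format).
STATIC_POLICY = """\
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
[AllowVerbs]
GET
HEAD
[DenyHeaders]
Translate:
If:
Lock-Token:
[DenyExtensions]
.asp
.ida
.exe
[DenyUrlSequences]
..
\\
:
%
"""
# The two edits WebDAV needs: allow its verbs, and stop rejecting the headers
# WebDAV clients send. WEBDAV_VERBS_ONLY makes only the first edit.
WEBDAV_VERBS = ("[AllowVerbs]\nGET\nHEAD\nOPTIONS\nPROPFIND\nPROPPATCH\nMKCOL\n"
                "PUT\nDELETE\nCOPY\nMOVE\nLOCK\nUNLOCK\n")
WEBDAV_VERBS_ONLY = STATIC_POLICY.replace("[AllowVerbs]\nGET\nHEAD\n", WEBDAV_VERBS)
WEBDAV_POLICY = WEBDAV_VERBS_ONLY.replace(
    "[DenyHeaders]\nTranslate:\nIf:\nLock-Token:\n", "[DenyHeaders]\n")


def parse_ini(text):
    """Parse Urlscan.ini-style text into {section: [non-comment lines]}."""
    policy, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy[section] = []
        elif line and not line.startswith(";") and section is not None:
            policy[section].append(line)
    return policy


def check_request(policy_text, verb, url, headers):
    """Screen one request (headers: dict of name -> value); return (allowed, reason)."""
    p = parse_ini(policy_text)
    opts = dict(line.split("=", 1) for line in p.get("options", []) if "=" in line)
    # Verbs: an allow-list when UseAllowVerbs=1, otherwise the [DenyVerbs] list.
    if opts.get("UseAllowVerbs") == "1":
        if verb.upper() not in {v.upper() for v in p.get("AllowVerbs", [])}:
            return False, f"verb {verb} not in [AllowVerbs]"
    elif verb.upper() in {v.upper() for v in p.get("DenyVerbs", [])}:
        return False, f"verb {verb} in [DenyVerbs]"
    # Headers: [DenyHeaders] entries carry a trailing ':' and match case-insensitively.
    present = {name.lower() for name in headers}
    for h in p.get("DenyHeaders", []):
        if h.rstrip(":").lower() in present:
            return False, f"header {h} in [DenyHeaders]"
    path = url.split("?", 1)[0]
    if opts.get("NormalizeUrlBeforeScan") == "1":
        # Decode once and insist on well-formed UTF-8: the overlong %c0%af the
        # Unicode traversal relied on is rejected here instead of becoming a '/'.
        try:
            decoded = unquote_to_bytes(path).decode("utf-8")
        except UnicodeDecodeError:
            return False, "URL is not valid UTF-8 after decoding"
        # VerifyNormalization: a path that changes when decoded a second time was
        # double-encoded to slip past the sequence and extension checks below.
        if opts.get("VerifyNormalization") == "1" and \
                unquote_to_bytes(decoded).decode("utf-8", "replace") != decoded:
            return False, "URL changes when decoded twice"
        path = decoded
    for seq in p.get("DenyUrlSequences", []):
        if seq in path:
            return False, f"sequence {seq!r} in [DenyUrlSequences]"
    # Extension of the last path component against the allow- or deny-list.
    last = path.rpartition("/")[2]
    ext = "." + last.rsplit(".", 1)[1].lower() if "." in last else ""
    if opts.get("UseAllowExtensions") == "1":
        if ext not in {e.lower() for e in p.get("AllowExtensions", [])}:
            return False, f"extension {ext!r} not in [AllowExtensions]"
    elif ext in {e.lower() for e in p.get("DenyExtensions", [])}:
        return False, f"extension {ext!r} in [DenyExtensions]"
    return True, "ok"


# Constructed sample requests (not captured traffic) shaped like the Code Red
# and Nimda probes, a double-encoded traversal, and a WebDAV PROPFIND.
SAMPLE_REQUESTS = [
    ("GET", "/default.htm", {"Host": "www.example.com"}),
    ("GET", "/default.ida?" + "N" * 200 + "%u9090%u6858", {}),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir", {}),
    ("GET", "/scripts/%252e%252e/winnt/system32/cmd.exe", {}),
    ("PROPFIND", "/docs/", {"Translate": "f", "Depth": "1"}),
]

if __name__ == "__main__":
    for name, policy in ("static", STATIC_POLICY), ("webdav", WEBDAV_POLICY):
        for verb, url, headers in SAMPLE_REQUESTS:
            print(name, verb, url[:45], check_request(policy, verb, url, headers))
```

Run under the static policy, only the plain GET passes; the .ida request fails on its extension, the Nimda-style request on the overlong UTF-8, the double-encoded one on VerifyNormalization, and PROPFIND on the verb list. Under WEBDAV_VERBS_ONLY the PROPFIND still fails, now on the Translate: header, which is why both edits to Urlscan.ini are required.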

Using the Hisecweb Security Template

Microsoft provides a special security template that is designed specifically to increase the security of Windows 2000 to a level appropriate for a Web server. The hisecweb template increases the overall security of Windows 2000, in contrast to the IIS Lockdown tool, which only modifies IIS-specific security settings.

The following sections describe how to view and modify the security settings contained in the hisecweb template, as well as how to apply the template to a server (security templates are covered in greater detail in Chapter 19).

Viewing and Modifying the Hisecweb Template

To review and change the hisecweb template's settings, follow these steps:

  1. Obtain the hisecweb security template from Microsoft's Web site (see Microsoft Knowledge Base Article Q316347).
  2. Copy the Hisecweb.inf file to the %SystemRoot%\Security\Templates folder (you might have to extract the file from the Hisecweb.exe file first).
  3. Click Start, choose Run, type mmc in the Run dialog box, and then click OK.
  4. From the Console menu, choose Add/Remove Snap-In. Click Add in the Standalone tab.
  5. Select Security Configuration And Analysis from the list of snap-ins and then click Add, as shown in Figure 28-7.

    Figure 28-7. Adding security snap-ins to an MMC console.

  6. Select Security Templates from the list of snap-ins, click Add, and then click Close to add the snap-ins to the console.
  7. Click OK in the Add/Remove Snap-In dialog box, and the two snap-ins are added to Console Root in the console tree.
  8. In the console tree, select Security Templates, then the Security\Templates folder, and finally Hisecweb (shown in Figure 28-8).

    Figure 28-8. The hisecweb security template.

  9. Make any desired changes to the template, right-click Hisecweb in the console tree, choose Save As from the shortcut menu, and then save the modified template under a new filename (for example, mycompany_hisecweb).

Applying the Hisecweb Template

To apply the hisecweb template, you need to use the Security Configuration and Analysis snap-in. To do so, use the following procedure:

  1. In the MMC console (see the previous procedure), right-click Security Configuration And Analysis and choose Open Database from the shortcut menu.
  2. In the Open Database dialog box, enter a name for the new configuration (for example, mycompany_hisecweb.sdb), and then click Open (this creates a new file for the settings).
  3. In the Import Template dialog box, select Hisecweb.inf (or the customized version), and then click Open.
  4. Right-click Security Configuration And Analysis from the console tree and choose Analyze Computer Now from the shortcut menu. Click OK when prompted for a log file location. The template is then compared to the computer's current settings, and the differences are displayed in tree format.
  5. Review the settings (as shown in Figure 28-9), and when ready, right-click Security Configuration And Analysis and choose Configure Computer to apply the security settings to the computer.

    Figure 28-9. Comparing an applied template to the current security settings.

  6. To verify the settings, click Start, choose Run, type gpedit.msc in the Run dialog box, and then click OK.
  7. Use the Group Policy Editor to verify that the desired security settings are in effect.

Change the Home Directory Location

Past exploits (such as the IIS Unicode directory-traversal bug) allowed attackers to walk up from a virtual directory under \Inetpub (where Web site content is stored) to the root of that drive, open other folders on it (such as \Winnt), and run programs such as Cmd.exe. Although that bug has been fixed, keeping \Inetpub on a drive other than the system drive (preferably one dedicated to IIS) blunts future bugs of the same kind: a run of ..\ components can climb only to the root of the drive the content lives on and cannot cross to the drive that holds \Winnt. This is defense in depth, not a substitute for the patch. (IIS 6, which is included with the Microsoft Windows .NET Server family, prompts you during setup to place the \Inetpub folder on a different drive.)

To change the location of the home directory, use the following procedure:

  1. Launch Internet Information Services from the Administrative Tools folder on the Programs menu.
  2. Connect to the desired Web server, right-click Default Web Site in the console tree, and choose Properties from the shortcut menu.
  3. Click the Home Directory tab, and then enter a new location for Web site content in the Local Path box, as shown in Figure 28-10. This location should be on a different drive from the Windows system directory. Copy the site content to the new location and check its NTFS permissions before changing the path; permissions you set on the old folder do not follow the content.

Figure 28-10. Changing the home directory location.
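As an added illustration (example code, not from the book), the Python below reproduces the path arithmetic behind the traversal described above, using constructed request strings rather than captured traffic. resolve() maps a URL onto a virtual directory's local path the way the unpatched server did, decoding the overlong %c0%af sequence to a second '/'; strict_utf8_ok() is the decoder behaviour of the patched server; escapes_root() is the check that actually closes the hole; and on_system_drive() shows the narrower benefit of moving \Inetpub: '..' stops at the root of the content drive, so D:\Inetpub\scripts cannot be walked to C:\Winnt. C:\Winnt as the Windows directory and \Inetpub\scripts as the virtual directory's local path are assumptions.

```python
import ntpath
from urllib.parse import unquote_to_bytes

# Constructed sample requests (not captured traffic): a Unicode-style traversal
# aimed at the \scripts virtual directory, and a benign request to it.
TRAVERSAL = "/..%c0%af../winnt/system32/cmd.exe?/c+dir"
BENIGN = "/hello.asp"
SYSTEM_ROOT = r"C:\Winnt"  # assumed location of the Windows directory


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way the unpatched server did: an overlong two-byte
    sequence such as C0 AF (a second spelling of '/') is accepted instead of
    rejected. Only two-byte sequences are handled; anything else passes through
    byte by byte, which is enough for this demonstration."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def strict_utf8_ok(request_path: str) -> bool:
    """What the patched server does: refuse the request if the decoded path is
    not well-formed UTF-8 (overlong sequences included)."""
    try:
        unquote_to_bytes(request_path.split("?", 1)[0]).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def resolve(local_path: str, request_path: str) -> str:
    """Map the part of the URL after the virtual directory name onto the
    directory's local path as the vulnerable server did: strip the query,
    percent-decode leniently, treat '/' as '\\', and collapse '..' components."""
    rest = lenient_utf8(unquote_to_bytes(request_path.split("?", 1)[0]))
    rest = rest.lstrip("/\\").replace("/", "\\")
    return ntpath.normpath(ntpath.join(local_path, rest))


def escapes_root(local_path: str, resolved: str) -> bool:
    """The check that closes the hole: after decoding, the resolved path must
    still lie inside the virtual directory's local path."""
    root = ntpath.normcase(ntpath.normpath(local_path)).rstrip("\\")
    target = ntpath.normcase(resolved)
    return not (target == root or target.startswith(root + "\\"))


def on_system_drive(resolved: str, system_root: str = SYSTEM_ROOT) -> bool:
    """Why the separate drive helps: '..' climbs only to the root of the drive
    the content lives on, so a traversal from D:\\Inetpub never reaches C:\\Winnt."""
    return ntpath.splitdrive(resolved)[0].lower() == ntpath.splitdrive(system_root)[0].lower()


if __name__ == "__main__":
    for local in (r"C:\Inetpub\scripts", r"D:\Inetpub\scripts"):
        for req in (BENIGN, TRAVERSAL):
            target = resolve(local, req)
            print(f"{local} + {req}\n  -> {target}\n  escapes root: {escapes_root(local, target)}"
                  f"  on system drive: {on_system_drive(target)}  strict decode ok: {strict_utf8_ok(req)}")
```

With content on C:, the traversal resolves to C:\winnt\system32\cmd.exe; with content on D:, the same request resolves to D:\winnt\system32\cmd.exe, a path that does not exist. Both still escape the virtual directory, which is why the root check (and the patch) matter more than the drive placement.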

Keeping Up on the Latest Patches

Although you can avoid many attacks by properly securing IIS, it's still vital that you keep the Web server up-to-date with the latest service pack and security updates. More so than with any other type of server, a Web server needs to have the latest security updates.

To this end, use the following recommendations:

  • Sign up with the Microsoft Security Update service, which is a free service that notifies you through e-mail when new security updates are available. To do so, submit a blank e-mail to microsoft_security-subscribe-request@announce.microsoft.com. You'll receive an e-mail with instructions on adding yourself to the service.
  • Stay current with the latest service pack that has been adequately tested (don't fall more than one behind if possible; this is more crucial for Web servers).
  • Install the latest security roll-up (a bundled package of security updates).
  • Evaluate, test, and selectively deploy relevant security fixes as they become available.
  • Use Hfnetchk.exe to check on the patch status of your Web servers. This tool is discussed in Chapter 25.

Miscellaneous Security Procedures

There are a number of additional security measures necessary to secure a Windows 2000 Web server, as described next:

  • Monitor log files: Keep a close eye on log files, looking for attacks.
  • Apply IPSec policies: Use IPSec policies to block all protocols and ports other than those that you are currently using (see Chapter 19).
  • Eliminate FAT: Use NTFS for all disk partitions, and follow the security recommendations listed in Chapter 19.
  • Check Microsoft's Security Web site (http://www.microsoft.com/security): Check this site for additional security recommendations, patches, and tools.


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
