Step 2. IISLockdown


The IISLockdown tool helps you to automate certain security steps. IISLockdown greatly reduces the vulnerability of a Windows 2000 Web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server. The templates either disable or secure various features. In addition, IISLockdown installs the URLScan ISAPI filter. URLScan allows Web site administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules that the administrator controls. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.

During this step, you:

  • Install and run IISLockdown.

  • Install and configure URLScan.

Install and Run IISLockdown

IISLockdown is available as an Internet download from the Microsoft Web site at http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe.

Save IISlockd.exe in a local folder. IISlockd.exe is the IISLockdown wizard and not an installation program. You can reverse any changes made by IISLockdown by running IISlockd.exe a second time.

If you are locking down a Windows 2000-based computer that hosts ASP.NET pages, select the Dynamic Web server template when the IISLockdown tool prompts you. When you select Dynamic Web server, IISLockdown does the following:

  • It disables the following insecure Internet services:

    • File Transfer Protocol (FTP)

    • E-mail service (SMTP)

    • News service (NNTP)

  • It disables script mappings by mapping the following file extensions to the 404.dll:

    • Index Server Web Interface (.idq, .htw, .ida)

    • Server-side include files (.shtml, .shtm, .stm)

    • Internet Data Connector (.idc)

    • .HTR scripting (.htr), Internet printing (.printer)

  • It removes the following virtual directories: IIS Samples, MSADC, IISHelp, Scripts, and IISAdmin.

  • It restricts anonymous access to system utilities as well as the ability to write to Web content directories using Web permissions.

  • It disables Web Distributed Authoring and Versioning (WebDAV).

  • It installs the URLScan ISAPI filter.

    Note: If you are not using classic ASP, do not use the static Web server template. This template removes basic functionality that ASP.NET pages need, such as support for the POST command.

Log Files

IISLockdown creates two reports that list the changes it has applied:

  • %windir%\system32\inetsrv\oblt-rep.log. This contains high-level information.

  • %windir%\system32\inetsrv\oblt-log.log. This contains low-level details such as which program files are configured with a deny access control entry (ACE) to prevent anonymous Internet user accounts from accessing them. This log file is also used to support the IISLockdown Undo Changes feature.

Web Anonymous Users and Web Application Groups

IISLockdown creates the Web Anonymous Users group and the Web Application group. The Web Anonymous Users group contains the IUSR_MACHINE account. The Web Application group contains the IWAM_MACHINE account. Permissions are assigned to system tools and content directories based on these groups and not directly to the IUSR and IWAM accounts. You can review specific permissions by viewing the IISLockdown log, %windir%\system32\inetsrv\oblt-log.log.

The 404.dll

IISLockdown installs the 404.dll, to which you can map file extensions that must not be run by the client. For more information, see "Step 12. Script Mappings."

URLScan

If you install the URLScan ISAPI filter as part of IISLockdown, URLScan settings are integrated with the server role you select when running IISLockdown. For example, if you select a static Web server, URLScan blocks the POST command.

Reversing IISLockdown Changes

To reverse the changes that IISLockdown performs, run IISLockd.exe a second time. This does not remove the URLScan ISAPI filter. For more information, see "Removing URLScan" in the next topic.

More Information

See the following articles for more information about the IISLockdown tool:

  • For more information on running IISLockdown, see "How To: Use IISLockdown.exe" in the "How To" section of this guide.

  • For information on troubleshooting IISLockdown, see Microsoft Knowledge Base article 325864, "How To: Install and Use the IIS Lockdown Wizard." (The most common problem is receiving unexpected "404 File Not Found" error messages after running IISLockdown.)

  • For information on automating IISLockdown, see Microsoft Knowledge Base article 310725, "How To: Run the IIS Lockdown Wizard Unattended in IIS."

Install and Configure URLScan

URLScan is installed when you run IISLockdown, although you can download it and install it separately.

Task: To install URLScan without running IISLockdown

  1. Download IISlockd.exe from http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe.

  2. Run the following command to extract the URLScan setup:

    iislockd.exe /q /c

URLScan blocks requests that contain unsafe characters (for example, characters that have been used to exploit vulnerabilities, such as ".." used for directory traversal). URLScan logs requests that contain these characters in the %windir%\system32\inetsrv\urlscan directory.

You configure URLScan using settings in the .ini file %windir%\system32\inetsrv\urlscan\urlscan.ini.

In addition to blocking malicious requests, you can use URLScan to defend your server against denial of service attacks before the requests reach ASP.NET. To do this, set limits in the MaxAllowedContentLength, MaxUrl, and MaxQueryString arguments in the URLScan.ini file. For more information, see "How To: Use URLScan" in the "How To" section of this guide.

Reversing URLScan Changes

There is no automatic operation to remove URLScan. If you have problems with URLScan, you can either remove it from IIS or you can analyze the problem by logging requests that are rejected. To do this, use the option RejectResponseUrl=/~* in the URLScan .ini file.
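To show how the URLScan.ini settings named above (MaxAllowedContentLength, MaxUrl, MaxQueryString, the denied ".." sequence, and the RejectResponseUrl=/~* logging-only mode) turn into accept or reject decisions, here is an added Python emulation of URLScan's checks; it is not URLScan's code or part of this guide, and the ini fragment and sample requests are constructed, using the section and key names URLScan itself documents.

```python
import configparser

# Constructed urlscan.ini fragment (added example, not a file from the guide or
# from URLScan); section and key names are the ones URLScan itself uses.
SAMPLE_INI = r"""
[options]
UseAllowVerbs=0
RejectResponseUrl=/Rejected-By-UrlScan
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
[DenyVerbs]
TRACE
[DenyUrlSequences]
..
./
\
:
%
"""

def load_rules(ini_text):
    """Parse URLScan-style ini text; list sections hold bare entries (no '=')."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep '..', '%', etc. exactly as written
    cp.read_string(ini_text)
    return cp

def scan_request(rules, verb, url, content_length=0):
    """Return (allowed, reason) for one request. RejectResponseUrl=/~* is
    URLScan's logging-only mode: the reason is recorded but the request passes."""
    limits = rules["RequestLimits"]
    path, _, query = url.partition("?")
    reason = None
    if verb.upper() in {v.upper() for v in rules["DenyVerbs"]}:
        reason = "verb %s is in [DenyVerbs]" % verb
    elif len(path) > int(limits["MaxUrl"]):  # MaxUrl excludes the query string
        reason = "URL longer than MaxUrl"
    elif len(query) > int(limits["MaxQueryString"]):
        reason = "query string longer than MaxQueryString"
    elif content_length > int(limits["MaxAllowedContentLength"]):
        reason = "body larger than MaxAllowedContentLength"
    else:
        hit = next((s for s in rules["DenyUrlSequences"] if s in url), None)
        if hit is not None:
            reason = "URL contains denied sequence %r" % hit
    log_only = rules["options"]["RejectResponseUrl"] == "/~*"
    return (reason is None or log_only), reason
```

Switching RejectResponseUrl to /~* in the fragment makes every rejected request come back as allowed with its reason still attached, which is the behaviour you rely on when diagnosing unexpected rejections.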

For more information about how to remove ISAPI filters, see "Step 13. ISAPI Filters," later in this chapter.

More Information

See the following articles for more information about the URLScan tool:

  • For information on running URLScan, see "How To: Use URLScan" in the "How To" section of this guide.

  • For information about URLScan configuration and the URLScan.ini file settings, see Microsoft Knowledge Base article 326444, "How To: Configure the URLScan Tool."




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613