A snapshot view that shows the attributes of a secure Web server allows you to quickly and easily compare settings with your own Web server. The settings shown in Table 16.4 are based on Web servers that host Web sites that have proven to be very resilient to attack and demonstrate sound security practices. By following the preceding steps you can generate a server that is configured identically with regard to security.
Component | Characteristics |
---|---|
Patches and Updates | Latest service packs and patches are applied for Windows, IIS, and the .NET Framework. |
Services | Unnecessary services are disabled. NNTP, SMTP, and FTP are disabled unless you require them. WebDAV is disabled or secured if used. Service accounts run with least privilege. ASP.NET Session State service is disabled if not required. |
Protocols | The NetBIOS and SMB protocols are not enabled on the server. The TCP stack has been hardened. |
Accounts | Unused accounts are removed. Guest account is disabled. The default administrator account is renamed and has a strong password. Default anonymous account (IUSR_Machine) is disabled. Custom anonymous account is used for anonymous access. Strong password policies are enforced. Remote logons are restricted. Null sessions (anonymous logons) are disabled. Approval is required for account delegation. Shared accounts are not used. Membership of local administrators group is restricted (ideally to two members). Administrators are required to log on interactively (or a secure remote administration solution is implemented). |
Files and Directories | Everyone group has no rights to system, Web, or tools directories. Anonymous account has no access to Web site content directories and system utilities. Tools, utilities, and SDKs are removed or secured. Sample files are removed. Unnecessary DSNs are removed. |
Shares | Unused shares are removed from the server. Access to required shares is secured (shares are not enabled to "Everyone" unless necessary.) Administration shares (C$ and Admin$) are removed if not required. |
Ports | All ports except 80 and 443 (SSL) are blocked, especially vulnerable ports 135–139 and 445. |
Registry | Remote administration of the registry is prevented. SAM has been secured (stand-alone servers only). |
Auditing and Logging | Login failures are logged. Object access failures by the Everyone group are logged. Log files are relocated from %systemroot%\system32\LogFiles and secured with ACLs: Administrators and System have full control. IIS logging is enabled. Log files are regularly archived for offline analysis. Access to the metabase.bin file is audited. IIS is configured for W3C Extended Log File Format Auditing. |
IIS | |
Sites and Virtual Directories | Web roots and virtual directories are located on separate volumes from the system volume. Parent Paths setting is disabled. Dangerous virtual directories are removed (IIS Samples, MSADC, IISHelp, Scripts, and IISAdmin). RDS is removed or secured. Web permissions restrict inappropriate access. Include directories restrict Read Web permissions. Folders with Anonymous access restrict Write and Execute Web permissions. Secured folders that allow content authoring allow Script Source Access Web permissions while all other folders do not. FPSE is removed if not required. |
Script Mappings | Unused script mappings are mapped to 404.dll: .idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer. Note: the 404.dll is installed when you run the IIS Lockdown tool. |
ISAPI Filters | Unused ISAPI filters are removed. |
IIS Metabase | Access to IIS Metabase is restricted with NTFS permissions. Banner information is restricted; the content location in HTTP response headers is hidden. |
Machine.config | |
HttpForbiddenHandler | Protected resources are mapped to System.Web.HttpForbiddenHandler |
Remoting | .NET Remoting is disabled: <httpHandlers> <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler"/> <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler"/> </httpHandlers> |
trace | Trace information and detailed error information is not returned to the client: <trace enabled="false"/> |
compilation | Debug compiles are disabled: <compilation debug="false"/> |
customErrors | Error details are not returned to the client: <customErrors mode="On" /> A generic error page writes errors to the Event Log. |
sessionState | Session State is disabled if not needed: <sessionState mode="Off" /> |
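The Machine.config rows above are easy to verify mechanically, and a drift check is how most shops keep a hardened build from silently regressing. The following script is an added example, not code from the original guide: it parses a <system.web> fragment with the Python standard library and reports every setting that deviates from the snapshot (trace enabled, debug compiles, customErrors not On, session state not Off, and *.rem or *.soap not mapped to System.Web.HttpForbiddenHandler). The two sample configurations embedded in it are constructed for the demonstration; the function name audit_system_web is an assumption of this example.

```python
"""Check a <system.web> fragment against the Machine.config snapshot rows.

Added example, not part of the original guide. Uses only the standard
library so it can be run offline against an exported machine.config or
web.config. Defaults used when an element is absent are the ASP.NET
defaults (trace off, debug false, customErrors RemoteOnly, session InProc).
"""
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"
REMOTING_PATHS = ("*.rem", "*.soap")   # the two handlers the snapshot blocks


def audit_system_web(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the fragment matches the snapshot."""
    root = ET.fromstring(xml_text)
    web = root if root.tag == "system.web" else root.find(".//system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []

    trace = web.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() != "false":
        findings.append('trace is enabled; set <trace enabled="false"/>')

    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('debug compiles enabled; set <compilation debug="false"/>')

    errors = web.find("customErrors")
    mode = errors.get("mode", "RemoteOnly") if errors is not None else "RemoteOnly"
    # mode="Off" returns full error details to every client; the snapshot requires On.
    if mode.lower() != "on":
        findings.append(f'customErrors mode is {mode}; set <customErrors mode="On"/>')

    session = web.find("sessionState")
    if session is None or session.get("mode", "InProc").lower() != "off":
        findings.append('session state is not Off; set <sessionState mode="Off"/> if not needed')

    # Collect path -> handler type, then confirm the remoting extensions are forbidden.
    mapped = {}
    handlers = web.find("httpHandlers")
    if handlers is not None:
        for add in handlers.findall("add"):
            mapped[add.get("path", "").strip()] = add.get("type", "").strip()
    for path in REMOTING_PATHS:
        # startswith tolerates a trailing ", System.Web, Version=..." assembly reference.
        if not mapped.get(path, "").startswith(FORBIDDEN):
            findings.append(f"{path} is not mapped to {FORBIDDEN}; .NET Remoting over HTTP is not blocked")
    return findings


# Constructed sample: a development-style configuration that violates every row.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false"/>
    <compilation debug="true"/>
    <customErrors mode="Off"/>
    <sessionState mode="InProc"/>
    <httpHandlers>
      <add verb="*" path="*.rem" type="SomeRemotingHandlerFactory, SomeAssembly"/>
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed sample: the settings exactly as the snapshot table lists them.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false"/>
    <compilation debug="false"/>
    <customErrors mode="On"/>
    <sessionState mode="Off"/>
    <httpHandlers>
      <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_system_web(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against a real machine.config by reading the file into audit_system_web; the checker looks only at the machine-wide defaults, so an application web.config that re-enables debug or trace under its own <system.web> needs to be audited separately with the same function.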
Code Access Security | |
Code Access Security | Code Access Security is enabled for the machine. caspol -s On |
LocalIntranet_Zone | Local intranet zone has no permissions: PermissionSet=Nothing |
Internet_Zone | Internet zone has no permissions: PermissionSet=Nothing |