Summary


Chapter 9 covers a number of recommended hardening procedures. Here's a recap:

  • Secure the physical and network perimeter.

  • Prevent booting from anything but the primary hard drive.

  • Password-protect BIOS from changes.

  • Install and correctly configure a perimeter firewall.

  • Patch hardware, BIOS, drivers, and so on before installing the OS or IIS.

  • Install the OS.

  • Don't join the server to a domain (or install Active Directory on it) unless needed.

  • Configure secure remote administration.

  • Configure RDP (if used) to listen on a high, non-default port. This only hides it from casual scans; it is not a substitute for the perimeter firewall and strong credentials.

  • Install IIS in a minimal configuration and then run the patch update.

  • Harden the OS by removing unneeded software and services.

  • Require strong passwords.

  • Enable account lockouts.

  • Rename the Administrator and Guest accounts.

  • Remove the Everyone and Power Users groups from "Access this computer from the network" user right.

  • Remove the Backup Operators group from "Access this computer from the network" user right, unless remote backup is done.

  • Change the Unsigned Driver behavior from Warn to Don't Allow.

  • Enable Message Text for Interactive Logon (just to defeat any brute-force logon tools).

  • Disable Logon caching.

  • Enable the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" option (although this may break some remote management tools).

  • Enable the "Network access: Do not allow storage of passwords and credentials for network authentication" option.

  • Enable the "Network security: Do not store LAN Manager hash value on next password change" option.

  • Set the "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" (unless down-level clients must authenticate using Integrated Windows authentication).

  • Enable the "Shutdown: Clear virtual memory pagefile" option (this lengthens shutdown and boot times, so weigh it against availability requirements).

  • Remove POSIX from the optional Windows subsystems.

  • Restrict CD-ROM and floppy drive use to local logged-on users only.

  • Deny the Log On Locally right to all members of the IIS_IUSRS group.

  • Enable the "Interactive Logon: Do not display user info" option.

  • Remove DFS$ and COMCFG from the list of shares that can be accessed anonymously.

  • Disable File and Printer sharing.

  • Install additional IIS features and modules as needed.

  • Minimize Protocol Listeners, components, handlers, handler permissions, authentication methods, providers, scripts, ISAPI filters, applications, MIME types, and other unneeded IIS content.

  • Use Feature Delegation to restrict the number of admins and what each admin can do.

  • Strengthen NTFS permissions.

  • Design IIS directory structure to support strong security.

  • Configure URL Request Filtering.

  • Configure Web site(s) to use only the IP addresses they should be listening on.

  • Add additional application pools as necessary to segregate unrelated Web sites and content.

  • Create custom application pool identity and anonymous-user accounts as desired to further harden IIS.

  • Remove unnecessary files, including temp files, scripts, and so on.

  • Empty the Recycle Bin and reboot the server.

  • Install only security-reviewed applications.

  • Conduct vulnerability tests against the web server to test settings and configuration.
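The operating-system items in the recap above correspond to a handful of registry values that sit behind the Local Security Policy settings. The PowerShell script below is an added example, not code from the book: it audits those values on the server and reports PASS or FAIL per setting without changing anything. It assumes PowerShell 3.0 or later and an elevated prompt; the expected values are the hardened ones named in the recap. Items the recap expresses as user-rights assignments (Log On Locally, Access this computer from the network) are not simple registry values and are left to the Local Security Policy console or `secedit /export`.

```powershell
# Added example (not from the book): audit the Windows security-option settings
# listed in the Chapter 9 recap by reading the registry values the policies map to.
# Read-only: it reports PASS/FAIL per setting and changes nothing.
# Assumes PowerShell 3.0+ and an elevated prompt on the server being hardened.

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$memMgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$rdp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Each check: setting name, registry path, value name, and a scriptblock that
# returns $true when the stored value is the hardened one from the recap.
$checks = @(
  @{ Name = 'Do not store LAN Manager hash value on next password change'
     Path = $lsa;      Value = 'NoLMHash';               Test = { param($v) $v -eq 1 } },
  @{ Name = 'LAN Manager authentication level = NTLMv2 only, refuse LM & NTLM'
     Path = $lsa;      Value = 'LmCompatibilityLevel';   Test = { param($v) $v -eq 5 } },
  @{ Name = 'Do not allow anonymous enumeration of SAM accounts and shares'
     Path = $lsa;      Value = 'RestrictAnonymous';      Test = { param($v) $v -eq 1 } },
  @{ Name = 'Do not allow storage of passwords and credentials for network auth'
     Path = $lsa;      Value = 'DisableDomainCreds';     Test = { param($v) $v -eq 1 } },
  @{ Name = 'Logon caching disabled (0 previous logons cached)'
     Path = $winlogon; Value = 'CachedLogonsCount';      Test = { param($v) [int]$v -eq 0 } },
  @{ Name = 'CD-ROM access restricted to locally logged-on user'
     Path = $winlogon; Value = 'AllocateCDRoms';         Test = { param($v) [int]$v -eq 1 } },
  @{ Name = 'Do not display last user name at logon'
     Path = $policies; Value = 'DontDisplayLastUserName'; Test = { param($v) $v -eq 1 } },
  @{ Name = 'Message text for interactive logon configured'
     Path = $policies; Value = 'LegalNoticeText';        Test = { param($v) -not [string]::IsNullOrEmpty($v) } },
  @{ Name = 'Clear virtual memory pagefile at shutdown'
     Path = $memMgmt;  Value = 'ClearPageFileAtShutdown'; Test = { param($v) $v -eq 1 } },
  @{ Name = 'RDP listening on a non-default port'
     Path = $rdp;      Value = 'PortNumber';             Test = { param($v) $v -ne 3389 } }
)

function Get-RegValue {
  param([string]$Path, [string]$Name)
  # Return $null instead of throwing when the key or value is absent, so an
  # unset policy is reported as FAIL rather than aborting the whole audit.
  try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
  catch { $null }
}

$results = @(foreach ($c in $checks) {
  $actual = Get-RegValue -Path $c.Path -Name $c.Value
  $ok = if ($null -eq $actual) { $false } else { & $c.Test $actual }
  [pscustomobject]@{
    Status  = if ($ok) { 'PASS' } else { 'FAIL' }
    Setting = $c.Name
    Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
  }
})

# Optional subsystems (REG_MULTI_SZ): "Posix" should no longer be listed.
$optional = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems' -Name 'Optional'
$results += [pscustomobject]@{
  Status  = if ($optional -contains 'Posix') { 'FAIL' } else { 'PASS' }
  Setting = 'POSIX removed from optional subsystems'
  Actual  = if ($optional) { $optional -join ',' } else { '<not set>' }
}

# Shares that can be accessed anonymously (REG_MULTI_SZ): DFS$ and COMCFG removed.
$nullShares = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'NullSessionShares'
$results += [pscustomobject]@{
  Status  = if (@($nullShares) -match '^(DFS\$|COMCFG)$') { 'FAIL' } else { 'PASS' }
  Setting = 'DFS$ and COMCFG removed from anonymously accessible shares'
  Actual  = if ($nullShares) { $nullShares -join ',' } else { '<none>' }
}

$results | Format-Table Status, Setting, Actual -AutoSize
# Non-zero exit code when anything failed, so the audit can gate a build pipeline.
if ($results | Where-Object { $_.Status -eq 'FAIL' }) { exit 1 }
```

Run the script before and after applying the policies. A value reported as `<not set>` means the policy has never been configured on this machine and the operating-system default applies; treat that as a finding to confirm in the Local Security Policy console rather than assume it is safe. On a domain-joined server a setting that flips back to FAIL after a reboot is usually being overridden by a domain GPO.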

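The IIS items in the recap (binding a site to a single IP address, a dedicated application pool with its own identity, and Request Filtering limits) can be applied from the command line with appcmd.exe, the native IIS 7 management tool. The script below is an added example, not code from the book; the site name, IP address, application pool name and pool account are placeholders to replace, and the file extensions, verbs and size limits are illustrative values to tune for the site being hardened.

```powershell
# Added example (not from the book): apply the IIS items in the recap with
# appcmd.exe. Site name, IP address, pool name and pool account are placeholders.
# Run from an elevated PowerShell 3.0+ prompt on the IIS 7 server.

$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$siteName = 'Default Web Site'    # placeholder: the site to harden
$siteIp   = '192.0.2.10'          # placeholder: the only address it should listen on
$poolName = 'ExampleSitePool'     # placeholder: a pool dedicated to this site
# Placeholder account: a dedicated low-privilege local user created beforehand.
$poolCred = Get-Credential -Message 'Account to run the application pool as'

function Invoke-AppCmd {
  # Run appcmd with the given arguments and stop on the first failure, so a
  # mistake in one step does not leave the site half-configured.
  param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
  & $appcmd @Arguments
  if ($LASTEXITCODE -ne 0) { throw "appcmd failed ($LASTEXITCODE): $($Arguments -join ' ')" }
}

# 1. Listen only on the intended IP address. /bindings: replaces all existing
#    bindings, so the site no longer answers on every interface.
Invoke-AppCmd set site "/site.name:$siteName" "/bindings:http/${siteIp}:80:"

# 2. Dedicated application pool running as a specific low-privilege account, so a
#    compromise of this site's code does not run under the shared default identity.
#    Note: appcmd takes the password on its command line, so run this interactively
#    on the server rather than from a logged build script.
Invoke-AppCmd add apppool "/name:$poolName"
Invoke-AppCmd set apppool "/apppool.name:$poolName" `
  '/processModel.identityType:SpecificUser' `
  "/processModel.userName:$($poolCred.UserName)" `
  "/processModel.password:$($poolCred.GetNetworkCredential().Password)"
Invoke-AppCmd set app "/app.name:$siteName/" "/applicationPool:$poolName"

# 3. Request Filtering for this site, committed to applicationHost.config
#    (/commit:apphost) so a web.config dropped into the content directory
#    cannot loosen it.
$rf = @('set', 'config', $siteName, '/section:requestFiltering', '/commit:apphost')
Invoke-AppCmd @rf '/allowDoubleEscaping:false' '/allowHighBitCharacters:false'
Invoke-AppCmd @rf '/requestLimits.maxAllowedContentLength:10485760' `
                  '/requestLimits.maxUrl:2048' '/requestLimits.maxQueryString:1024'
# Illustrative denies: backup and source files that should never be served,
# the TRACE verb, and a directory that must stay unreachable over HTTP.
foreach ($ext in '.bak', '.old', '.orig', '.sql') {
  Invoke-AppCmd @rf "/+fileExtensions.[fileExtension='$ext',allowed='false']"
}
Invoke-AppCmd @rf "/+verbs.[verb='TRACE',allowed='false']"
Invoke-AppCmd @rf "/+hiddenSegments.[segment='backup']"

# 4. Review what is still enabled; anything the site does not need is a
#    candidate for removal (appcmd delete module / delete handler).
Invoke-AppCmd list modules
Invoke-AppCmd list config $siteName '/section:handlers'
```

The `add apppool` step fails if the pool already exists, which is intentional: a dedicated pool should be created once, and the script stops rather than silently reusing a pool whose identity it did not set. After running it, the vulnerability test in the last recap item should confirm that the site answers only on the bound address and that a request for a denied extension or verb returns a 404.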


Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
