Locking Down IIS


For Web applications using IIS, ensure that Windows is secured by following the fundamental lockdown principles and both the Windows client lockdown and Windows server lockdown steps. The following sections apply to both IIS and ASP.NET.

Disable Unnecessary Internet Services

A full IIS installation might include SMTP (for mail), the FTP service, Microsoft FrontPage server extensions, MSMQ (Microsoft Message Queuing), NNTP (Network News Transfer Protocol), and the World Wide Web publishing service (for hosting Web sites). Each of these services increases the attack surface of your server. You’d be very wise to disable the services that aren’t in use. The IIS Lockdown tool will disable services based on the server role you choose.

Disable Unnecessary Script Maps

IIS script maps enable support for certain scripting files such as .ASP, .ASPX, and .IDQ. You should enable support only for script files your application actually uses. For example, .IDQ files are used for remote administration of Index Server. Unless you actually need this functionality, you should disable it. The IIS Lockdown tool can detect unnecessary script maps and will disable them.

Remove Samples

The sample sites that ship with IIS should be removed because they aren’t needed by your application or IIS and they increase the attack surface of the server. In addition, if the server was upgraded from Windows NT 4.0, it might have the IISadmpwd sample installed. You should remove this sample—it allows users to change their passwords via a Web page. The IIS Lockdown tool will detect all but the IISadmpwd sample; MBSA will detect the IISadmpwd sample.

Enable IIS Logging

IIS has the capability to log every page request it receives. Logging can be enabled on a site-by-site basis, and it’s useful for determining who is accessing your site. For information on enabling logging, see the Microsoft article at http://support.microsoft.com/default.aspx?scid=KB;en-us;300390.

Restrict IUSR_<computername>

It’s a good idea to restrict what anonymous users can do because they haven’t been authenticated, and this is where most intruders start. When an anonymous user accesses a Web page, IIS uses the IUSR_<computername> account to access resources the page refers to. You should limit what this account can do, such as removing the ability to run executables. The IIS Lockdown tool will disable IUSR_<computername> from running executables and writing to any Web site directories. If IIS has to access a SQL server, you might consider using a low-privileged domain account for IIS anonymous access. Doing so means it will be authenticated with Windows integrated security when using the named-pipes protocol to access SQL Server.
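The following added example (not from the book) ties the logging, script-map, sample and anonymous-user sections together: a Python audit that parses a W3C extended IIS log and reports requests that touched the .IDQ script map, the IISadmpwd sample, or an executable fetched by the anonymous user. The log lines, the client addresses and the /iisadmpwd/achg.htr path are constructed for the example.

```python
"""Audit an IIS W3C extended log for requests that touch items the lockdown
steps tell you to remove: the .IDQ script map, the IISadmpwd sample and
executables fetched by the anonymous (IUSR) user. Sample log is constructed."""
from typing import Dict, List, Tuple

# Constructed sample log in W3C extended format; not from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2003-01-15 00:01:02 192.0.2.10 - GET /default.asp - 200
2003-01-15 00:01:05 192.0.2.10 - GET /query.idq - 404
2003-01-15 00:02:11 192.0.2.22 - GET /iisadmpwd/achg.htr - 200
2003-01-15 00:03:40 192.0.2.33 DOMAIN\\alice GET /reports/export.exe - 200
2003-01-15 00:04:01 192.0.2.44 - GET /cgi-bin/upload.exe - 200
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text; the #Fields directive names the columns."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        else:
            values = line.split()          # W3C encodes spaces inside values as '+'
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def audit(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, client ip, uri-stem) for each request hitting a lockdown item."""
    findings: List[Tuple[str, str, str]] = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        anonymous = r.get("cs-username", "-") == "-"   # '-' means no authenticated user
        if stem.endswith(".idq"):                       # script map that should be disabled
            findings.append(("idq-script-map", r["c-ip"], stem))
        if "/iisadmpwd/" in stem:                       # sample that should be removed
            findings.append(("iisadmpwd-sample", r["c-ip"], stem))
        if anonymous and stem.endswith(".exe"):         # IUSR should not run executables
            findings.append(("anonymous-executable", r["c-ip"], stem))
    return findings

if __name__ == "__main__":
    for rule, ip, uri in audit(parse_w3c(SAMPLE_LOG)):
        print(f"{rule:22} {ip:12} {uri}")
```

A hit on a rule after the Lockdown tool has run means the request reached a feature that should already be gone, which is worth following up; the authenticated DOMAIN\alice request is deliberately not flagged.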

Install URLScan

As discussed earlier in this chapter, URLScan should be installed and run on every Web server. The IIS Lockdown tool includes an option for installing URLScan. URLScan is discussed in more detail in Chapter 13.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168
