If your organization has a company Web server that serves anonymous requests to either the Internet or your intranet, then you essentially have a target. And it's only a matter of time before some black hat hits it.
Microsoft Internet Information Services (IIS) Web server is a popular server on a popular platform, and it has many published vulnerabilities. These servers are valuable targets, and organizations spend a lot of admin time and a lot of company money hardening, detecting, and protecting these assets from black hats and script kiddies.
However, it's not necessary to spend thousands of dollars on intrusion detection for these types of machines. Attacks on these public servers use a variety of exploits, but in the end, they all focus on accessing a small handful of programs. You just have to know what to look for.
The most common exploits culminate in accessing the following programs. These are the main programs that black hats generally need access to in order to perform their mischief.
Now, let's look at how you can stop intruders from accessing these programs as well as log their attempts.
The first step is to search your hard drive for these files. (You'll find multiple locations for each one.) Then, follow these steps:
Repeat these actions for every instance of each program.
There is one exception. During a buffer overflow attack, it's the system account that actually accesses Cmd.exe. So, you'll also need to audit the system account for object access to complete your detection and protection scheme.
If the Web server is a stand-alone server, you'll need to enable object auditing. Follow these steps:
If the Web server is part of the domain, you must enable object auditing within a Domain Group Policy Object (GPO).
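The procedure above (locate every copy of each program, deny the anonymous Web account access, audit access attempts including those by the system account, and turn on object auditing) can be scripted. The following PowerShell script is an added example and is not part of the original article; it assumes an elevated session on a stand-alone server, that the IIS anonymous account is named `IUSR` (it is `IUSR_<MACHINENAME>` on older IIS versions, so adjust `$AnonymousAccount`), that the program list is completed from your own inventory, and that Security log event ID 4663 (Vista and later) is the object-access event to check. For a domain member, the `auditpol` step is replaced by the equivalent setting in the Domain GPO.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# session on the Web server. Review with $DryRun = $true before applying.

$AnonymousAccount = "IUSR"      # assumption: IIS anonymous account; older IIS uses IUSR_<MACHINENAME>
$Programs = @("cmd.exe")        # placeholder list: add the other programs from your own inventory
$DryRun = $true                 # $true lists what would change; $false applies the changes

# Step 1: find every instance of each program on all local fixed drives.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
$found = foreach ($p in $Programs) {
    foreach ($d in $drives) {
        Get-ChildItem -Path $d.Root -Filter $p -Recurse -File -Force -ErrorAction SilentlyContinue
    }
}

foreach ($file in $found) {
    Write-Host "Processing $($file.FullName)"
    if ($DryRun) { continue }

    # Step 2: deny the anonymous Web account all access to the program (DACL entry).
    $acl  = Get-Acl -Path $file.FullName
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($AnonymousAccount, "FullControl", "Deny")
    $acl.AddAccessRule($deny)
    Set-Acl -Path $file.FullName -AclObject $acl

    # Step 3: audit success and failure of execute/read by Everyone (SACL entry).
    # "Everyone" covers the anonymous account and the SYSTEM account that the
    # article notes is the one actually reaching Cmd.exe during a buffer overflow.
    $sacl  = Get-Acl -Path $file.FullName -Audit
    $audit = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "ExecuteFile,ReadData", "Success,Failure")
    $sacl.AddAuditRule($audit)
    Set-Acl -Path $file.FullName -AclObject $sacl
}

# Step 4: SACL entries only generate events once object-access auditing is enabled.
# On a stand-alone server this is the local policy; on a domain member set the
# same subcategory in the Domain GPO instead.
if (-not $DryRun) {
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}

# Check: show the audit entries now on the first located file, then any recent
# object-access events (ID 4663, Vista and later) that mention the program.
if ($found) {
    Get-Acl -Path $found[0].FullName -Audit | Select-Object -ExpandProperty Audit
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'cmd\.exe' } |
        Select-Object TimeCreated, Id, Message
}
```

Adding the deny entry only for the anonymous account (rather than removing permissions for everyone) keeps administrators and the operating system itself able to use the programs; the audit entry is what gives you the log trail for the attempts the denial blocks.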
Intruders must have access to programs on your network to work their magic. By denying them this access and logging their attempts, you can increase the security level of your organization's Web server and your network at no cost to the company.