Microsoft's Web server offering, Internet Information Services (IIS), may be simple to install and manage, but it's been plagued by security problems for many years. Fortunately, administrators with basic technical skills can easily secure IIS by using the following techniques and tools.
Patch and update IIS and the Windows server
The first thing you should do is make sure that IIS and your Windows server have all the latest service packs and bug fixes installed. Microsoft has taken a lot of heat for bugs in its software, and much of that heat is deserved. But updating patches for IIS and Windows is your responsibility. Keep in mind that most viruses attack known vulnerabilities in software, and that there was a patch available for many of those vulnerabilities weeks or months before the virus appeared.
The quickest way to update an IIS server is from the Windows Update site accessed from the IIS machine. Windows Update will scan your system and display a list of critical and recommended updates. Install at minimum the critical updates.
Next, configure Automatic Updates in the Control Panel (or System Properties | Automatic Updates). I set it to alert me when new updates are available, but you can also elect to have the updates install themselves without intervention.
Finally, sign up for Microsoft's security alert newsletter, which will inform you of important security patches and information via e-mail.
Use the IIS Lockdown Tool and URLScan
Once you have a patched server, you can turn your attention to securing IIS. Worms like Code Red and Nimda exploited holes in the default configuration of IIS. Although Microsoft must take a good bit of blame for these security holes, equal blame must fall on lazy or uninformed IIS administrators. Microsoft has made it so easy to secure IIS that there really is no excuse for not doing it.
You can download Microsoft's IIS Lockdown Tool, which walks you through several screens to help you secure the basic configuration of IIS. The tool will display a list of common uses for IIS, and you can inspect the lockdown settings yourself. The tool disables unused script mappings, which were the root cause of both the Nimda and Code Red worms. It is important to note that neither Nimda nor Code Red could compromise an IIS machine that had its script mappings disabled—even without any patches installed. The Lockdown Tool also removes unused applications and directories and explicitly denies the anonymous IIS user account access to critical system files.
The Lockdown Tool also installs an ISAPI filter called URLScan. Without getting into too much detail, this ISAPI filter runs before each Web request is processed by IIS. It looks for common hack attempts that involve sending malformed request URLs to the server. If it sees a malicious URL, it drops the request. You can alter the pattern-matching settings used by URLScan if you want, but you shouldn't need to.
When you've worked your way through the Lockdown Wizard, these and other changes are made for you. Once the lockdown is complete, you can view a log of the changes the tool made (Figure A). If you run into problems after the lockdown, you can rerun the tool and reverse any changes the tool made.
Use the Security Configuration And Management Tool
Once IIS is secure, it would be prudent to turn your attention to Windows itself. Simply installing the latest Windows patches is not sufficient. You need to change numerous OS settings to create a secure and hardened Web server. Microsoft has provided two excellent tools to help with this process: the Security Configuration And Management Tool and the Baseline Security Analyzer. Let's look at the Security Configuration And Management Tool first.
To view the Security Configuration And Management Tool in Windows 2000, go to the Start menu, choose Run, and type mmc. This opens an empty management console. Next, choose File | Add/Remove Snap-In | Add and select Security Configuration And Analysis from the list.
Now, download and install the Secure Web Server (HiSecWeb ) security template, then follow the on-screen instructions in the Security Configuration And Analysis tool to create a system settings database. Right-click on Security Configuration And Analysis in the management console and choose Analyze Computer Now. The tool compares your current system settings against the recommended system settings for a secure Web server. The results are shown in a window similar to Figure B.
You can look through the results, but they may not make much sense to you if you aren't a dedicated server administrator. After you have analyzed the system and viewed the results, right-click on Security Configuration And Analysis in the management console and choose Configure Computer Now to apply the settings and secure the system. Be aware that one of the changes is to force strong passwords for most accounts, along with frequent password changes. This is an excellent idea, especially for a public Web server, but you'll need to keep up with it.
Use the Baseline Security Analyzer
Another free security tool provided by Microsoft is the Baseline Security Analyzer. This powerful tool scans your computer and ensures that everything is up to date. In a clever use of new technology, the tool pulls down an XML stream that includes a current list of every patch and security exploit.
You can use this tool to scan not only the Web server, but also any Windows computers on your network. Once the scan is finished, the tool displays a security report that lists any problems it found (Figure C). Just click on any issue in the report to view a detailed description, along with the solution.
Now, stay up to date
All of this can be a bit of a chore the first time you secure the system, but the good news is that once you go through this process, your system will stay secure as long as you keep up with the patches, which is pretty easy with Automatic Updates. I would also recommend running the Baseline Security Analyzer on a scheduled basis to confirm that everything is up to date.
IIS has a mixed reputation in the world of Web servers. Enthusiasts trumpet the ease of administration it provides, while others deride it for its security holes and its wide-open default configuration. The reality is that in its unpatched default configuration, IIS is a system just waiting to be compromised. However, Microsoft has come a long way since IIS 5.0 was released.
It is now nearly effortless to keep up to date with the latest patches through Automatic Updates. It takes just a few minutes to run the Lockdown Tool and secure IIS against the large majority of exploits. The Security Configuration and Analysis console makes short work of securing the operating system. And the Baseline Security Analyzer offers a fast way to scan your server and ensure that everything is up to date and secured.
Many of these tools now ship with IIS 6 and Windows Server 2003, which also includes IIS installed in a totally locked-down default configuration. With just a bit of education and effort, IIS 5 on Windows 2000 (and even IIS 4 on Windows NT 4.0) can be transformed from a liability into a secure and reliable Web serving platform.