
Securing your IIS 4.0 server

By now, you probably know that IIS and Windows NT are popular hacker targets. What can you do to increase security on your IIS server? In this Daily Drill Down, Troy Thompson gives you a few suggestions.


Do you use Internet Information Server 4.0 on your Windows NT Server? As you’re probably aware, IIS 4.0 is a very popular target for hackers. There are several things to consider, including physical security and software security. From installing patches to making registry changes, you can take many steps to shore up your IIS server. In this Daily Drill Down, we’ll look at Microsoft’s Internet Information Server (IIS) and discuss some things you can do to secure it.

Gathering server information
If you don’t already have a detailed description of your Internet server, write one first. Simply get a binder and write down the information that is pertinent to your server, using the following items as a guideline:
  • Model number
  • Serial number
  • Cost
  • Manufacturer
  • Date received
  • System option
  • Date set up
  • Problem/solution

This information will also help you plan for life-cycle replacement, aid with insurance claims, help you determine the total cost of ADP, and ensure that your equipment isn’t walking away. Any time you install a hot fix, service pack, etc., you need to document it in this binder. It will serve as a history of the work that has been performed on the server. You should document all problems thoroughly, including Event Viewer ID numbers, along with the solution to each problem, in case it reoccurs in the future.

Establishing a security policy
You should have a security policy in place and be familiar with it. A good security policy will describe physical, operational, or other factors external to the system that affect its security. It should address threats and vulnerabilities to your system and the countermeasures needed to overcome them. The IIS4 Resource Kit has a very helpful chapter devoted to security.

Saving and restoring the registry
Since this Daily Drill Down discusses making changes in the registry, it is also prudent to discuss saving and restoring the registry. To save a registry subtree as a text file, first start the Registry Editor. Select the key that you want to save as a text file. On the Registry menu, choose Save Subtree As. Complete the Save As dialog box and then click Save. This will save the contents of a registry key as a text file, which includes all of the key’s descendent keys and all of the value entries assigned to its descendent keys.

If you need to restore a registry key, select the predefined key in which you want to restore the hive. On the Registry menu, choose Restore. When the Restore Key dialog box appears, in the Look In field select the drive, folder, or network computer and folder on which the hive is located. Next, select the correct filename for the hive and click Open. A restored hive overwrites an existing registry key and becomes a permanent part of your configuration.

Applying Hot Fixes and Service Packs
Microsoft works constantly to fix problems that crop up in its programs. You should make sure that you keep up-to-date on all the Service Packs and Hot Fixes available for IIS. Also make sure that you keep your NT Server up-to-date.

Basic Windows NT 4.0 security settings
Because IIS runs on top of Windows NT, you need to perform some basic steps to increase NT’s security. If NT isn’t secure, IIS isn’t secure. Some Windows NT settings that you want to check include:
  • Format Hard Disk(s) As NTFS. NTFS provides extra security features; a drive formatted as FAT16 has no file-level security at all. If your drive is currently formatted as FAT, you can use the Convert.exe utility to convert it to NTFS.
  • Set Permissions. When your drive is formatted as NTFS, you should set the Access Control List (ACL) permissions for the folders for added security.
  • Turn Off 8.3 Name Generation. NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications, which is not a good thing for IIS. Sixteen-bit applications should not be used on a secure Web server, so it is best to turn this name generation off using the Registry Editor. Your server’s performance will also benefit. Open the Registry Editor (Start | Run | Regedt32). Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem and change the NtfsDisable8dot3NameCreation value to 1.
  • Install IIS On A Member Server. By installing IIS on a member server, you will minimize any possible exposure of domain user accounts.
  • Remove All Net Shares. From the command prompt, type Net Share to display all shares. You should delete all shares using the Net Share /d syntax. To prevent administrative shares such as C$, D$, and ADMIN$, you have to edit the registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and change the setting for AutoShareServer to 0.
  • Hide Last Logon Name. Hide the last logon user name by modifying the registry. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the DontDisplayLastUserName value to 1.
  • Display A Legal Notice. To display a banner that states the purpose of the computer use and requires the user to acknowledge it before continuing, do the following: In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the LegalNoticeCaption to the text you want to specify.
  • Password Length. It’s a good idea to make passwords at least eight characters long, containing at least one capital letter and a minimum of two numbers.
  • Remove Shutdown. You should remove the Shutdown button from the Logon dialog box. To do this, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the registry and change the ShutdownWithoutLogon value to 0.
  • Rename The Administrator Account. It’s a good practice to rename the administrator account to a name that does not draw attention. You can create a new Administrator account that will have no access or privileges to the network. This adds an extra step for a would-be hacker to get into your system. You should monitor the new Administrator account to see if there are unauthorized attempts to access it.
  • Restrict Anonymous Network Access. Allow only those who authenticate on your network to have access to it. You can lock down the Anonymous Access by editing the registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1. If you need anonymous access enabled on your site, remember that when someone accesses your site anonymously, the user is in the context of a Windows NT account called IUSR_machinename. You can also limit the access that this account has to objects using NTFS permissions.
  • Remove The Everyone Access. You should change the Access The Computer From The Network right in User Manager For Domains from Everyone to Authenticated Users. This will prevent those who do not have a valid account in the domain or on the local computer from accessing shares on the server.
  • Disable IP Routing. When routing is enabled, there’s a risk that data may pass between your intranet and the Internet. From the TCP/IP Properties sheet in the Network applet, choose Routing and clear the Enable IP Forwarding check box.
  • Critical Files. Most critical files are placed in the systemroot directory. These files can have access permissions added to them so that only administrators have rights to them. You can go a step further and actually move these files to a separate directory. Some of the files you may consider tightening control over are:
      • Arp.exe
      • At.exe
      • Cacls.exe
      • Cmd.exe
      • Debug.exe
      • Ipconfig.exe
      • Nbtstat.exe
      • Net.exe
      • Netstat.exe
      • Nslookup.exe
      • Ping.exe
      • Rdisk.exe
      • Regedit.exe
      • Regedt32.exe
  • Synchronize Server Times. In order to investigate security breaches or intrusion, the times on the servers should be synchronized. This will ensure that events that are written to log files are easy to compare. You can use the Net Time command to do this.

Internet Information Server 4.0 settings
Once you have secured your Windows NT Server, you need to look at securing the specifics of IIS. There are many different settings you can modify to increase IIS security. You can check:
  • Internet services
  • Setting permissions
  • Authentication
  • Logging
  • RDS support
  • Parent paths
  • Command shell

Let’s look at each of these in detail.

Internet services
You need to minimize the number of services that run on your IIS. Each service that is running can have a vulnerability that would allow someone to exploit it. All unneeded services should be disabled or stopped and set to manual. IIS requires the following services in order to run:
  • Event Log
  • IIS Admin Service
  • License Logging Service
  • MSDTC
  • Protected Storage
  • Remote Procedure Call (RPC) Service
  • Windows NT Server or Windows NT Workstation
  • Windows NTLM Security Support Provider
  • World Wide Web Publishing Service

Setting permissions
Setting access control lists (ACLs) on the IIS server is essential. In many instances the Everyone group gets Full Control over newly created files and folders. It is a good idea to remove the Full Control permission and assign Read instead, which should prevent anyone with malicious intent from deleting files or folders. The Administrators group and the System account should have Full Control.

Authentication
Authentication allows you to determine who has and who should not have access to your site. There are several authentication methods that can be used with IIS. It is important that you make your authentication strong enough to prevent unauthorized use but not so strong as to make it a barrier to information for those who need it. The authentication methods are outlined below:
  • Anonymous: Allows anyone to view the content on your site.
  • Basic: This type of authentication requires a user ID and password. It is not very secure, however, because the ID and password are sent effectively in clear text (only base64-encoded, which anyone can decode). This method is appropriate for some applications and is probably the most widely used authentication method.
  • NTLM: This method of authentication is also known as NT Challenge/Response. It is the most secure of the three basic authentication methods supported by IIS. Only Internet Explorer clients support NTLM, however.
  • NTFS: Although this is not a form of authentication, it does allow you to specify permissions at the file level, based on user or NT group.

Anonymous, Basic, and NTLM can all be set through the same IIS dialog box using the Microsoft Management Console (MMC).

Logging
Enabling logging on your IIS is essential if you want to see whether your server is being attacked. There are three different formats: IIS log format, the National Center for Supercomputing Applications (NCSA) common format, and W3C Extended Logging. To enable logging, open the IIS in the MMC. Right-click the site and choose Properties | Web Site | Enable Logging. You’ll see the screen shown in Figure A.

Figure A
You can enable logging on your IIS server.


You will then have to set the following properties:
  • Client IP Address
  • User Name
  • Method
  • URI Stem
  • HTTP Status
  • User Agent
  • Server IP Address
  • Server Port

In addition to the IIS logging information, you can also rely on your Windows NT logs. They can supply you with information such as access violations, low disk space, errors with hardware or services, etc. Depending on the events that you audit, your log files can contain a wealth of knowledge.

Be careful not to audit everything, or you may be overwhelmed with needless information. The information in the IIS log will be more comprehensive with regard to the IIS function than the Windows NT logs, but you should use both.
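As an added example (not part of the original article), the following script parses IIS W3C Extended log lines carrying the fields listed above and pulls out two things worth watching: clients piling up 401 authentication failures, and requests whose URI stem contains “..”, which the Parent paths section below tells you to disable. The log lines are constructed sample data using documentation address ranges, not a real server log.

```python
# Added example (not from the article): triage IIS W3C Extended log lines for
# repeated authentication failures and parent-path ("..") use.
from collections import Counter

# Constructed sample log in W3C Extended format (IIS encodes spaces inside a
# field, e.g. in the User-Agent, as '+', so a plain split() is safe).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-06-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status cs(User-Agent)
1999-06-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /default.htm 200 Mozilla/4.0
1999-06-01 00:00:02 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 Mozilla/4.0
1999-06-01 00:00:05 203.0.113.7 - 198.51.100.5 80 GET /admin/ 401 Mozilla/4.0
1999-06-01 00:00:06 203.0.113.7 admin 198.51.100.5 80 GET /admin/ 401 Mozilla/4.0
1999-06-01 00:00:07 203.0.113.7 admin 198.51.100.5 80 GET /admin/ 401 Mozilla/4.0
1999-06-01 00:00:09 203.0.113.7 - 198.51.100.5 80 GET /pages/../private.htm 404 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names on the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive may repeat when the log rolls over
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def triage(text, auth_fail_threshold=3):
    """Return (clients with >= threshold 401 responses, entries whose URI stem has '..')."""
    failures = Counter()
    parent_paths = []
    for entry in parse_w3c(text):
        if entry["sc-status"] == "401":
            failures[entry["c-ip"]] += 1
        if ".." in entry["cs-uri-stem"]:
            parent_paths.append(entry)
    noisy = {ip: n for ip, n in failures.items() if n >= auth_fail_threshold}
    return noisy, parent_paths
```

Point `triage()` at the contents of a real W3SVC log file and lower the threshold to taste; the per-client 401 count is what distinguishes a mistyped password from someone working through a password list.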

RDS support
Remote Data Services (RDS) is part of the Data Access Components installed by default with Windows NT 4.0 Option Pack and IIS 4.0. RDS allows Web clients to issue client-based SQL queries to OLE DB data sources hosted on the Web server. A malicious user may be able to gain access to ODBC data when connecting to your IIS with Microsoft Remote Data Services installed. Because the RDS Datafactory allows data access requests by default, it can be exploited to allow unauthorized Internet clients to access OLE DB datasources available to the server.

The Remote Data Services can open your system up to attacks, so it’s important that it be configured properly. You can restrict its access or remove it completely.

You can remove RDS functionality by editing the registry (Start | Run | Regedt32) on the IIS. When editing the registry, it’s vital that you make only the changes necessary. Additional changes or deletions can yield unexpected results. Also, as mentioned earlier, you should make a backup of the registry before making any changes. Remove the following registry keys and any subkeys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

If you do not want to remove the RDS functionality, you can tighten security by removing all nonessential ODBC drivers, especially the Microsoft Text Driver. You should also apply NTFS permissions to restrict access to only those you trust.

Script mappings
By default, IIS supports common filename extensions, such as .htm, .shtm, and .asp. If you do not support a particular extension, you should remove the mappings for it through the Internet Service Manager. Right-click your Web server and choose Properties | Master Properties | WWW Service | Edit | Home Directory | Application Configuration. When you do, you’ll see the screen shown in Figure B.

Figure B
You can control application extensions here.


Parent paths
You should disable parent paths because they allow the use of “..” in calls to MapPath. This option is enabled by default. To disable it, right-click the Web server and select Properties. Go to Home Directory | Configuration | App Options and uncheck Enable Parent Paths.

Command shell
The server-side include #exec directive can be used to run commands on your Web server from within an HTML page. It is disabled by default, but it is important to make sure that it has not been enabled.

To do this, you must inspect a registry entry. Open the Registry Editor (Start | Run | Regedt32) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters; make sure that SSIEnableCmdDirective is set to 0.
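The registry changes called for under Basic Windows NT 4.0 security settings, RDS support and Command shell are easy to lose track of, so here is an added audit script (example code, not part of the article) that checks each of those values and the three RDS launch keys against what the text asks for. `evaluate()` works on a plain dictionary snapshot so it can be run anywhere; `read_registry()` fills that snapshot on the server itself using Python’s standard winreg module, and SAMPLE_UNHARDENED is constructed data for trying it offline.

```python
# Added example (not from the article): audit the registry settings it recommends.
EXPECTED = [  # (HKLM subkey, value name, value the article asks for)
    (r"SYSTEM\CurrentControlSet\Control\FileSystem", "NtfsDisable8dot3NameCreation", 1),
    (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer", 0),
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DontDisplayLastUserName", 1),
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "ShutdownWithoutLogon", 0),
    (r"SYSTEM\CurrentControlSet\Control\LSA", "RestrictAnonymous", 1),
    (r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters", "SSIEnableCmdDirective", 0),
]
# RDS launch keys the article says to delete; one still present is a finding.
RDS_KEYS = [
    r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory",
    r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory",
    r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls",
]

def evaluate(snapshot):
    """Return findings for a snapshot {subkey: {value name: data}};
    a subkey absent from the snapshot means the key does not exist."""
    findings = []
    for key, name, want in EXPECTED:
        got = snapshot.get(key, {}).get(name)
        # NT 4.0 keeps some of these as REG_SZ ("1"), others as REG_DWORD (1): compare as text
        if got is None or str(got) != str(want):
            findings.append(f"{key}\\{name}: expected {want}, found {got}")
    for key in RDS_KEYS:
        if key in snapshot:
            findings.append(f"{key}: RDS launch key still present")
    return findings

def read_registry(keys):
    """Snapshot the given HKLM subkeys with winreg (Windows only); absent keys are skipped."""
    import winreg
    snap = {}
    for key in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                n = winreg.QueryInfoKey(h)[1]  # number of values under the key
                snap[key] = dict(winreg.EnumValue(h, i)[:2] for i in range(n))
        except FileNotFoundError:
            pass
    return snap

# Constructed snapshot of a server that has not been hardened yet (not real data).
SAMPLE_UNHARDENED = {
    r"SYSTEM\CurrentControlSet\Control\FileSystem": {"NtfsDisable8dot3NameCreation": 0},
    r"SYSTEM\CurrentControlSet\Control\LSA": {"RestrictAnonymous": 0},
    r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters": {"SSIEnableCmdDirective": 0},
    RDS_KEYS[0]: {},
}
```

On the server itself, `evaluate(read_registry({k for k, _, _ in EXPECTED} | set(RDS_KEYS)))` lists every setting that still differs from the article’s recommendation.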

Conclusion
Internet Information Servers have probably been exploited more than any other type of server due to the growth of the Web. It is essential that you secure your server, both physically and virtually, to prevent unauthorized access to your network. In this Daily Drill Down, I’ve shown you some things you can do to increase security on your IIS server.