Talking Shop: Analyzing the Microsoft Security Toolkit for IIS

Read about some of the critical security steps that should be taken when you're running IIS.

Microsoft recommends a series of steps to secure an Internet Information Services Web server and ensure that a machine is not vulnerable to attack. Previously, we looked at the Windows NT and Windows 2000 checklists that are part of the Microsoft Security Toolkit. The toolkit also includes a checklist for both IIS 4.0 and IIS 5.0 with specific recommendations for them.

Once an initial installation of a new Windows server or workstation running IIS is complete, or once you have assessed the current security situation of an existing system, you should look at these two checklists to see if some of the suggested actions could help you to prevent attacks. In the list below, I have highlighted some of the critical steps that should be taken.

What to do, what to do…
Here are some of the key elements of Microsoft’s IIS security suggestions:
  • Install the minimal set of IIS services. If you don’t need FTP right now, don’t install FTP. This is only one example, but it’s more important than it sounds. Every service running on a system, especially an Internet service, exposes that system in some way. Minimizing the number of services minimizes the number of ways the system can be breached.
  • Use strong authentication. Do not use clear text passwords except as a last resort. IIS has better options for handling authentication, depending on your network standards.
  • Set appropriate permissions based on file types. Only administrators should have full control over .asp files on production servers. Allowing everyone this privilege is an unnecessary security risk. This is an example of how permissions need to be enforced on IIS files.
  • Enable logging. Logging your site’s activity is the only way to get a history of possible attack data after the fact.
  • Remove sample applications and the IISADMPWD virtual directory. The sample Web applications that come with IIS should not be installed on a production machine. In addition, the IISADMPWD directory allows the resetting of Windows passwords and should not be enabled if your server is connected to the Internet.
  • Disable RDS support (IIS 4.0 only). Remote Data Services (RDS) should be disabled. The toolkit indicates that this is very important, so take heed.
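As an added example (not code from the article or from Microsoft's toolkit), the following Python reads IIS W3C extended log lines and flags requests into the IISADMPWD and sample-application areas that the checklist says to remove, which is the kind of review that enabling logging makes possible. It assumes those areas live at the conventional URL prefixes /iisadmpwd/ and /iissamples/, and the log text it scans is constructed, not captured from a server.

```python
"""Added example (not from the article or Microsoft's toolkit): scan IIS W3C extended
log lines for requests into areas the checklist says to remove. Assumes the conventional
URL prefixes for IISADMPWD and the IIS samples; the log text below is constructed."""
from urllib.parse import unquote

SUSPECT_PREFIXES = ("/iisadmpwd/", "/iissamples/")   # assumed virtual-directory names

# Constructed sample in the W3C extended format IIS writes when logging is enabled.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-01 00:00:01 10.0.0.5 GET /default.htm - 200
2002-03-01 00:00:07 192.0.2.10 GET /IISADMPWD/ - 404
2002-03-01 00:00:09 192.0.2.10 GET /IISSAMPLES/%64efault/welcome.htm - 200
2002-03-01 00:00:12 192.0.2.10 POST /iisadmpwd/default.htm - 200
2002-03-01 00:00:20 10.0.0.5 GET /products/list.asp id=7 200
"""

def parse_w3c(text):
    """Yield one dict per request line; field names come from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        elif fields is None:
            raise ValueError("request line seen before a #Fields: directive")
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError("field count does not match #Fields: %r" % line)
            yield dict(zip(fields, values))

def flag_removed_areas(text, prefixes=SUSPECT_PREFIXES):
    """Return (client, status, uri) for each request into an area that should be gone."""
    hits = []
    for rec in parse_w3c(text):
        # Decode and lower-case first so encoding or case tricks do not dodge the match.
        stem = unquote(rec["cs-uri-stem"]).lower()
        if stem.startswith(tuple(prefixes)):
            hits.append((rec["c-ip"], rec["sc-status"], rec["cs-uri-stem"]))
    return hits

def still_reachable(hits):
    """Hits answered 2xx: the area is still present, so the checklist step was missed."""
    return [h for h in hits if h[1].startswith("2")]

if __name__ == "__main__":
    print(*flag_removed_areas(SAMPLE_LOG), sep="\n")
```

A 404 on one of these paths shows someone probed for it; a 2xx shows the directory is still there and the removal step has not been done.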

Locking down IIS
Once you have followed the suggestions in the IIS checklist, the next step is to run the IIS Lockdown Wizard. This tool allows you to specify exactly which technologies the IIS server will support. In addition, the Lockdown Wizard allows you to install URLScan, which scans incoming URLs to reduce the number of potential attacks. For details on using this tool, see "Secure your Windows Web servers with the IIS Lockdown Tool."

You can either download the Lockdown Wizard from Microsoft’s site and run it, or run it from the Windows NT or Windows 2000 installation section of the Security Toolkit, following the instructions in the documentation.

When you run the installer for the Lockdown Wizard, you'll first see the standard Microsoft licensing information. Eventually, you'll get to a screen that asks you for a server template. Choose the role that most closely matches what the server does in your network infrastructure. The selection you make here determines what the wizard will leave open for access on the server. For example, if you are installing a server to act as an Outlook Web Access server, you should choose that role from the list. For demonstration purposes, I am going to install a Dynamic Web Server that will be locked down by the program (see Figure A).

Figure A
IIS Lockdown Wizard server template selection

Click Next, and you'll see a screen that tells you which services will be enabled based on the selection you made (Figure B). Next, the script mapping selection screen will tell you what types of scripts will be allowed to run on the server. For example, for the selection I made, Internet printing is not required, so it is disabled to prevent possible problems.

Figure B
Additional security options

This wizard will also disable access to some areas that are sometimes left open on a server by mistake, such as the IIS samples area. In addition, you can disallow access to system utilities by anonymous users and lock down other areas of IIS with this utility.

The final screen gives you the option of installing URLScan, which can be used to screen incoming requests and reject certain ones based on a rule set that you can modify and customize.

While the utility installs, you will notice that it performs a variety of tasks, including disabling services that are not required and setting restrictive permissions on certain directories.

Imagine compiling all of this information by hand and then applying each change yourself. Before this tool became available, that was the only option. I would highly recommend using this tool on your systems.

Final word
Once you've implemented the checklists and used these two IIS tools to help lock down your Web server, keeping your IIS servers secure depends on keeping them up to date with the latest patches. You can accomplish this by using the Network Security Hotfix Checker, Windows Update, and the Microsoft Security Bulletins. This will keep you busy, but it is critical for keeping your IIS servers safe.

How will these recommendations help your IIS security?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.
