By Mike Mullins
The most common point of unauthorized entry into any network is an external Web server. To prevent malicious activity, this machine requires special installation procedures. Public Web servers are definitely single-use machines—do not install any other service, application software, or development tools.
Web server security begins with the installation. Let's look at how you can secure a Microsoft Internet Information Services (IIS) Web server from the beginning.
Start securing at installation
Never upgrade a Web server from a previous operating system version—always do a clean install. It's easier and safer to set the appropriate directory access control lists (ACLs) than it is to fix a previous poorly defined root security structure.
Don't make the Web server a member of your domain structure, and make sure the administrative account name and password differ from those on all other servers under your control. After a fresh installation of the OS, install all patches and security fixes before installing Web services.
Immediately after installing Web services, disable the Web services, and apply all patches and security fixes required for the new service. Partition the IIS server so the content of each service (WWW, FTP, etc.) is located on a separate partition or disk. This prevents attempts to traverse up the directory tree beyond the published content root.
Lock down services
You can disable the following services for most IIS installations:
In addition, remove all of the sample directories and sample scripts:
After disabling all unnecessary services and removing the default samples, you can start securing your directories and user permissions.
By default, IIS installation creates the IUSR_computername account. Under the security settings for this account, select the User Cannot Change Password and Password Never Expires options.
This account should be a local account, and it only requires the right to log on locally. Remove all other user rights from this account.
After securing the IUSR_computername account, create two new groups for use with IIS: a WebAdmins group (to define admins who will administer content) and a WebUsers group (the primary group for the IUSR_computername account).
By default, the IUSR_computername account is a member of the Guests, Everyone, Users, and Authenticated Users groups. Remove this account from the Guests group, and add it to the WebUsers group. You'll use these groups for setting NTFS permissions.
Now that you've defined your users and groups, modify the directory permissions on your \InetPub\wwwroot\ directory by removing all default permissions and granting the WebAdmins group Full Control and the WebUsers group Read Permissions. If you run any scripts or executables with your Web site, modify those directories to allow the WebUsers group Execute Permissions as well.
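The account, group, and NTFS steps above can be scripted so they are applied the same way on every build and the resulting ACL can be checked afterward. This is an added example, not part of the original article. It assumes Windows PowerShell 5.1 or later in an elevated session, that the IUSR_computername account already exists, and that the content root lives on drive D:; the drive letter and the scripts directory are hypothetical.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ in an elevated session.
$Computer    = $env:COMPUTERNAME
$IisAccount  = "IUSR_$Computer"                  # anonymous account named in the article
$ContentRoot = 'D:\InetPub\wwwroot'              # assumed drive letter (separate content partition)
$ScriptDirs  = @('D:\InetPub\wwwroot\scripts')   # hypothetical directory holding scripts

# Account options from the article: cannot change password, password never expires.
Set-LocalUser -Name $IisAccount -UserMayChangePassword $false -PasswordNeverExpires $true

# Create the two groups if they are missing.
foreach ($group in 'WebAdmins', 'WebUsers') {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description 'IIS content access' | Out-Null
    }
}

# Move the anonymous account out of Guests and into WebUsers.
if (Get-LocalGroupMember -Group 'Guests' -Member $IisAccount -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Guests' -Member $IisAccount
}
if (-not (Get-LocalGroupMember -Group 'WebUsers' -Member $IisAccount -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'WebUsers' -Member $IisAccount
}

function Set-WebContentAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $WebUserRights
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; discard inherited entries
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }  # drop explicit entries
    $grants = @{ "$Computer\WebAdmins" = 'FullControl'; "$Computer\WebUsers" = $WebUserRights }
    foreach ($identity in $grants.Keys) {
        $ruleArgs = $identity, $grants[$identity], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the ACL as written to disk so the result can be reviewed.
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-WebContentAcl -Path $ContentRoot -WebUserRights Read
foreach ($dir in $ScriptDirs) { Set-WebContentAcl -Path $dir -WebUserRights ReadAndExecute }
```

The output of each call should list only WebAdmins and WebUsers, with IsInherited false; any other entry means a default permission survived.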
This is just the beginning of a secure IIS server installation. Depending on the type and complexity of content, you may need to implement additional security steps.
While security isn't typically free, the National Security Agency offers an excellent in-depth installation guide for IIS. Check out the Security Recommendation Guides.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.