By Chris Prosise and Saumil Udayan Shah
Most successful software works right out of the box, but default installations include more functionality than is usually needed. On a server, the default is fine if your only goal is to have computers share information, but it's not so good for sharing that information securely. Finding that fine line between functionality and security is difficult. It requires trial-and-error testing, and each situation becomes unique. Over time, system administrators develop their own best practices and security checklists to meet their needs.
In this column, we’ll discuss how to lock down Microsoft Internet Information Server (IIS) by applying security templates. We'll also look at some tools found in the Windows 2000 Resource Kit for managing and applying security templates.
Microsoft includes a handy but seldom-used feature that simplifies the configuring of IIS. Microsoft's Security Analysis and Configuration Tool lets administrators create security policy, then automatically both audit the Web server against that policy and implement that policy on the Web server.
The Security Analysis and Configuration Tool uses security templates as its core component. Security templates are detailed configuration guidelines stored in a file. The templates cover a wide variety of security-related configuration parameters—everything from account policies to registry settings. Security templates are viewed and configured using the Security Templates Viewer. The viewer is available from the Windows 2000 Resource Kit (it is a Microsoft Management Console [MMC] snap-in) and can be called by typing sectemplates.msc from the command line or by going to the Start menu and selecting Run. You'll find a list of the security templates available in the Security Templates Viewer.
From this Viewer, you can modify existing templates and create new ones. Two existing templates available from Microsoft are the SecureInternetWebserver.inf and SecureIntranetWebserver.inf. As their names imply, these templates are generic starting points for Internet and intranet Web servers. These templates come with the Windows 2000 Resource Kit and are installed in the Program Files\Resource Kit directory. Copy the files into the WINNT\Security\Templates directory to view them with the Security Templates Viewer. Using the Security Templates Viewer, individual policies can be viewed and modified within the template. Double-click any policy area to reach the most granular setting level, such as the duration for account lockouts. You can modify a setting by right-clicking it.
One of the better resources for IIS security is this checklist, which is available from Microsoft. It covers operating system and application security for IIS and contains excellent guidelines to help administrators figure out the best security policy for their Web servers.
Audit the server
After adjusting or creating a security template that will meet your needs, you will want to audit the Web server to determine whether the security policy is enforced. Microsoft's "Security Analysis and Configuration Tool" is used via the MMC. Go to the Start menu, click Run, then type MMC. The Security Analysis and Configuration Tool is not available by default; it must be loaded. From the Console menu, select Add/Remove Snap-In, then add the "Security Configuration and Analysis snap-in".
You will need to create a database by right-clicking the "Security Configuration and Analysis Tool" and following the instructions. Select a security template against which the existing configuration will be audited (in our case we used SecureInternetWebserver.inf). Just right-click "Security Configuration and Analysis" and select Analyze Computer Now. You can choose a text log file for the results.
In our case, we audited a default IIS 5 installation against the recommended settings for an Internet Web server. The results were surprising, with hundreds of "Mismatch" and "Not Configured" findings on the default install. A sample of our log file is shown below:
——Analysis engine is initialized successfully.——
——Reading Configuration info...
——Analyze User Rights...
Mismatch - SeNetworkLogonRight.
Mismatch - SeMachineAccountPrivilege.
Mismatch - SeBackupPrivilege.
Mismatch - SeChangeNotifyPrivilege.
Mismatch - SeSystemtimePrivilege.
Not Configured - SeCreatePagefilePrivilege.
Not Configured - SeCreateTokenPrivilege.
Not Configured - SeCreatePermanentPrivilege.
Mismatch - SeRemoteShutdownPrivilege.
Not Configured - SeAuditPrivilege.
Not Configured - SeLockMemoryPrivilege.
To automatically configure the Web server to match the desired policy settings, simply right-click "Security Configuration and Analysis" and choose Configure Computer Now. The results of the configuration changes are reported in the log file.
We can't stress the importance of using test servers enough. As is true with any configuration changes, do not apply these changes to an operational system without testing them first. Changes to the system configuration may impair normal functionality, so test the desired configuration on a noncritical system first.
Internet Information Server, like many complex applications, requires careful administration to operate in a secure manner. The security templates and associated "Security Configuration and Analysis Tool" are great resources for simplifying the administration process. We hope this column has provided some insight on how to use these tools. In our next column, we'll cover operating system level controls for restricting access to your Web servers. Do you use security templates? Do you have your own custom templates for Web servers? Let us know at email@example.com.
Chris Prosise is the vice president of professional services at Foundstone, a network security firm specializing in consulting and training. Formerly a U.S. Air Force officer and a Big 5 consultant, Chris is the coauthor of Incident Response: Investigating Computer Crime and is an adjunct professor at Carnegie Mellon University. Chris holds a B.S. in electrical engineering from Duke University and is a Certified Information Systems Security Professional (CISSP).
Saumil Udayan Shah, principal consultant for Foundstone, provides information security consulting services to Foundstone clients. Shah specializes in ethical hacking and security architecture. He holds an M.S. in computer science from Purdue University and is a Certified Information Systems Security Professional (CISSP).