Unfortunately I did not get to play this little game, but I'm throwing in my guidelines for securing IIS, which are a blend of my own personal mixture.

First and foremost, no app is secured unless the base OS is secured. For security reasons I have removed specific information regarding my installs, but these are the guidelines that should be used for a successful, secure IIS server.

A. Install 2K
   1. Root partition = 6 gigs (6144 megs)
   2. Windows Components *ONLY*
      (Deselect everything not on this list!)
      a. Accessories
         1. Calculator
         2. Notepad
         3. Paint
      b. IIS
         1. Common
         2. IIS snap-in
         3. WWW server

B. Install Recovery Console
   1. cmd prompt / cd D: / winnt32 /cmdcon

C. Set the root drive permissions to:
   1. Local Admins and Local System = Full
   2. Remove Everyone
   3. Create a SysState folder on C:

D. Install SP3 or SP4 depending on your current arch
   1. Do not back up archive
   2. Remove Automatic Update from Start Menu
   3. In Control Panel / Automatic Update, uncheck "Keep computer up to date"
   4. Services: stop, then disable:
      a. Automatic Updates
      b. Background Intelligent Transfer
      c. Messenger service
   5. Use srvinstw.exe to remove the above services
   6. Change startup time from 30 to 5 seconds

E. In Disk Management, create an extended partition
   1. Use all available space
   2. Set root drive permissions similar to part C
   3. Create a folder called Logs
   4. Tools / Options / View
      a. Show hidden files
      b. Show protected system files
      c. Uncheck "Hide file extensions"

Now on to IIS
IIS Set-up and Security
1. Stop all web services through Service Manager
2. In IIS Manager, Default Web Site
   a. Stop site and delete all of the virtual roots
   b. Delete c:\inetpub

3. Create a new guest account with a random name and a 21-character random strong password.
   a. Set a different 21-character password on the Guest account.

4. Install and configure URLScan using the deny everything/allow selected mindset. Change the banner to something like "aOldServerV0.1a".

5. Edit master site Properties
   a. Logging
      1. Hourly
      2. Use local time
      3. Log file directory = e:\logs\
         a. *Each site gets its own log file directory
      4. Extended Properties: check everything unless you are using a WebTrends-style reporting tool; then view its documentation for items not to log.

   b. Application Mappings
      1. Home directory / Configuration: delete all except
         a. .asp
         b. .cer
         c. .cdx
         d. .asa

      2. Check Read access

   c. Documents
      1. Set your default doc

   d. Performance
      1. Edit this for your site

   e. Home directory
      1. Execute permissions = scripts only

   f. Set the anonymous account to the guest account you created above. Do not use the IUSR account. Go back and delete the IUSR account from the local machine. You must leave the IWAM account intact; do not change its password.

MISC----

1. After IIS is installed, run the MBSA (Microsoft Baseline Security Analyzer) and install your hotfixes.

2. If this is to be only a web server with no domain membership, uninstall File and Print Sharing from the interface. Uncheck Client for MS Networks (do not uninstall).

   a. In Advanced / WINS, disable NetBIOS over TCP/IP

3. Set c:\winnt\system32 files to Administrators and System full control
   1. cmd
   2. command

4. Create IP Security Filter, only allow HTTP 80.
   1. Disable IPsec exemptions
      a. HKLM\System\CurrentControlSet\Services\Ipsec
         Add key: NoDefaultExempt
         Type: DWORD
         Value: 1

5. Rename the Administrator account, set it to a strong 14-character password.
   a. Copy description and paste it to Guest description

   b. Rename Guest to Administrator

   c. Delete the following local accounts
      1. Local TS user
      2. IUSR

6. Set the Local Security Policy
   A. User rights
      1. Log on locally
         a. IWAM
         b. Admins
         c. Users

      2. Log on as batch job
         a. IWAM

   B. Remove orphaned SIDs from the policy

7. Make an ERD and system backup, save it to c:\sysstate
------------------
There is a lot more that can be configured (and is configured on my deployments of IIS), but using this basic template as a foundation, your IIS implementation will be extremely well secured.
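An added audit script (not part of the post above) that re-checks several of the checklist items from the host side: the NoDefaultExempt IPsec value, the three services from step D, the IUSR/Guest/Administrator account state from MISC step 5, and the Everyone ACE on the root drive from part C. It assumes a modern Windows host with the LocalAccounts module and the service names wuauserv, BITS and Messenger; the original checklist targets Windows 2000, where the IUSR account is named IUSR_<computername>.

```powershell
# Added checklist audit (assumed environment: PowerShell 5+, LocalAccounts module).
# Reports every item that does not match the hardening post; prints nothing bad if all pass.
$findings = @()

# MISC 4.1: IPsec default exemptions disabled (NoDefaultExempt = 1)
$ipsecKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$val = (Get-ItemProperty -Path $ipsecKey -Name NoDefaultExempt -ErrorAction SilentlyContinue).NoDefaultExempt
if ($val -ne 1) { $findings += "NoDefaultExempt is '$val' under $ipsecKey, expected 1" }

# D.4: Automatic Updates, BITS and Messenger must be stopped and disabled
# (a service that is gone entirely, as after srvinstw.exe, is also acceptable)
foreach ($name in 'wuauserv', 'BITS', 'Messenger') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
        $findings += "Service $name is $($svc.Status)/$($svc.StartType), expected Stopped/Disabled"
    }
}

# MISC 5: no IUSR_* local account, built-in Administrator (RID 500) renamed,
# and the account now called Administrator is the renamed Guest (RID 501)
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    if ($u.Name -like 'IUSR_*') { $findings += "Local account $($u.Name) still exists" }
    if ($rid -eq '500' -and $u.Name -eq 'Administrator') { $findings += 'Built-in Administrator (RID 500) has not been renamed' }
    if ($rid -eq '501' -and $u.Name -ne 'Administrator') { $findings += "Guest (RID 501) is named $($u.Name), not Administrator" }
}

# C.2: the root drive must not carry an ACE for Everyone
$acl = Get-Acl -Path "$env:SystemDrive\"
$everyone = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
if ($everyone) { $findings += "Everyone still has an ACE on $env:SystemDrive\" }

if ($findings.Count -eq 0) { 'All checked items match the checklist.' } else { $findings }
```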
secure webserver
apotheon 15th Dec 2004
1. Format C:
2. Insert Linux install CD
3. Install Linux with Apache web server

/joke
Sweet
blarman 16th Dec 2004
Very nice.
... if you HAVE to use Windows, then stop and disable IIS in Services and install Apache Win32.

Not my preferred option, but Apache is acknowledged as more secure than IIS. Especially on Linux, but I'm working in a Windows environment at the moment.

Excellent documentation and support for it too!