
If your organization has a company Web server
that serves anonymous requests to either the Internet or your
intranet, then you essentially have a target. And it’s only a
matter of time before some black hat hits it.

Microsoft Internet Information Services (IIS)
Web server is a popular server on a popular platform, and it has
many published vulnerabilities. These servers are valuable targets,
and organizations spend a lot of admin time and a lot of company
money hardening, detecting, and protecting these assets from black
hats and script kiddies.

However, it’s not necessary to spend thousands
of dollars on intrusion detection for these types of machines.
Attacks on these public servers use a variety of exploits, but
most of them end the same way: by getting the Web server to run
one of a small handful of programs that ship with Windows. If you
know which programs those are, you can block the anonymous Web
account from running them and log every attempt.

The programs

The most common IIS exploits culminate in running
one of the following programs. These are the built-in tools that
intruders generally need in order to do their mischief once they
have found a way to execute commands on the server.

  • Ftp.exe: This is the command-line FTP
    client that ships with every Windows platform. Once an intruder
    can run commands on the server, this is the usual way to pull
    a toolkit onto it from a machine the intruder controls.
  • Tftp.exe: This is the Trivial FTP client.
    TFTP is a separate, UDP-based protocol with no authentication,
    which is why worms and intruders favor it for fetching files
    onto a compromised server.
  • Ping.exe: Ordinarily a diagnostic tool, but a
    compromised server can be told to flood another host with ICMP
    echo requests, which makes it a participant in a distributed
    denial of service (DDoS) attack against another network.
  • Cmd.exe: This is the Windows command
    interpreter. Getting cmd.exe to run with a Web request’s input
    and output is the goal of most IIS exploits, because it gives the
    intruder a remote shell for administering the server.
  • Net.exe: Intruders use this program
    to start and stop services, create unauthorized users and groups,
    and map or enumerate shares on other machines on the network.

Now, let’s look at how you can stop intruders
from accessing these programs as well as log their attempts.

The protection

The first step is to search your hard drive for
these files. (You’ll find multiple copies of each one, for example
in System32, in the dllcache folder, and under any service pack
folders.) Then, for each copy, follow these steps:

  1. Right-click the file, and select
    Properties.
  2. On the Security tab, click Add to add a user
    or group.
  3. Click Advanced, and click Find Now.
  4. Locate the Internet Guest account
    (IUSR_MachineName), and click OK twice.
  5. Deny Full Control for this account. A Deny entry
    is evaluated before any Allow entry, so it wins even though the
    account also gets Read & Execute through Users or Everyone.
  6. Click Advanced.
  7. On the Auditing tab, select the same user (or
    type it in), and click OK.
  8. Select Full Control for Success and
    Failure.
  9. Click OK three times.

Repeat these actions for every instance of each
program. (On IIS 7 and later, the anonymous account is the built-in
IUSR account and the worker process runs as the application pool
identity, so apply the same Deny and audit entries to those
accounts instead.)

There is one exception. In a buffer overflow
attack against the Web service itself, the injected code runs
inside the service process, which on these servers runs as the
local System account. It is therefore System, not the Internet
Guest account, that launches Cmd.exe, and the Deny entry for IUSR
never comes into play. So you’ll also need to add an audit entry
for the System account on each copy of Cmd.exe to complete your
detection scheme. (Don’t deny System access to these files; the
operating system needs them.)
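As an added example (not from the original article), the following PowerShell script performs steps 1 through 9 for every copy of the five programs on the system drive and also adds the System audit entry described above. It assumes the classic IUSR_MachineName local account; the account names, search root, and the list of programs are parameters you should adjust for your server.

```powershell
# Added example, not part of the original article.
# Assumptions: the anonymous IIS account is the classic local IUSR_<MachineName>
# (IIS 5/6). On IIS 7 and later, set $AnonAccount to 'IUSR' and add the application
# pool identity (for example 'IIS APPPOOL\DefaultAppPool') to the list instead.
# Run from an elevated PowerShell prompt on the Web server. On Vista/2008 and later
# the system binaries are owned by TrustedInstaller, so take ownership first
# (takeown /f <file>) or Set-Acl will be refused.

$Programs      = 'ftp.exe', 'tftp.exe', 'ping.exe', 'cmd.exe', 'net.exe'
$AnonAccount   = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # assumption: IIS 5/6 anonymous account
$AuditAccounts = $AnonAccount, 'NT AUTHORITY\SYSTEM'          # SYSTEM covers the buffer-overflow case

$bothFlags = [System.Security.AccessControl.AuditFlags]::Success -bor `
             [System.Security.AccessControl.AuditFlags]::Failure

# Step "search your hard drive": every copy of each program (System32, dllcache,
# service pack folders, WinSxS, ...). Get-ChildItem -File needs PowerShell 3 or later.
$targets = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include $Programs -File `
                         -ErrorAction SilentlyContinue

foreach ($file in $targets) {
    # -Audit reads the SACL as well as the DACL (needs SeSecurityPrivilege, i.e. elevation)
    $acl = Get-Acl -Path $file.FullName -Audit

    # Step 5: explicit Deny Full Control for the anonymous account. A Deny ACE is
    # evaluated before any Allow ACE, so it wins over Read & Execute from Users/Everyone.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AnonAccount,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)

    # Steps 7-8: audit Success and Failure for Full Control, for IUSR and for SYSTEM.
    foreach ($who in $AuditAccounts) {
        $audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $who,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $bothFlags)
        $acl.AddAuditRule($audit)
    }

    Set-Acl -Path $file.FullName -AclObject $acl
    Write-Host "Hardened $($file.FullName)"
}

# Verification: list the Deny entries and the audit entries now present on each copy.
foreach ($file in $targets) {
    $acl = Get-Acl -Path $file.FullName -Audit
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n='File';e={$file.FullName}}, IdentityReference, FileSystemRights
    $acl.Audit |
        Select-Object @{n='File';e={$file.FullName}}, IdentityReference, AuditFlags
}
```

If the account name in $AnonAccount does not exist on the machine, Set-Acl fails with an identity-not-mapped error rather than silently writing nothing, so a typo in the account name shows up on the first file. The audit entries only produce events once object-access auditing is enabled, which is covered in the next steps.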

If the Web server is a stand-alone server,
you’ll need to enable object auditing. Follow these steps:

  1. Go to Start
    | Programs | Administrative Tools | Local Security Policy.
  2. Navigate to Local Policies | Audit
    Policy.
  3. Double-click Audit Object Access, select the
    Success and Failure check boxes, and click OK.

If the Web server is part of a domain, a Domain
or OU Group Policy Object (GPO) that defines Audit Object Access
overrides the local setting, so you must enable object auditing
within the GPO that applies to the server rather than in Local
Security Policy.
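As an added example (not from the original article), this PowerShell snippet enables file-system object access auditing and then pulls the resulting Security log events for the five programs, so you can see which account touched which copy and from which process. It assumes Windows Server 2008 or later, where auditpol.exe is built in and file access is recorded as event IDs 4656 (handle requested, including denied attempts) and 4663 (object accessed); on Windows 2000/2003 the legacy equivalents are the Audit Object Access policy setting and event ID 560. The function name and the list of programs are this example's own.

```powershell
# Added example, not part of the original article.
# Assumes Windows Server 2008 / Vista or later (auditpol.exe, event IDs 4656/4663).
# Run elevated; reading the Security log requires administrative rights.

$Programs = 'ftp.exe', 'tftp.exe', 'ping.exe', 'cmd.exe', 'net.exe'

# 1. Enable success and failure auditing for file-system object access.
#    On a domain member the GPO linked to the server's OU overrides this, so set it
#    in the GPO instead; the local command then has no effect.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 2. Read 4656/4663 events from the last N hours and keep those whose object name is one
#    of the watched programs. Fields are taken from the event XML by name, which is more
#    robust than relying on positional Properties indexes that differ between the two IDs.
function Get-WatchedProgramAccess {
    param([int]$Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $leaf = [System.IO.Path]::GetFileName($data['ObjectName'])
        if ($leaf -and ($Programs -contains $leaf.ToLower())) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Program = $data['ObjectName']
                Access  = ($data['AccessList'] -replace '\s+', ' ').Trim()
                Caller  = $data['ProcessName']   # the process that opened the file
            }
        }
    }
}

# 3. A Failure for IUSR means the Deny entry did its job; a Success for SYSTEM on cmd.exe
#    with Caller = the Web service process (inetinfo.exe, w3wp.exe) is what a buffer
#    overflow attack looks like and deserves immediate attention.
Get-WatchedProgramAccess -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Denied access attempts appear as Audit Failure 4656 events, not as 4663, which is why both IDs are queried; a query for 4663 alone would show only the accesses that succeeded.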

Final thoughts

Intruders must be able to run programs on your
server to work their magic. By denying the anonymous Web account
access to these programs and logging every attempt, you can raise
the security level of your organization’s Web server and your
network at no cost to the company beyond a little administrator
time.