Do you use Internet Information Server (IIS) 4.0 on your Windows NT server? As you’re probably aware, IIS 4.0 is a popular target for hackers. There are several things to consider, including physical security and software security. From installing patches to making registry changes, you can take many steps to shore up your IIS server. In this Daily Drill Down, we’ll look at Microsoft’s IIS and discuss some things you can do to secure it.


Gathering server information
If you don’t already have a detailed description of your Internet server, you should do that first. Simply get a binder and write down the information that is pertinent to your server using the following items as a guideline:

  • Model number
  • Serial number
  • Cost
  • Manufacturer
  • Date received
  • System option
  • Date set up
  • Problem/solution

This information will also help you plan for life-cycle replacement, aid with insurance claims, make it easier to determine the total cost of ADP, and ensure that your equipment isn’t walking away. Any time you install a hot fix, service pack, and so on, you need to document it in this binder. Your notes will serve as a history of the work that’s been performed on the server. You should also document all problems thoroughly, including Event Viewer ID numbers, and describe the solution to each problem in case it recurs in the future.

Establishing a security policy
You should have a security policy in place and be familiar with it. A good security policy will describe physical, operational, or other factors external to the system that affect its security. It should address threats and vulnerabilities to your system and the countermeasures needed to overcome them. The IIS4 Resource Kit has a helpful chapter devoted to security.

Saving and restoring the registry
Since this Daily Drill Down discusses making changes in the registry, it is also prudent to discuss saving and restoring the registry. To save a registry subtree, first start the Registry Editor and select the key you want to save. On the Registry menu, choose Save Subtree As. Complete the Save As dialog box and then click Save. This will save the contents of a registry key as a text file, which includes all of the key’s descendent keys and all of the value entries assigned to them.

If you need to restore a registry key, select the predefined key in which you want to restore the hive. On the Registry menu, choose Restore to open the Restore Key dialog box. In the Look In field, select the drive, folder, or network computer and folder where the hive is located. Next, select the filename for the hive and click Open. A restored hive overwrites an existing registry key and becomes a permanent part of your configuration.

Applying Hot Fixes and Service Packs
Microsoft works constantly to fix problems that crop up in its programs. You should make sure that you stay current on all the Service Packs and Hot Fixes available for IIS. Also make sure that you keep your NT server up-to-date.

Basic Windows NT 4.0 security settings
Because IIS runs on top of Windows NT, you need to perform some basic steps to increase NT’s security. If NT isn’t secure, IIS isn’t secure. Some Windows NT settings that you want to check include:

  • Format Hard Disk(s) As NTFS. This setting provides extra security features. A drive that is formatted as FAT16 has no security. If your drive is currently formatted as FAT, you can use the Convert.exe utility to convert the drive to NTFS.
  • Set permissions. When your drive is formatted as NTFS, you should set the Access Control List (ACL) permissions for the folders for added security.
  • Turn off 8.3 name generation. NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications, which is not a good thing for IIS. Sixteen-bit applications should not be used on a secure Web server, so it is best to turn off this name generation using the Registry Editor. Your server’s performance will also benefit. Open the Registry Editor (Start | Run | Regedt32). Then, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem and change the NtfsDisable8dot3NameCreation value to 1.
  • Install IIS on a member server. By installing IIS on a member server, you will minimize any possible exposure of domain user accounts.
  • Remove all net shares. From the command prompt, type Net Share to display all shares. You should delete all shares using the Net Share /d syntax. To prevent administrative shares such as C$, D$, and ADMIN$, you have to edit the registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and change the setting for AutoShareServer to 0.
  • Hide last logon name. Hide the last logon username by modifying the registry. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the DontDisplayLastUserName value to 1.
  • Display a legal notice. To display a banner that states the purpose of the computer use and requires the user to acknowledge it before continuing, do the following: In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the LegalNoticeCaption to the text you want to specify.
  • Password length. It’s a good idea to make passwords at least eight characters long with at least one capital letter and a minimum of two numbers.
  • Remove Shutdown button. You should remove the Shutdown button from the Logon dialog box. To do this, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the registry and change the ShutdownWithoutLogon value to 0.
  • Rename the Administrator account. It’s a good practice to rename the Administrator account to a name that does not draw attention. You can create a new Administrator account that will have no access or privileges to the network. This adds an extra step for a would-be hacker to get into your system. You should monitor the new Administrator account to see if there are unauthorized attempts to access it.
  • Restrict anonymous network access. Allow only those who authenticate on your network to have access to it. You can lock down anonymous access by editing the registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1. If you need anonymous access enabled on your site, remember that when someone accesses your site anonymously, the user is in the context of a Windows NT account called IUSR_machinename. You can also limit the access that this account has to objects using NTFS permissions.
  • Remove the Everyone access. You should change the Access The Computer From The Network right in User Manager For Domains from Everyone to Authenticated Users. This will prevent those who do not have a valid account in the domain or on the local computer from accessing shares on the server.
  • Disable IP routing. When routing is enabled, there’s a risk that data may pass between your intranet and the Internet. From the TCP/IP Properties sheet in the Network applet, choose Routing and clear the Enable IP Forwarding check box.
  • Critical files. Most critical files are placed in the systemroot directory. These files can have access permissions added to them so that only administrators have rights to them. You can go a step further and actually move these files to a separate directory. Some of the files you may consider tightening control over are:
  • Synchronize server times. In order to investigate security breaches or intrusion, the times on the servers should be synchronized. This will ensure that events that are written to log files are easy to compare. You can use the Net Time command to do this.
Internet Information Server 4.0 settings
Once you’ve secured your Windows NT server, you need to look at securing the specifics of IIS. There are many settings you can modify to increase IIS security. You can check:

  • Internet services.
  • Setting permissions.
  • Authentication.
  • Logging.
  • RDS support.
  • Script mappings.
  • Parent paths.
  • Command shell.

Let’s look at each of these in detail.

Internet services
You need to minimize the number of services that run on your IIS. Each service that’s running can have a vulnerability that would allow someone to exploit it. All unneeded services should be disabled or stopped and set to manual. IIS requires the following services in order to run:

  • Event Log
  • IIS Admin Service
  • License Logging Service
  • MSDTC
  • Protected Storage
  • Remote Procedure Call (RPC) Service
  • Windows NT Server or Windows NT Workstation
  • Windows NTLM Security Support Provider
  • World Wide Web Publishing Service

Setting permissions
Setting the Access Control Level on the IIS is essential. The user Everyone will get Full Control over newly created files and folders in many instances. It is a good idea to remove the Full Control permission and assign the Read permission. This should prevent anyone with malicious intent from deleting files or folders. The Administrators group and System user should have Full Control.

Authentication
Authentication allows you to determine who has and who doesn’t have access to your site. There are several authentication methods that can be used with IIS. It is important that you make your authentication strong enough to prevent unauthorized use but not so strong as to make it a barrier to information for those who need it. The authentication methods are outlined below.

  • Anonymous: This method allows anyone to view the content on your site.
  • Basic: This type of authentication requires a user ID and password. It is not very secure, however, because the user ID and password are sent base64-encoded, which is effectively clear text. This method is appropriate for some applications and is probably the most widely used authentication method.
  • NTLM: This method of authentication is also known as NT Challenge/Response. It is the most secure of the three basic authentication methods supported by IIS. However, only Internet Explorer clients support NTLM.
  • NTFS: Although this is not a form of authentication, it does allow you to specify permissions at the file level based on user or NT group.

Anonymous, Basic, and NTLM can all be set through the same IIS dialog box using the Microsoft Management Console (MMC).

Logging
Enabling logging on your IIS is essential if you want to see whether your server is being attacked. There are three formats: IIS log format, the National Center for Supercomputing Applications (NCSA) common format, and W3C Extended Logging. To enable logging, open IIS in the MMC. Right-click the site and choose Properties | Web Site | Enable Logging. You’ll see the screen shown in Figure A.

Figure A
You can enable logging on your IIS server.

You will then have to set the following properties:

  • Client IP Address
  • User Name
  • Method
  • URI Stem
  • HTTP Status
  • User Agent
  • Server IP Address
  • Server Port

In addition to the IIS logging information, you can rely on your Windows NT logs. They’ll supply you with information such as access violations, low disk space, errors with hardware or services, and so on. Depending on the events you audit, your log files can contain a wealth of knowledge.

Be careful not to audit everything, or you may be overwhelmed with needless information. The information in the IIS log will be more comprehensive with regard to the IIS function than the Windows NT logs, but you should use both.
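As an added example (not from the original article), the following Python script reads W3C Extended log lines that carry the fields listed above and flags two things those logs can reveal: requests with a ".." path segment, which the Parent paths setting discussed later is meant to block, and clients that accumulate 401 responses against Basic or NTLM authentication. The log excerpt is constructed; the field names are the ones IIS writes in its #Fields directive.

```python
# Scan IIS 4.0 W3C Extended log lines for parent-path probes and authentication
# failure bursts. Added example, not from the article; the log excerpt is constructed.
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-10-05 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status cs(User-Agent)
1999-10-05 00:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.htm 200 Mozilla/4.0+(compatible)
1999-10-05 00:00:02 10.0.0.9 - 192.168.1.10 80 GET /docs/../../private/config.txt 404 Mozilla/4.0
1999-10-05 00:00:03 10.0.0.9 admin 192.168.1.10 80 GET /private/ 401 Mozilla/4.0
1999-10-05 00:00:04 10.0.0.9 admin 192.168.1.10 80 GET /private/ 401 Mozilla/4.0
1999-10-05 00:00:05 10.0.0.9 admin 192.168.1.10 80 GET /private/ 401 Mozilla/4.0
1999-10-05 00:00:06 10.0.0.5 jsmith 192.168.1.10 80 GET /private/report.htm 200 Mozilla/4.0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names, in the order IIS writes them
        elif line.startswith("#") or not line.strip():
            continue                            # other directives and blank lines
        else:
            if fields is None:
                raise ValueError("request line appears before any #Fields directive")
            values = line.split(" ", len(fields) - 1)
            if len(values) != len(fields):
                raise ValueError("malformed log line: " + line)
            yield dict(zip(fields, values))

def find_parent_path_probes(records):
    """Return (client IP, URI stem) for requests that carry a '..' path segment."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if ".." in r["cs-uri-stem"].split("/")]

def find_auth_failure_bursts(records, threshold=3):
    """Return {client IP: count} for clients with at least `threshold` 401 responses."""
    failures = Counter(r["c-ip"] for r in records if r["sc-status"] == "401")
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("parent-path probes:", find_parent_path_probes(recs))
    print("auth failure bursts:", find_auth_failure_bursts(recs))
```

Because IIS writes the User-Agent with spaces replaced by plus signs, splitting on single spaces is safe for the field set above; add fields to the #Fields line and the parser picks them up by name.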

RDS support
Remote Data Services (RDS) is part of the Data Access Components installed by default with Windows NT 4.0 Option Pack and IIS 4.0. RDS allows Web clients to issue client-based SQL queries to OLE DB data sources hosted on the Web server. A malicious user may be able to gain access to ODBC data when connecting to your IIS with Microsoft RDS installed. Because the RDS DataFactory allows data access requests by default, it can be exploited to allow unauthorized Internet clients to access OLE DB data sources available to the server.

RDS can open your system up to attacks, so it’s important that it be configured properly. You can restrict its access or remove it completely.

To remove RDS functionality, edit the registry (Start | Run | Regedt32) on the IIS. When editing the registry, it’s vital that you make only the necessary changes. Additional changes or deletions can yield unexpected results. Also, as mentioned earlier, you should make a backup of the registry before making any changes. Remove the following registry keys and any subkeys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

If you don’t want to remove the RDS functionality, you can tighten security by removing all nonessential ODBC drivers, especially the Microsoft Text Driver. You should also apply NTFS permissions to restrict access to only those you trust.

Script mappings
By default, IIS supports common filename extensions, such as .htm, .shtm, and .asp. If you don’t support a particular extension, you should remove the mappings for it through the Internet Service Manager. Right-click your Web server and choose Properties | Master Properties | WWW Service | Edit | Home Directory | Application Configuration. When you do, you’ll see the screen shown in Figure B.

Figure B
You can control application extensions here.

Parent paths
You should disable parent paths because they allow the use of (..) in calls to MapPath. This option is enabled by default. To disable it, right-click the Web server and select Properties. Go to Home Directory | Configuration | App Options and uncheck Enable Parent Paths.

Command shell
The #exec command can be used to call commands from your Web server from within an HTML page. This is disabled by default, but it is important to make sure that it has not been enabled.

To do this, you must inspect a registry entry. Open the Registry Editor (Start | Run | Regedt32) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters; make sure that SSIEnableCmdDirective is set to 0.
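As an added example (not from the original article), this Python script checks an exported registry file against the settings recommended in this Daily Drill Down: the Windows NT values from the earlier list (8.3 name generation, administrative shares, last logon name, Shutdown button, RestrictAnonymous), the three RDS ADCLaunch keys that should be deleted, and SSIEnableCmdDirective from this section. It assumes the export is in REGEDIT4 format (what regedit.exe on NT 4.0 writes) rather than the text Regedt32 saves with Save Subtree As; the sample export is constructed.

```python
# Audit a REGEDIT4 registry export against the hardened values given in this article.
# Added example, not from the article; the constructed export below has two compliant settings,
# four non-compliant ones, and one RDS launch key that was never deleted.
import re
HKLM = "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
W3SVC = HKLM + r"\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters"
BASELINE = [  # (key, value name, hardened value) as the article specifies them
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\FileSystem", "NtfsDisable8dot3NameCreation", 1),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer", 0),
    (WINLOGON, "DontDisplayLastUserName", 1),
    (WINLOGON, "ShutdownWithoutLogon", 0),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\LSA", "RestrictAnonymous", 1),
    (W3SVC, "SSIEnableCmdDirective", 0),
]
# RDS launch keys the article says to delete; any that still exist are findings.
FORBIDDEN_KEYS = [W3SVC + "\\ADCLaunch\\" + name for name in
                  ("RDSServer.DataFactory", "AdvancedDataFactory", "VbBusObj.VbBusObjCls")]
# "Name"=dword:XXXXXXXX or "Name"="digits" (the Winlogon flags are stored as strings)
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(\d+)")$')
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RestrictAnonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory]
"""

def parse_regedit4(text):
    """Return {key path: {value name: int}} for the dword and numeric string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # a key header; later values belong to it
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m[1]] = int(m[2], 16) if m[2] else int(m[3])
    return keys

def audit(export_text):
    """Return findings as (key, value name, found, expected); an empty list means compliant."""
    keys = parse_regedit4(export_text)
    found = lambda key, name: keys.get(key, {}).get(name)   # None when the value is absent
    findings = [(k, n, found(k, n), e) for k, n, e in BASELINE if found(k, n) != e]
    return findings + [(k, None, "present", "deleted") for k in FORBIDDEN_KEYS if k in keys]
```

A value that is absent from the export is reported as a finding too, since a missing setting leaves the insecure default in force.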

Internet Information Servers have probably been exploited more than any other type of server due to the growth of the Web. It is essential that you secure your server, both physically and virtually, to prevent unauthorized access to your network. In this Daily Drill Down, I’ve shown you some things you can do to increase security on your IIS server.
