
    Enable intrusion detection on IIS


    by debate ·

    Does your organization audit the right events? Do you actually read your security event log? How has auditing helped secure your network? Share your comments about enabling auditing to lock down your network, as discussed in the Nov. 5 Security Solutions newsletter.


All Comments


      Intrusion Detection in IIS

      by eziots ·

      In reply to Enable intrusion detection on IIS

      This is a good first step, but there are more things you have to do to lock and secure IIS.

      1) Install and configure Urlscan with every IIS instance you run.

      2) Use the IISLockdown tool and remove all the functionality that you don't need.

      3) Use IPSEC filters to block all open ports (135, 445, etc.) that still exist on your server if you are putting it into a DMZ. You can also use an HIDS like Cisco Security Agent or Tripwire to protect and detect modification to system executables.

      4) Deny IUSR_Machinename and IWAM_Machinename any access to any .exe on the system, especially those that were mentioned and audit.

      5) Deny IUSR and IWAM to common startup run locations (use Autoruns from Sysinternals to find them all).

      6) Monitor your logs daily with WebTrends or other logging facilities for trend analysis.

      7) Lock down and disable all unneeded services on the server, and know which open ports contribute to which service or process. (Process Explorer from Sysinternals can tell you all this, along with tcpvcon.)

      8) If in DMZ, utilize Dual Firewall configuration, and ensure you test the ruleset with NMAP frequently.

      9) Run an IDS in the DMZ, and also run a vulnerability scanner like Retina, from both inside and outside the DMZ to see what the hacker can see, and fix the problems before deployment.

      Ed Ziots
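
An added example, not part of the post above or of the newsletter it replies to: a minimal daily review of IIS W3C extended logs in the spirit of items 4 and 6, listing requests for executable file types and clients that generate repeated 4xx responses. The sample log lines, the extension list and the error threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-11-05 10:00:01 192.0.2.10 GET /default.htm - 200
2004-11-05 10:00:02 192.0.2.10 GET /images/logo.gif - 200
2004-11-05 10:01:10 198.51.100.7 GET /scripts/tool.exe - 404
2004-11-05 10:01:11 198.51.100.7 GET /scripts/tool.exe - 403
2004-11-05 10:01:12 198.51.100.7 GET /admin.dll - 404
2004-11-05 10:01:13 198.51.100.7 GET /a.htm - 404
2004-11-05 10:02:00 203.0.113.5 GET /missing.htm - 404
"""

# Assumed list of extensions that anonymous web users should rarely request.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".dll")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive can reappear mid-file
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def daily_review(text, error_threshold=3):
    """Return (executable requests, client IPs with >= threshold 4xx responses)."""
    exec_hits = []
    errors = Counter()
    for row in parse_w3c(text):
        ip = row.get("c-ip", "-")
        stem = row.get("cs-uri-stem", "").lower()
        status = row.get("sc-status", "")
        if stem.endswith(EXEC_EXT):
            exec_hits.append((ip, stem, status))
        if status.startswith("4"):
            errors[ip] += 1
    noisy = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return exec_hits, noisy

if __name__ == "__main__":
    hits, noisy = daily_review(SAMPLE_LOG)
    for ip, stem, status in hits:
        print(f"executable request: {ip} {stem} -> {status}")
    for ip, count in noisy.items():
        print(f"repeated client errors: {ip} ({count} 4xx responses)")
```
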


      IIS 6.0

      by s_sykes ·

      In reply to Enable intrusion detection on IIS

      I’m assuming that the procedures Mike describes are only applicable to IIS 5 and not IIS 6.0? Is this correct?
