

Enable intrusion detection on IIS

By debate
Does your organization audit the right events? Do you actually read your security event log? How has auditing helped secure your network? Share your comments about enabling auditing to lock down your network, as discussed in the Nov. 5 Security Solutions newsletter.


Intrusion Detection in IIS

by eziots In reply to Enable intrusion detectio ...

This is a good first step, but there are more things you have to do to lock and secure IIS.

1) Install and configure Urlscan with every IIS instance you run.

2) Use the IISLockdown tool and remove all the functionality that you don't need.

3) Use IPSEC filters to block all open ports (135, 445, etc.) that still exist on your server if you are putting it into a DMZ. You can also use an HIDS like Cisco Security Agent or Tripwire to protect and detect modification to system executables.

4) Deny IUSR_Machinename and IWAM_Machinename any access to any .exe on the system, especially those that were mentioned and audit.

5) Deny IUSR and IWAM access to common startup run locations (use Autoruns from Sysinternals to find them all).

6) Monitor your logs daily with WebTrends or other logging facilities for trend analysis.

7) Lock down and disable all unneeded services on the server, and know which open ports contribute to which service or process. (Process Explorer from Sysinternals can tell you all this, along with tcpvcon.)

8) If in a DMZ, utilize a dual firewall configuration, and ensure you test the ruleset with NMAP frequently.

9) Run an IDS in the DMZ, and also run a vulnerability scanner like Retina, from both inside and outside the DMZ, to see what the hacker can see, and fix the problems before deployment.

Ed Ziots
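
An added example, not part of the original post, for the daily log review in item 6: it parses IIS W3C extended log lines and flags clients that requested .exe files (the files item 4 locks down) or produced repeated 4xx/5xx responses. The sample log, the threshold and the function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-11-05 10:00:01 192.0.2.10 GET /default.htm - 200
2003-11-05 10:00:02 192.0.2.10 GET /images/logo.gif - 200
2003-11-05 10:01:10 198.51.100.7 GET /scripts/cmd.exe - 404
2003-11-05 10:01:11 198.51.100.7 GET /scripts/root.exe - 404
2003-11-05 10:01:12 198.51.100.7 GET /admin/ - 403
2003-11-05 10:02:00 203.0.113.5 GET /missing.htm - 404
"""


def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def summarize(text, error_threshold=2):
    """Return per-client counters and the sorted list of clients worth a look.

    A client is flagged if it requested any .exe file or if its 4xx/5xx
    responses reach error_threshold (an assumed value; tune per site).
    """
    stats = defaultdict(Counter)
    for row in parse_w3c(text):
        counts = stats[row["c-ip"]]
        counts["requests"] += 1
        if row["sc-status"][0] in "45":
            counts["errors"] += 1
        if row["cs-uri-stem"].lower().endswith(".exe"):
            counts["exe_requests"] += 1
    flagged = sorted(ip for ip, c in stats.items()
                     if c["exe_requests"] or c["errors"] >= error_threshold)
    return stats, flagged


if __name__ == "__main__":
    stats, flagged = summarize(SAMPLE_LOG)
    for ip in flagged:
        print(ip, dict(stats[ip]))
```

Run against each day's log file, the per-client counters give the baseline that trend analysis needs: a client whose error or .exe request counts jump from one day to the next stands out.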


IIS 6.0

by s_sykes In reply to Enable intrusion detectio ...

I'm assuming that the procedures Mike describes are only applicable to IIS 5 and not IIS 6.0? Is this correct?
