- Overview
- Installation
- WWW Service
- FTP Service
- Exploit Scanners
- Summary
Installation
The first step in setting up a secure IIS is to ensure that the system on which it is being installed is secure. This includes locking out all extra accounts, tightening down who has access to what, ensuring the hard drive is formatted with NTFS, and more. This chapter will review the security precautions that must be met before and during the secure installation of IIS.
Preinstall Checklist
Before installing IIS, the system must be configured securely and all extra components that could cause unauthorized access must be removed. The following lists the preventative measures you need to take and describes each one in detail.
Ensure that the hard drive is formatted using NTFS.
Windows .NET Server can be installed using the FAT32 or NTFS file system. While FAT32 is thought to be the faster of the two, NTFS is much more secure. This is because NTFS allows the user to control every aspect of a system's security, all the way down to the file level. Using NTFS, an Administrator can set permissions on a file such as read only, no access, or full access. Using these permissions, an Administrator can also log who tries to access which files and whether or not they were successful. This type of micromanagement may seem overly cautious, but the best way to repair a computer after it has been compromised is to use the details provided by the logging ability of NTFS.
Install the IIS behind closed doors and isolated from the Internet.
While this may seem paranoid, a hacker can scan a computer within 15 minutes or less of it being connected to the Internet for the first time. While IIS can be locked down fairly securely, during the time it takes to lock it down a hacker could have the time to install a Trojan, which would make any further attempts to secure the IIS meaningless.
In addition, another common belief among computer security experts is that the biggest threat to the security of a computer comes from inside the trusted domain, rather than from outside (i.e., the Internet). In high security environments, it is essential to build the IIS system within a controlled environment. Otherwise, the system could be compromised.
Install IIS in its own domain with no trusts.
When Windows .NET Server is installed, it should be in its own domain and have no other trusts with other domains. This prevents a hacker from relaying an attack farther into a network in case the computer running IIS is compromised.
Install IIS on a standalone server that is responsible for no other services.
Installing additional programs on an IIS (e.g., SQL Server or Exchange) will create more opportunities for a hacker to breach the security of the network. IIS has programming errors that lead to vulnerabilities, as do all programs. By adding programs to the server, a computer's chance of having a weakness grows exponentially. This is because many of these programs interact with each other and can escalate an individual, low-level security weakness into multiple, severe weaknesses.
Partition the hard drive so each service (e.g., WWW, FTP) is on its own volume.
By partitioning the hard drive so each service has its own volume or drive, a hacker can be stopped from using path traversal weaknesses that result from Unicode or other types of vulnerabilities. Simple sequences such as "../" have been known to let hackers travel up the folder structure and reach sensitive files such as boot.ini or script files. Using different drives stops the hacker at the root of the drive.
Ensure TCP/IP is the only protocol installed on the computer.
The Internet uses TCP/IP as its primary method of data transfer. Although there are situations where other protocols (e.g., IPX) may be necessary, adding these protocols increases the risk by adding complexity to the security policy.
Ensure IP routing is, and remains, disabled.
Microsoft has built a VPN solution into its operating system. However, this and other technologies require that the gateway device from the Internet to the internal network be able to pass data. Windows .NET Server has this ability, but it should be disabled if the computer is to be an IIS server. When enabled, the chance for a successful hack is greatly increased because a hacker can pass data into a network and internal computers can pass data directly out of a network.
Ensure file and print sharing for Microsoft networks is installed for NNTP or SMTP services.
If SMTP or NNTP will be installed, the Server service will be required. Thus, file and print sharing for Microsoft networks must be installed. If it is not, the Server service will not show up in the available services.
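The checklist above can be verified rather than trusted. The following script is an added example and is not from the book; it assumes Windows PowerShell 5.1 on the target server, the standard Tcpip\Parameters registry location of the IPEnableRouter value, and a short allow-list of network bindings (TCP/IP plus File and Printer Sharing, which the text requires for SMTP/NNTP). Everything else it finds is reported for review, not changed.

```powershell
# Added example (not from the book): audit a server against the preinstall
# checklist. Assumes Windows PowerShell 5.1, the standard Tcpip\Parameters
# location of IPEnableRouter, and the $allowedBindings allow-list below.
function Test-PreinstallChecklist {
    $findings = @()

    # 1. Every local fixed disk (DriveType 3) must be NTFS.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
        if ($disk.FileSystem -ne 'NTFS') {
            $findings += "Volume $($disk.DeviceID) is $($disk.FileSystem), not NTFS"
        }
    }

    # 2. IP routing must be disabled: IPEnableRouter absent or 0.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $routing = (Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue).IPEnableRouter
    if ($routing -eq 1) { $findings += 'IP routing is enabled (IPEnableRouter = 1)' }

    # 3. The server should be in its own domain (or none) with no trusts;
    #    report membership so the trust list can be checked by hand.
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.PartOfDomain) { $findings += "Member of domain $($cs.Domain); verify it has no trusts" }

    # 4. Only TCP/IP should be bound. ms_server (File and Printer Sharing) is
    #    allowed because the text requires it for the SMTP/NNTP services.
    $allowedBindings = 'ms_tcpip', 'ms_tcpip6', 'ms_server'
    foreach ($b in Get-NetAdapterBinding | Where-Object Enabled) {
        if ($allowedBindings -notcontains $b.ComponentID) {
            $findings += "Adapter $($b.Name): extra binding $($b.ComponentID) ($($b.DisplayName))"
        }
    }

    # 5. Extra accounts: list every enabled local account other than the
    #    built-in Administrator so each one can be justified or disabled.
    foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -ne 'Administrator' }) {
        $findings += "Enabled local account: $($u.Name)"
    }

    return $findings
}

Test-PreinstallChecklist
```

An empty result means the five checks passed; each finding names the item on the checklist that still needs attention.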
Unattended Installation
Once the requisite security measures have been met, it is time to install the IIS server. The best option for maintaining security is to use an unattended installation. This is because the only way to set up the FTPROOT and WWWROOT folders on different drives is to configure an Unattended Install file and allow the installation wizard to use it to set up and configure the IIS. Figure 13.1 illustrates an example of an Unattended Installation file that will install the IIS software on the C: drive, FTPROOT on E:, and WWWROOT on F:. As you can see, this installation file that was saved on the C: drive places the ROOT folders in an INETPUB directory. Although not a serious security risk, it is better to use a less obvious name.
Figure 13.1 A sample Unattended Installation file.
Once the file has been created and put in an easily referenced location, start the install by following the subsequent instructions.
Click Start Programs Accessories Command Prompt to open a MS-DOS window.
Type sysocmgr /i:%windir%\inf\sysoc.inf /u:a:\iis5.txt, replacing a:\iis5.txt with the drive, directory, and file name you used to save the Unattended Install file, as shown in Figure 13.2.
Figure 13.2 C:\WINDOWS\System32\command.com.
After pressing Enter, you will see a series of windows (after a Please wait window, shown in Figure 13.3) informing you of the status of the installation.
Figure 13.3 Brief window before the installation wizard starts.
TIP
In order to install IIS, you will need to have a Windows CD-ROM or an image of the CD available to the destination computer.
As the IIS installer loads the program, you will see several screens, one of which is shown in Figure 13.4, describing the status of the installation.
Figure 13.4 IIS Installation window.
Following is a list of many of the status messages you will see.
Building file list
Examining installed files
Copying files
Installing Internet Information Services
Once the installation is complete, the Windows Component Wizard window will close and you will be at the screen from which you originally started.
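Figure 13.1 is not reproduced here, so the following is an added example of the whole procedure, not the book's own answer file. It assumes the [Components] section with the iis_* component names and the [InternetServer] section with PathFTPRoot and PathWWWRoot that sysocmgr reads on Windows 2000 and .NET Server; the drive letters follow the text, while the C:\Setup path and the SiteData folder name are made up. Note the space between sysocmgr and /i:, which the command as printed above runs together.

```powershell
# Added example (not the book's Figure 13.1): write an unattended answer file
# and run sysocmgr with it. Assumes the [Components]/[InternetServer] sections
# and iis_* component names used by sysoc.inf; paths are constructed.
$answerFile = 'C:\Setup\iis-unattend.txt'   # constructed location

$unattend = @'
[Components]
iis_common  = ON
iis_inetmgr = ON
iis_www     = ON
iis_ftp     = ON
iis_htmla   = OFF
iis_smtp    = OFF
iis_nntp    = OFF

[InternetServer]
; each publishing root on its own volume, under a folder name that is not "Inetpub"
PathFTPRoot = E:\SiteData\ftproot
PathWWWRoot = F:\SiteData\wwwroot
'@

New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
Set-Content -Path $answerFile -Value $unattend -Encoding Ascii

# The command from the text, with the required space after sysocmgr.
& "$env:windir\system32\sysocmgr.exe" "/i:$env:windir\inf\sysoc.inf" "/u:$answerFile"
```

Components set to OFF are simply not installed, which keeps the HTML administration, SMTP, and NNTP code off a server that only needs WWW and FTP.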
Post-Installation
Once the IIS has been successfully installed, the real work begins. At this point, the program is installed; however, there are many holes to seal and procedures that need to be accomplished to securely lock down the server installed.
User Accounts
The first thing that should be done is to remove the "Everyone" and "Guests" groups from the folders containing the IIS files. This is because IIS allows these groups full control of the publication directory (i.e., C:\Inetpub). These accounts, in combination with the knowledge that a typical installation places the Inetpub directory on the same drive as the key system files, can be used by hackers to gain unauthorized access to the files residing on the system.
To remove these dangerous groups, perform the following steps:
Find the Inetpub directory.
Right-click on the Inetpub folder and click Properties.
Click on the Security tab, shown in Figure 13.5.
Figure 13.5 Inetpub folder properties.
Click on the group or user to delete and then click Remove.
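The same change can be scripted, which also makes it easy to repeat after a reinstall. The function below is an added example and not part of the book; it assumes Windows PowerShell 5.1 and the default C:\Inetpub path (pass -Path if a different folder name was used). It breaks inheritance first, because entries inherited from the drive root cannot be removed individually.

```powershell
# Added example (not from the book): remove the Everyone and Guests entries
# from the publishing directory's ACL. Assumes Windows PowerShell 5.1 and the
# default C:\Inetpub path.
function Remove-PublicAccessFromInetpub {
    param(
        [string]$Path = 'C:\Inetpub',
        [string[]]$Principals = @('Everyone', 'BUILTIN\Guests')
    )

    # Phase 1: stop inheriting from the parent, keeping explicit copies of the
    # current entries, and persist that so the copies become editable.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Phase 2: re-read and drop every entry for the unwanted principals.
    $acl = Get-Acl -Path $Path
    $removed = @()
    foreach ($rule in @($acl.Access)) {
        if ($Principals -contains $rule.IdentityReference.Value) {
            $acl.RemoveAccessRuleAll($rule)
            $removed += $rule.IdentityReference.Value
        }
    }
    Set-Acl -Path $Path -AclObject $acl

    # Report what was removed and what remains, for review against Table 13.2.
    [pscustomobject]@{
        Removed   = $removed | Sort-Object -Unique
        Remaining = (Get-Acl -Path $Path).Access |
                    ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

Remove-PublicAccessFromInetpub
```

Run it once for the Inetpub folder; subfolders that inherit from it lose the entries automatically.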
The next user issue that needs attention is that of the IUSR_computername account. This default account is created during the installation of IIS. It is used by anonymous Web users to request information from the host computer. Therefore, this account needs special consideration and its privileges should be closely reviewed. If the IIS is to be used within a secure network only, it is recommended that the account be disabled. This would force all users to supply a valid user name and password before requesting information from the server.
To adjust the privileges:
Click Start Settings Control Panel Administrative Tools Computer Management Local Users and Groups Users and right-click on the IUSR_computername account.
In the IUSR_computername Properties window, ensure that the User cannot change password option is checked as well as Password never expires.
If the IIS is to be used in a secure network only, also check Account is disabled. See Figure 13.6.
Figure 13.6 IUSR_computername Properties window.
Click OK to save the changes.
Next click Local Users and Groups Users and double-click the Guests group.
Highlight the IUSR_computername account and click Remove. See Figure 13.7.
Figure 13.7 Removing IUSR_computername from Guest accounts.
In addition to these rights, the account should only be listed as a local account, not a domain-wide account, and it must have the right to log on locally. These settings are set up upon installation and should not need adjustment. However, you should remove the right to Access this computer from the network and the Log on as a batch job rights that are enabled.
To change account rights:
Click Start Settings Control Panel Administrative Tools Local Security Policy Local Policies.
Double-click on the right to be adjusted.
Click on the IUSR_computername account and click Remove. See Figure 13.8.
Figure 13.8 Removing the Access this computer from the network right for the IUSR_computername account.
Click OK or Apply to save the changes.
Once the existing accounts have been altered or removed to maximize security, it is recommended that you create two new groups: IISUsers and IISAdmins. Once created, they can be populated with individual accounts. By controlling permissions and rights at the group level, it becomes easier to monitor and adjust who has rights to what resources. If the server is to host several client sites, you should create an IISAdmins group for each site and use the IISUsers group to hold the IUSR_computername account and any other accounts that are to be used exclusively for Web read-only access. These groups can then be used to assign individual accounts separate rights.
Once these groups are created, add the IUSR_computername account to the IISUsers group and any administrative accounts to the IISAdmins group. These groups will be used to control the NTFS permissions that are set on each file and folder on a hard drive formatted with NTFS.
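The account and group steps above, scripted, with a check of the three user rights the text discusses. This is an added example, not the book's; it assumes Windows PowerShell 5.1 with the LocalAccounts module, that IUSR_ followed by the computer name is the anonymous account your installation created, and that secedit exports user rights as SIDs prefixed with an asterisk (which is how it lists them).

```powershell
# Added example (not from the book): apply the anonymous-account settings and
# create IISUsers/IISAdmins. Assumes Windows PowerShell 5.1 with the
# LocalAccounts module and that $Iusr names the account IIS created.
function Set-AnonymousAccountPolicy {
    param([string]$Iusr = "IUSR_$env:COMPUTERNAME", [switch]$IntranetOnly)

    # Properties dialog: user cannot change password, password never expires.
    Set-LocalUser -Name $Iusr -UserMayChangePassword $false -PasswordNeverExpires $true
    if ($IntranetOnly) { Disable-LocalUser -Name $Iusr }   # force every user to authenticate

    # Remove it from Guests; ignore the error if it is already gone.
    Remove-LocalGroupMember -Group 'Guests' -Member $Iusr -ErrorAction SilentlyContinue

    # The two new groups, with the anonymous account placed in IISUsers.
    foreach ($g in 'IISUsers', 'IISAdmins') {
        if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
            New-LocalGroup -Name $g | Out-Null
        }
    }
    Add-LocalGroupMember -Group 'IISUsers' -Member $Iusr -ErrorAction SilentlyContinue
}

function Get-AnonymousAccountRights {
    param([string]$Iusr = "IUSR_$env:COMPUTERNAME")
    # Export the local policy and report whether the account holds each right.
    $sid = ([System.Security.Principal.NTAccount]$Iusr).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $names = @{
        SeNetworkLogonRight     = 'Access this computer from the network (should be removed)'
        SeBatchLogonRight       = 'Log on as a batch job (should be removed)'
        SeInteractiveLogonRight = 'Log on locally (must be kept)'
    }
    $held = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $names.ContainsKey($matches[1])) {
            # secedit lists accounts as *S-1-..., so compare against the SID.
            $held[$names[$matches[1]]] = (($matches[2] -split ',') -contains "*$sid")
        }
    }
    Remove-Item -Path $cfg -Force
    return $held
}

Set-AnonymousAccountPolicy
Get-AnonymousAccountRights
```

The second function only reports; the two rights marked "should be removed" are still taken away in Local Security Policy as described, and the report confirms that the change took effect.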
Services
During the installation of both Windows and IIS, numerous services are also installed that are not needed by the OS or any of the software used on the computer. Services are actually small programs that run in the background. They usually run at a low level and communicate directly with the hardware layer. Similar to daemons that run in the *nix environment, services not only use up memory, they also increase the chance that a computer becomes vulnerable to a hacker attack. Table 13.1 lists the services that are not needed by a standalone Web server. Note that some of the services are required if the computer is to participate in a network.
Table 13.1. Services Not Needed by a Standalone Web Server
Service Name | Additional Notes
Alerter |
ClipBook Server |
Computer Browser |
DHCP Client |
Distributed File System |
Distributed Link Tracking Client |
FTP Publishing Service | Disabled unless users require FTP services
IPSEC Policy Agent | Disabled unless IPSEC policies will be used
Licensing Logging Service |
Logical Disk Manager Administrator Service |
Messenger |
Net Logon | Disabled unless domain users are required to log on to the server; this service is required to communicate with the domain controller
Network DDE |
Network DDE DSDM |
Print Spooler |
Remote Registry Service |
Removable Storage |
RPC Locator | Required if the user is doing remote administration
RunAs Service |
Server Service | Must be started if the server will run the SMTP or NNTP service of IIS, for administration purposes
Task Scheduler |
TCP/IP NetBIOS Helper |
Telephony |
Windows Installer |
Once the service is installed, it is configured to run in one of three ways:
Automatic: Used when the service needs to be started during the OS boot or when a program is initialized.
Manual: Used when the service is not needed during typical day-to-day operations, but may be started with the execution of another program.
Disabled: The service is turned off and configured to remain so even if a program or user attempts to start it.
To uninstall or disable a service:
Click Start Settings Control Panel Administrative Tools Services (Figures 13.9 through 13.11).
Figure 13.9 Windows .NET Server Services window.
Figure 13.10 FTP Publishing Services Properties window.
Figure 13.11 Network Connections Services Properties window.
Right-click on the service to be adjusted.
Select Stop to temporarily turn off the service (Note: The service will return to its default status as configured in Properties upon computer reboot).
Select Properties to permanently adjust the service configuration.
Under the Startup type menu, select the desired option.
CAUTION
Before disabling or stopping any service, check its dependencies to ensure that it is not required by any other services. If it is, the other services will not work properly. For example, the Internet Connection Firewall service requires the Network Connection service to run.
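The dependency check in the CAUTION is easy to forget when working through a long list, so the following added example (not from the book) does it for each service before changing anything. It assumes Windows PowerShell 5.1 and that the caller supplies service short names; the ones in the sample call are the Windows 2000/.NET Server names for some of the Table 13.1 entries and should be confirmed with Get-Service on the build in use. Services that are absent are reported rather than treated as errors.

```powershell
# Added example (not from the book): disable unneeded services only when no
# running service outside the list depends on them. Assumes Windows
# PowerShell 5.1; service short names should be verified with Get-Service.
function Disable-UnneededService {
    param([string[]]$NotNeeded)

    $report = @()
    foreach ($name in $NotNeeded) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { $report += "${name}: not installed"; continue }

        # The CAUTION above: a running service that depends on this one and is
        # not itself being retired would break, so keep this one and say why.
        $blockers = $svc.DependentServices |
                    Where-Object { $_.Status -eq 'Running' -and $NotNeeded -notcontains $_.Name }
        if ($blockers) {
            $report += "${name}: kept, required by " + (($blockers | ForEach-Object Name) -join ', ')
            continue
        }

        # Stop is only temporary; the Disabled startup type survives a reboot.
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        $report += "${name}: disabled"
    }
    return $report
}

# Short names for some Table 13.1 rows (Alerter, ClipBook, Computer Browser,
# Messenger, Remote Registry, Print Spooler, Task Scheduler, Network DDE,
# Network DDE DSDM, Telephony, Windows Installer, RPC Locator).
Disable-UnneededService -NotNeeded 'Alerter', 'ClipSrv', 'Browser', 'Messenger',
    'RemoteRegistry', 'Spooler', 'Schedule', 'NetDDE', 'NetDDEdsdm', 'TapiSrv',
    'MSIServer', 'RpcLocator'
```

Read the report before rebooting: a "kept" line means the dependency chain has to be resolved by hand, either by also retiring the dependent service or by leaving both running.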
Securing the Metabase
One of the more commonly overlooked security risks involved with the operation of IIS is that of securing the metabase file. The metabase file is used by IIS in the same way the registry is used by the operating system. It holds properties and settings that are used by IIS to control its operation.
The advantage of using the metabase file is threefold. First, since the metabase file is used exclusively by IIS, its information can be accessed faster. In addition, because IIS is the only program that needs access to this file, the data in the metabase file can be made secure through encryption. The final advantage is that the metabase file can hold more detailed information than its counterpart, the registry.
While the data in the metabase file is safe from intruders, the file itself is not. In other words, if a hacker were to replace the original metabase file with a file of his or her own making, the hacker could shut down the IIS or compromise it by using another, less secure configuration.
In the case of the metabase file, the best security is obscurity. In other words, the file should be moved from its default location, \Winnt\system32\inetsrv, to another, less obvious location. The only change that needs to be made to the system to allow this action is to add a new key to the registry. To do this, follow the subsequent instructions.
CAUTION
The registry is a very sensitive part of the operating system. DO NOT make changes without knowing and understanding the outcome of these changes. In addition, you should ALWAYS make a backup of your registry the moment you open it, in case of a power loss or unrecoverable error.
Turn off the IIS services.
Move and/or rename the metabase.bin file.
Click on Start Run, type regedit, and hit OK.
Click File Export and save a copy of the registry to a safe location.
CAUTION
Ensure the backup registry file is stored in a location not normally accessed by the computer's users. If the registry backup is inadvertently double-clicked, its contents will overwrite any changes made in the registry since the date the backup file was created.
Locate the key named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters.
With Parameters highlighted, click Edit New String value (Figure 13.12).
Figure 13.12 Creating a new registry key.
When the New Value key appears, name it Metadata File.
Double-click the Metadata File and enter the new location and name of the metabase.bin file, including the full path and file name.
Close the registry.
This registry entry tells IIS where the configuration file is located when it starts up. Although this procedure will secure the file, it does assume that the registry is secure. If a hacker can gain access to the data stored in the registry through the unauthorized use of an Administrator or System account, the file can still be compromised.
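The steps above, in order, as an added example that is not from the book. It assumes IIS 5 or 6 (the file-based metabase the text describes), Windows PowerShell 5.1, and a destination you choose yourself; the D:\PLACEHOLDER path is exactly that, a placeholder to be replaced with an unobvious location. It also applies the Administrators and System permissions that Table 13.2 gives the metabase, so the moved file is no more accessible than the original.

```powershell
# Added example (not from the book): move metabase.bin and register the new
# path. Assumes IIS 5/6, Windows PowerShell 5.1, and that $NewPath is replaced
# with your own location.
function Move-Metabase {
    param([string]$NewPath = 'D:\PLACEHOLDER\cfgstore.bin')
    $key = 'HKLM:\SOFTWARE\Microsoft\InetMgr\Parameters'
    $old = Join-Path $env:windir 'system32\inetsrv\metabase.bin'

    # Step 1: stop IIS. IISADMIN owns the metabase; -Force stops W3SVC/MSFTPSVC with it.
    Stop-Service -Name IISADMIN -Force

    # Step 4, done first: export the key before changing it, to a folder users do not browse.
    $backupDir = Join-Path $env:ProgramData 'IISBackup'
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    reg export 'HKLM\SOFTWARE\Microsoft\InetMgr\Parameters' (Join-Path $backupDir 'InetMgr-Parameters.reg') /y | Out-Null

    # Step 2: move the file and allow only Administrators and SYSTEM (Table 13.2, "Metabase" row).
    New-Item -ItemType Directory -Path (Split-Path $NewPath) -Force | Out-Null
    Move-Item -Path $old -Destination $NewPath
    icacls $NewPath /inheritance:r /grant 'Administrators:F' 'SYSTEM:F' | Out-Null

    # Steps 5 to 9: the 'Metadata File' string value points IIS at the new location.
    New-ItemProperty -Path $key -Name 'Metadata File' -Value $NewPath -PropertyType String -Force | Out-Null

    # Start IIS again; Start-Service does not restart dependents on its own.
    foreach ($s in 'IISADMIN', 'W3SVC', 'MSFTPSVC') { Start-Service -Name $s -ErrorAction SilentlyContinue }
    return (Get-ItemProperty -Path $key).'Metadata File'
}

Move-Metabase
```

If IIS fails to start afterwards, the exported .reg file restores the original key and the file can be moved back; the return value shows the path IIS will read at its next start.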
Backing Up/Restoring the Metabase
In addition to securing the Metabase, it is important to make regular backups in case the system falls prey to an attack, or simply crashes. There are three ways that the Metabase.bin file can be saved, which include the following:
Secure: The secure method uses the IIS snap-in to perform a backup of the metabase.bin file, which is then encrypted with a password. Only those with the correct password will have access to the data in the file.
Insecure: This method uses the IIS snap-in to perform a regular backup of the metabase.bin file. Anyone can restore the data in this file to an existing IIS installation.
Legacy: This method uses third-party programs or a simple batch file to copy and replace the metabase.bin file.
The following describes how to perform a secure and insecure backup. If you wish to use a legacy program, consult that program documentation.
Secure Backup
Open the Internet Services Manager by selecting Start Control Panel Administrative Tools Internet Information Services.
Select the computer to back up.
Click Action All Tasks Backup/Restore Configuration, shown in Figure 13.13.
Figure 13.13 Backup/Restore Configuration menu selection.
Click Create backup. See Figure 13.14.
Figure 13.14 IIS Configuration Backup/Restore window.
Enter backup name, check Encrypt backup using password, and enter a strong password. See Figure 13.15.
Figure 13.15 Configuration Backup window.
Insecure Backup
Open the Internet Services Manager by selecting Start Control Panel Administrative Tools Internet Information Services.
Select the computer to back up.
Click Action All Tasks Backup/Restore Configuration.
Click Create backup.
Enter backup name and select OK.
Restore from Backup
Inevitably, you will need to restore the settings. This is a relatively simple task, but can take some time and will require the restarting of IIS.
To restore the metabase.bin settings:
Open the Internet Services Manager by selecting Start Control Panel Administrative Tools Internet Information Services.
Select the computer to restore.
Click Action All Tasks Backup/Restore Configuration.
Click Restore.
If required, enter password.
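The same secure and insecure backups, and the restore, can be driven from the command line, which is useful for a scheduled backup. This is an added example and not from the book; it assumes IIS 6, whose iisback.vbs administration script is in %windir%\system32, and uses the constructed backup name iis-cfg. The only difference between the secure and insecure methods is whether the /e password option is supplied.

```powershell
# Added example (not from the book): metabase backup and restore through
# iisback.vbs. Assumes IIS 6 with the script in %windir%\system32; 'iis-cfg'
# is a constructed backup name.
$iisback = Join-Path $env:windir 'system32\iisback.vbs'

function Backup-Metabase {
    param([string]$Name = 'iis-cfg', [string]$Password)
    $cmd = @('//nologo', $iisback, '/backup', '/b', $Name, '/v', 'NEXT_VERSION', '/overwrite')
    # /e encrypts the backup with the password (the "secure" method); without
    # it the result is the "insecure" backup anyone can restore.
    if ($Password) { $cmd += @('/e', $Password) }
    & cscript.exe @cmd
}

function Restore-Metabase {
    param([string]$Name = 'iis-cfg', [string]$Version = 'HIGHEST_VERSION', [string]$Password)
    $cmd = @('//nologo', $iisback, '/restore', '/b', $Name, '/v', $Version)
    if ($Password) { $cmd += @('/e', $Password) }
    & cscript.exe @cmd     # IIS is restarted as part of the restore
}

& cscript.exe //nologo $iisback /list      # existing backups and their versions
$pw = Read-Host -Prompt 'Backup password (leave blank for an insecure backup)'
Backup-Metabase -Password $pw
```

Keep the password with the rest of the recovery documentation: an encrypted backup without its password cannot be restored at all.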
Using NTFS to Secure File Access
Once the accounts have been set up and the metabase.bin file made secure, the next step is to set up the NTFS permissions on the existing folders and files that were installed with the IIS.
This is a complicated process and takes a solid understanding of how IIS and Web users call upon and process files on the Web server. Table 13.2 provides us with an excellent map to securing the files used by IIS 5 or 6.
Table 13.2. Securing Files Used by IIS 5 or 6
Type of Data | Example Directories | Data Examples | NTFS File Permissions | IIS 5.0 Permissions
Static Content | \Inetpub\wwwroot\Images, \Inetpub\wwwroot\home, \Inetpub\ftproot\ftpfiles | HTML, images, FTP downloads, etc. | Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Authenticated Users (Read & Execute); Anonymous (Read & Execute) | Read
FTP Uploads (if required) | \Inetpub\ftproot\dropbox | Directory used as a place for users to store documents for review prior to the Admin making them available to everyone | Administrators (Full Control); WebAdmins or FTPAdmins (Read & Execute, Write, Modify); Specified Users (Write) | Write
Script Files | \Inetpub\wwwroot\scripts | .ASP | Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Anonymous: special access (Execute) | Scripts only
Other Executable and Include Files | \WebScripts\executables, \WebScripts\Include | .exe, .dll, .cmd, .pl, .inc, .shtml, .shtm | Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Authenticated Users: special access (Execute); Anonymous: special access (Execute) | Scripts only or Scripts and Executables (depending on necessity)
Metabase | \WINNT\system32\Inetsrv | MetaBase.bin | Administrators (Full Control); System (Full Control) | N/A
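Table 13.2 is also a useful yardstick after the permissions have been applied. The following added example (not from the book) compares each content folder's ACL with the principals the table allows and reports anything extra; it also flags any broad group that can write, which no row of the table permits. It assumes Windows PowerShell 5.1, the folder layout from the "Example Directories" column, a local WebAdmins group, an FtpUploaders group standing in for the table's "Specified Users", and IUSR_ followed by the computer name as the anonymous account; all of these names are placeholders.

```powershell
# Added example (not from the book): audit content folders against the NTFS
# column of Table 13.2. Assumes Windows PowerShell 5.1; the group and account
# names below are placeholders.
function Test-ContentAcl {
    param([hashtable]$Expected)   # folder path -> principals allowed in its ACL

    $write  = [int][System.Security.AccessControl.FileSystemRights]::Write
    $public = 'Everyone', 'BUILTIN\Users', 'BUILTIN\Guests', 'NT AUTHORITY\Authenticated Users'
    $findings = @()
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -Path $path)) { $findings += "${path}: folder not found"; continue }
        foreach ($ace in (Get-Acl -Path $path).Access) {
            $who = $ace.IdentityReference.Value
            if ($Expected[$path] -notcontains $who) {
                $findings += "${path}: unexpected entry for $who ($($ace.FileSystemRights))"
            }
            # No broad group may write, whatever the row says about reading.
            if (($public -contains $who) -and (([int]$ace.FileSystemRights -band $write) -ne 0)) {
                $findings += "${path}: $who can write"
            }
        }
    }
    return $findings
}

$me    = $env:COMPUTERNAME
$admin = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$me\WebAdmins"
$anon  = "$me\IUSR_$me"
Test-ContentAcl -Expected @{
    'C:\Inetpub\wwwroot\Images'  = $admin + 'NT AUTHORITY\Authenticated Users' + $anon  # Static Content row
    'C:\Inetpub\ftproot\dropbox' = $admin + "$me\FtpUploaders"                         # FTP Uploads row
    'C:\Inetpub\wwwroot\scripts' = $admin + $anon                                       # Script Files row
}
```

An entry reported as unexpected is usually one inherited from the drive root; breaking inheritance on the folder, as was done for Inetpub earlier, removes it.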
Once the user accounts and permissions for those accounts, services, and folder properties have been secured, it is time to move on to the IIS and its associated settings. The next few segments of this chapter describe in detail how to secure IIS Web and FTP servers.
Using the Internet Service Manager (ISM)
The ISM is actually an extension of the Microsoft Management Console (MMC). The MMC is simply a standard console used to control various services and programs. By standardizing the way programs are supervised, Windows .NET Server administrators can more effectively control their systems. To access the ISM click on Start Control Panel Administrative Tools Internet Information Services.
As illustrated in Figure 13.16, we have installed the WWW service and the FTP service. Each of these services is represented by a main folder under the IIS server (SETH4). By navigating the ISM tree, you can access the global properties of a service or the individual properties of each Web site or FTP site that the IIS contains.
Figure 13.16 Internet Information Services