IIS 5.0 Baseline Security Checklist

Source: Internet
Author: User
Tags configuration settings metabase ntfs permissions
Introduction

This document lists recommendations and best practices for improving the security of a Web server running Internet Information Services (IIS) 5.

Important: The purpose of this article is to give instructions for establishing a baseline level of security on IIS 5 servers. Additional, more advanced settings are provided in the complete IIS 5 Security Checklist on the Microsoft TechNet security Web site.



Internet Information Services 5 Settings

Steps:

1. Secure Windows 2000
2. Run the IIS Lockdown Tool
3. Customize UrlScan configuration
4. Set appropriate ACLs on virtual directories
5. Set appropriate IIS log file ACLs
6. Enable logging
7. Disable or remove all sample applications
8. Remove the IISADMPWD virtual directory
9. Remove unused script mappings
10. Harden metabase permissions
11. Harden ASP.NET configuration



Microsoft Internet Information Services 5 Security Checklist Details

Secure Windows 2000

Refer to the Windows 2000 Server Baseline Security Checklist for information about securing the base platform on which IIS will be hosted.

Run the IIS Lockdown Tool

The IIS Lockdown Tool is a utility that asks you to specify the application role played by your IIS server. It then removes any functionality that is not required for that particular Web server role. You should thoroughly test any changes before implementing them in a production environment.

Customize UrlScan Configuration

The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests as IIS processes them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers a significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to restrict Web requests more closely while still allowing your application to function. Ideally, only requests for file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.

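The following UrlScan.ini fragment is an added example (not from the original checklist or from the UrlScan documentation) of the "only the extensions your application uses" refinement described above. It assumes a hypothetical site that serves only ASP pages, HTML and a few image and style-sheet types; the [AllowExtensions] list and the Options values are assumptions for that site and must be adapted to, and tested against, what your application actually serves.

```ini
; Added example UrlScan.ini for a hypothetical ASP-only site; not the original page's text.
; Lines beginning with a semicolon are comments.

[Options]
; Only the verbs in [AllowVerbs] are accepted; everything else is rejected.
UseAllowVerbs=1
; Only the extensions in [AllowExtensions] are served; [DenyExtensions] is ignored.
UseAllowExtensions=1
; Canonicalize the URL before applying the rules, and reject requests that
; still change when normalized a second time (double-encoded URLs).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Reject non-ASCII bytes and dots inside directory names.
AllowHighBitCharacters=0
AllowDotInPath=0
; Hide the Server: response header.
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
; Requests with no extension (a directory, served via the default document)
; are treated by UrlScan as having the extension "."
.
.asp
.htm
.html
.css
.gif
.jpg

[DenyHeaders]
; WebDAV request headers; rejected even though WebDAV verbs are already denied.
Translate:
If:
Lock-Token:

[DenyUrlSequences]
; Directory traversal and path tricks.
..
./
\
; Alternate data streams.
:
; Escaping left after normalization.
%
; Multiple CGI processes in one request.
&
```

Add extensions one at a time as the application needs them and watch the UrlScan log for rejected requests; a legitimate request that is refused shows up there with the rule that blocked it, which is the quickest way to find out what the application still needs.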
Set appropriate ACLs on virtual directories

The IIS Lockdown Tool improves file permissions; however, you should further refine these permissions for your specific application. Although this procedure is somewhat application-dependent, some rules of thumb apply:

File type                                 Access Control List

CGI (.exe, .dll, .cmd, .pl)               Everyone (X); Administrators (Full Control); System (Full Control)
Script files (.asp)                       Everyone (X); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)       Everyone (X); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .html)  Everyone (R); Administrators (Full Control); System (Full Control)

Recommended default ACLs by file type.

Rather than setting ACLs on each file, you are better off creating a separate directory for each file type, setting the ACLs on the directory, and allowing the files to inherit them. For example, a directory structure might look like this:

C:\inetpub\wwwroot\myserver\static (.html)

C:\inetpub\wwwroot\myserver\include (.inc)

C:\inetpub\wwwroot\myserver\script (.asp)

C:\inetpub\wwwroot\myserver\executable (.dll)

C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Also, be aware that two directories need special attention:

C:\inetpub\ftproot (FTP server)

C:\inetpub\mailroot (SMTP server)

The ACLs on both of these directories are Everyone (Full Control) and should be overridden with something tighter, depending on the functionality you need. If you are going to grant Everyone (Write), place the folder on a different volume from the IIS server, or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories; otherwise anyone can fill the system volume.

Set appropriate IIS Log file ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

Administrators (Full Control)

System (Full Control)

Everyone (RWC)

Everyone is deliberately not granted Delete; this is to help prevent malicious users from deleting the files to cover their tracks.

Enable logging

Logging is paramount when you want to determine whether your server is being attacked. You should use the W3C Extended Logging format, configured by following this procedure:

1. Load the Internet Information Services tool.

2. Right-click the site in question, and choose Properties from the context menu.

3. Click the Web Site tab.

4. Check the Enable Logging check box.

5. Choose W3C Extended Log File Format from the Active log format drop-down list.

6. Click Properties, click the Extended Properties tab, and set the following properties:

Client IP Address

User Name

Method

URI Stem

HTTP Status

Win32 Status

User Agent

Server IP Address

Server Port

The latter two properties are useful only if you host multiple Web sites on a single computer. The Win32 Status property is useful for debugging. When you examine the log, look out for Win32 status 5, which means access denied. You can find out what other Win32 error codes mean by entering net helpmsg err at the command line, where err is the error number you are interested in.

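The following PowerShell script is an added example (not from the original checklist) of the "look out for Win32 status 5" advice above: it parses a W3C extended log with the fields the checklist recommends, then groups access-denied responses (sc-win32-status 5, or HTTP 401/403) by client address. The log lines are constructed sample data for this example, not a real server's log; the field names are the standard W3C names IIS writes in the #Fields directive.

```powershell
# Added example, not part of the original checklist. Parses a W3C extended log
# (the format the checklist tells you to enable) and reports access-denied hits.

function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        # The #Fields directive names the columns; IIS writes a new one when the
        # field selection changes, so it is re-read whenever it appears.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }   # other directives / blanks
        $values = $line -split ' '   # IIS encodes embedded spaces as '+', so a plain split is safe
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

function Find-AccessDenied {
    param([object[]]$Entries)
    # Win32 status 5 is ERROR_ACCESS_DENIED (compare: net helpmsg 5 -> "Access is denied.");
    # HTTP 401/403 are the responses the client sees for the same condition.
    $hits = $Entries | Where-Object {
        $_.'sc-win32-status' -eq '5' -or @('401', '403') -contains $_.'sc-status'
    }
    $hits | Group-Object -Property 'c-ip' | ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Name
            Denied   = $_.Count
            Urls     = (@($_.Group | ForEach-Object { $_.'cs-uri-stem' } | Select-Object -Unique) -join ' ')
        }
    } | Sort-Object -Property Denied -Descending
}

# Constructed sample log. The #Fields line matches the properties the checklist recommends.
$sampleLog = @'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-06-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /default.asp 200 0 Mozilla/4.0
2001-06-01 00:00:02 192.0.2.77 - 198.51.100.5 80 GET /iissamples/default.asp 404 2 Mozilla/4.0
2001-06-01 00:00:03 192.0.2.77 - 198.51.100.5 80 GET /iisadmpwd/aexp4b.htr 403 5 Mozilla/4.0
2001-06-01 00:00:04 192.0.2.77 - 198.51.100.5 80 GET /msadc/msadcs.dll 401 5 Mozilla/4.0
2001-06-01 00:00:05 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 0 Mozilla/4.0
'@ -split "`r?`n"

$entries = ConvertFrom-W3CLog -Lines $sampleLog
Find-AccessDenied -Entries $entries | Format-Table -AutoSize
# For a real server, replace $sampleLog with:
#   Get-Content "$env:SystemRoot\system32\LogFiles\W3SVC1\ex*.log"
```

On the sample data, 192.0.2.77 is reported with two denied requests against /iisadmpwd/aexp4b.htr and /msadc/msadcs.dll, which are exactly the kind of probes the later sections of this checklist (remove IISADMPWD and the MSADC sample directory) are meant to make harmless. A client that accumulates many such entries in a short window is worth blocking or investigating; a single one is usually noise.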
Disable or remove all sample applications

Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost or 127.0.0.1; they should still be removed.

The following table lists the default locations for some of the samples.

Sample              Virtual directory   Location

IIS Samples         /IISSamples         C:\inetpub\iissamples
IIS documentation   /IISHelp            C:\winnt\help\iishelp
Data Access         /MSADC              C:\Program Files\Common Files\System\msadc

Sample files included with Internet Information Services 5.

Remove the IISADMPWD virtual directory

This directory allows you to reset Windows NT and Windows 2000 passwords. It is designed primarily for intranet scenarios and is not installed as part of IIS 5; however, it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.

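The following PowerShell function is an added example (not from the original checklist) that covers both of the preceding sections: it walks every Web site in the metabase and removes the sample virtual directories listed in the table above together with IISADMPWD. It assumes the IIS ADSI provider (IIS://localhost/W3SVC) is available, which is the case on the IIS host itself; the default name list is taken from the checklist and nothing else is assumed about the server.

```powershell
# Added example, not part of the original checklist. Assumes the IIS ADSI
# provider (IIS://localhost/W3SVC) is reachable, i.e. the script runs on the IIS host.
# Run with -WhatIf first to see what would be removed.

function Remove-IISSampleVDirs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Virtual directories the checklist says have no place on a production server.
        [string[]]$Names = @('IISSamples', 'IISHelp', 'MSADC', 'IISADMPWD')
    )
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    foreach ($site in $w3svc.Children) {
        if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
        $root = [ADSI]"$($site.Path)/Root"
        # Snapshot the matches first: removing entries while enumerating the
        # Children collection is not safe.
        $matches = @($root.Children | Where-Object {
            $_.SchemaClassName -eq 'IIsWebVirtualDir' -and $Names -contains $_.Name
        })
        foreach ($vdir in $matches) {
            $physical = $vdir.Properties['Path'].Value      # the vdir's physical directory
            $siteName = $site.Properties['ServerComment'].Value
            $label = "$siteName /$($vdir.Name) -> $physical"
            if ($PSCmdlet.ShouldProcess($label, 'Remove virtual directory')) {
                $root.Children.Remove($vdir)
                # Only the metabase entry is removed here; the files stay on disk
                # and should be deleted (or moved off the server) by hand.
                Write-Output "Removed /$($vdir.Name); physical files remain at: $physical"
            }
        }
    }
}

Remove-IISSampleVDirs -WhatIf
```

Removing the virtual directory is what stops the content from being served; the files themselves are reported rather than deleted, because the MSADC location in particular lives under Common Files and is shared with other components, so deleting it blindly can break things the Web server is not the only user of.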
Remove unused script mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to refine the configuration further. If you don't use some of these extensions or their functionality, you should remove the mappings by following this procedure:

1. Open Internet Services Manager.

2. Right-click the Web server, and choose Properties.

3. Click Master Properties.

4. Select WWW Service, click Edit, click Home Directory, and then click Configuration.

Remove these references:

If you don't use...                                                                          Remove this entry:

Web-based password reset                                                                     .htr
Internet Database Connector (all IIS 5 Web sites should use ADO or a similar technology)     .idc
Server-side includes                                                                         .stm, .shtm, and .shtml
Internet Printing                                                                            .printer
Index Server                                                                                 .htw, .ida, and .idq

Note: Internet Printing can be configured through Group Policy as well as through Internet Services Manager. If there is a conflict between the Group Policy settings and those in Internet Services Manager, the Group Policy settings take precedence. If you remove Internet Printing in Internet Services Manager, verify that it won't be re-enabled by either local or domain Group Policy. (The default Group Policy neither enables nor disables Internet Printing.) In the MMC Group Policy snap-in, click Computer Configuration, click Administrative Templates, click Printing, and then click Web-based Printing.

Note: Unless you have a mission-critical reason to use the .htr functionality, you should remove the .htr extension.

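The following PowerShell function is an added example (not from the original checklist) of the script-mapping removal described in this section, done through the metabase instead of the Internet Services Manager dialog. It assumes the IIS ADSI provider (IIS://localhost/W3SVC) is available and that ScriptMaps entries have the documented "extension,handler DLL,flags[,verbs]" form; the default extension list is the checklist's table, so pass only the extensions your application really does not use.

```powershell
# Added example, not part of the original checklist. Assumes the IIS ADSI
# provider (IIS://localhost/W3SVC) is reachable on the IIS host.
# Run with -WhatIf first to see which mappings would be removed.

function Remove-IISScriptMaps {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Extensions from the checklist's table; trim this to what your application does not use.
        [string[]]$Extensions = @('.htr', '.idc', '.stm', '.shtm', '.shtml',
                                  '.printer', '.htw', '.ida', '.idq')
    )
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    # The master list lives on W3SVC (step 3 in the procedure above), but a site
    # root can carry its own override, so both are processed. A root that merely
    # inherits reads back the master list and ends up with an explicit filtered copy.
    $nodes = @($w3svc)
    foreach ($site in $w3svc.Children) {
        if ($site.SchemaClassName -eq 'IIsWebServer') { $nodes += [ADSI]"$($site.Path)/Root" }
    }
    foreach ($node in $nodes) {
        $current = @($node.Properties['ScriptMaps'].Value)
        # Each entry is "<ext>,<handler dll>,<flags>[,<verbs>]"; compare the extension only.
        $keep = @($current | Where-Object { $Extensions -notcontains ($_ -split ',')[0] })
        if ($keep.Count -eq $current.Count) { continue }   # nothing to remove at this node
        $dropped = @($current | Where-Object { $keep -notcontains $_ } |
                     ForEach-Object { ($_ -split ',')[0] }) -join ' '
        if ($PSCmdlet.ShouldProcess($node.Path, "Remove script maps: $dropped")) {
            $node.Properties['ScriptMaps'].Value = [string[]]$keep
            $node.CommitChanges()
        }
    }
}

Remove-IISScriptMaps -WhatIf
```

After the change, request a file with one of the removed extensions: IIS should now return it as static content (or 404 if the file does not exist) instead of passing it to the handler DLL, which is the whole point of the exercise. The .printer mapping can come back through Group Policy, as the note above explains, so re-run the function with -WhatIf after a policy refresh to confirm it stayed gone.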


Harden Metabase Permissions

Security and other IIS configuration settings are maintained in the IIS metabase file. The default file permissions could allow an attacker to edit the metabase file directly. The NTFS permissions on the IIS metabase file (and on the backup metabase file) should be hardened to ensure that attackers cannot modify the IIS configuration in any way. Microsoft recommends removing all file permissions on the metabase and granting Full Control only to Administrators and SYSTEM.

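The following PowerShell script is an added example (not from the original checklist) that applies the three ACL recommendations of this checklist with one helper: the per-file-type virtual directory ACLs (Everyone X or R plus Administrators and SYSTEM Full Control), the log file ACLs (Everyone RWC, no Delete), and the metabase ACL above (Administrators and SYSTEM only). The content tree is the checklist's own C:\inetpub\wwwroot\myserver example; the metabase file names (MetaBase.bin and the MetaBack backup directory under system32\inetsrv) are an assumption for IIS 5 and should be verified on your server before running it. Everyone's RWC is mapped to the FileSystemRights Read and Write flags, which do not include Delete.

```powershell
# Added example, not part of the original checklist. Must run as an administrator.
# Breaks inheritance on each target and leaves only the ACEs listed in $Grants.

function Set-HardenedAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # identity -> System.Security.AccessControl.FileSystemRights (names or flag strings)
        [Parameter(Mandatory = $true)][hashtable]$Grants
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries, then
    # drop any explicit entries too, so the ACL becomes exactly $Grants.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $isDir = (Get-Item -Path $Path).PSIsContainer
    foreach ($identity in $Grants.Keys) {
        # On a directory, let the entry flow down to files and subdirectories
        # (the checklist's "allow the ACLs to inherit to the files").
        $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $Grants[$identity], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Administrators and SYSTEM get Full Control everywhere in the checklist.
# Account names are the English ones; use well-known SIDs on a localized system.
$admin = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
$root  = 'C:\inetpub\wwwroot\myserver'   # the checklist's example layout

# Scripts, CGI and include directories: Everyone (X).
foreach ($dir in 'script', 'executable', 'include') {
    Set-HardenedAcl -Path (Join-Path $root $dir) -Grants ($admin + @{ 'Everyone' = 'ExecuteFile' })
}
# Static content and images: Everyone (R).
foreach ($dir in 'static', 'images') {
    Set-HardenedAcl -Path (Join-Path $root $dir) -Grants ($admin + @{ 'Everyone' = 'Read' })
}
# Log files: Everyone (RWC) as Read + Write, deliberately without Delete.
Set-HardenedAcl -Path "$env:SystemRoot\system32\LogFiles" -Grants ($admin + @{ 'Everyone' = 'Read, Write' })
# Metabase and its backups (assumed IIS 5 locations): Administrators and SYSTEM only.
foreach ($p in "$env:SystemRoot\system32\inetsrv\MetaBase.bin", "$env:SystemRoot\system32\inetsrv\MetaBack") {
    if (Test-Path -LiteralPath $p) { Set-HardenedAcl -Path $p -Grants $admin }
}

# Verify: list what is left on the metabase.
Get-Acl "$env:SystemRoot\system32\inetsrv\MetaBase.bin" | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Apply it to a copy of the content tree first and browse the site: if ASP pages stop executing or static files return 403, the IIS anonymous account (IUSR_machinename) is hitting the Everyone entry you just narrowed, and that is the moment to decide whether the application genuinely needs more than X or R on that directory rather than to widen the ACL by reflex.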


Harden ASP. NET Configuration

If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and of ASP.NET in particular, to ensure that ASP.NET does not increase your vulnerability to attack.

© 2001 Microsoft Corporation. All rights reserved.
