This document provides suggestions and best practices for securing Internet-facing servers running Microsoft Windows 2000 and Internet Information Services (IIS) 5. These settings favor security over performance, so read the following suggestions carefully and apply them in a way that fits your enterprise environment.
Note that this document is adapted from "Designing Secure Web-Based Applications for Microsoft Windows 2000", Microsoft Press, ISBN: 0735609950.
Those familiar with the Internet Information Server 4 checklist will notice that this list is much shorter. There are two reasons for this:
Many Windows 2000 system-wide settings can be configured through the provided security template (hisecweb.inf), so you do not need to configure registry settings by hand.
Some low-security defaults of Microsoft Windows NT 4 and Internet Information Server 4 are disabled by default in Windows 2000 and IIS 5.
The rest of this document is divided into the following parts:
General security considerations
Windows 2000 security considerations
IIS 5 security considerations
General security considerations
This section describes general security issues.
Read your enterprise security policies
It is very important to have security policies. You need to answer the following questions:
How can we respond to intrusions?
Where is the backup stored?
Who is allowed to access the server?
Good policy resources include the SANS Institute, Baseline Software, Inc., and Practical UNIX & Internet Security (O'Reilly, 1996).
Subscribe to the Microsoft Security Notification Service
You can subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp so that you learn about Microsoft security issues and patches promptly. You will receive automatic email notifications about security issues.
You should also consider placing a Microsoft Security Advisor shortcut on the desktop. To do so, perform the following steps:
Open Internet Explorer.
Navigate to http://www.microsoft.com/technet/security/bulletin/policy.asp.
Select "Add to Favorites" from the "Favorites" menu.
Select the "Make available offline" check box.
Click "Customize".
In the Offline Favorite Wizard, click "Next".
Select the "Yes" option and specify that pages two links deep from this page should be downloaded.
Click "Next".
Select the "Create a new schedule" option and click "Next".
Accept the default settings, and then click "Next".
Click "Finish".
Click "OK".
Select "Organize Favorites" from the "Favorites" menu.
In the "Organize Favorites" dialog box, select the "Microsoft TechNet Security" shortcut.
Click "Properties".
Click the "Download" tab in the "Microsoft TechNet Security Properties" dialog box.
Clear the "Follow links outside of this page's Web site" check box.
Click "OK", and then click "Close".
You can now drag the Microsoft TechNet Security shortcut from the "Favorites" menu to the desktop. When new security information is published, a red flag appears on the icon.
Pay close attention to any new security issue. This cannot be emphasized too much.
Windows 2000 security considerations
This section focuses on Windows 2000 security issues.
Check, update, and deploy the Hisecweb.inf security template
A security template named Hisecweb.inf is included as a baseline for most secure Web sites. This template configures basic Windows 2000 system-wide policy.
Hisecweb.inf can be downloaded from the following address:
http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe
Follow these steps to use the template:
Copy the template to the %windir%\security\templates directory.
Open the Security Templates tool and review the settings.
Open the Security Configuration and Analysis tool and load the template.
Right-click the Security Configuration and Analysis node and select "Analyze Computer Now" from the context menu.
Wait until the analysis completes.
Review the analysis results and update the template as needed.
When you are satisfied with the template, right-click the Security Configuration and Analysis node and select "Configure Computer Now" from the context menu.
Configure an IPSec Policy
You should seriously consider setting an Internet Protocol Security (IPSec) packet-filter policy on each Web server. If your firewall is breached, the policy provides an additional layer of defense. Defense in depth is generally considered good practice.
In general, block all TCP/IP protocols and ports other than the ones you explicitly intend to support. You can deploy an IPSec policy with the IP Security Policy Management tool or the IPSecPol command-line tool.
Secure the Telnet server
If you plan to use the Telnet server included in Windows 2000, consider restricting which users can access the service. To do so, perform the following steps:
Open the Local Users and Groups tool.
Right-click the "Groups" node and select "New Group" from the context menu.
In the Group Name box, enter TelnetClients.
Click "Add" and add the users who are allowed Telnet access to the computer.
Click "Create", and then click "Close".
Once the TelnetClients group exists, the Telnet service allows only the users defined in that group to access the server.
IIS 5 security considerations
This section describes the security issues related to Internet Information Services 5.
Set appropriate ACLs on virtual directories
Although this step depends to some extent on the application, some general rules still apply, as shown in Table F-1.

File type                                   Access control list
CGI (.exe, .dll, .cmd, .pl)                 Everyone (X), Administrators (Full Control), System (Full Control)
Script files (.asp)                         Everyone (X), Administrators (Full Control), System (Full Control)
Include files (.inc, .shtm, .shtml)         Everyone (X), Administrators (Full Control), System (Full Control)
Static content (.txt, .gif, .jpg, .html)    Everyone (R), Administrators (Full Control), System (Full Control)

Table F-1. Recommended default ACLs by file type
Rather than setting an ACL on every file, it is better to create a directory for each file type, set the ACL on those directories, and let the files inherit the ACL from their directory. For example, the directory structure might look like this:
C:\inetpub\wwwroot\myserver\static (.html)
C:\inetpub\wwwroot\myserver\include (.inc)
C:\inetpub\wwwroot\myserver\script (.asp)
C:\inetpub\wwwroot\myserver\executable (.dll)
C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
In addition, two directories require special attention:
C:\inetpub\ftproot (FTP server)
C:\inetpub\mailroot (SMTP server)
The ACL on both of these directories is "Everyone (Full Control)" and should be tightened to what your application actually needs. If you must allow "Everyone (Write)", place the folder on a different volume from the IIS server files, or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
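The one-directory-per-type layout only works if no directory mixes file types: a .dll left among .html files either inherits Everyone (R), which gives no execute right to the CGI and exposes script source, or forces Everyone (X) onto the static files. The following script is an added example, not part of the original checklist. It walks a Web root, classifies each file with the extensions from Table F-1 (plus .htm and .jpeg, an assumption), and reports directories that hold more than one class and therefore cannot carry a single inherited ACL. The sample tree it creates in a temporary directory is constructed for the demonstration.

```python
"""Audit a Web root for directories that mix Table F-1 content classes.

Added example (not from the original checklist). A directory holding
files of more than one class cannot be secured with one inherited ACL.
The sample tree built by build_sample_tree() is constructed for the demo.
"""
import os
import tempfile
from collections import defaultdict

# Extension -> content class, following Table F-1 (.htm/.jpeg added here).
CLASS_BY_EXT = {
    ".exe": "cgi", ".dll": "cgi", ".cmd": "cgi", ".pl": "cgi",
    ".asp": "script",
    ".inc": "include", ".shtm": "include", ".shtml": "include",
    ".txt": "static", ".gif": "static", ".jpg": "static", ".jpeg": "static",
    ".html": "static", ".htm": "static",
}
# The Everyone ACE each class should carry, from Table F-1.
EVERYONE_ACE = {"cgi": "X", "script": "X", "include": "X", "static": "R"}


def classify(filename):
    """Return the Table F-1 class for a file, or 'unknown' if not listed."""
    return CLASS_BY_EXT.get(os.path.splitext(filename)[1].lower(), "unknown")


def audit_tree(root):
    """Map each directory (relative to root) to the set of classes it holds."""
    classes = defaultdict(set)
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            classes[rel].add(classify(name))
    return dict(classes)


def mixed_directories(classes):
    """Directories holding more than one known class; one inherited ACL cannot fit."""
    return sorted(d for d, kinds in classes.items() if len(kinds - {"unknown"}) > 1)


def recommended_ace(classes, directory):
    """Everyone ACE a homogeneous directory should carry, or None if it is mixed/empty."""
    kinds = classes.get(directory, set()) - {"unknown"}
    if len(kinds) != 1:
        return None
    return EVERYONE_ACE[next(iter(kinds))]


def build_sample_tree():
    """Constructed layout following the document, plus one misplaced .dll."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    layout = {
        "static": ["index.html", "readme.txt", "isapi.dll"],  # .dll is misplaced
        "include": ["header.inc"],
        "script": ["default.asp"],
        "executable": ["upload.dll"],
        "images": ["logo.gif"],
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in files:
            open(os.path.join(root, sub, name), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = audit_tree(root)
    for d in sorted(found):
        ace = recommended_ace(found, d)
        print(f"{d:12} classes={sorted(found[d])} Everyone({ace or 'MIXED'})")
    for d in mixed_directories(found):
        print(f"WARNING: {d} mixes content classes; split it before setting ACLs")
```

Run it against the real wwwroot instead of the sample tree and fix every directory it flags before applying the directory ACLs; once every directory is homogeneous, the ACE it recommends is the one from Table F-1.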
Set the ACL on IIS log files
Make sure the ACL on the log files generated by IIS (%systemroot%\system32\LogFiles) is:
Administrators (Full Control)
System (Full Control)
Everyone (RWC)
This helps prevent malicious users from deleting the files to cover their tracks.
Enable logging
Logging is essential when you want to determine whether the server is being attacked. Follow these steps to enable W3C Extended logging:
Load the Internet Information Services tool.
Right-click the site in question and select "Properties" from the context menu.
Click the "Web Site" tab.
Select the "Enable Logging" check box.
Select "W3C Extended Log File Format" from the "Active log format" drop-down list.
Click "Properties".
Click the "Extended Properties" tab and select the following properties:
Client IP Address
User Name
Method
URI Stem
HTTP Status
Win32 Status
User Agent
Server IP Address
Server Port
The last two properties are useful only when you host multiple Web sites on the same computer. The Win32 Status property is very useful for debugging. When reviewing logs, look for error 5, which means access was denied. You can find out what other Win32 errors mean by typing net helpmsg err at a command prompt, where err is the error number you are interested in.
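The properties selected above produce a W3C extended log whose column order is announced in a #Fields directive, so a log reviewer should read that directive rather than assume positions. The script below is an added example, not part of the original checklist: it parses such a log, picks out entries with Win32 status 5 (access denied) or HTTP 401/403, and groups them per client IP so repeated probing stands out. The log lines are constructed for the demonstration; the Win32 meanings in WIN32_MEANING are the standard texts for codes 0, 2, 3 and 5, and any other code is referred to net helpmsg as the text suggests.

```python
"""Flag access-denied activity in an IIS 5 W3C extended log.

Added example, not code from the original checklist. The SAMPLE_LOG
lines are constructed; the field names are the standard W3C names that
the extended properties selected in the text map to.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-14 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-03-14 10:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.asp 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:02 10.0.0.5 - 192.168.1.10 80 GET /scripts/cmd.exe 403 5 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:03 10.0.0.5 admin 192.168.1.10 80 GET /admin/ 401 5 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:04 10.0.0.7 - 192.168.1.10 80 GET /images/logo.gif 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:05 10.0.0.5 - 192.168.1.10 80 GET /winnt/system32/cmd.exe 404 2 Mozilla/4.0+(compatible;+MSIE+5.5)
"""

# Standard Win32 error texts (what "net helpmsg N" prints) for the common cases.
WIN32_MEANING = {
    0: "the operation completed successfully",
    2: "the system cannot find the file specified",
    3: "the system cannot find the path specified",
    5: "access is denied",
}


def describe_win32(code):
    """Text for a Win32 status, or the net helpmsg command that looks it up."""
    try:
        n = int(code)
    except (TypeError, ValueError):
        return f"unparseable status {code!r}"
    return WIN32_MEANING.get(n, f"unknown; run: net helpmsg {n}")


def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields directive.

    IIS rewrites #Fields whenever the selected properties change, so the
    column order is taken from the log itself rather than hard-coded.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        yield dict(zip(fields, values))


def _int(value):
    """Numeric log field, or -1 for '-' and other non-numeric placeholders."""
    return int(value) if value.isdigit() else -1


def access_denied(entries):
    """Entries whose Win32 status is 5 (access denied)."""
    return [e for e in entries if _int(e.get("sc-win32-status", "")) == 5]


def denied_by_client(entries):
    """Per client IP: Counter of (uri, http status, win32 status) for denied requests."""
    per_client = defaultdict(Counter)
    for e in entries:
        status = _int(e.get("sc-status", ""))
        win32 = _int(e.get("sc-win32-status", ""))
        if status in (401, 403) or win32 == 5:
            per_client[e["c-ip"]][(e.get("cs-uri-stem", "?"), status, win32)] += 1
    return dict(per_client)


def suspects(per_client, threshold=2):
    """Client IPs with at least `threshold` denied requests (threshold is an assumption)."""
    return sorted(ip for ip, hits in per_client.items() if sum(hits.values()) >= threshold)


if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE_LOG.splitlines()))
    per_client = denied_by_client(entries)
    for ip in suspects(per_client):
        print(f"{ip}: {sum(per_client[ip].values())} denied requests")
        for (uri, status, win32), n in per_client[ip].most_common():
            print(f"  {n}x {status} {uri} (win32 {win32}: {describe_win32(win32)})")
```

Point parse_w3c at a real file under %systemroot%\system32\LogFiles by passing the open file object instead of SAMPLE_LOG.splitlines(); the threshold in suspects is deliberately low for the demo and should be raised for a busy site.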
Set IP address and DNS address restrictions
This is not a common option, but it is useful if you want to restrict access to your Web site to certain users. Note that if you enter a Domain Name System (DNS) name, IIS