Hardening Microsoft IIS Web Servers

Here are my notes on hardening (securing) Microsoft's Internet Information Server against attacks.

All topics are in this one large file for quick searches through all topics.

Topics on this page:
IIS Running?
IIS Component Installation
Lockdown Services
Anonymous Connections
IP Lockdown
TCP/IP Registries for DDoS



IIS Running?

Local IIS Service Install

Installing IIS 7.5 on Windows 7 Professional, Enterprise, or Ultimate: a script is available that installs all components.

IIS Component Installation

    Components can be added after initial installation in Control Panel -> Add/Remove Windows Components.

    Upon initial installation, iistart.asp is shown because other files are not supplied by the IIS installer. Configure this list and other IIS web server control options from Control Panel -> Administrative Tools -> Internet Information Services.

    A web form can also be selected as the Start Page by right-clicking on it.

    For better security (to prevent directory traversal attacks), do not add custom web page files in the default wwwroot folder; instead create a virtual folder on another drive by right-clicking on the "Default Web Site" folder and selecting "New", then "Virtual Directory".

    REMEMBER: The "WWW" service must be "bounced" (stopped and restarted) after changes to any virtual directory.

    IISTracer monitors IIS to see and log the state of requests, incoming/outgoing bytes, HTTP headers and several request running times. IISTracer shows the state of running scripts (.asp, .cfm, .php, .cgi, ...), applications (.dll, .exe, ...) and big downloads (.mp3, .zip, ...). It also lets you monitor which script or which client (IP) hangs up your server.

    Troubleshooting IIS with Exception Monitor (Dbgplus.exe, unzipped from ixcptmon.exe).


Lockdown Web Services Configuration

    Rather than making changes manually, I prefer using the Microsoft IIS Lockdown Tool/Wizard (iislockd.exe, version 2.1 as of 10/10/2002) to reduce the attack surface available to attackers.

    It writes changes to the log file \WINNT\System32\inetsrv\oblt-log.log, which is used for undos (undo is automatic when you run IISLockd.exe a second time). So if you configure a virtual directory as an application root after running IIS Lockdown, that change is lost when you run IISLockdown again.

    The extracted IISLockd.exe launches the IIS Lockdown Wizard based on the template specified in IISlockd.ini.

    • Disable unused Internet Services hackers use to gain access:
      • File Transfer Protocol (FTP)
      • E-mail service (SMTP)
      • News service (NNTP)

    • Disable scripts by mapping resource types to 404.dll:
      • Index Server Web Interface (.idq, .htw, .ida)
      • Server-side includes (.shtml, .shtm, .stm)
      • Internet Data Connector (.idc)
      • .HTR scripting (.htr)
      • Internet printing (.printer)

    • Remove virtual directories:
      • IIS Samples
      • MSADC
      • IISHelp
      • Scripts
      • IISAdmin

    • Enable authentication control by disabling anonymous user access:

      • Restrict anonymous access to system utilities and the ability to write to Web content directories by creating new local user groups:
        • Web Anonymous Users with the default anonymous Internet user account IUSR_MACHINE
        • Web Applications with the IWAM_MACHINE account.
      • Add deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories.

    • Disable Web Distributed Authoring and Versioning (WebDAV).

    • Install the URLScan.exe ISAPI filter (which can be run separately from IISLockd.exe) to block requests that contain unsafe characters such as the period (.) used for directory traversal.

      By default, it blocks the DEBUG verb needed by Microsoft Visual Studio .NET for debugging ASP.NET pages. So add DEBUG to the [AllowVerbs] section in URLScan.ini.


Anonymous Connections

    Run this command to test whether a Windows NT/2000/XP server "myserver" supports anonymous connections through the ipc$ hidden administrative share:

      Start > Run:  net use \\myserver\ipc$ "" /u:""

    If this completes successfully, the server is vulnerable to anonymous information gathering.

    To disable support in Windows NT:

    1. Back up your registry.
    2. Run Regedt32.
    3. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
    4. Choose Add Value from the Edit menu.
    5. Enter the following information in the Add Value dialog box:

        Value name: RestrictAnonymous
        Data type: REG_DWORD
        Value: 1

    6. Exit the Registry editor.
    7. Reboot.

    To disable support in Windows 2000:

    1. Invoke the Local Security Policy tool (or the Domain Policy tool if you're using a domain).
    2. Select Local Policies (or Domain Policies).
    3. Double-click Additional Restrictions For Anonymous Connections.
    4. Choose No Access Without Explicit Anonymous Permissions.
    5. Close the policy tool. (There's no need to reboot.)
    6. Disable the PROPFIND service by setting a "deny all" ACL on httpext.dll.


Additional Lockdown Configuration

    Set up a Host header entry for each FQDN in DNS associated with each website / TCP port on the same server.

    Secure communications.

    IP and domain name restrictions.

    Apply NTFS permissions to website folders and files.


TCP/IP Registry to Withstand DDoS

    To make TCP/IP stacks more resistant to DDoS, here are the settings from the Security Configuration Tool template hisecweb.inf recommended by this Microsoft Knowledge Base article. Key paths are relative to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:

    Registry Key                                         Recommended Value
    Tcpip\Parameters\SynAttackProtect                    0
    Tcpip\Parameters\TcpMaxHalfOpen                      100 (500 on Advanced Server)
    Tcpip\Parameters\TcpMaxHalfOpenRetried               80 (400 on Advanced Server)
    Tcpip\Parameters\EnablePMTUDiscovery                 0
    NetBt\Parameters\NoNameReleaseOnDemand               0
    Tcpip\Parameters\EnableDeadGWDetect                  0
    Tcpip\Parameters\KeepAliveTime                       300,000
    Tcpip\Parameters\Interfaces\PerformRouterDiscovery   0
    Tcpip\Parameters\EnableICMPRedirects                 0
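As an added example (not from the original page), this PowerShell audit reads the registry values recommended in the table above and in the RestrictAnonymous step of the Anonymous Connections topic, and reports which ones are missing or differ. The expected values are copied from the page; the function names and the $Baseline table are my own, and PerformRouterDiscovery is checked per interface subkey because that is where Windows stores it.

```powershell
# Added example: audit-only check of the registry values this page recommends.
# Nothing is written; run in an elevated PowerShell and review the DRIFT rows.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Expected values, taken from the page's hisecweb.inf table and the
# RestrictAnonymous step (Advanced Server alternatives noted in comments).
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expected = 1 }
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'SynAttackProtect';      Expected = 0 }
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'TcpMaxHalfOpen';        Expected = 100 }    # 500 on Advanced Server
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'TcpMaxHalfOpenRetried'; Expected = 80 }     # 400 on Advanced Server
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'EnablePMTUDiscovery';   Expected = 0 }
    @{ Path = "$Services\NetBT\Parameters"; Name = 'NoNameReleaseOnDemand'; Expected = 0 }
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'EnableDeadGWDetect';    Expected = 0 }
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'KeepAliveTime';         Expected = 300000 } # milliseconds
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'EnableICMPRedirects';   Expected = 0 }
)

function Test-HardeningBaseline {
    param([Parameter(Mandatory)][hashtable[]]$Baseline)
    foreach ($item in $Baseline) {
        # SilentlyContinue turns a missing key or value into $null so it is
        # reported as NOT SET instead of aborting the whole audit.
        $props  = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $props) { $props.($item.Name) } else { $null }
        $status = if ($null -eq $actual) { 'NOT SET' }
                  elseif ([int64]$actual -eq [int64]$item.Expected) { 'OK' }
                  else { 'DRIFT' }
        [pscustomobject]@{
            Key      = "$($item.Path)\$($item.Name)"
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# PerformRouterDiscovery lives under each interface's own GUID subkey,
# so enumerate Interfaces\* rather than reading one fixed path.
function Test-RouterDiscovery {
    Get-ChildItem "$Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
        $v = (Get-ItemProperty $_.PSPath -Name PerformRouterDiscovery -ErrorAction SilentlyContinue).PerformRouterDiscovery
        [pscustomobject]@{ Interface = $_.PSChildName; PerformRouterDiscovery = $v; Status = if ($v -eq 0) { 'OK' } else { 'CHECK' } }
    }
}

Test-HardeningBaseline -Baseline $Baseline | Format-Table -AutoSize
Test-RouterDiscovery | Format-Table -AutoSize
```

Rows marked NOT SET mean the stack is running on its built-in default for that parameter, which the page's template does not trust; a reboot is needed before changed TCP/IP values take effect.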

Filex

    Before files and folders on a Web server can be managed, the Web server must support Web folders, which require either the Web Extender Client (WEC) protocol and FrontPage extensions, or the WebDAV protocol and IIS.

    Read and write access to the Web server is also required.


Portions ©Copyright 1996-2010 Wilson Mar. All rights reserved.
