IIS Security

Sridurga Mavram

Contents

-Introduction

-Security Consideration

-Creating a web page

-Drawbacks

-Security Tools

-Conclusion

-References

- What is IIS?

IIS, an acronym for Internet Information Services is a web application server program that handles HTTP requests

The Internet Information Services is a suite of tools and services for creating, managing, and securing Web sites

Popular because IIS sites are so easy to implement.

- Why should you Secure it?

Easy to use, easy to hack

Default installation(comes with OS) is massively vulnerable and it is no wonder that attackers are finding IIS to be "the easiest pickings" of all Web servers.

Introduction

Security Consideration

- During Installation/Enabling

- Post Installation

During Installation/Enabling

DO NOT install IIS together with services that are of key importance for LAN functionality or security.

Default/No Harm Services:

•Common Files

•Documentation

•Internet Information Services Snap-In

•World Wide Web Server

Contd..

•File Transfer Protocol (FTP) Server

•NNTP Service

•SMTP Service

Risky:

•FrontPage 2000 Server Extensions

•Internet Service Manager (HTML)

-The first step in securing your server is to download the most updated Service Pack and current IIS patches.

- Don't forget to register so that you will automatically receive Microsoft security bulletins

Piece of Note

Post Installation

Before attempting to change settings, ensure that you make a backup copy of the metabase (i.e. the IIS configuration).

To do this, in the "Internet Services Manager" application, click on "Backup/Restore Configuration".

Give a name and create a backup

Location of Storing :

C:\WINNT\system32\inetsrv\MetaBack directory

Details of the Logs

“Enable Logging”

Change the log time period from daily

Put a dedicated drive(E:/LogFiles)

Extended Properties (Select all)

Home Directory Configuration

Allows you to set up dynamic WWW pages(dlls) that are files with specific extensions.

Example: C:\WINNT\System32\inetsrv\asp.dll, ism.dll, httpodbc.dll, ssinc.dll and C:\WINNT\System32\msw3prt.dll, idq.dll and webhits.dll

Remove all these except asp.dll and ssinc.dll (Security Issues)

Reason: These were used in the past for breaking into the IIS servers and infecting them with viruses

Example : buffer overflow vulnerability contained in the idq.dll

File Extension Mapping

In order to setup the extension service via ISAPI applications, click on the "Add" button and then fill in the boxes:

Executable:C:\WINNT\System32\inetsrv\asp.dll

Extension: .inc

Limit to: POST, GET, and HEAD

Application Configuration

Clear “Enable Parent Paths”

Reason: Restrict the access to the Application’s Directory

Clear “Session State”

Reason: Overloads Server’s Memory

Debugging

Enable "Send text error message to client"

Reason: Prevents Hackers from knowing the detail

Directory Security

Commonly used pages – Uncheck Integrated

Problem : username/password passed along the network.

Documents

Add default documents

Note: Home Directory settings - Read, Write, Directory Browsing should not be overlooked.

Creating Webpage

-Partition your Internet data on different disk drives.

Reason: Escaping from Hackers.

-Create a virtual Directory and map it to the Local Directory

-Enable only needed permissions

For Administrators: Full Control,

For Authenticated Users: Read and Execute

For SYSTEM: Full Control

-Disable Directory Browsing

Drawbacks

-Managing large IIS server configurations or multiple servers over the Internet can be slow and cumbersome.

-Hacker can enter as guest and take over the system privileges (due to insecure dll isolation).

- Tools that are produced outside of Microsoft do not alert you when you set a property that requires supporting properties.

Security Tools

IIS Lockdown tool

Installation Guide:

http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm

Download:

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

URLScan

Download:

http://www.microsoft.com/technet/security/tools/URLscan.asp

Conclusion

-Do not ignore making some necessary security tips

-Regularly update the server with the security patches

-For Additional Security, download the security tools

References

-Microsoft Windows Security Resourse Toolkit – Ben Smith and Brian Komar

-http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html

-http://www.serverwatch.com/news/article.php/1400491

-http://www.informit.com/articles/article.asp?p=29310&seqNum=5&rl=1

-http://www.eeye.com/html/Research/Advisories/AD20020410.html

Thank You