Hardening Microsoft IIS Web Servers

Here are my notes on hardening (securing) Microsoft's Internet Information Server against attacks.

All topics are in this one large file for quick searches through all topics.

Topics this page:
IIS Component Installation Lockdown Services
Anonymous Connections
IP Lockdown
TCP/IP Registries for DDoS
Your comments???

Site Map  
About this site  

IIS Component Installation

Unlike NT4, which required a separate Option Pack CD to install IIS4, Windows 2000 installs IIS5 automatically during Configuration of Windows Components. More components can be added after initial installation in Control Panel -> Add/Remove Windows Components.

To check for the presence of IIS on a local machine:

http://localhost
http://127.0.0.1

Default.htm Default.asp index.htm iistart.asp Default.aspx

This retrieves an "Under Construction" page in the folder IIS is installed (/inetpub/wwwroot). The first valid file from this list of file names is selected. Upon initial installation, iistart.asp is shown because other files are not supplied by the IIS installer. Configure this list and other IIS web server control options from Control Panel -> Administrative Tools -> Internet Information Services.

A web form can also be selected as the Start Page by right-clicking on it.

The "WWW" service must be "bounced" (stopped and restarted) after changes to any virtual directory.

For better security (to prevent directory traversal attacks), do not add cutom web page files in the default wwwroot folder but create a virtual folder on another drive by right-clicking on the "Default Web Site" folder and selecting "New" then "Virtual Directory.".

The Burrows & Langford Tutorial on Configuring and Using Internet Information Services (IIS) Server on Windowx XP describes how to move sites and create remote sites.

IISTracer monitors Microsoft IIS to see and log state of requests, incomming/outgoing bytes, http headers and several request running times. IISTracer shows a state of running scripts (.asp, .cfm, .php, .cgi, ...), applications (.dll, .exe, ..) and a big downloads (.mp3, .zip, ...). It lets you also monitor what script or which client (IP) hangs-up your server.

Troubleshooting IIS with Exception Monitor (Dbgplus.exe unzipped from ixcptmon.exe)

Lockdown Web Services Configuration

Rather than making changes manually, I prefer using the
Microsoft IIS Lockdown Tool/Wizard to reduce the attack surface available to attackers.

It writes changes to log file \WINNT\System32\inetsrv\oblt-log.log used for undos (which is automatic when you run Islockd.exe a second time). So if you configure a virtual directory as an application root after running IIS lockdown, that change is lost when you run IISLockdown again.

The extracted IISLockd.exe launches the IIS Lockdown Wizard based on the template specified in IISlockd.ini.

• Disable unused Internet Services hackers use to gain access:
  • File Transfer Protocol (FTP)
  • E-mail service (SMTP)
  • News service (NNTP)

• Disable scripts by mapping resource types to 404.dll:
  • Index Server Web Interface (.idq, .htw, .ida)
  • Server-side includes (.shtml, .shtm, .stm)
  • Internet Data Connector (.idc)
  • .HTR scripting (.htr)
  • Internet printing (.printer)

• Remove virtual directories:
  • IIS Samples
  • MSADC
  • IISHelp
  • Scripts
  • IISAdmin

• Enable authentication control by disabling anonymous user access:
  • Restrict anonymous access to system utilities and the ability to write to Web content directories by creating new local user groups:
    • Web Anonymous Users with the default anonymous Internet user account IUSR_MACHINE
    • Web Applications with the IWAM_MACHINE account.
  • Add deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories.

• Disable Web Distributed Authoring and Versioning (WebDAV).

• Install the URLScan.exe ISAPI filter (which can be run separately from IISLockd.exe) to block requests that contain unsafe characters such as the period (.) used for directory traversal.

  By default, it blocks the DEBUG verb needed by Microsoft Visual Studio® .NET for debugging ASP.NET pages. So add DEBUG in the [AllowVerbs] in the URLScan.ini.

How To: Use IISLockdown.exe

Understanding the IISlockdown Tool by SANS

How To: Secure Your Developer Workstation

Domain Controller Promotion: The Process and How to Troubleshoot It: June 20, 2000

Windows 2000 Utilities listed:

• Activewin

• Supershareware.com

• MCSE Toolkit.com

• CNET

• Teleport traverses websites looking for key words and copying contents to your local computer.

Anonymous Connections

Run this command to test whether a Windows NT/2000/XP "myserver" supports anonymous connections through the ipc$ hidden administrative share:
net use \\myserver\ipc$ "" /u: ""

If you see this complete successfully, it's vulnerable to anonymous information gathering.

To disable support in Windows NT

1. Backup your registry
2. Run Regedt32
3. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
4. Choose Add Value from the Edit menu.
5. Enter the following information in the Add Key dialog box:
   Value name: RestrictAnonymous
   Data type: REG_DWORD
   Value: 1

6. Exit the Registry editor
7. Reboot

To disable support in Windows 2000

1. Invoke the Local Security Policy tool (or the Domain Policy tool if you're using a domain),
2. Select Local Policies (or Domain Policies).
3. Double-click Additional Restrictions For Anonymous Connections
4. Choose No Access Without Explicit Anonymous Permissions.
5. Close the policy tool. (There's no need to reboot)
6. Disable the PROPFIND service by setting "deny all" ACL on httpext.dll.

Additional Lockdown Configuration

Setup a Host header entry for each FQDN in DNS associated with each website / TCP port on the same server.

Secure communications.

IP and domain name restrictions.

Apply NTFS permissions to website folders and files.

How To: Harden the TCP/IP Stack

TCP/IP Registry to Withstand DDoS

To make TCP/IP stacks more resistant to DDoS, here are the settings from Security Configuration Tool template hisecweb.inf recommended by this Microsoft Knowledge Base article

Registry Key	Recommended Value
Tcpip\Parameters\SynAttackProtect	0
Tcpip\Parameters\TcpMaxHalfOpen	100 (500 on Advanced Server)
Tcpip\Parameters\TcpMaxHalfOpenRetried	80 (400 on Advanced Server)
Tcpip\Parameters\EnablePMTUDiscovery	0
NetBt\Parameters\NoNameReleaseOnDemand	0
Tcpip\Parameters\EnabledDeadGWDetect	0
Tcpip\Parameters\KeepAliveTime	300,000
Tcpip\Parameters\Interfaces\PerformRouterDiscovery	0
Tcpip\Parameters\EnableICMPRedirects	0

Filex

Before files and folders on a Web server can be managed, the Web server must support Web folders, which require the Web Extender Client (WEC) protocol and Front page extensions, or the WebDAV protocol and IIS.

Read and write access to the Web server is also required.