Hardening IIS Servers

Hardening Microsoft IIS Web Servers

Here are my notes on hardening (securing) Microsoft's Internet Information Server against attacks.

All topics are in this one large file for quick searches through all topics.

Topics this page:
IIS Running?
IIS Component Installation
Lockdown Services
Anonymous Connections
IP Lockdwn
TCP/IP Registries for DDoS
Your comments???

Site Map
About this site

IIS Running?

To check for the presence of a web server (IIS) on a local machine listening on port 80, open up an internet browser (Internet Explorer) and type:

http://localhost

http://127.0.0.1

If you see The webpage cannot be found a web server is not running on the machine.

By default, files are displayed from folder C:\inetpub\wwwroot, which after installation contains Default document file iisstart.htm.

Unless otherwise configured, the document displayed follows this priority of display (the top file is displayed, if defined):

Default.htm
Default.asp
index.htm
iistart.asp
Default.aspx

Local IIS Service Install

Installing IIS 7.5 on Windows 7 Professional, Enterprise, or Ultimate provides a script that installs all.

Most people now use Microsoft Web Platform Installer, wpilauncher.exe (113 KB). As of May, 2014, the spotlight is on the Azure cloud rather than local instances. Click on Products, Server, Name. Scroll down. Note IIS is already Installed.

Click on Recommended Configuration.

IIS Express is required for use with WebMatrix.

IIS comes with Windows, so the service is installed from Start icon > Control Panel.

Programs and Features (previously Add or Remove Programs)
Turn Windows Features on or off (previous Add or Remove Windows Components)
Expand Internet Information Services
Expand World Wide Web Services
Expand Application Development Features
Select ASP and ASP.NET
Expand Common HTTP Features
Select Default Document, HTTP Redirection, and Static Content
Click OK to close the dialog.

Start icon > right-click on Computer > select Manage. Within Computer Management, the Services and Applications tree.

IIS Component Installation

Components can be added after initial installation in Control Panel -> Add/Remove Windows Components.

Upon initial installation, iistart.asp is shown because other files are not supplied by the IIS installer. Configure this list and other IIS web server control options from Control Panel -> Administrative Tools -> Internet Information Services.

A web form can also be selected as the Start Page by right-clicking on it.

For better security (to prevent directory traversal attacks), do not add cutom web page files in the default wwwroot folder but create a virtual folder on another drive by right-clicking on the "Default Web Site" folder and selecting "New" then "Virtual Directory.".

REMEMBER: The "WWW" service must be "bounced" (stopped and restarted) after changes to any virtual directory.

IISTracer monitors IIS to see and log state of requests, incomming/outgoing bytes, http headers and several request running times. IISTracer shows a state of running scripts (.asp, .cfm, .php, .cgi, ...), applications (.dll, .exe, ..) and a big downloads (.mp3, .zip, ...). It lets you also monitor what script or which client (IP) hangs-up your server.

Troubleshooting IIS with Exception Monitor (Dbgplus.exe unzipped from ixcptmon.exe)

Lockdown Web Services Configuration

Rather than making changes manually, I prefer using the
Microsoft IIS Lockdown Tool/Wizard to reduce the attack surface available to attackers.

It writes changes to log file \WINNT\System32\inetsrv\oblt-log.log used for undos (which is automatic when you run Islockd.exe a second time). So if you configure a virtual directory as an application root after running IIS lockdown, that change is lost when you run IISLockdown again.

The extracted IISLockd.exe launches the IIS Lockdown Wizard based on the template specified in IISlockd.ini.

Disable unused Internet Services hackers use to gain access:
- File Transfer Protocol (FTP)
- E-mail service (SMTP)
- News service (NNTP)
Disable scripts by mapping resource types to 404.dll:
- Index Server Web Interface (.idq, .htw, .ida)
- Server-side includes (.shtml, .shtm, .stm)
- Internet Data Connector (.idc)
- .HTR scripting (.htr)
- Internet printing (.printer)
Remove virtual directories:
- IIS Samples
- MSADC
- IISHelp
- Scripts
- IISAdmin
Enable authentication control by disabling anonymous user access:
- Restrict anonymous access to system utilities and the ability to write to Web content directories by creating new local user groups:
  - Web Anonymous Users with the default anonymous Internet user account IUSR_MACHINE
  - Web Applications with the IWAM_MACHINE account.
- Add deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories.
Disable Web Distributed Authoring and Versioning (WebDAV).
Install the URLScan.exe ISAPI filter (which can be run separately from IISLockd.exe) to block requests that contain unsafe characters such as the period (.) used for directory traversal.
By default, it blocks the DEBUG verb needed by Microsoft Visual Studio� .NET for debugging ASP.NET pages. So add DEBUG in the [AllowVerbs] in the URLScan.ini.

How To: Use IISLockdown.exe

Understanding the IISlockdown Tool by SANS

How To: Secure Your Developer Workstation

Domain Controller Promotion: The Process and How to Troubleshoot It: June 20, 2000

Windows 2000 Utilities listed:

Activewin
Supershareware.com
MCSE Toolkit.com
CNET
Teleport traverses websites looking for key words and copying contents to your local computer.

Anonymous Connections

net use \\myserver\ipc$ "" /u: ""

If you see this complete successfully, it's vulnerable to anonymous information gathering.

To disable support in Windows NT

Backup your registry
Run Regedt32
Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Choose Add Value from the Edit menu.
Enter the following information in the Add Key dialog box:
Exit the Registry editor
Reboot

To disable support in Windows 2000

Invoke the Local Security Policy tool (or the Domain Policy tool if you're using a domain),
Select Local Policies (or Domain Policies).
Double-click Additional Restrictions For Anonymous Connections
Choose No Access Without Explicit Anonymous Permissions.
Close the policy tool. (There's no need to reboot)
Disable the PROPFIND service by setting "deny all" ACL on httpext.dll.

Additional Lockdown Configuration

Secure communications.

IP and domain name restrictions.

Apply NTFS permissions to website folders and files.

How To: Harden the TCP/IP Stack

TCP/IP Registry to Withstand DDoS

hisecweb.inf

this Microsoft Knowledge Base article

Registry Key	Recommended Value
Tcpip\Parameters\SynAttackProtect	0
Tcpip\Parameters\TcpMaxHalfOpen	100 (500 on Advanced Server)
Tcpip\Parameters\TcpMaxHalfOpenRetried	80 (400 on Advanced Server)
Tcpip\Parameters\EnablePMTUDiscovery	0

NetBt\Parameters\NoNameReleaseOnDemand	0
Tcpip\Parameters\EnabledDeadGWDetect	0
Tcpip\Parameters\KeepAliveTime	300,000
Tcpip\Parameters\Interfaces\PerformRouterDiscovery	0
Tcpip\Parameters\EnableICMPRedirects	0

Filex

Web Extender Client (WEC) protocol

Read and write access to the Web server is also required.

Advanced Configuration and Power Interface

AWE

Data Link Control

De-militarized Zone between the public and internal networks

Group Policy Object

Internet Printing Protocol

Line Printer Daemon

Network Bootstrap Program

Preboot Execution Environment

Trivial File Transfer Protocol

User Datagram Protocol

Related Topics:
ASP Programming
Website Security
Win2000 Install
Active Directory
Win2000 Admin
WinNT4 Install
Keyboard Shortcuts

Free Training!
Tech Support

Your rating of this page:
Low High

Your comments on this topic, please:

Publish this comment publicly

Your first name:

Your family name:

Your location (city, country):

Your Email address:

Email me updates

Top of Page

Thank you!