Protecting IIS

Overview

Web servers have become easy targets for attackers, especially for Microsoft's IIS servers due to its default configuration. Unless you are using Windows 2003 with IIS 6.0, most features, such as anonymous FTP, are turned on by default. This document will help you improve the security of your IIS installation.

Best Practices

Run your IIS Server on Windows 2003. The default install is minimal and locked down. You can enable specific services you need, when you need them.
We recommend you put your IIS server on separate, stand-alone hardware. Isolating your server will create a physical barrier between your web sever and your data and your other network services.
Use a separate Organizational Unit (Windows 2000/2003) for your IIS server.
Keep up to date with the latest service packs and hotfixes on your server.
Enable auditing through the Local Security Policy and enable auditing of files through NTFS advanced permissions. This step will enable auditing for all files on NTFS Volumes.
If you are not running IIS 6.0, turn off Anonymous FTP immediately after installation. It is installed by default and can be very dangerous.
Request an ITSO vulnerability scan of your server.
Monitor the audit logs daily. At a minimum you should audit Object access: success and failure.

Stay Current

Apply the latest Service Packs for IIS. Microsoft has released two security updates that combine hotfixes for vulnerabilities in IIS. These combination security updates don't include fixes for vulnerabilities involving other products that you might install on IIS servers, such as the Front Page Server Extensions and Index Server.

Windows 2000 and IIS 5.0

Service Pack 4 for Windows 2000
A Cumulative IIS Patch, including all the hotfixes through May 30, 2003
Install the most recent hotfixes
Use Microsoft Baseline Security Analyzer to look for missing security hotfixes and to verify installation of previously installed hotfixes.

Windows 2003 and IIS 6.0

Securing a Windows 2003 Server
Install the most recent hotfixes
Use Microsoft Baseline Security Analyzer to look for missing security hotfixes and to verify installation of previously installed hotfixes.

Secure the Underlying Operating System

IIS is an application that resides on top of the operating system; therefore, to fully secure IIS, you must also take the appropriate steps to secure Windows.

Windows 2000

Run the IIS Lockdown Tool. This tool will turn off a number of unnecessary features and protect parts of the Operating System from IIS.
Microsoft Operations Guide
SANS Step-by-Step Guide
Securing Internet Information Services 5.0 and 5.1

Windows 2003

Disable Unnecessary Services, Protocols and Features

Consider removing the following services if they are not being used:

Alerter
Clipbook Server
Computer Browser
DHCP Client
Messenger
NetBios Interface
Netlogon (not required on stand alone servers)
Network DDE
Network DDE DSDM
Network Monitor Agent
NWlink NetBios
Simple TCP/IP Services
Spooler
Server Service (not required unless you need Netlogon or DFS services)
SSDP Discovery Service
TCP/IP NetBios Helper
Universal Plug and Play

Restrict or delete access to certain files:

at.exe
cacls.exe
cmd.exe
cscript.exe
debug.exe
edlin.exe
finger.exe
ftp.exe
issync.exe
nbtstat.exe
net.exe
netsh.exe
poledit.exe
rcp.exe
regedit.exe
regedit32.exe
regini.exe
regsrv32.exe
rexec.exe
rsh.exe
runas.exe
runonce.exe
telnet.exe
tftp.exe
tracert.exe
tskill.exe
wscript.exe

Delete unused folders within the default Web site folder. Delete sample pages and scripts from the following folders:

\Inetpub\iisamples\
\Program Files\Common Files\System\msadc\Samples\

Remove the script mappings for Internet Data Queries (.idq files) and Administrative Scripts (.ida files) files via the Internet Services Manager in IIS.

Do not install the Internet Information Resource Kit or any other resource kits. If you need to use certain files from these kits, install them on a separate computer and move them to the IIS server as needed. Remove them when finished.

The following list contains some items you may want to consider, depending on your IIS requirements.

Remove the printer folder and unmap ISAPI
Disable unused bindings
RestrictAnonymous registry value to protect usernames
Use passfilt.dll password complexity filtering
Use passprop.exe so the administrator account can be disabled
Rename Administrator and use an Extended ASCII password
Use syskey.exe encryption of SAM database
Use NTLMv2 authentication exclusively
Disable administrative shares
Control access to the registry and named pipes
Control null session access to shares
Turn off content header info
Disable directory browsing
Default permissions are Scripts Only and Read. If you're not using ASP or other scripting, reset Scripts permissions to None.
Place scripts in a separate folder which would only have the Scripts permissions
Create a bin folder to hold all executable files or DLLs. Set the permissions to scripts and executables.
Remove Web Distributed Access and Development (WebDev)
Remove any ISAPI scripts that are not needed (look under Application Configuration)

Detecting and Removing

Recent outbreaks of computer worms spreading via vulnerabilities in Microsoft's Internet Information Server (IIS) have prompted some users to remove IIS installations completely from their networks. The following steps will help you determine if IIS 5 or 6 is running on your system and how to remove it if desired.

Windows 2000

To determine if IIS 5.0 is installed, do the following:

Click Start, point to Settings, and then click Control Panel.
Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
In the Windows Component Wizard dialog box, find Internet Information Services (IIS). If the Internet Information Services (IIS) check box is selected, IIS is installed on your computer

To remove IIS from Windows 2000, do the following:

From the Start menu, select Settings, then Control Panel.
Double-click the Add/Remove Programs icon.
Click the Add/Remove Windows Components button from the left pane of the Add/Remove Programs window.
Make sure that box next to Internet Information Services (IIS) is unchecked in the Windows Components Wizard window.
Click Next.
Click Finish.
Click Close.
Click Reboot.

Windows XP

To determine if IIS 5.1 is installed, do the following:

Click on Start, and then click Control Panel.
Double-click Add/Remove Programs.
Select Add/Remove Windows Components.
In the Windows Component Wizard dialog box, find Internet Information Services (IIS). If the Internet Information Services (IIS) check box is selected, IIS is installed on your computer.

To remove IIS from Windows XP, do the following:

From the Start menu, select Control Panel.
Double-click the Add/Remove Programs icon.
Click the Add/Remove Windows Components button from the left pane of the Add/Remove Programs window.
Make sure that box next to Internet Information Services (IIS) is unchecked in the Windows Components Wizard window.
Click Next.
Click Finish.
Click Close.
Click Reboot.

Microsoft Tools and Related Information

Securing Internet Information Services 5.0 and 5.1

Securing Internet Information Services 6.0

Lockdown: This tool lets you instantly configure an IIS 5.0 or 5.1 Web server for secure operation. It provides multiple modes: an express mode that is appropriate for most basic web servers, and an advanced mode that allows the administrator pick and choose the technology the server will support. The tool provides an undo feature that allows the effects of the most recent lockdown to be reversed -

Urlscan: IIS administrators can use this tool to help secure their Web servers. When URLScan is installed, it screens all incoming requests to the server, and filters them, based on rules that the administrator has set. This significantly improves the security of the server by helping to ensure that the server only responds to valid requests for service.