October 2001

Hardening an IIS 4.0 Web Server


Run the Hisecweb.inf Hardening Script
The next step is to run hisecweb.inf, a slightly modified version of Microsoft's high-security Web server .inf file for NT 4.0 and IIS 4.0. Download hisecweb.zip from the Code Library on the IIS Administrator Web site (http://www.iisadministrator.com), and unzip the file to a Temp directory.

Web-exclusive Figure 1 summarizes the changes that hisecweb.inf makes to your server. For a detailed look at the changes, open the hisecweb.inf file in the Microsoft Management Console (MMC) Security Configuration Editor snap-in. To implement the hisecweb .inf changes, type the command

secedit /configure /cfg hisecweb.inf /db %temp%\secedit.sdb /verbose /log %temp%\seclog.txt

at the command prompt. Hisecweb.inf renames the Administrator account to root. Set a strong password on the Administrator account, then change root to a name that's unique in your environment.

Edit the Registry
Hisecweb.inf can't perform all the necessary registry edits; you must do some manually (e.g., you must delete some registry keys). So fire up regedt32, and start hacking away at the registry. (The standard disclaimers apply, of course.) First, remove the OS/2 and POSIX subsystems. To do so, remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT registry subkey. Then remove the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath registry subkey. Finally, remove these registry subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2. Open Windows Explorer, and delete the C:\winnt\system32\os2 directory and all its subdirectories.

One of the most devastating IIS attacks of recent years is an exploit in which a cracker uses the MDAC Remote Data Services (RDS) Data Factory component to gain unauthorized access to an IIS machine. After Rain Forest Puppy discovered the vulnerability, crackers ran autoscripts that searched the Web for IIS servers that had the component installed. When the crackers found an exploitable copy of MDAC, they copied root kits that contained remote-access programs such as Virtual Network Computing (VNC) to the Web server or they defaced the server's Web sites. No level of hotfix or service pack can protect your server against MDAC attacks—you must remove the RDS Data Factory object. If you aren't using the Data Factory object—and chances are that you aren't on a bastion Web server—remove its functionality. To do so, delete these registry subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls. Then, reboot your server. You can read more about the MDAC vulnerability at http://www.wiretrip.net/rfp/p/doc.asp?id=5&iface=7.
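The registry cleanup in the two preceding sections is easy to get half done, so here is an added check (it is not code from the article or its download): a Python script that reads a REGEDIT4 text export (the format NT 4.0's regedit /e writes) and reports which of the listed subsystem and RDS Data Factory entries are still present, then writes a REGEDIT4 file that deletes the survivors. Because some of the listed names show up in an export as values under their parent key rather than as subkeys of their own, the script resolves each one as a key or a value; the sample export is constructed.

```python
# Audit a REGEDIT4 export for the subsystem and RDS entries the article removes, then
# emit a REGEDIT4 file that deletes whatever is still present.
import re

TARGETS = [  # exactly the paths the article lists; each is resolved below as a key or a value
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls",
]
_VALUE_RE = re.compile(r'^"([^"]+)"=')  # a value line in an export looks like "Name"=...

def parse_regedit4(text):
    """Map each exported key path (lower-cased) to the set of value names under it."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # [key path] opens a section
            current = line[1:-1].lower()
            keys.setdefault(current, set())
        elif current is not None and _VALUE_RE.match(line):
            keys[current].add(_VALUE_RE.match(line).group(1).lower())
    return keys

def find_leftovers(export_text):
    """Return (kind, key, name) per target still present; kind is 'key' or 'value'."""
    keys, found = parse_regedit4(export_text), []
    for target in TARGETS:
        parent, _, leaf = target.rpartition("\\")
        if target.lower() in keys:                          # present as its own subkey
            found.append(("key", target, None))
        elif leaf.lower() in keys.get(parent.lower(), ()):  # present as a value of the parent
            found.append(("value", parent, leaf))
    return found

def build_removal_reg(leftovers):
    """REGEDIT4 deletion syntax: [-key] removes a whole key, "name"=- removes one value."""
    lines = ["REGEDIT4", ""]
    for kind, key, name in leftovers:
        lines += ["[-%s]" % key, ""] if kind == "key" else ["[%s]" % key, '"%s"=-' % name, ""]
    return "\n".join(lines)

# Constructed sample export: the POSIX entries and one RDS launch key survived the manual cleanup.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Optional"=hex(7):50,00,6f,00,73,00,69,00,78,00,00,00,00,00
"Posix"="%SystemRoot%\\system32\\psxss.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory]
"""
```

Feed the output of build_removal_reg to regedit /s on the server, then export again and re-run find_leftovers; an empty list is the result you want before rebooting.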

Remove Network Services
The next step is to remove unnecessary network services. In the Control Panel Network applet, click Services. Remove NetBIOS Interface, Computer Browser, Server, and Workstation. Keep RPC Configuration, and keep SNMP if necessary. Note that when you remove the Workstation service, you receive the message "Windows NT Networking is not installed. Do you want to install it now?" each time you open the Control Panel Network applet. Just click No in the message box when this happens.

Set Permissions
Now you can further lock down permissions to peel off another few layers of security vulnerability. First, secure the IUSR_computername account. Open User Manager. Under Username, rename the IUSR_computername account to an obscure name. Set a strong password, and ensure that the renamed IUSR_computername account is disabled.

Remove the renamed IUSR_computername account from the Guest group. Set permission for the renamed IUSR_computername account on all volumes to No Access. To let the Web server function properly, change the renamed IUSR_computername account permission to Read Only for the directories that Table 3 shows. (Don't use recursive permissions for these directories.)

I recommend that you also reset some user rights. In User Manager, select Policies, User Rights, then set the rights that Table 4 specifies.

Set the Firewall Access List
Even these steps aren't enough to ensure the security of your bastion server. You must also have a perimeter firewall that limits access to the box. You want to let in HTTP from anywhere and allow a few management protocols in from only a select few subnets. Web-exclusive Figure 2 shows a sample ACL for a router acting as a firewall that permits only HTTP (port 80), SSL (port 443), SSH, and SNMP. If you need to Web surf from the box, you must also add UDP port 53 as an allowed port in the firewall.

Administer the Server with SSH
You've disabled all the normal methods for updating your Web server (i.e., Microsoft FrontPage Server Extensions, FTP, and file sharing), but you still need to be able to administer the box, and your Web developers need to be able to upload new content in a secure way. The best tool for securely updating and administering the server is SSH, which provides strong user authentication and end-to-end encryption. SSH encrypts all communication between client and server, unlike FTP, which passes data (including passwords) in plaintext.

I currently install a commercial version of SSH, SSH Secure Shell for Windows Servers, on my bastion-host Web servers, and I highly recommend that all commercial installations do the same. You can download SSH Secure Shell for Windows Servers (which comes with support updates and a graphical file-transfer program and costs $565) from http://www.ssh.com/products/ssh.

You can download free versions of SSH for Windows from various Web sites. For your convenience, I've included sshdnt.zip, an old SSH for NT port that I formerly used. You can download sshdnt.zip from the Code Library on the IIS Administrator Web site. Use this port with caution—if you have more than one user simultaneously accessing the server, one user could run code in another user's context, thereby elevating the first user's privilege level.

Download sshdnt.zip to a Temp directory on your bastion-host Web server, then decompress it. From the same directory, run install.bat, which creates a server key, installs SSH as a service, and starts the SSH service. Edit the Passwd file (in C:\etc) to add users in the format username:x:user ID:group ID:full name:home directory:. For example, you could add the user administrator:x:1:10:Local Administrator:/bin:.
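The Passwd file format above is simple but unforgiving, and a stray colon or a reused user ID is easy to miss by hand. The following Python helper is an added example (not part of the article or the sshdnt package): it parses a Passwd file in the stated format and appends a new user only if the name and user ID are not already taken; the starting file is constructed from the article's own example entry.

```python
# Build entries for the sshdnt Passwd file (kept in C:\etc) in the format the article gives:
# username:x:user ID:group ID:full name:home directory:   (note the trailing colon)

def parse_passwd(text):
    """Return (username, uid, gid, fullname, home) per non-blank line; raise on a bad line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        # seven fields: the second is the literal "x", the last is empty (trailing colon)
        if len(fields) != 7 or fields[1] != "x" or fields[6] != "":
            raise ValueError("line %d: expected user:x:uid:gid:name:home: but got %r" % (n, line))
        entries.append((fields[0], int(fields[2]), int(fields[3]), fields[4], fields[5]))
    return entries

def add_user(text, username, uid, gid, fullname, home):
    """Append one user, refusing duplicate names or UIDs and any ':' inside a field
    (a colon would shift every column that follows it)."""
    for field in (username, fullname, home):
        if ":" in field:
            raise ValueError("field %r must not contain ':'" % field)
    if not username or not home:
        raise ValueError("username and home directory are required")
    existing = parse_passwd(text)
    if any(e[0] == username for e in existing):
        raise ValueError("user %s already exists" % username)
    if any(e[1] == uid for e in existing):
        raise ValueError("uid %d already in use" % uid)
    line = "%s:x:%d:%d:%s:%s:" % (username, uid, gid, fullname, home)
    return text + ("" if not text or text.endswith("\n") else "\n") + line + "\n"

# Constructed starting file containing the article's example entry.
SAMPLE_PASSWD = "administrator:x:1:10:Local Administrator:/bin:\n"
```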

To transfer files between computers running SSH, you use the Secure Copy (scp) command. For example, to push the net.txt file from a UNIX host named host.com to the \bin directory on an NT host with IP address 10.0.0.20, you log on to host.com and type

scp net.txt administrator@10.0.0.20:/bin

To pull the test.exe file from the same NT host to your user directory on host.com, log on to host.com and type

scp administrator@10.0.0.20:test.exe /home/user

You now have a secure, remotely manageable Web server. You might think that your quest for a secure Web server is over, but nothing could be further from the truth. You've made a good start, but you need to stay current with what's happening in both the NT and the security world and make sure that you implement a process for testing and deploying hotfixes and patches before a critical event occurs.
