Recent Code Red attacks on hundreds of thousands of Windows 2000– and Windows NT–based Web servers show that building bastion hosts is still something that only rich companies can afford. I show you how you can have the same level of security on your Web server without spending big bucks on firewalls and security consultants. Here's a step-by-step guide for building a bastion host Web server.
Install a Clean Copy of Win2K Server
I recommend installing a clean copy of Win2K Server by booting up from the setup CD-ROM, while installing the new OS onto a clean server. (Before you reformat the hard disk, make sure that you back up all important files from your old server.) If you upgrade from NT Server rather than perform a clean Win2K installation, many steps are the same. However, be aware that NT files can make your server more vulnerable.
If your server has just one hard disk, I recommend that you partition it. Ordinarily, I use one partition (e.g., C) as a system disk to hold all system files and another partition (e.g., D) to hold all Web content. You can create additional partitions to hold different kind of files (e.g., scripts, static content). Partitioning adds one more level of security to your Web server. Even if intruders access a disk that contains Web content, they must still break into the system partition to gain access. (Of course, all partitions should be NTFS. FAT and FAT32 partitions are absolutely insecure.) Unfortunately, Win2K setup doesn't let you choose the directory for Microsoft Internet Information Services (IIS) 5.0. Thus, moving the Web server's content and binaries away from the system files to another partition isn't easy. I suggest that you make your Web server a standalone server. If you add the Web server to your domain, you risk giving intruders access to your entire network.
On my IIS machines, I install both NetBEUI and TCP/IP protocols. I leave all file operations to the NetBEUI protocol and use TCP/IP for Web server processing only. (I discuss how to configure TCP/IP later.)
You can also decide whether to install Win2K Server Terminal Services in Administrative mode on your Web server. Terminal Services is an attractive but potentially dangerous option for remote Web server administration because it lets intruders mount brute-force attacks on administrative passwords.
Install the Latest Service Pack and Post–Service Pack Hotfixes
At the time of this writing, I have Win2K Service Pack 2 (SP2) and more than 20 post-SP2 hotfixes. Installing the many hotfixes is a boring task. Fortunately, Microsoft provides a useful tool that lets you install all the hotfixes with only one reboot. You don't even need to worry about the order in which you install the hotfixes. You can install all the hotfixes at once by running a simple script from the command line. Copy all the hotfixes to one folder, then type
for %i in (*.exe) do echo %i -z -m -q >>hf.cmd
at the command line. This command creates the command file hf.cmd. Running hf.cmd installs all hotfixes in Silent mode without reboots. Then, go to the Microsoft article "Use QChain .exe to Install Multiple Hotfixes with Only One Reboot" (http://support .microsoft.com/support/kb/articles/ q296/8/61.asp) and download the executable file. Run qchain.exe from the folder in which you unpacked it.
To help you know whether you've installed all the necessary IIS hotfixes, Microsoft has created the Hotfix Checking tool (HFCheck) for IIS 5.0. You can download this utility from http://www.microsoft.com/downloads/ release.asp?releaseid=24168.
Before you use the hfcheck.wsf file from HFCheck, you need to reconfigure Windows Script Host (WSH) support in Win2K. Run the command
to change the default scripting host to the command-line version instead of the GUI-based version. (Make sure that you type two backslashes, which is the command syntax.) The .doc file that accompanies HFCheck provides additional information about how to configure the tool to automatically run on a schedule and inform you by email if new hotfixes for IIS 5.0 become available.
Delete All Samples and Default Content from IIS Folders
Deleting all samples and default content from IIS folders is an important step. Leaving samples in default folders gives intruders a great deal of access to your server.
By default, IIS provides all the samples, administrative pages, and documentation that Figure 1 shows. Sample scripts might let intruders view any text file on the server or, even worse, execute commands. To eliminate these sample files and folders, open Internet Services Manager (ISM) and delete all virtual directories from the Default Web Site.
Remove Unused Script Mappings in IIS
A basic principle of secure installations is not to install services you don't use. Unfortunately, by default, IIS has many mappings (i.e., associations between file extensions and DLLs used to handle calls to such files) for services. Many of them are rarely used and could leave your IIS machine vulnerable to attack. Figure 2 shows some of the default mappings in IIS.
You should never use certain mappings on production servers. Think twice before you leave the following mappings on your server:
- .htr (Web-based password reset)—This extension is an intruder favorite. You'll find many exploit descriptions for the .htr mapping on cracker Web sites. (For information about this exploit, see "IIS Denial of Service and Code Exposure," http://www.secadministrator.com/articles/index.cfm?articleid=9441, and "IIS 5.0 May Expose Script Contents," http://www.secadministrator.com/articles/index.cfm?articleid=16543.)
- .idc (Internet Database Connector)—This IIS 1.0 mapping is now largely unused.
- .stm, .shtm, and .shtml (server-side includes—SSIs)—Leave these mappings if you plan to use SSI files on your Web pages.
- .printer (Internet Printing)—This mapping could let intruders print on your printer.
- .htw (WebHits)—Many exploits use the .htw extension. (For more information about such exploits, see "Index Server Exposes File System," http://www.secadministrator.com/ articles/index.cfm?articleid=9508, and "Index Server Vulnerable to Information Stealing," http://www .secadministrator.com/articles/index.cfm?articleid=15980.)
- .ida and .idq (Win2K Indexing Service and Microsoft Index Server)—Leave these extensions only if you use Indexing Service or Index Server on your site. Be aware that these extensions are the source of the Code Red attacks. As long as these extension mappings are present—even if Indexing Service or Index Server isn't running—the host server is vulnerable. (For more information about this vulnerability, see the Microsoft article "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" at http://www.microsoft.com/technet/ security/bulletin/ms01-033.asp.)
To delete mappings for services you don't use, choose Start, Programs, Administrative Tools, Internet Services Manager. From ISM, right-click your server, then select Master Properties, WWW Service. Click Edit, then select Home Directory, Configuration. In the Application Configuration dialog box, delete the unused mappings.
I recommend that you leave only those extensions that you use and whose functions you understand (e.g., .asp, .cer., .cdx., .asa). I also recommend that you check for COM components that your applications don't need and remove them. In addition, disable the File System Object component if possible. (Unfortunately, you must enable the File System Object to use the Dictionary object.) Use the command
regsvr32 scrrun.dll /u
to disable the File System Object.
Set System Policies
Before Win2K, administrators spent a lot of time setting correct security policy, digging in the registry, and configuring services. Now, you can use the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in to perform these tasks.
First, download the template for securing a Web server at http://down load.microsoft.com/download/win2000 srv/scm/1.0/nt5/en-us/hisecweb.exe. This template is an archive with one file—hisecweb.inf. Copy this file to \%windir%\security\templates. Follow these steps to install the template:
- Run mmc.exe.
- Select Add/Remove Snap-in from the Console menu, then click Add.
- In the Add Standalone Snap-in dialog box, select the Security Configuration and Analysis snap-in, then click Add. Click Close, then click OK.
- In the Security Configuration and Analysis snap-in, load the hisecweb.inf template. Right-click the Security Configuration and Analysis snap-in, then select Analyze Computer Now.
Determine what's suitable for your system in this universal template, then update the template as necessary. After you've updated the template, right-click the Security Configuration and Analysis snap-in, then select Configure Computer Now to apply the security template to your system.
Win2K doesn't provide the IP-filtering functions that modern firewalls do, but it has a useful group of settings that lets you block unneeded access to IP ports. First, you need to disable access to your server through NetBIOS over TCP/IP (NetBT). Open the Control Panel Network and Dial-up Connections applet. Right-click Local Area Connection, then select Properties. Select Internet Protocol (TCP/IP), then click Properties. Click Advanced, click the WINS tab, then select the Disable NetBIOS over TCP/IP option, which Figure 3 shows.
However, disabling NetBT isn't enough. You must also unbind the TCP/IP protocol from your network advanced settings. Open the Network and Dial-up Connections applet. Select Advanced Settings from the Advanced menu, then unbind Internet Protocol (TCP/IP) from the File and Printer Sharing for Microsoft Networks service and from the Client for Microsoft Networks service, as Figure 4, page 3, shows.
Next, you must set up filtering for TCP/IP ports. Usually, attacks on a system begin with some kind of port-scanning software. If you close all unneeded ports, you offer intruders little to work with. In Win2K, you can configure tight security through an IP Security (IPSec) policy, such as the policy defined in the hisecweb.inf template, or use a few simple settings to block most of the IP ports, which is my preferred method. Figure 5 shows my port configuration settings.
If you use Terminal Services for remote control and administration, you must also enable TCP port 3389 for client connections. You can change the port number in the registry to make it harder for intruders to connect to the port. For more information about port settings for Terminal Services, see the Microsoft article "How to Change Terminal Server's Listening Port" (http://support.microsoft.com/ support/kb/articles/q187/6/23.asp).
Setting correct file permissions for all files on a Web server is extremely important. Win2K has a strong security system, so use it to protect your IIS machine. If you have all your content on separate disks, you can easily create separate virtual directories for each type of content. Then, you can set access for each type of content, as Table 1 shows.
Rather than set ACLs on each file, I recommend that you create new directories for each file type, set ACLs on the directory, and let the ACLs inherit to the files. This approach saves a lot of time later because you can place content and Active Server Pages (ASP) applications in directories without having to set appropriate ACLs. For example, a directory structure might look like the one that Figure 6 shows.
To keep intruders from altering log files, set appropriate ACLs on the directory that contains IIS log files (e.g., \%systemroot%\system32\logfiles), such as Administrators (Full Control) and System (Full Control). These settings will prevent intruders from deleting the log files to cover their intrusion attempts.
Maintain Your Sites
If you think that your server is now secure, it's not. Keeping your network secure is a daily, even an hourly, task. In addition to all the configuration work I've recommended to increase security, you must monitor your server to make sure it remains secure. Fortunately, Win2K has good auditing capabilities. I recommend that you subscribe to as many security news lists as possible (e.g., http://www.micro soft.com/technet/security/notify.asp), check http://www.microsoft.com/ security regularly, and bookmark http://www.secadministrator.com.