Peel off the extra service layers to create an impenetrable public Internet server
Running any service on a computer attached to the Internet requires careful planning. While providing the required service, you need to ensure that you aren't providing other services that crackers can use as entry points into your network. Furthermore, you need to take steps to lock down the required service as much as possible. This guide helps you perform both of these hardening tasks on a Windows NT 4.0 server running IIS 4.0. I show you how to turn your Web server into a bastion host: a host computer that you make directly available to the public network and that's designed to screen the rest of the network from security exposures.
(Don't use hardening techniques on an internal file and print server or domain controller (DC); the techniques remove some services that these servers need to function.)
To build a UNIX Web server, you usually start with a base installation of the OS and add only the necessary services, thereby limiting the server's functionality and complexity to the minimum required. For an NT Web server, you work backwards from a complete installation to remove all but what you need. In other words, you peel away the outer layers of software and services until you're left with nothing but a hard inner core of NT and IIS. By removing or locking down all unnecessary functions on your Web server, you protect your server not only from today's known attacks but also from attacks that will be developed in the future. For example, if someone manages to use a new type of attack, or exploit, to somehow make the IUSR_computername account execute a file that isn't in the server's \wwwroot directory, that attempt won't compromise your machine because you'll have explicitly locked down permissions on that account.
Install NT
Start with a fresh installation of the English-language version of NT Server 4.0. (Microsoft is notoriously slow to release patches for foreign-language versions.) Don't attempt to harden an existing production Web server; unpredictable results will occur. If you want to harden an existing Web site, set up a new server and migrate the Web site's application and data to the new box after you've completed the steps in this guide.
Use NTFS on all partitions. Install only one copy of the OS on the server. If you ever need another copy of the OS on the server for troubleshooting, install it only when necessary and remove it afterward to limit the server's exposure to attacks. Choose the standalone server role, not the PDC or BDC role. Install the server as a workgroup member, not a domain member. You want only local accounts on this machine to limit exposure to your production NT domain. You'll remove most of the functionality that would let this server communicate in a domain infrastructure. You won't be able to use normal NT drive mapping or other trusted host-type features that are commonly used in NT domains.
After installing the OS, download NT 4.0 Service Pack 6a (SP6a) at http://www.microsoft.com/ntserver/nts/downloads/recommended/sp6/allsp6.asp and install it. Then, download Microsoft Internet Explorer (IE) 5.01 SP2 at http://www.microsoft.com/windows/ie/download/ie501sp2.htm and install it. Don't install Active Desktop; you're trying to keep the installation as simple as possible by limiting it to the software necessary for Web functionality.
Install the NT 4.0 Option Pack, and choose custom installation. Install only the items that Figure 1 shows. (Clear all other items.)
After you install the Option Pack, install applicable updates. Keeping up-to-date with service packs and hotfixes is a full-time job. Microsoft has withdrawn some hotfixes a few days after releasing them because the fixes introduced bigger security holes than they fixed. Other hotfixes have been known to break a server. When a new fix becomes available, you must assess your level of exposure and decide how soon to implement the fix. A lab with a similarly configured Web server on which you can test the fix is extremely helpful in making such calls. However, unless you're facing a clear and present danger, I suggest waiting a few days after Microsoft releases a hotfix and monitoring the security mailing lists and newsgroups to see what results others have with the fix. Figure 2 lists the service packs and hotfixes I had installed as of August 2000. For more complete information, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp?productid=16&servicepackid=7.
Move your \wwwroot directory to a separate partition or disk from the OS. Choose the default setting, local administration, for Microsoft Transaction Server (MTS). Microsoft Data Access Components (MDAC) has created holes that have given crackers access to many IIS servers. Later, I show you how to edit the registry to close these holes. For now, install the latest compatible version of MDAC (release to manufacturing, or RTM, version 2.6 as of this writing) at http://www.microsoft.com/data/download.htm?rld=377.
Configure NT
Now that you've installed most of the necessary software, you can start configuring it. First, on all partitions, change the default setting that gives everyone full control. Use File Manager to recursively set permissions on each partition's root directory to give administrators full control and the system full control. You'll further refine the NTFS permissions later.
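A command-line equivalent of the File Manager step above, using the cacls utility that ships with NT 4.0, followed by a check that the Everyone entry is gone. This is an added example, not part of the original guide; the drive letters C and D are assumptions, so edit the list to match the server's partitions.

```batch
@echo off
rem Added example: replace the default "Everyone: Full Control" ACL on each
rem partition with Full Control for Administrators and SYSTEM only.
rem Assumption: the server's NTFS partitions are C: and D:.
rem
rem cacls switches used below:
rem   /T  apply to the root directory and everything beneath it
rem   /C  continue past files that return access-denied errors
rem   /G  grant the listed rights; without /E this REPLACES the existing ACL
rem cacls prompts for confirmation before replacing an ACL, so "echo y" is
rem piped in to answer the prompt.

for %%D in (C D) do (
    if exist %%D:\ (
        echo Resetting ACLs on %%D:\
        echo y| cacls %%D:\ /T /C /G Administrators:F SYSTEM:F > nul

        echo Resulting ACL on %%D:\
        cacls %%D:\

        cacls %%D:\ | find /i "Everyone" > nul
        if not errorlevel 1 echo WARNING: Everyone still has an entry on %%D:\
    )
)
```

Run it from an administrator console on the freshly built server; any WARNING line means the ACL on that root was not replaced and should be checked by hand.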
To protect the server console, set up the screen saver for the administrator's profile. Open the Control Panel Display applet, click the Screen Saver tab, and select the Password protection check box.