Create a bastion host IIS machine
Recent Code Red attacks on hundreds of thousands of Windows 2000 and Windows NT-based Web servers show that building bastion hosts is still something that only rich companies can afford. I show you how you can have the same level of security on your Web server without spending big bucks on firewalls and security consultants. Here's a step-by-step guide for building a bastion host Web server.
Install a Clean Copy of Win2K Server
I recommend installing a clean copy of Win2K Server by booting up from the setup CD-ROM, while installing the new OS onto a clean server. (Before you reformat the hard disk, make sure that you back up all important files from your old server.) If you upgrade from NT Server rather than perform a clean Win2K installation, many steps are the same. However, be aware that NT files can make your server more vulnerable.
If your server has just one hard disk, I recommend that you partition it. Ordinarily, I use one partition (e.g., C) as a system disk to hold all system files and another partition (e.g., D) to hold all Web content. You can create additional partitions to hold different kinds of files (e.g., scripts, static content). Partitioning adds one more level of security to your Web server. Even if intruders access a disk that contains Web content, they must still break into the system partition to gain access. (Of course, all partitions should be NTFS. FAT and FAT32 partitions are absolutely insecure.) Unfortunately, Win2K setup doesn't let you choose the directory for Microsoft Internet Information Services (IIS) 5.0. Thus, moving the Web server's content and binaries away from the system files to another partition isn't easy. I suggest that you make your Web server a standalone server. If you add the Web server to your domain, you risk giving intruders access to your entire network.
On my IIS machines, I install both NetBEUI and TCP/IP protocols. I leave all file operations to the NetBEUI protocol and use TCP/IP for Web server processing only. (I discuss how to configure TCP/IP later.)
You can also decide whether to install Win2K Server Terminal Services in Administrative mode on your Web server. Terminal Services is an attractive but potentially dangerous option for remote Web server administration because it lets intruders mount brute-force attacks on administrative passwords.
Install the Latest Service Pack and Post-Service Pack Hotfixes
At the time of this writing, I have Win2K Service Pack 2 (SP2) and more than 20 post-SP2 hotfixes. Installing the many hotfixes is a boring task. Fortunately, Microsoft provides a useful tool that lets you install all the hotfixes with only one reboot. You don't even need to worry about the order in which you install the hotfixes. You can install all the hotfixes at once by running a simple script from the command line. Copy all the hotfixes to one folder, then type
for %i in (*.exe) do echo %i -z -m -q >>hf.cmd
at the command line. This command creates the command file hf.cmd. Running hf.cmd installs all hotfixes in Silent mode without reboots. Then, go to the Microsoft article "Use QChain.exe to Install Multiple Hotfixes with Only One Reboot" (http://support.microsoft.com/support/kb/articles/q296/8/61.asp) and download the executable file. Run qchain.exe from the folder in which you unpacked it.
To help you know whether you've installed all the necessary IIS hotfixes, Microsoft has created the Hotfix Checking tool (HFCheck) for IIS 5.0. You can download this utility from http://www.microsoft.com/downloads/release.asp?releaseid=24168.
Before you use the hfcheck.wsf file from HFCheck, you need to reconfigure Windows Script Host (WSH) support in Win2K. Run the command
cscript //H:CScript
to change the default scripting host to the command-line version instead of the GUI-based version. (Make sure that you type two forward slashes (//), which is the command syntax.) The .doc file that accompanies HFCheck provides additional information about how to configure the tool to automatically run on a schedule and inform you by email if new hotfixes for IIS 5.0 become available.
Delete All Samples and Default Content from IIS Folders
Deleting all samples and default content from IIS folders is an important step. Leaving samples in default folders gives intruders a great deal of access to your server.
By default, IIS provides all the samples, administrative pages, and documentation that Figure 1 shows. Sample scripts might let intruders view any text file on the server or, even worse, execute commands. To eliminate these sample files and folders, open Internet Services Manager (ISM) and delete all virtual directories from the Default Web Site.
Remove Unused Script Mappings in IIS
A basic principle of secure installations is not to install services you don't use. Unfortunately, by default, IIS has many mappings (i.e., associations between file extensions and DLLs used to handle calls to such files) for services. Many of them are rarely used and could leave your IIS machine vulnerable to attack. Figure 2 shows some of the default mappings in IIS.
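One way to check a server against the principle above, added here as an illustration and not taken from the original article: the script parses an exported list of script mappings and reports every extension that is not in the set the site actually uses. The sample listing is constructed, and the entry layout (extension, handler DLL, flags, verbs) and the names parse_script_maps and audit are assumptions.

```python
# Added example: audit IIS script mappings against an allowlist.
# SAMPLE_SCRIPTMAPS is constructed for illustration; the entry layout
# ("extension,handler DLL,flags,verbs") is an assumption about how the
# mappings were exported from the server.
SAMPLE_SCRIPTMAPS = r"""
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE
.ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST
.idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST
.htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST
.printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST
this line is malformed
"""

def parse_script_maps(text):
    """Return (mappings, malformed); mappings is a list of dicts."""
    mappings, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        # An entry needs at least an extension and a handler path.
        if len(parts) < 2 or not parts[0].startswith(".") or not parts[1]:
            malformed.append(line)
            continue
        mappings.append({
            "ext": parts[0].lower(),   # extensions compare case-insensitively
            "handler": parts[1],
            "verbs": [v.upper() for v in parts[3:]],
        })
    return mappings, malformed

def audit(text, used_extensions):
    """Split mappings into those the site uses and those to remove."""
    used = {e.lower() for e in used_extensions}
    mappings, malformed = parse_script_maps(text)
    keep, remove = {}, {}
    for m in mappings:
        bucket = keep if m["ext"] in used else remove
        bucket.setdefault(m["ext"], m["handler"])
    return keep, remove, malformed

if __name__ == "__main__":
    # Assumption: this site serves only ASP pages.
    keep, remove, malformed = audit(SAMPLE_SCRIPTMAPS, {".asp"})
    for ext, dll in sorted(remove.items()):
        print(f"remove {ext:9} -> {dll}")
    for line in malformed:
        print(f"review unparsed entry: {line!r}")
```

Entries the parser cannot read are returned separately so they get a manual look instead of being silently treated as safe.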