You should never use certain mappings on production servers. Think twice before you leave the following mappings on your server:
- .htr (Web-based password reset). This extension is an intruder favorite. You'll find many exploit descriptions for the .htr mapping on cracker Web sites. (For information about this exploit, see "IIS Denial of Service and Code Exposure," http://www.secadministrator.com/articles/index.cfm?articleid=9441, and "IIS 5.0 May Expose Script Contents," http://www.secadministrator.com/articles/index.cfm?articleid=16543.)
- .idc (Internet Database Connector). This IIS 1.0 mapping is now largely unused.
- .stm, .shtm, and .shtml (server-side includes, or SSIs). Leave these mappings if you plan to use SSI files on your Web pages.
- .printer (Internet Printing). This mapping could let intruders print on your printer.
- .htw (WebHits). Many exploits use the .htw extension. (For more information about such exploits, see "Index Server Exposes File System," http://www.secadministrator.com/articles/index.cfm?articleid=9508, and "Index Server Vulnerable to Information Stealing," http://www.secadministrator.com/articles/index.cfm?articleid=15980.)
- .ida and .idq (Win2K Indexing Service and Microsoft Index Server). Leave these extensions only if you use Indexing Service or Index Server on your site. Be aware that these extensions are the source of the Code Red attacks. As long as these extension mappings are present, even if Indexing Service or Index Server isn't running, the host server is vulnerable. (For more information about this vulnerability, see the Microsoft article "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" at http://www.microsoft.com/technet/security/bulletin/ms01-033.asp.)
To delete mappings for services you don't use, choose Start, Programs, Administrative Tools, Internet Services Manager. From ISM, right-click your server, then select Master Properties, WWW Service. Click Edit, then select Home Directory, Configuration. In the Application Configuration dialog box, delete the unused mappings.
I recommend that you leave only those extensions that you use and whose functions you understand (e.g., .asp, .cer, .cdx, .asa). I also recommend that you check for COM components that your applications don't need and remove them. In addition, disable the File System Object component if possible. (Unfortunately, you must enable the File System Object to use the Dictionary object.) Use the command
regsvr32 scrrun.dll /u
to disable the File System Object.
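The Internet Services Manager steps above are a one-time manual pass. The following script is an added example, not code from the article, that audits the same master script mappings from PowerShell and can remove the ones the list above flags. It assumes the IIS ADSI provider is present (Win2K/IIS 5 through IIS 6), that the master WWW mappings live at IIS://localhost/W3SVC, and that the metabase ScriptMaps entries have the form ".ext,handler.dll,flags,verbs"; the -KeepExtensions list is where you declare the mappings you actually use.

```powershell
# Added example (not from the article): audit and optionally remove the IIS
# script mappings the article says should not stay on a production server.
# Assumptions: IIS ADSI provider available; master mappings at IIS://localhost/W3SVC.

$RiskyExtensions = @('.htr', '.idc', '.stm', '.shtm', '.shtml', '.printer', '.htw', '.ida', '.idq')

function Get-RiskyScriptMap {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ScriptMaps,   # metabase ScriptMaps entries
        [string[]] $KeepExtensions = @()                          # mappings you use and understand
    )
    foreach ($entry in $ScriptMaps) {
        $fields = $entry -split ','
        $ext = $fields[0].Trim().ToLowerInvariant()
        if (($RiskyExtensions -contains $ext) -and ($KeepExtensions -notcontains $ext)) {
            New-Object PSObject -Property @{ Extension = $ext; Handler = $fields[1]; Entry = $entry }
        }
    }
}

function Remove-RiskyScriptMap {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $KeepExtensions = @(),
        [string]   $MetabasePath = 'IIS://localhost/W3SVC'   # assumption: master WWW properties
    )
    $w3svc   = [ADSI] $MetabasePath
    $current = @($w3svc.ScriptMaps)
    $risky   = @(Get-RiskyScriptMap -ScriptMaps $current -KeepExtensions $KeepExtensions)
    if ($risky.Count -eq 0) { Write-Verbose 'No risky mappings found.'; return }

    $riskyEntries = $risky | ForEach-Object { $_.Entry }
    $kept = @($current | Where-Object { $riskyEntries -notcontains $_ })
    $what = 'remove mapping(s): ' + (($risky | ForEach-Object { $_.Extension }) -join ', ')
    if ($PSCmdlet.ShouldProcess($MetabasePath, $what)) {
        # Write back only the mappings that survived the filter.
        $w3svc.Put('ScriptMaps', [string[]] $kept)
        $w3svc.SetInfo()
    }
    $risky
}

# Constructed sample in the ScriptMaps format, so the audit can be tried offline.
$sample = @(
    '.asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE',
    '.htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST',
    '.ida,C:\WINNT\System32\idq.dll,1,GET,HEAD',
    '.shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST'
)
# Reports .htr and .ida; .shtml is kept because it was declared in use.
Get-RiskyScriptMap -ScriptMaps $sample -KeepExtensions '.shtml' | Format-Table Extension, Handler -AutoSize

# Against the live metabase, preview first:  Remove-RiskyScriptMap -KeepExtensions '.shtml' -WhatIf
```

Run the removal with -WhatIf before committing, and remember that a Web site or virtual directory that carries its own ScriptMaps property overrides the master list, so check those nodes separately rather than assuming the master change reached them.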
Set System Policies
Before Win2K, administrators spent a lot of time setting correct security policy, digging in the registry, and configuring services. Now, you can use the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in to perform these tasks.
First, download the template for securing a Web server at http://download.microsoft.com/download/win2000srv/scm/1.0/nt5/en-us/hisecweb.exe. This template is an archive with one file, hisecweb.inf. Copy this file to %windir%\security\templates. Follow these steps to install the template:
- Run mmc.exe.
- Select Add/Remove Snap-in from the Console menu, then click Add.
- In the Add Standalone Snap-in dialog box, select the Security Configuration and Analysis snap-in, then click Add. Click Close, then click OK.
- In the Security Configuration and Analysis snap-in, load the hisecweb.inf template. Right-click the Security Configuration and Analysis snap-in, then select Analyze Computer Now.
Determine what's suitable for your system in this universal template, then update the template as necessary. After you've updated the template, right-click the Security Configuration and Analysis snap-in, then select Configure Computer Now to apply the security template to your system.
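The snap-in's Analyze Computer Now and Configure Computer Now commands have a command-line counterpart in secedit.exe, which is what you want when the same template must be checked on several servers. The script below is an added example, not code from the article; it assumes hisecweb.inf has already been copied to %windir%\security\templates, and the database and log file names are my own choices. The "Mismatch" pattern used to summarize the analysis log is an assumption about secedit's log format.

```powershell
# Added example (not from the article): analyze the machine against the
# hisecweb.inf template with secedit.exe, then apply it once you have reviewed
# and edited the template. Paths for the database and logs are assumptions.

function Invoke-SecurityTemplateAnalysis {
    param(
        [string] $Template = (Join-Path $env:windir 'security\templates\hisecweb.inf'),
        [string] $Database = (Join-Path $env:windir 'security\database\hisecweb.sdb'),
        [string] $Log      = (Join-Path $env:TEMP 'hisecweb-analyze.log')
    )
    if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
    # Start from an empty database so only this template's settings are compared.
    if (Test-Path $Database) { Remove-Item $Database -Force }
    & secedit.exe /analyze /db $Database /cfg $Template /log $Log /verbose | Out-Null
    # Assumption: the log marks each differing setting with a line beginning "Mismatch".
    Select-String -Path $Log -Pattern '^\s*Mismatch' | ForEach-Object { $_.Line.Trim() }
}

function Invoke-SecurityTemplateConfigure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $Template = (Join-Path $env:windir 'security\templates\hisecweb.inf'),
        [string] $Database = (Join-Path $env:windir 'security\database\hisecweb.sdb'),
        [string] $Log      = (Join-Path $env:TEMP 'hisecweb-configure.log')
    )
    if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "apply security template $Template")) {
        & secedit.exe /configure /db $Database /cfg $Template /log $Log /verbose
    }
}

# Review the mismatches, edit the template where the defaults do not fit, then apply.
Invoke-SecurityTemplateAnalysis | Out-Host
# Invoke-SecurityTemplateConfigure -WhatIf
```

Keep the analysis log with the server's build records: it is the evidence of which template settings you deliberately changed before applying the template, which the snap-in's GUI does not leave behind.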
Configure TCP/IP
Win2K doesn't provide the IP-filtering functions that modern firewalls do, but it has a useful group of settings that lets you block unneeded access to IP ports. First, you need to disable access to your server through NetBIOS over TCP/IP (NetBT). Open the Control Panel Network and Dial-up Connections applet. Right-click Local Area Connection, then select Properties. Select Internet Protocol (TCP/IP), then click Properties. Click Advanced, click the WINS tab, then select the Disable NetBIOS over TCP/IP option, which Figure 3 shows.
However, disabling NetBT isn't enough. You must also unbind the TCP/IP protocol from your network advanced settings. Open the Network and Dial-up Connections applet. Select Advanced Settings from the Advanced menu, then unbind Internet Protocol (TCP/IP) from the File and Printer Sharing for Microsoft Networks service and from the Client for Microsoft Networks service, as Figure 4, page 3, shows.
Next, you must set up filtering for TCP/IP ports. Usually, attacks on a system begin with some kind of port-scanning software. If you close all unneeded ports, you offer intruders little to work with. In Win2K, you can configure tight security through an IP Security (IPSec) policy, such as the policy defined in the hisecweb.inf template, or use a few simple settings to block most of the IP ports, which is my preferred method. Figure 5 shows my port configuration settings.
If you use Terminal Services for remote control and administration, you must also enable TCP port 3389 for client connections. You can change the port number in the registry to make it harder for intruders to connect to the port. For more information about port settings for Terminal Services, see the Microsoft article "How to Change Terminal Server's Listening Port" (http://support.microsoft.com/support/kb/articles/q187/6/23.asp).
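All three settings in this section (NetBIOS over TCP/IP, the TCP/IP port filter, and the Terminal Services listening port) are stored in the registry, so their state can be read back from a script instead of clicking through the property sheets on each server. The following is an added example, not code from the article. It assumes the registry locations documented for Win2K TCP/IP filtering (EnableSecurityFilters under Tcpip\Parameters and the per-adapter TcpAllowedPorts, UdpAllowedPorts, and RawIpAllowedProtocols multi-strings), the NetBT NetbiosOptions value per adapter, and the RDP-Tcp PortNumber value; adapter GUIDs differ on every machine.

```powershell
# Added example (not from the article): audit the TCP/IP hardening settings this
# section configures, and set a TCP allow-list for one adapter.
# Assumptions: Win2K registry layout for TCP/IP filtering, NetBT and Terminal Services.

function Get-TcpIpHardeningState {
    $tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $netbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $rdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Global switch behind "Enable TCP/IP Filtering (All adapters)".
    $filters = (Get-ItemProperty -Path $tcpipParams -ErrorAction SilentlyContinue).EnableSecurityFilters

    # Per-adapter allow-lists are multi-strings; a single "0" means "permit all".
    $adapters = foreach ($iface in Get-ChildItem "$tcpipParams\Interfaces") {
        $p = Get-ItemProperty -Path $iface.PSPath
        New-Object PSObject -Property @{
            Adapter    = $iface.PSChildName
            TcpAllowed = @($p.TcpAllowedPorts) -join ','
            UdpAllowed = @($p.UdpAllowedPorts) -join ','
            RawAllowed = @($p.RawIpAllowedProtocols) -join ','
        }
    }

    # NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $netbios = foreach ($iface in Get-ChildItem $netbtIfaces) {
        New-Object PSObject -Property @{
            Adapter        = $iface.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $iface.PSPath).NetbiosOptions
        }
    }

    $rdpPort = (Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue).PortNumber

    New-Object PSObject -Property @{
        FilteringEnabled     = ($filters -eq 1)
        AdapterFilters       = $adapters
        NetBiosPerAdapter    = $netbios
        TerminalServicesPort = $rdpPort
    }
}

function Test-TcpIpHardening {
    # Reports the conditions the section warns about; an empty result is good.
    $state = Get-TcpIpHardeningState
    if (-not $state.FilteringEnabled) { 'TCP/IP filtering is not enabled' }
    foreach ($a in $state.AdapterFilters) {
        if ($a.TcpAllowed -eq '0' -or $a.TcpAllowed -eq '') { "Adapter $($a.Adapter) permits all TCP ports" }
    }
    foreach ($n in $state.NetBiosPerAdapter) {
        if ($n.NetbiosOptions -ne 2) { "NetBIOS over TCP/IP is not disabled on $($n.Adapter)" }
    }
    if ($state.TerminalServicesPort -eq 3389) { 'Terminal Services still listens on the default port 3389' }
}

function Set-TcpAllowedPorts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $AdapterGuid,   # key name under Tcpip\Parameters\Interfaces
        [Parameter(Mandatory = $true)] [int[]]  $Ports          # e.g. 80, 443, and 3389 if Terminal Services is used
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$AdapterGuid"
    if ($PSCmdlet.ShouldProcess($key, "TcpAllowedPorts = $($Ports -join ',')")) {
        $values = [string[]] ($Ports | ForEach-Object { "$_" })
        Set-ItemProperty -Path $key -Name TcpAllowedPorts -Value $values -Type MultiString
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
            -Name EnableSecurityFilters -Value 1 -Type DWord
    }
}

Test-TcpIpHardening
```

Changes to the filter lists take effect after a restart, so run Test-TcpIpHardening again once the server is back up; the audit function is also the thing to schedule periodically, since a later adapter or driver change can silently leave a new interface with the "permit all" default.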
Set Permissions
Setting correct file permissions for all files on a Web server is extremely important. Win2K has a strong security system, so use it to protect your IIS machine. If you have all your content on separate disks, you can easily create separate virtual directories for each type of content. Then, you can set access for each type of content, as Table 1 shows.
Rather than set ACLs on each file, I recommend that you create new directories for each file type, set ACLs on the directory, and let the ACLs inherit to the files. This approach saves a lot of time later because you can place content and Active Server Pages (ASP) applications in directories without having to set appropriate ACLs. For example, a directory structure might look like the one that Figure 6 shows.
To keep intruders from altering log files, set appropriate ACLs on the directory that contains IIS log files (e.g., %systemroot%\system32\logfiles), such as Administrators (Full Control) and System (Full Control). These settings will prevent intruders from deleting the log files to cover their intrusion attempts.
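The log-directory ACL is the one case in this section where the article spells out the exact entries, so it makes a good scripted example: set the ACL on the directory once, let it inherit to the files, and verify later that nothing else has crept in. The following is an added example, not code from the article; it assumes the default IIS 5 log location under %systemroot%\system32\logfiles (pass -Path for another directory or for a content directory you protect the same way).

```powershell
# Added example (not from the article): apply and verify the log-directory ACL
# the section describes (Administrators and SYSTEM, Full Control, inherited by
# all files and subfolders; inheritance from the parent cut off).
# Assumption: default IIS 5 log path; override with -Path.

function Set-IisLogDirectoryAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Path = (Join-Path $env:SystemRoot 'system32\LogFiles'))

    $rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries, then drop
    # any explicit entries, so the directory carries exactly the ACEs set below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($existing)
    }
    foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Path, 'replace ACL with Administrators and SYSTEM Full Control')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Test-IisLogDirectoryAcl {
    # Returns one line per problem; no output means the ACL matches the intent.
    param([string] $Path = (Join-Path $env:SystemRoot 'system32\LogFiles'))
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'ACL still inherits from the parent directory' }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($allowed -notcontains $id) {
            $problems += "Unexpected ACE: $id ($($ace.FileSystemRights), $($ace.AccessControlType))"
        }
    }
    $problems
}

# Check first, then apply with a preview.
Test-IisLogDirectoryAcl
# Set-IisLogDirectoryAcl -WhatIf
```

Because the rules are added with ContainerInherit and ObjectInherit, every log file IIS creates afterwards picks up the same entries, which is the inherit-from-the-directory approach recommended above for content directories as well. Note that later IIS versions write logs under \inetpub\logs\LogFiles by default, so confirm the path on the server before applying.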
Maintain Your Sites
If you think that your server is now secure, it's not. Keeping your network secure is a daily, even an hourly, task. In addition to all the configuration work I've recommended to increase security, you must monitor your server to make sure it remains secure. Fortunately, Win2K has good auditing capabilities. I recommend that you subscribe to as many security news lists as possible (e.g., http://www.microsoft.com/technet/security/notify.asp), check http://www.microsoft.com/security regularly, and bookmark http://www.secadministrator.com.