Keeping Up with IIS Security

Use these documents and tools to stay ahead of intruders

Your Web server is one of the most exposed and intruder-targeted systems on your network. Securing your Microsoft IIS system is a priority, and Microsoft offers several new or updated documents and tools that can help. Some of the resources are for developers rather than administrators, but the line between development and administration is often fuzzy in the Web server world. Because many exploits result from vulnerabilities in application code rather than configuration, Web site security is as dependent on developers as on administrators. Even if you outsource Web site development, you need to know about important development-related security gotchas so that you can protect your IIS system from intrusion.

Read All About It
How can you secure your Web server? Microsoft's recently redesigned Web Site Security page (http://www.microsoft.com/technet/security/web.asp) is a good place to start searching for answers to that broad question. This Web site offers many valuable and recently updated documents about IIS security. The following documents are especially helpful.

"Security Checklist for Microsoft Internet Information Server." This checklist covers many Windows NT and IIS configuration tweaks that are Web server security musts. The document is a good starting point for securing your server and raising it to the current security patch level, after which I recommend you subscribe to the Microsoft Security Notification Service to stay up-to-date on security issues and products.

"Designing and Planning Windows NT External Security." Microsoft Consulting Services based this practical document on several real companies' best practices. Although the paper is a bit outdated (i.e., it targets NT 4.0 Service Pack 4—SP4), the discussions of demilitarized zone (DMZ) implementations—especially how to configure NT and IIS to run within a DMZ—are valuable. This comprehensive document covers other areas, such as security policy, incident response, disaster recovery, firewall implementations, and PPTP and Microsoft Proxy Server use.

"Untangling Web Security: Getting the Most from IIS Security." If you're new to IIS security, I recommend that you read this introduction to IIS 4.0 security. The document describes several basic security features and shows you how to optimize their configuration.

"Implementing a Secure Site with ASP." This article addresses developer-related IIS security. Although the article doesn't show you how to securely code Active Server Pages (ASP), it explains how IIS, NT, ASP, and Microsoft SQL Server interoperate from a security standpoint. The article also shows how IIS 4.0 authentication methods work in a multi-tier Web application and helps you identify which option works best for your needs.

"What If" You Need More Help?
In addition to helpful documents, the Web Site Security page offers the Internet Information Services Security "What If" Tool, which Figure 1 shows. "What If" helps you navigate all the options and gotchas that you might encounter while setting up Web server security. This simple Web-based tool asks you to specify your browser type and version, client OS, Web server version, authentication scheme, and whether your scenario is Internet or intranet. The utility then quickly determines combinations of browsers, servers, and technology that won't work and helps you avoid wasted development efforts.

Go Configure
All the necessary IIS security configuration changes can be overwhelming. Microsoft's new Windows 2000 Internet Server Security Configuration Tool, which Figure 2 shows, attempts to automate the configuration process for IIS 5.0 servers. (You can download this free tool at http://
www.microsoft.com/technet/security/tools.asp.)

To open the utility, open default.htm from the installed tooldataentry folder. The utility is a self-extracting collection of scripts, Web pages, and COM objects. Two directories (i.e., dataentry and engine) correspond to the tool's two-step process. In the first step, you use the DataEntry component to select the features you want to use on your Web site. The tool disables features you don't select, so the fewer features you choose, the more tightly the utility secures your server. After you select your desired features, click Create Template, which Figure 3 shows; the tool then creates a text-file template in which it stores your selection data.

Be forewarned: Don't download the Windows 2000 Internet Server Security Configuration Tool and apply it to your server without thoroughly understanding how the tool works. The utility contains some undocumented bugs that can lock you out of your site or expose certain vulnerabilities on your server. To help you avoid these problems, let's walk through the security template's selection check boxes, which Figure 3 shows, and look at precisely how the tool disables each feature.

Remote administration features. Windows Networking remote administrator access lets you remotely view and use tools such as Event Viewer and Microsoft Management Console (MMC) to administer the system. To restrict this feature, the utility blocks TCP port 139 in the system's local IP Security (IPSec) policies. To prevent remote administration from the administration Web site, the tool blocks TCP port 6583 (or whichever port you've customized for the site). Notice that the tool doesn't disable either remote administration feature but simply blocks the applicable TCP ports to prevent remote access. This distinction is necessary to let you administer your server locally.

Specialized server usage. FTP, SMTP, Network News Transfer Protocol (NNTP), and Telnet are common Web-server attack points. To disable a system's use of these protocols, the utility not only blocks the associated TCP ports (i.e., ports 20 and 21 for FTP, port 25 for SMTP, port 119 for NNTP, and port 23 for Telnet) but also disables the corresponding system services. The tool also blocks Secure Sockets Layer (SSL—TCP port 443) access, unless you select that feature. The utility automatically blocks all other ports except TCP port 80 for Web access.

Serving nonstatic files and ASPs. Internet printing, server-side includes (SSI), password changes over the Web, and Microsoft Index Server can create security holes. All these vulnerable features use IIS script mappings, so to block the features, the utility removes their mappings.

Web samples. IIS includes sample Web applications, which present vulnerabilities that attackers always look for. Although the utility theoretically lets you disable these applications, I noticed a message in the debug output that said "Settings samples is currently NYI." Upon investigating the code, I determined that NYI stands for "not yet implemented." By including this template option before it is operable and by failing to clearly state the option's nonactive status, Microsoft gives customers an illusion of security. I recommend you consult the "Security Checklist for Microsoft Internet Information Server" for instructions to delete the sample applications.

In the second step of the tool's process, the Engine component uses the template to configure the server. To run the Engine from the command line and secure the local system, type

iisconfig.cmd ­f 

where iistemplate.txt is the text file you created during the DataEntry step. If you aren't executing the command from the directory that contains the text file, you'll need to include the file's full pathname. To secure a remote server, use the ­s parameter, followed by the server's NetBIOS or DNS name. Besides configuring the server, the Engine provides good diagnostic information. Whenever you run iisconfig.cmd, the Engine summarizes all the changes in a Windows Script Host (WSH) source event ID 0, which the Engine logs to the configured server's Application log. You can also use the iisconfig.cmd ­d parameter, which displays valuable debugging information on the screen. And you can incorporate this configuration step into a script as part of a server deployment or recovery process—a useful feature.

Finally, the utility automatically applies the hisecweb.inf special Security Configuration Editor template. (Security Configuration Editor is the same component that the Group Policy Editor—GPE—MMC snap-in uses to apply security settings.) This template secures an external, standalone (i.e., a member of no domain) Internet Web server that isn't a domain controller. (If you want to use the tool on a domain's member server, remember that Win2K always applies local policies first, so group policies can override them.) Hisecweb.inf also assumes the server is a physically secure dedicated Web server that doesn't permit remote logons and lets only administrators log on locally. (If you're configuring a remote server, the tool won't apply hisecweb.inf because the template works only locally.) Hisecweb.inf specifies reasonable policies for password, account lockout, auditing, and log configuration; makes a host of security-related Registry settings; and disables many unnecessary system services (e.g., Alerter, Browser, RAS).

I recommend you test this tool in a lab setting and first back up your current configuration. To reenable the template settings, simply rerun the Windows 2000 Internet Server Security Configuration Tool and select the previously disabled features from the feature list. Reversing the Security Configuration Editor settings is more difficult. You need to open the Security Configuration and Analysis MMC snap-in and load hisecweb.inf. Then, reverse each of the relevant hisecweb.inf settings and reapply the template. Of course, rather than try to reverse each setting, you can use your backup to restore the original configuration.

Although this promising tool doesn't make every possible security enhancement (or even all the changes that the IIS security checklist suggests), it does protect administrator access, remove several IIS-specific vulnerabilities, and limit potential malicious-intrusion exploits to TCP port 80. For experienced administrators, this utility, which includes source code that you can extend or modify, is a useful starting point.

—Randy Franklin Smith