IIS 5.0 and
Windows 2000 Hardening Guide
This document is applicable ONLY to Windows 2000 running IIS 5.0. If any other application runs on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only, to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose servers on an internal LAN (e.g., file servers), as it removes several of the services that Windows uses for default functionality.
NOTE: Do all of this with the machine unplugged from the network. Create a CD with the needed files (hotfixes, tools and the security template) beforehand, so that nothing has to be downloaded before the host is hardened.
Instructions

Follow these steps in order. You may print this procedure and check off each of the steps as they are completed. These steps are not a guide but minimum requirements for DMZ deployment. Any deviation from this process may negate the usefulness of the process.
Initial OS Configuration and Installation

1.0 Boot from the Windows 2000 CD-ROM to begin installation and configuration.
1.1 The Welcome to Setup screen appears. Press Enter to continue.
1.2 Press F8 to accept the End User License Agreement (EULA).
Note: Install only one instance of the operating system. If you need a second instance to get onto a server, install it when needed and delete it afterwards. If any previous operating system is present, remove it by deleting the partitions and repartitioning.
2.0 Choose the OS partition for the installation and format it as NTFS. Reserve a separate partition of at least 4 GB for the OS (more is better).
3.0 Choose regional settings as appropriate.
3.1 Type in the name and organization.
3.2 Choose Per Seat licensing.
4.0 Choose a name for the server and set a strong Administrator password.
5.0 On the Windows 2000 Components screen, install only what the web server needs:
5.1 Go into Details on Accessories and Utilities; uncheck Accessibility Wizard, Communications, Games and Multimedia (uncheck everything and leave only Accessories checked). Click OK.
5.2 Back at Components, uncheck Indexing Service.
5.3 Go into Details on Internet Information Services (IIS); uncheck everything, then check only Common Files, Internet Information Services Snap-In and World Wide Web Server. Click OK.
5.4 Uncheck Script Debugger.
5.5 Go into Details on Management and Monitoring Tools and check Simple Network Management Protocol (SNMP) only if SNMP is going to be used.
5.6 Check Terminal Services.
5.7 When you are finished, the Windows 2000 Components screen should show only Accessories and Utilities, Internet Information Services (IIS) and Terminal Services checked (plus Management and Monitoring Tools if you selected SNMP).
5.8 Click Next.
6.0 Set Date, Time and Time Zone, then click Next.
7.0 Select Remote Administration Mode for Terminal Services, then click Next.
7.1 Choose Typical Network Settings.
8.0 Workgroup or Computer Domain setup:
8.1 Choose No, This Computer Is Not On a Network, or Is On a Network Without a Domain.
8.2 Type in a random workgroup name (Alt+255 gives a blank workgroup name).
Note: The file copy starts (this may take some time). Log back in after the reboot.
9.0 When the Windows 2000 Configure Your Server screen appears:
9.1 Choose I Will Configure This Server Later.
9.2 Click Next, then uncheck Show This Screen at Startup. Close the window.
Encryption and Patch Setup

10.0 Install the High Encryption Pack.
NOTE: After installing the High Encryption Pack it is necessary to run the KEYMIGRT.EXE utility to upgrade the protection of the private keys used by IIS SSL from 40-bit RC4 to 168-bit 3DES (see http://www.microsoft.com/technet/security/bulletin/ms00-032.asp). To obtain the Keymigrt tool, run the MS00-032 patch with the -x option to extract its contents; Keymigrt.exe is one of the files extracted.
10.1 Reboot.
11.1 When prompted to restart your computer, select Yes.
12.0 Install the latest applicable hotfixes. As of 08/07/2002:
- MS02-023: May 15, 2002 Cumulative Patch for Internet Explorer (in this case Internet Explorer 5.01 SP2 for Windows NT and Windows 2000).
This list is a dated snapshot; check for newer bulletins before the host goes into the DMZ.
SSHD for NT Remote Management

OK. Now you need to be able to access this machine remotely. Here is the OLD port of SSHD for NT we used to use. I HIGHLY recommend not using this and instead using SSH.COM's commercial product.
NOTE: There are issues with cygwin.dll and with separating the user space of simultaneous users. Use with caution!

13.0 Download and unzip sshdnt.zip.
14.0 Run install.bat. This batch file should do the following:
- Create a server key
- Install SSHD as a service
- Start the sshd service
Note: Check that SSHD is installed as a service and running. If it is not, refer to sshd_install.txt for instructions on how to create a server key and install SSHD as a service.
15.0 Edit the passwd file (in c:\etc) to add additional users, one per line, in this format:
<Username>:x:<User ID>:<Group ID>:<Full Name>:<home directory>:
Example:
administrator:x:1:10:Local administrator:/bin:
16.0 Using SCP on the NT DMZ host:
- Move the file you need to a Unix box running sshd (e.g., host.com).
- Use srt or terra to connect to the NT host running sshd.
- Type: scp.exe <username>@<hostname with file>:<filename> <path to place file>
Examples:
- To move the file "net.txt" from a Unix host (e.g., host.com) to the directory /bin on an NT host running sshd (IP address 10.0.0.20): log in to host.com, then run
  scp net.txt administrator@10.0.0.20:/bin
- To pull test.exe from an NT host running sshd (IP address 10.0.0.20) to my user directory on host.com: log in to host.com, then run
  scp administrator@10.0.0.20:test.exe /home/user
Media Configuration

17.0 Go to Start > Programs > Administrative Tools > Computer Management > Disk Management.
17.1 Right click on the CD-ROM and choose Change Drive Letter; click Edit and choose Z for the drive.
18.0 Create the data partition:
18.1 Right click on the unallocated space and choose Create Partition. The Create Partition Wizard appears. Click Next, choose Primary Partition, then allocate space as required.
18.2 Click Next, choose a drive letter, and choose NTFS format.
19.0 Double click the My Computer icon. Right click on your C drive.
19.1 Click on Security, remove the Everyone group, and add the Administrators and SYSTEM groups, giving both Full Control.
IMPORTANT!! Click Advanced > check Reset Permissions on All Child Objects (ignore the error on pagefile.sys).
20.0 Click Advanced > Auditing > Add > Administrator, then click OK.
20.1 Check the boxes for each of the following:
- Create Files/Write Data
- Create Folders/Append Data
- Delete Subfolders and Files
- Delete
- Change Permissions
- Take Ownership
20.2 Repeat this for the Power Users group. Click Apply, then OK; ignore the pagefile error and click Continue.
20.3 Click OK > Apply > OK. You will get a message saying that auditing is not turned on: these audit entries record nothing until Audit Object Access is enabled in the local audit policy, so verify that setting after the security template is applied in step 65.
21.0 Exit the security section. Under the General tab, uncheck Allow Indexing Service To Index This Disk For Fast File Searching.
21.1 Choose Apply Changes to C:\, Subfolders and Files.
22.0 Repeat this procedure for all other hard drives.
23.0 Right click on the My Computer icon, choose Properties > Advanced > Performance Options.
23.1 Choose Change under Virtual Memory.
23.2 Set the page file's Initial (minimum) and Maximum sizes equal. Click OK.
23.3 Reboot.
Running IIS Lockdown and URLScan

24.0 Run IISLockd.exe.
25.0 Click I Agree on the EULA license and then click Next.
25.1 The Select Server Type screen appears. Check the View Template Settings box.
25.2 Highlight Static Web Server and click Next.
26.0 The Internet Services screen appears. Only the Web service (HTTP) should be selected.
26.1 Check the Remove Unselected Services box.
26.2 Answer Yes to the "Do you want to remove these services" prompt.
26.3 Click Next.
27.0 The Script Maps screen appears. Ensure all boxes are checked (a checked box disables that mapping) and then click Next.
NOTE: If you run ASP or SSI pages you will need to uncheck those boxes accordingly.
28.0 The Additional Security box appears. Ensure all boxes are checked. Click Next.
29.0 The URLScan screen appears. Check the box Install URLScan Filter On The Server and then click Next.
30.0 From the Selected Changes screen, click Next.
31.0 The Applying Security Settings screen appears. Click View Report. The screen should resemble the image below.
31.1 Click Next, then Finish. To see exactly what the wizard did, look at the file oblt-log.log in the c:\winnt\system32\inetsrv directory.
Note: Most settings applied here are reversible by running the wizard again. The default URLScan configuration file should work for you as is; it can be found at c:\winnt\system32\inetsrv\urlscan\urlscan.ini.
Services

32.0 Disable all network protocols except TCP/IP, and set a fixed IP address for the server:
32.1 Right click on My Network Places > Properties, then right click on Local Area Connection > Properties; select File and Printer Sharing for Microsoft Networks and click Uninstall.
32.2 Uncheck Client for Microsoft Networks.
32.3 Set fixed IP address(es) for the server.
33.0 Go to Advanced Settings for TCP/IP.
33.1 Click DNS and uncheck Register This Connection's Addresses in DNS.
34.0 Click WINS:
34.1 Remove any WINS entries.
34.2 Uncheck Enable LMHOSTS Lookup.
34.3 Click Disable NetBIOS over TCP/IP.
35.0 Choose Options > TCP/IP Filtering > Properties.
35.1 Check Enable TCP/IP Filtering (All Adapters).
35.2 Change Permit All to Permit Only on each list and add only the explicitly needed ports:

TCP Ports        UDP Ports          IP Protocols
80    HTTP       161   SNMP         6 (TCP)
443   SSL        162   SNMP trap    8
22    SSH
3389  RDP

Note: IP protocol 6 is TCP; protocol 8 is EGP, which nothing in this guide uses, while UDP is 17 and ICMP is 1. If the IP Protocols list is set to Permit Only, it must cover the transports the port lists rely on (6 for TCP, 17 for UDP), so verify the protocol numbers before restarting.
35.3 Restart your computer when prompted.
36.0 Disable NetBIOS over TCP/IP at the driver level:
36.1 Right click on My Computer > Properties > Hardware > Device Manager.
36.2 Click on View > Show Hidden Devices.
36.3 Click on View > Devices by Connection.
36.4 Right click on NetBios over Tcpip > Properties.
36.5 On the Driver tab, set Type to Disabled.
36.6 Click OK.
37.0 Change the SNMP community string (the "SNMP password") to a strong value:
37.1 Right click on My Computer, choose Manage, then click on Services.
37.2 Right click on SNMP Service and choose Properties; the community names are on the Security tab.
NOTE: Set a strong, non-default community name (never "public"), and use Accept SNMP Packets From These Hosts to limit it to your management stations.
38.0 Stop and disable the following services:
- Alerter
- Computer Browser
- DHCP Client
- Distributed File System
- Distributed Link Tracking Client
- Distributed Link Tracking Server
- Distributed Transaction Coordinator
- DNS Client
- Fax Service
- File Replication
- Indexing Service
- Internet Connection Sharing
- Intersite Messaging
- Kerberos Key Distribution Center
- License Logging Service
- Messenger
- NetMeeting Remote Desktop Sharing
- Network DDE
- Network DDE DSDM
- Print Spooler
- QoS RSVP
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- Remote Registry Service
- Removable Storage
- RunAs Service
- Server
- Simple Mail Transport Protocol (SMTP)
- Smart Card
- Smart Card Helper
- Task Scheduler
- TCP/IP NetBIOS Helper Service
- Telephony
- Telnet
- Uninterruptible Power Supply
- Windows Time
- Workstation
(Workstation is started briefly again in step 68 to set passwords; disable it again afterwards.)
39.0 Set up an IPSec policy that denies everything and permits only the necessary ports. For example:
Use ipsecpol.exe (Windows 2000 Resource Kit) and make certain these two DLLs are in your path: ipsecutil.dll and text2pol.dll. -w REG writes the policy to the local registry and -x makes it active. The filter syntax is srcaddr:srcport+dstaddr:dstport:protocol, where 0 is this host, * is any, + is a mirrored (two-way) filter and = is one-way; BlockAll therefore uses a mirrored filter so that it covers inbound as well as outbound traffic.
From a command prompt, enter the following lines (one command per line; in a .cmd file a REM prefix comments a rule out):
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "BlockAll" -n BLOCK -f 0+*
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowICMP" -n PASS -f 0::=*:*:ICMP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTPData-out" -n PASS -f 0:=*:20:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTP-out" -n PASS -f 0:=*:21:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSSH-in" -n PASS -f 0:22+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-in" -n PASS -f 0:25+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-out" -n PASS -f 0:=*:25:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS_TCP-in" -n PASS -f 0:53+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS_TCP-out" -n PASS -f 0:=*:53:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-in" -n PASS -f 0:53+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-out" -n PASS -f 0:=*:53:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-in" -n PASS -f 0:80+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-out" -n PASS -f 0:=*:80:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-in" -n PASS -f 0:161+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-out" -n PASS -f 0:=*:161:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-in" -n PASS -f 0:162+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-out" -n PASS -f 0:=*:162:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-in" -n PASS -f 0:443+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-out" -n PASS -f 0:=*:443:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-in" -n PASS -f 0:514+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-out" -n PASS -f 0:=*:514:UDP
REM ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowRDP-in" -n PASS -f 0:3389+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup-in" -n PASS -f 0:13700+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup2-in" -n PASS -f 0:13782+*::TCP
Note: Each rule in a policy needs a distinct -r name (the two NetBackup rules above are named differently for that reason). The RDP rule is commented out, so with this policy active RDP is reachable only through the SSH tunnel of step 46, even though TCP/IP Filtering (35.2) and the router ACL (72.0) permit 3389. Conversely, the SMTP, DNS, syslog and NetBackup rules here pass nothing unless those ports are also permitted in 35.2: a packet must be allowed by the router ACL, by TCP/IP Filtering and by IPSec, so the effective inbound set is the intersection of the three lists. Keep them in agreement, and drop the rules for services this host does not run (SMTP is disabled in step 38).
Terminal Service Configuration

40.0 Configure Terminal Services:
40.1 Go to Start > Programs > Administrative Tools > Terminal Services Configuration (TSC).
40.2 Right click on RDP-Tcp, choose Properties > General > Encryption Level: High.
41.0 Under Client Settings:
- Uncheck Use Connection Settings From User Settings.
- Uncheck Connect Client Printers at Logon and Default to Main Client Printer.
41.1 Under Disable the following:
- Check all except Clipboard Mapping.
42.0 Under Sessions:
42.1 Check Override User Settings, then choose:
- End a disconnected session: 3 hours
- Active session limit: 1 day
- Idle session limit: 30 minutes
42.2 Check the second Override User Settings and choose Disconnect From Session (the action taken when a session limit is reached or the connection is broken).
43.0 Under Network Adapter, choose Maximum Connections: 5.
44.0 Under Server Settings for TSC, change Active Desktop to Disable.
45.0 If needed, make the following edits on the server to enable clipboard file transfer:
45.1 Open Regedt32 and change the value data of the Name value from RDPCLIP to FXRDPCLP in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector
45.2 Change the value data of the Startup Programs value from RDPCLIP to FXRDPCLP in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
45.3 Rename the new rdpclip.exe included in the Windows 2000 Resource Kit to Fxrdpclp.exe, then copy it to the Winnt\System32 folder.
45.4 Copy the fxfr.dll file to the Winnt\System32 folder.
On the clients that are to use the enhanced clipboard facilities:
45.5 Copy the 32-bit Fxfr.dll file to the "Program Files\Terminal Services Client" folder.
45.6 Rename the Rdpdr.dll file in the "Program Files\Terminal Services Client" folder to Rdpdr.pss.
45.7 Copy the 32-bit rdpdr.dll file from the Resource Kit to the "Program Files\Terminal Services Client" folder.
46.0 Set up Terminal Services to run over SSH:
46.1 If the client machine is itself a Windows 2000 Server, set its Terminal Services service to Manual and stop it, because its own listener already has local port 3389 bound and the tunnel needs that port.
NOTE: XP currently doesn't work as a client.
46.2 Open a command window (cmd.exe) and type:
ssh2.exe -L 3389:127.0.0.1:3389 root@ams-eleads
and log in when prompted. The general form is:
ssh2.exe -L [local port]:[destination host as seen from the SSH server]:[destination port] [username@remote host] [optional command]
Here 127.0.0.1 is the SSH server itself, so port 3389 on the server is forwarded to port 3389 on the client's localhost.
46.3 Leave the command prompt open, then open the Terminal Services client and connect to localhost.
Note: You will now be running TS over one of the most security-scrutinized protocols ever, which is why the RDP rule in the IPSec policy of step 39 can stay commented out.
IIS 5.0 Configuration

47.0 Go into the ISM (Internet Services Manager) and stop the Default Web Site.
47.1 Right click on the computer above it and choose Backup/Restore Configuration to back up the metabase.
48.0 Right click on the computer name in ISM:
48.1 Choose Properties > Edit the Master Properties for the WWW Service.
48.2 Choose Web Site > Enable Logging > W3C Extended Log File Format > Properties.
48.3 Change New Log Time Period to When File Size Reaches 50 MB; click OK.
48.4 Click Properties > Extended Properties and add checks for Cookie and Referer.
49.0 Choose Home Directory > Configuration:
49.1 Remove any unnecessary application mappings, as listed below.
NOTE: Remove them all and add back in only as needed!

Extension             File type
.asa                  ASP files that declare objects with session or application scope
.asp                  Active Server Pages
.bat                  Batch files
.cdx                  Scripts to create Channel Definition files
.cer                  Scripts for digital certificates
.htr                  Scripts for remote password change
.htw                  Index Server hit highlighting
.ida                  Index Server performance monitoring
.idc                  Internet Database Connector
.idq                  Index Server query definition
.printer              Internet Printing
.shtm, .shtml, .stm   Server Side Includes
50.0 Remove all of them unless you explicitly need one for a specific, known purpose!
50.1 For the remaining extensions, consider limiting the HTTP verbs the extension will accept. Instead of all verbs (DELETE, GET, HEAD, PUT and TRACE), allow only GET (and HEAD) for static Web pages and POST if you have forms on your site; never PUT, which lets a client write files to the server. This way we explicitly allow only the minimum actions needed per extension. URLScan's UseAllowVerbs option with its [AllowVerbs] section enforces the same short list for every request, not just for mapped extensions.
50.2 Click OK to get out of edit mode.
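Once the application mappings above are gone, a request for one of those extensions is no longer served, but it still lands in the W3C extended log turned on in step 48, which makes that log a cheap sensor for scanning against the removed handlers. The script below is an added example, not part of the original guide: it parses the W3C format (directive lines, a #Fields: header that IIS rewrites at each rollover) and flags requests for the removed extensions, verbs that step 50.1 says static content should not accept, and path traversal sequences. The log lines are constructed for the example, not captured from a real server.

```python
"""Scan an IIS 5.0 W3C extended log for requests that target the script maps
this guide removes (step 49) and for verbs step 50.1 says static content
should not accept.  Added example, not part of the original guide; the log
lines at the bottom are constructed, not captured from a real server.
"""
import os

# Extensions whose application mappings the guide removes (step 49).
REMOVED_MAPS = {'.asa', '.asp', '.bat', '.cdx', '.cer', '.htr', '.htw', '.ida',
                '.idc', '.idq', '.printer', '.shtm', '.shtml', '.stm'}
# Step 50.1: static pages need GET (HEAD is harmless) and POST only for forms.
ALLOWED_VERBS = {'GET', 'HEAD', 'POST'}


def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields: line.
    Directive lines start with '#'; IIS writes a fresh #Fields: header at
    every rollover, so the field list may change part-way through a file."""
    fields = None
    for raw in lines:
        line = raw.rstrip('\r\n')
        if not line:
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue
        if fields is None:
            raise ValueError('data line before #Fields: header')
        values = line.split(' ')           # W3C fields are space separated
        if len(values) != len(fields):
            raise ValueError('field count mismatch: %r' % line)
        yield dict(zip(fields, values))


def findings(entry):
    """Reasons an entry is suspicious (empty list if it looks clean)."""
    uri = entry.get('cs-uri-stem', '')
    verb = entry.get('cs-method', '')
    reasons = []
    ext = os.path.splitext(uri)[1].lower()
    if ext in REMOVED_MAPS:
        reasons.append('request for removed script map %s' % ext)
    if verb.upper() not in ALLOWED_VERBS:
        reasons.append('verb %s not needed for static content' % verb)
    if '..' in uri or '\\' in uri:
        reasons.append('path traversal sequence')
    return reasons


def scan(lines):
    """Map (client IP, method, URI) -> reasons for every flagged entry."""
    hits = {}
    for entry in parse_w3c(lines):
        reasons = findings(entry)
        if reasons:
            hits[(entry['c-ip'], entry['cs-method'], entry['cs-uri-stem'])] = reasons
    return hits


# Constructed sample log in the W3C extended format step 48 turns on
# (with the Cookie and Referer fields left out for brevity).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-08-07 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Referer)
2002-08-07 00:00:01 10.0.0.5 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.01) -
2002-08-07 00:00:02 192.0.2.44 GET /default.ida XXXXXXXX 404 - -
2002-08-07 00:00:03 192.0.2.44 GET /images/../../winnt/win.ini - 404 - -
2002-08-07 00:00:04 192.0.2.45 GET /iisadmpwd/aexp.htr - 404 - -
2002-08-07 00:00:05 192.0.2.46 PUT /upload.txt - 403 - -
2002-08-07 00:00:06 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.01) http://www.example.com/
""".splitlines()

if __name__ == '__main__':
    for key, reasons in scan(SAMPLE_LOG).items():
        print(key, '->', '; '.join(reasons))
```

Run it against a real log with `scan(open(r'c:\winnt\system32\logfiles\w3svc1\ex020807.log'))`; the 404s for .ida and .htr in the sample are exactly what a host that has removed those mappings returns, so a burst of them from one address is scanning rather than broken links.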
51.0 Create your new web site base directory:
51.1 While still in ISM, highlight your computer name, right click, then choose New > Web Site.
51.2 The New Web Site Wizard starts. Click Next.
52.0 Choose a drive that is NOT your system partition for the path to your home directory.
53.0 Choose the minimum set of access permissions for your web site: Read only for static content, no Write and no Browse, and Run Scripts or Execute only where you have kept a mapped extension to serve.
53.1 Click Next to finish.
54.0 Disable parent paths:
54.1 Go to Properties on the Web Site > Home Directory > Configuration > App Options.
54.2 Uncheck Enable Parent Paths. (With parent paths enabled, ASP and include directives can reference ".." and read files outside the web root.)
55.0 (Optional) Microsoft recommends configuring a separate directory for each file type so you can easily set ACLs. Best practice: this is a good idea if you have the ability to do so. For example, set up your web site as:
- D:\test_website\static (.html)
- D:\test_website\include (.inc)
- D:\test_website\script (.asp)
- D:\test_website\executable (.dll)
- D:\test_website\images (.gif, .jpeg)
56.0 Disable the Default Web Site. (It is better to leave the default web site disabled rather than remove it, as it may come in handy down the line.)
56.1 Right click on the Default Web Site. Select Properties > Directory Security > Anonymous Access and Authentication Control > Edit.
56.2 Uncheck all the boxes. You will get a warning that you are shutting off all access; click Yes.
56.3 A box on inheritance overrides appears. Click Select All > OK.
Note: Do not serve content from the Default Web Site, and disable or delete the Administration Web Site.
57.0 Check all IIS sample directories and remove them if present:
- IIS samples: %webroot%\iissamples
- IIS SDK: %webroot%\iissamples\sdk
- Admin scripts: %webroot%\AdminScripts
- Data access: c:\Program Files\Common Files\System\msadc\Samples
- IIS Help: %systemroot%\help\iishelp
- IIS password change (iisadmpwd): %systemroot%\system32\inetsrv\iisadmpwd
58.0 Remove Internet Printing: delete the printers virtual directory and its files at %systemroot%\web\printers.
59.0 Back up the metabase again (you now have both the default installation and the post-modification configuration).
60.0 Group Policy Object edits. Internet Printing can automatically reappear; to stop this:
60.1 Go to Start > Run > gpedit.msc > Computer Configuration > Administrative Templates > Printers.
60.2 Set Web-based printing to Disabled.
60.3 Open Network > Network and Dial-up Connections > Prohibit configuration of connection sharing and select Enabled.
High Security Webserver Template Application

61.0 Copy WWW-W2K-cisco.inf to the %windir%\security\templates directory. The one linked here is a modified version of the hisecweb.inf found at http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe and of the NSA .inf found at http://nsa2.www.conxion.com/win2k/download.htm.
62.0 Open MMC. Choose Console > Add/Remove Snap-in:
62.1 Add the Security Configuration and Analysis snap-in and the Security Templates snap-in.
63.0 Right click Security Configuration and Analysis:
63.1 Choose Open Database and give the database a name.
63.2 Click Open, then import the WWW-W2K-cisco.inf template file.
64.0 Right click the Security Configuration and Analysis tool:
64.1 Choose Analyze Computer Now. You can browse through the changes the template will make before applying them.
65.0 Right click the Security Configuration and Analysis tool:
65.1 Choose Configure Computer Now from the context menu.
66.0 This applies the template's changes to the computer.
Table 10: User Account and ACL Modification
67.0 Under Local Users and Groups, rename the Internet Guest Account (IUSR_machinename) to an obscure name.
67.1 Set a strong password.
67.2 Ensure the Guest account is disabled.
67.3 Remove the renamed Internet Guest Account from the Guests group.
68.0 Rename the Administrator account and change its password to a strong one.
Note: You will need to start the Workstation service to set passwords. Stop and disable the service afterwards.
69.0 Set file permissions:
69.1 Deny the Web Anonymous Users group (created by the IIS Lockdown wizard) all access on all volumes.
69.2 Right click the volume > Properties > Security > Add > choose the Web Anonymous Users group.
69.3 Check all the Deny boxes.
69.4 Click OK at the caution pop-up window.
IMPORTANT!! Click Advanced > check Reset Permissions on All Child Objects.
70.0 Change the renamed IUSR account's permission to read-only for the few directories IIS needs:
70.1 Right click on the directory, go to Properties > Security > Advanced:

Default path                                            Perms
C:\Winnt (%SystemRoot%)                                 READ (RX)
C:\Winnt\System32                                       READ (RX)
C:\Winnt\System32\Inetsrv                               READ (RX)
C:\Program Files\Common Files (and all subdirectories)  READ (RX)
d:\InetPub\wwwroot (wherever your IIS root is)          READ (RX)

70.2 Uncheck Allow Inheritable Permissions From Parent to Propagate to This Object. A dialog asks whether to Copy or Remove the inherited entries.
70.3 Choose Copy.
70.4 You can now edit the permissions: highlight the Internet Guest Account's Deny All line, choose Clear All, then check Allow for:
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Permissions
71.0 Go into ISM and right click on the WWW server you created:
71.1 Choose Properties > Directory Security > Anonymous Access and Authentication Control > Edit > Edit (for Anonymous Access).
71.2 Change the username to the renamed IUSR_MACHINE account and uncheck Allow IIS to Control Password. Enter the STRONG password you set earlier so that the two match (if they differ, anonymous requests fail with a 401).
Table 11: Firewall ACL

This hardening alone is not enough to ensure security. The box must be placed behind a firewall or router.
72.0 Example ACL for the router to permit only HTTP, SSL, SSH, SNMP and (if you have not tunnelled it over SSH in step 46) RDP; replace the network placeholders with your real source networks and wildcard masks:
access-list 150 permit tcp any host yourwebserver eq 80
access-list 150 permit tcp any host yourwebserver eq 443
access-list 150 permit tcp <SSH client networks> host yourwebserver eq 22
access-list 150 permit udp <SNMP server networks> host yourwebserver eq 161
access-list 150 permit udp <SNMP server networks> host yourwebserver eq 162
access-list 150 permit tcp <RDP client networks> host yourwebserver eq 3389
Everything else is dropped by the implicit deny at the end of the list. Keep this list in agreement with TCP/IP Filtering (35.2) and the IPSec policy (39.0); if RDP only ever arrives through the SSH tunnel, leave the 3389 line out.
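Three separate filters now stand in front of the web service: TCP/IP Filtering (35.2), the IPSec policy (39.0) and this router ACL. They only protect the host if they agree, and a mismatch is easy to miss by eye. The script below is an added example, not part of the original guide: it parses an ipsecpol script and a Cisco extended ACL, computes the inbound set a packet must survive through all three, and lists every port that appears in some filters but not all. The inputs are constructed from the guide's own tables; the 10.1.0.0 and 10.2.0.0 source networks in the sample ACL stand in for the page's placeholders and are assumptions.

```python
"""Cross-check the three inbound packet filters this guide configures on a
DMZ web server: TCP/IP Filtering (step 35), the ipsecpol policy (step 39)
and the router ACL (step 72).  A packet must pass all three, so the
reachable inbound set is their intersection; a port present in only some
of the lists is dead configuration or an unintended hole.

Added example, not part of the original guide.  All inputs are constructed
from the guide's tables; nothing here touches a real host.
"""
import re

# ipsecpol filter syntax: srcaddr:srcport+dstaddr:dstport:proto, where 0 is
# this host, * is any, '+' is a mirrored (two-way) filter and '=' is one-way.
# Only a PASS rule with a mirrored filter on a local port lets traffic in.
_IPSEC_IN = re.compile(r'-n\s+PASS\s+-f\s+0:(\d+)\+\*::(TCP|UDP)\b', re.I)
# Cisco ACE: access-list N permit <tcp|udp> <source> host <dest> eq <port>
_ACL_IN = re.compile(r'^\s*access-list\s+\d+\s+permit\s+(tcp|udp)\s+.*\beq\s+(\d+)\s*$', re.I)


def ipsecpol_inbound(lines):
    """(port, proto) pairs an ipsecpol script lets in.  A line starting with
    REM is a comment in a .cmd file, so that rule is never applied."""
    ports = set()
    for line in lines:
        if line.strip().upper().startswith('REM'):
            continue
        m = _IPSEC_IN.search(line)
        if m:
            ports.add((int(m.group(1)), m.group(2).upper()))
    return ports


def acl_inbound(lines):
    """(port, proto) pairs a Cisco extended ACL permits towards the host."""
    ports = set()
    for line in lines:
        m = _ACL_IN.match(line)
        if m:
            ports.add((int(m.group(2)), m.group(1).upper()))
    return ports


def effective_inbound(*filters):
    """Intersection: a packet has to be permitted by every filter in the path."""
    result = set(filters[0])
    for f in filters[1:]:
        result &= set(f)
    return result


def mismatches(named_filters):
    """Entries not present in every filter, mapped to the filters that have them."""
    union = set().union(*named_filters.values())
    common = effective_inbound(*named_filters.values())
    return {entry: sorted(name for name, f in named_filters.items() if entry in f)
            for entry in sorted(union - common)}


# --- constructed inputs, taken from the guide's tables ---------------------
TCPIP_FILTER = {(80, 'TCP'), (443, 'TCP'), (22, 'TCP'), (3389, 'TCP'),
                (161, 'UDP'), (162, 'UDP')}                     # step 35.2

IPSECPOL_SCRIPT = r'''
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "BlockAll" -n BLOCK -f 0+*
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTP-out" -n PASS -f 0:=*:21:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSSH-in" -n PASS -f 0:22+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-in" -n PASS -f 0:25+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-in" -n PASS -f 0:53+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-in" -n PASS -f 0:80+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-in" -n PASS -f 0:161+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-in" -n PASS -f 0:162+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-in" -n PASS -f 0:443+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-in" -n PASS -f 0:514+*::UDP
REM ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowRDP-in" -n PASS -f 0:3389+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup-in" -n PASS -f 0:13782+*::TCP
'''.strip().splitlines()                                        # step 39.0 (subset)

ROUTER_ACL = '''
access-list 150 permit tcp any host yourwebserver eq 80
access-list 150 permit tcp any host yourwebserver eq 443
access-list 150 permit tcp 10.1.0.0 0.0.255.255 host yourwebserver eq 22
access-list 150 permit udp 10.2.0.0 0.0.0.255 host yourwebserver eq 161
access-list 150 permit udp 10.2.0.0 0.0.0.255 host yourwebserver eq 162
access-list 150 permit tcp 10.1.0.0 0.0.255.255 host yourwebserver eq 3389
'''.strip().splitlines()                                        # step 72.0 (assumed networks)


def report():
    """Return (reachable inbound set, {entry: filters that contain it})."""
    filters = {'tcpip': TCPIP_FILTER,
               'ipsec': ipsecpol_inbound(IPSECPOL_SCRIPT),
               'acl': acl_inbound(ROUTER_ACL)}
    return effective_inbound(*filters.values()), mismatches(filters)


if __name__ == '__main__':
    reachable, gaps = report()
    print('reachable inbound:', sorted(reachable))
    for entry, where in gaps.items():
        print('%s only in %s' % (entry, ', '.join(where)))
```

On the guide's own lists the reachable set comes out as 80, 443 and 22 TCP plus 161 and 162 UDP: the REM'd RDP rule means 3389 is open at the router and in TCP/IP Filtering but dead at the host, while the SMTP, DNS, syslog and NetBackup rules in the IPSec policy are never reachable because neither of the other two filters permits them. Either outcome may be what you intend, but the check makes the decision explicit instead of accidental.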
Additional Resources

MAJOR Revision History (patches are updated more frequently)

Date of Change   Responsible   Summary of Change
November 2000    Gavin Reid    Developed
August 2001      Gavin Reid    Update
August 2002      Gavin Reid    Update

Note: For information/questions, please contact Gavin Reid, gavin@shebeen.com,
key fingerprint 2AE4 4564 2239 F93F E52A AE25 D635 8397 03AA E562.
Please link to the document, do not copy it: http://www.shebeen.com/w2k