Protected Foundation For Hosting Computer Science Essay

Published: November 9, 2015 Words: 1816

A secure Web server provides a protected foundation for hosting your Web application, and Web server configuration plays a critical role in your Web application's security. Badly configured virtual directories, a common mistake, can lead to unauthorized access. A forgotten share can provide a convenient back door, while an overlooked port can be an attacker's front door. Neglected user accounts can permit an attacker to slip by your defenses unnoticed.

What makes a Web server secure? Part of the challenge of securing your Web server is recognizing your goal. As soon as you know what a secure Web server is, you can learn how to apply the configuration settings to create one. This Project provides a systematic, repeatable approach that you can use to successfully configure a secure Web server: a methodology and the steps required to secure your Web server, which you can adapt to your own situation. The steps are modular and demonstrate how you can put the methodology into practice. You can use these procedures on existing Web servers or on new ones.

The fact that an attacker can strike remotely makes a Web server an appealing target. Understanding threats to your Web server and being able to identify appropriate countermeasures permits you to anticipate many attacks and thwart the ever-growing numbers of attackers. The main threats to a Web server are:

1. Profiling

2. Denial of service

3. Unauthorized access

4. Arbitrary code execution

5. Elevation of privileges

6. Viruses, worms, and Trojan horses

Figure: Prominent Web server threats and common vulnerabilities

Methodology for Securing Your Web Server

To secure a Web server, you must apply many configuration settings to reduce the server's vulnerability to attack. So, how do you know where to start, and when do you know that you are done? The best approach is to organize the precautions you must take and the settings you must configure into categories. Using categories allows you to systematically walk through the securing process from top to bottom, or pick a particular category and complete specific steps.

Configuration Categories

The security methodology in this Project has been organized into the categories shown in the following figure.

Figure: Web server configuration categories

Steps for Securing Your Web Server

The next sections guide you through the process of securing your Web server. These sections use the configuration categories introduced in the "Methodology for Securing Your Web Server" section of this Project. Each high-level step contains one or more actions to secure a particular area or feature.

Step 1. Patches and Updates

Step 2. IISLockdown

Step 3. Services

Step 4. Protocols

Step 5. Accounts

Step 6. Files and Directories

Step 7. Shares

Step 8. Ports

Step 9. Registry

Step 10. Auditing and Logging

Step 11. Sites and Virtual Directories

Step 12. Script Mappings

Step 13. ISAPI Filters

Step 14. IIS Metabase

Step 15. Server Certificates

Step 16. Machine.config

Step 17. Code Access Security

Step 1. Patches and Updates

Update your server with the latest service packs and patches. You must update and patch all of the Web server components including Windows 2000 or Windows Server 2003 (and IIS), the .NET Framework, and Microsoft Data Access Components (MDAC).

During this step, you:

Detect and Install Patches and Updates

Use the Microsoft Baseline Security Analyzer (MBSA) to detect the patches and updates that may be missing from your current installation. MBSA compares your installation to a list of currently available updates maintained in an XML file. MBSA can download the XML file when it scans your server or you can manually download the file to the server or make it available on a network server.

To detect and install patches and updates

1. Download and install MBSA.

2. Run MBSA by double-clicking the desktop icon or selecting it from the Programs menu.

3. Click Scan a computer. MBSA defaults to the local computer.

4. Clear all check boxes apart from Check for security updates. This option detects which patches and updates are missing.

5. Click Start scan. Your server is now analyzed. When the scan is complete, MBSA displays a security report, which it also writes to the %userprofile%\SecurityScans directory.

6. Download and install the missing updates. Click the Result details link next to each failed check to view the list of security updates that are missing. The resulting dialog box displays the Microsoft security bulletin reference number. Click the reference to find out more about the bulletin and to download the update.

Step 2. IISLockdown

The IISLockdown tool helps you to automate certain security steps. IISLockdown greatly reduces the vulnerability of a Windows 2000 Web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server. The templates either disable or secure various features. In addition, IISLockdown installs the URLScan ISAPI filter. URLScan allows Web site administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules that the administrator controls. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.

Note By default, IIS 6.0 has security-related configuration settings similar to those made by the IIS Lockdown Tool. Therefore you do not need to run the IIS Lockdown Tool on Web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS (5.0 or lower) to IIS 6.0, it is recommended that you run the IIS Lockdown Tool to enhance the security of your Web server.

During this step, you:

1. Install and run IISLockdown. IISLockdown is available as an Internet download from the Microsoft Web site at http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe.

Save IISlockd.exe in a local folder. IISlockd.exe is the IISLockdown wizard and not an installation program. You can reverse any changes made by IISLockdown by running IISlockd.exe a second time.

If you are locking down a Windows 2000-based computer that hosts ASP.NET pages, select the Dynamic Web server template when the IISLockdown tool prompts you. When you select Dynamic Web server, IISLockdown does the following:

It disables the following insecure Internet services:

1. File Transfer Protocol (FTP)

2. E-mail service (SMTP)

3. News service (NNTP)

It disables script mappings by mapping the following file extensions to the 404.dll:

1. Index Server Web Interface (.idq, .htw, .ida)

2. Server-side include files (.shtml, .shtm, .stm)

3. Internet Data Connector (.idc)

4. .HTR scripting (.htr)

5. Internet printing (.printer)

Log Files

IISLockdown creates two reports that list the changes it has applied:

1. %windir%\system32\inetsrv\oblt-rep.log. This contains high-level information.

2. %windir%\system32\inetsrv\oblt-log.log. This contains low-level details such as which program files are configured with a deny access control entry (ACE) to prevent anonymous Internet user accounts from accessing them. This log file is also used to support the IISLockdown Undo Changes feature.

Web Anonymous Users and Web Application Groups

IISLockdown creates the Web Anonymous Users group and the Web Application group. The Web Anonymous Users group contains the IUSR_MACHINE account. The Web Application group contains the IWAM_MACHINE account. Permissions are assigned to system tools and content directories based on these groups and not directly to the IUSR and IWAM accounts. You can review specific permissions by viewing the IISLockdown log, %windir%\system32\inetsrv\oblt-log.log.

The 404.dll

IISLockdown installs the 404.dll, to which you can map file extensions that must not be run by the client.

URLScan

If you install the URLScan ISAPI filter as part of IISLockdown, URLScan settings are integrated with the server role you select when running IISLockdown. For example, if you select a static Web server, URLScan blocks the POST command.
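The two URLScan and 404.dll behaviours described above (extensions the Dynamic Web server template maps to 404.dll, and the POST block on a static Web server) can be modelled as a request filter. This is an added example written for this essay, not IISLockdown or URLScan code; the role names and the rule tables are assumptions drawn from the text.

```python
import re
from urllib.parse import urlsplit

# Extensions the Dynamic Web server template maps to 404.dll (from the text above).
BLOCKED_EXTENSIONS = {
    ".idq", ".htw", ".ida",      # Index Server Web Interface
    ".shtml", ".shtm", ".stm",   # server-side include files
    ".idc",                      # Internet Data Connector
    ".htr",                      # .HTR scripting
    ".printer",                  # Internet printing
}

# Verbs permitted per server role (assumed): a static site has no use for
# POST, which is why URLScan blocks it for the static Web server role.
ALLOWED_VERBS = {
    "static": {"GET", "HEAD"},
    "dynamic": {"GET", "HEAD", "POST"},
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def filter_request(request_line: str, role: str = "dynamic"):
    """Return (allowed, reason) for one HTTP request line.

    The request is allowed only when the verb is permitted for the role and
    the requested file's extension is not one that is mapped to 404.dll.
    """
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return False, "malformed request line"
    verb, target = m.groups()
    if verb not in ALLOWED_VERBS[role]:
        return False, f"verb {verb} not allowed for {role} server"
    # Drop the query string and compare extensions case-insensitively,
    # so /Default.IDA?x is treated the same as /default.ida.
    path = urlsplit(target).path.lower()
    segment = path.rsplit("/", 1)[-1]
    ext = segment[segment.rfind("."):] if "." in segment else ""
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} is mapped to 404.dll"
    return True, "ok"
```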

Reversing IISLockdown Changes

To reverse the changes that IISLockdown performs, run IISLockd.exe a second time. This does not remove the URLScan ISAPI filter. For more information, see "Removing URLScan" in the next topic.

Install and Configure URLScan

URLScan is installed when you run IISLockdown, although you can download it and install it separately.

Note IIS 6.0 on Windows Server 2003 has functionality equivalent to URLScan built in. Your decision whether to install URLScan should be based on your specific organizational requirements.

To install URLScan separately, download IISlockd.exe from http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe and run the following command to extract the URLScan setup:

iislockd.exe /q /c

Step 3. Services

Services that do not authenticate clients, services that use insecure protocols, or services that run with too much privilege are risks. If you do not need them, do not run them. By disabling unnecessary services you quickly and easily reduce the attack surface. You also reduce your overhead in terms of maintenance (patches, service accounts, and so on).

If you run a service, make sure that it is secure and maintained. To do so, run the service using a least privilege account, and keep the service current by applying patches.

During this step, you:

Disable unnecessary services.

Disable FTP, SMTP, and NNTP unless you require them.

Disable the ASP.NET State service unless you require it.

Step 4. Protocols

By preventing the use of unnecessary protocols, you reduce the potential for attack. The .NET Framework provides granular control of protocols through settings in the Machine.config file. For example, you can control whether your Web Services can use HTTP GET, POST or SOAP.

Disable or secure WebDAV. IIS supports the WebDAV protocol, which is a standard extension to HTTP 1.1 for collaborative content publication. Disable this protocol on production servers if it is not used.

WebDAV is preferable to FTP from a security perspective, but you need to secure WebDAV. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."

If you do not need WebDAV, see Microsoft Knowledge Base article 241520, "How To: Disable WebDAV for IIS 5.0."

Harden the TCP/IP stack. Windows 2000 and Windows Server 2003 support granular control of many parameters that configure their TCP/IP implementation. Some of the default settings are configured to provide server availability and other specific features rather than security.

Disable NetBIOS and SMB. Disable all unnecessary protocols, including NetBIOS and SMB. Web servers do not require NetBIOS or SMB on their Internet-facing network interface cards (NICs). Disable these protocols to counter the threat of host enumeration.

Disabling NetBIOS

NetBIOS uses the following ports:

TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)

TCP and UDP port 138 (NetBIOS datagram service)

TCP and UDP port 139 (NetBIOS session service)

Disabling NetBIOS is not sufficient to prevent SMB communication because if a standard NetBIOS port is unavailable, SMB uses TCP port 445. (This port is referred to as the SMB Direct Host.) As a result, you must take steps to disable NetBIOS and SMB separately.

To disable NetBIOS over TCP/IP

1. Right-click My Computer on the desktop, and click Manage.

2. Expand System Tools, and select Device Manager.

3. Right-click Device Manager, point to View, and click Show hidden devices.

4. Expand Non-Plug and Play Drivers.

5. Right-click NetBios over Tcpip, and click Disable.

This disables the NetBIOS direct host listener on TCP 445 and UDP 445.
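After following the procedure above, a practitioner wants to confirm that neither the NetBIOS ports nor the SMB direct host port are still listening on the Internet-facing NIC, since the text notes that SMB falls back to TCP 445 when NetBIOS is off. The following added example (written for this essay, not a Microsoft tool) parses Windows "netstat -an" output; the sample output and the address 203.0.113.10 are constructed.

```python
# Ports from the text: NetBIOS uses 137/138/139, SMB direct host uses 445.
NETBIOS_PORTS = {137: "NetBIOS name service",
                 138: "NetBIOS datagram service",
                 139: "NetBIOS session service"}
SMB_DIRECT_PORT = 445

# Constructed "netstat -an" output: NetBIOS has been disabled, SMB has not.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:51522     ESTABLISHED
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  UDP    10.0.0.5:137           *:*
  UDP    0.0.0.0:500            *:*
"""

def parse_listeners(netstat_output: str):
    """Yield (proto, ip, port) for TCP sockets in LISTENING state and all UDP sockets."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue                      # header line or other noise
        proto, local = parts[0], parts[1]
        ip, _, port = local.rpartition(":")   # handles "[::]:445" as well
        if not port.isdigit():
            continue
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue                      # established/closing sockets are not listeners
        yield proto, ip, int(port)

def check_netbios_smb(netstat_output: str, internet_facing_ips):
    """Return findings for NetBIOS/SMB listeners reachable on Internet-facing addresses.

    A socket bound to 0.0.0.0 or [::] counts as bound to every interface,
    so it is reported even though no explicit Internet-facing IP matches.
    """
    findings = []
    for proto, ip, port in parse_listeners(netstat_output):
        if ip not in ("0.0.0.0", "[::]") and ip not in internet_facing_ips:
            continue                      # bound only to an internal NIC
        if port in NETBIOS_PORTS:
            findings.append(f"{proto} {ip}:{port} {NETBIOS_PORTS[port]} still listening")
        elif port == SMB_DIRECT_PORT:
            findings.append(f"{proto} {ip}:{port} SMB direct host still listening; "
                            "disabling NetBIOS alone is not enough")
    return findings
```

Run against the sample with internet_facing_ips={"203.0.113.10"}, it reports only the wildcard-bound TCP 445 listener; the NetBIOS sockets bound to 10.0.0.5 are ignored because they sit on the internal NIC.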