Last Updated: 27-Sep-1999
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
Having a security policy is paramount. You need ready answers to questions like:
- How do we react to a break-in?
- Where are the backups stored?
- Who is allowed to access the server?
Good sources of policy information may be found at SANS Institute, Baseline Software, Inc. and Practical Unix & Internet Security. The IIS4 Resource Kit security chapter covers many aspects of Windows NT and IIS security.
Currently Windows NT 4.0 SP5 is the latest Service Pack and is recommended for secure IIS4 sites. Review all Microsoft Security Bulletins and then check for hot-fixes for Windows NT, IIS, and Certificate Server. Also review the latest Microsoft Security News.
Because NTFS supports Access Control Lists you can set security policy in Windows NT rather than have it spread around applications. If you are using FAT you can convert to NTFS using the CONVERT.EXE tool.
There are many references to what the appropriate ACLs should be, such as the IIS4 Resource Kit and Windows NT Security Guidelines - a study for NSA Research by Trusted Systems Services Inc.
NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications. As 16-bit apps should not be used on a secure web server, 8.3 name generation can be safely turned off. There is also a performance benefit to setting this. To turn off 8.3 name generation set the following registry entry:
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | \CurrentControlSet\Control\FileSystem
Name | NtfsDisable8dot3NameCreation
Type | REG_DWORD
Value | 1
Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts.
OS/2 and POSIX subsystems removed
You can remove the subsystems using the C2Config tool in the Windows NT Resource Kit.
Run Net Share from the command line and make sure you delete all the shares it lists using Net Share /d. You should also prevent all administrative shares (C$, D$, ADMIN$) by setting the following in the Registry:
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | CurrentControlSet\Services\LanmanServer\Parameters
Name | AutoShareServer
Type | REG_DWORD
Value | 0
Go to Control Panel | System | Startup/Shutdown and set "Show list for" to zero.
Use the C2Config tool in the Windows NT Resource Kit or set the following in the Registry:
Hive | HKEY_LOCAL_MACHINE\SOFTWARE
Key | \Microsoft\Windows NT\CurrentVersion\Winlogon
Name | DontDisplayLastUserName
Type | REG_SZ
Value | 1
Use the C2Config tool in the Windows NT Resource Kit to include extra security information, or set the following in the Registry:
Hive | HKEY_LOCAL_MACHINE\SOFTWARE
Key | \Microsoft\Windows NT\CurrentVersion\Winlogon
Name | LegalNoticeCaption
Type | REG_SZ
Value | Whatever you want for the title of the message box

Hive | HKEY_LOCAL_MACHINE\SOFTWARE
Key | \Microsoft\Windows NT\CurrentVersion\Winlogon
Name | LegalNoticeText
Type | REG_SZ
Value | Whatever you want for the text of the message box
Set the minimum password length to at least nine characters. This makes passwords much harder to guess than eight characters or fewer, owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters in the first 7 characters.
Use the C2Config tool in the Windows NT Resource Kit or set the following value in the Registry:
Hive | HKEY_LOCAL_MACHINE\SOFTWARE
Key | \Microsoft\Windows NT\CurrentVersion\Winlogon
Name | ShutdownWithoutLogon
Type | REG_SZ
Value | 0
Secure environments should only allow Admins to determine the drive letters and printers on a computer. Use the C2Config tool in the Windows NT Resource Kit to perform this task.
Minimize the number of users and groups on the server and keep group membership small. There should be only the most trusted accounts listed in the Administrators and Domain Admins groups. Also, be wary of the privileges given to users and groups beyond the default. You can access privilege information by opening User Manager | Policies | User Rights. A complete list of recommended user rights is detailed in the IIS4 Resource Kit.
Note, three particularly powerful rights are:
- Debug privilege
- Act as part of operating system
- Backup privilege
Scrutinize accounts with these rights.
SYSKEY, a tool introduced in Windows NT 4 SP3, provides an extra safeguard for the SAM database. Refer to Q143475 for further details.
While renaming the Administrator account is an example of "security through obscurity", it's an extra step a hacker must make to determine the admin account. Consider adding a 'fake' administrator to help detect account attacks. Give this 'Administrator' no rights and carefully audit its use.
Note: nbtstat -a
Normally, the Administrator account cannot be locked out if an attacker attempts to guess the password. However, a tool in the Windows NT Resource Kit called PASSPROP supports this option. If you run the following command the Administrator account will be locked out if an attacker attempts a brute force or dictionary attack, but the administrator can still log on locally at the server:
passprop /adminlockout
Make sure the admin account has a very difficult to guess password and change it frequently.
The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry key:
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | \CurrentControlSet\Control\SecurePipeServers
Name | \winreg
The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.
Windows NT has a feature that allows non-authenticated users to enumerate users on a Windows NT domain. If you do not want this functionality, set the following in the Registry:
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | CurrentControlSet\Control\LSA
Name | RestrictAnonymous
Type | REG_DWORD
Value | 1
This only allows users having an account in the domain or on the machine to access shares on the server. You can do this by opening User Manager | Policies | User Rights, choosing "Access this computer from network", removing Everyone from the list and adding Authenticated Users to the list.
Unbinding NetBIOS from TCP/IP will prevent a user from accessing machine information using tools like NBTSTAT.
If routing is enabled, you run the risk of passing data between the intranet and the Internet. To disable routing, open Control Panel | Network | Protocols | TCP/IP Protocol | Properties | Routing and clear the Enable IP Forwarding check box.
Open User Manager | Policies | Audit | Audit these Events.
Open Event Viewer | Log | Log Settings, and set a maximum size and "Overwrite Events Older than" for all three logs. If you are going to overwrite logs after only a few days and your log maximum size is small then you need to check the logs more frequently.
Configure TCP/IP filtering by specifying which ports are allowed on each network card. Go to Control Panel | Network | Protocols | TCP/IP | Advanced | Enable Security | Configure. Now set the following options:
- Permit only TCP ports 80 and 443 (if you have SSL)
- Permit no UDP ports
- Permit only IP Protocol 6 (TCP)
Place all commonly used administrative tools in a special directory outside %systemroot% and ACL them so that only administrators have full access to these files. For example, create a directory called \CommonTools and place the following files in there:
- cmd.exe
- wscript.exe
- cscript.exe
- net.exe
- ftp.exe
- telnet.exe
It is generally considered good practice to reduce the number of entry points into a server; for Windows NT this means reducing the number of services. Refer to Q189271 for further details.
These are application specific, but you need to make sure you use 'strong enough' authentication for your application. The following lists the authentication schemes supported by IIS4 in increasing order of trust:
- Anonymous
- Basic
- Windows NT Challenge/Response
- Client Certificates
Refer to Q229694 for further details.
This is also application dependent, but the following rules-of-thumb apply:
File Type | ACL
CGI etc. (.EXE, .DLL, .CMD, .PL) | Everyone (X), Administrators (Full Control), System (Full Control)
Script files (.ASP etc.) | Everyone (X), Administrators (Full Control), System (Full Control)
Include files (.INC, .SHTML, .SHTM) | Everyone (X), Administrators (Full Control), System (Full Control)
Static content (.HTML, .GIF, .JPEG) | Everyone (R), Administrators (Full Control), System (Full Control)
Rather than setting ACLs on each file, you are better off creating new directories for each type of file, setting ACLs on the directory and allowing the ACLs to inherit to the files. For example, a directory structure may look like this:
c:\inetpub\wwwroot\myserver\static (.html)
c:\inetpub\wwwroot\myserver\include (.inc)
c:\inetpub\wwwroot\myserver\script (.asp)
c:\inetpub\wwwroot\myserver\executable (.dll)
c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Real ACL inheritance is a feature of Windows NT 4 SP4 with the Security Config Editor installed.
Also be aware that two directories need special attention:
c:\inetpub\ftproot (FTP server)
c:\inetpub\mailroot (SMTP server)
They are both Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume from the IIS server if you are going to support Everyone (Write).
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
- Administrators (Full Control)
- System (Full Control)
This is to prevent malicious users deleting the files to cover their tracks.
Logging is paramount when you want to see if your server is being attacked. You should use W3C Extended Logging format by loading the IIS MMC tool | right-click on the site in question | Properties | Web Site | Enable Logging (W3C Extended Log), then set the following properties:
- Client IP Address
- User Name
- Method
- URI Stem
- HTTP Status
- User Agent
- Server IP Address
- Server Port
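Once those properties are enabled, the log is a plain text file that can be reviewed automatically. The following JavaScript is an added example, not code from the checklist: it parses W3C Extended log lines that carry exactly the fields listed above and flags two things worth checking, '..' in a URI stem (parent-path use) and repeated 401 responses from one client IP. The log lines are constructed sample data.

```javascript
// Added example, not from the checklist: parse W3C Extended log lines that carry
// the fields the checklist recommends and flag two things a defender looks for:
// '..' in the URI stem (parent-path use) and repeated 401s from one client IP
// (guessing against an account). Log lines below are constructed sample data;
// IIS writes spaces inside a field (e.g. the User-Agent) as '+'.
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Server 4.0",
  "#Version: 1.0",
  "#Fields: c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent) s-ip s-port",
  "10.0.0.5 - GET /default.asp 200 Mozilla/4.0+(compatible) 192.168.1.10 80",
  "10.0.0.7 - GET /scripts/../private/x.asp 404 Mozilla/4.0+(compatible) 192.168.1.10 80",
  "10.0.0.9 - GET /secure/ 401 Mozilla/4.0+(compatible) 192.168.1.10 80",
  "10.0.0.9 - GET /secure/ 401 Mozilla/4.0+(compatible) 192.168.1.10 80",
  "10.0.0.9 - GET /secure/ 401 Mozilla/4.0+(compatible) 192.168.1.10 80",
  "10.0.0.9 admin GET /secure/ 200 Mozilla/4.0+(compatible) 192.168.1.10 80",
].join("\n");

// Returns one object per request, keyed by the names in the #Fields directive.
function parseW3cLog(text) {
  let fields = null;
  const records = [];
  for (const line of text.split("\n")) {
    if (line.startsWith("#")) {                 // directive line
      if (line.startsWith("#Fields:")) fields = line.slice(8).trim().split(/\s+/);
      continue;
    }
    if (!fields || line.trim() === "") continue;
    const parts = line.split(/\s+/);
    const rec = {};
    fields.forEach((name, i) => { rec[name] = parts[i]; });
    records.push(rec);
  }
  return records;
}

// Returns findings: every parent-path request, and each client IP whose count
// of 401 responses reaches authFailThreshold.
function findSuspicious(records, authFailThreshold) {
  const findings = [];
  const failsByIp = {};
  for (const r of records) {
    if (r["cs-uri-stem"] && r["cs-uri-stem"].includes(".."))
      findings.push({ type: "parent-path", ip: r["c-ip"], uri: r["cs-uri-stem"] });
    if (r["sc-status"] === "401") failsByIp[r["c-ip"]] = (failsByIp[r["c-ip"]] || 0) + 1;
  }
  for (const ip of Object.keys(failsByIp))
    if (failsByIp[ip] >= authFailThreshold)
      findings.push({ type: "auth-failures", ip, count: failsByIp[ip] });
  return findings;
}
```

The threshold and the window over which 401s are counted are up to the site; the sample counts over the whole file.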
This is not a common option to set, but if you wish to restrict your Web sites to certain users then this is one option. Note, if you enter DNS names then IIS has to do a lookup, which can be time consuming.
It is difficult to know whether executable content can be trusted or not. One small test is to use the DumpBin tool to see if the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you wish to see if a file called MyISAPI.DLL calls RevertToSelf():
dumpbin /imports MyISAPI.DLL | find "RevertToSelf"
If no result appears on screen then MyISAPI.DLL does not call RevertToSelf() directly. It may call the API through LoadLibrary(), in which case you could search for this too.
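The same check can be scripted so that the LoadLibrary() case is not forgotten. The JavaScript below is an added example, not from the checklist: it parses the text of "dumpbin /imports" into a per-DLL list of imported functions and reports both the watched APIs imported directly and whether LoadLibrary plus GetProcAddress are present. The dumpbin output is a constructed sample in the tool's layout, not real output.

```javascript
// Added example, not from the checklist: the DumpBin check done programmatically.
// parseImports() reads the text of "dumpbin /imports"; reviewImports() reports which
// watched APIs are imported directly and whether the module also imports LoadLibrary
// together with GetProcAddress, the case the text warns about, where searching for
// the name alone would miss a call resolved at run time. The dumpbin output below
// is a constructed sample in the tool's layout, not real output.
const SAMPLE_DUMPBIN = `
Dump of file MyISAPI.DLL

File Type: DLL

  Section contains the following imports:

    KERNEL32.dll
                10002000 Import Address Table
                10003000 Import Name Table
                       0 time date stamp
                       0 Index of first forwarder reference

                     1A2 GetProcAddress
                     1C3 LoadLibraryA
                      F9 GetLastError

    ADVAPI32.dll
                10002040 Import Address Table
                10003040 Import Name Table
                       0 time date stamp
                       0 Index of first forwarder reference

                     2B4 RevertToSelf
`;

// Returns { "KERNEL32.DLL": ["GetProcAddress", ...], ... }.
function parseImports(text) {
  const imports = {};
  let currentDll = null;
  for (const line of text.split("\n")) {
    const dll = line.match(/^\s+(\S+\.dll)\s*$/i);       // "    KERNEL32.dll"
    if (dll) { currentDll = dll[1].toUpperCase(); imports[currentDll] = []; continue; }
    const fn = line.match(/^\s+[0-9A-F]+\s+(\w+)\s*$/i); // "   1A2 GetProcAddress"
    if (fn && currentDll) imports[currentDll].push(fn[1]);
  }
  return imports;
}

// direct: watched names imported by name; dynamicLoading: the module can resolve
// further APIs at run time, so a clean "direct" list is not the whole story.
function reviewImports(imports, watchList) {
  const all = Object.values(imports).flat();
  const direct = all.filter((f) => watchList.includes(f));
  const dynamicLoading = all.some((f) => /^LoadLibrary(Ex)?[AW]?$/.test(f)) &&
    all.includes("GetProcAddress");
  return { direct, dynamicLoading };
}
```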
SSL/TLS can be used to secure data as it's transferred from the client to the web server. SSL/TLS is used mainly when passwords or credit cards are to be transferred across the Internet. However, using SSL/TLS is slow, especially during the initial handshake, so keep pages that use SSL/TLS to a minimum and keep the content minimal.
If you are using SP4 or later you do not need to use the IISCA tool. Instead you can use the new certificate UI. Refer to Q194788 for further details.
In a public key infrastructure trust is determined by the root certifying authority (CA) certificates you have enabled. If you trust certificates issued by a CA then you must have that root CA certificate loaded in the operating system. You need to do the following to implement who you trust when using IIS:
- Determine who you trust. Write the CA's names down.
- Disable or remove the root CA certificates of those you don't trust. By implication, if you don't know the name of a CA then you cannot trust them.
How you achieve the second bullet point depends on what version of IIS, IE and Windows NT 4 you are using:
IIS4 + IE4 + Windows NT 4 + SP4 or better
In this scenario, all root CA certificates are handled by schannel.dll, which stores its data in the registry. You will see a series of registry keys under the following "CertificationAuthorities" key, one for each preinstalled CA. Each CA key has an "Enabled" entry under it, set to 0x1 if the CA is trusted and 0x0 if the CA is not trusted.
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities
Name | Enabled
Type | REG_DWORD
Value | 0
Note: you should not delete these registry entries, as Schannel will notice that they're missing and recreate them.
IIS4 + IE5 + Windows NT 4 + SP4 or better
For this scenario you need to perform the steps noted above and modify trusted roots in IE5:
- Open IE5
- Select Tools | Internet Options
- Click on the Content tab
- Click on the Certificates button
- Click on the Trusted Root Certification Authorities tab
- Remove any untrusted roots
Regardless of which route you take, you will need to stop and start IIS:
- net stop iisadmin /y
- net start w3svc
Check what documents you are indexing; make sure you are not indexing source code!
By default the installed ASP pages for Certificate Server are not secured. You should either remove the pages or set very limited ACLs on the pages. They are located in the %systemroot%\certsrv directory. You should set the ACLs to:
- Administrators (Full Control)
- Certificate Issuers (Full Control)
- SYSTEM (Full Control)
Then add trusted certificate operators to the Certificate Issuers group.
Samples are just that, samples; they are not installed by default and should never be installed on a production server. This includes documentation (the SDK docs include sample code), the Exploration Air sample site and others. Here are the default locations for some of the samples:
Technology | Location
IIS | c:\inetpub\iissamples
IIS SDK | c:\inetpub\iissamples\sdk
Admin Scripts | c:\inetpub\AdminScripts
Data access | c:\Program Files\Common Files\System\msadc\Samples
Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware that some programs may require components you are disabling. For example, Site Server 3.0 uses the File System Object. The following will disable the File System Object:
regsvr32 scrrun.dll /u
This directory allows you to reset Windows NT passwords; it is designed primarily for intranet scenarios. It should be removed if this feature is not required or if the server is on the Web. Refer to Q184619 for more info about this functionality.
IIS is preconfigured to support common filename extensions such as .ASP and .SHTM. When IIS receives a request for a file of one of these types the call is handled by a DLL. If you don't use some of these extensions or functionality you should remove the mappings by opening Internet Services Manager, then right-clicking the Web server | Properties | Master Properties | WWW Service | Edit | Home Directory | Configuration, and removing these references:
If you don't use | Remove this entry
Web-based Password Reset | .htr
Internet Database Connector (new Web sites don't use this, they use ADO from Active Server Pages) | .idc
Server-side includes | .shtm, .stm, .shtml
There is a known Denial of Service attack when using RDS; you should either remove the capability or restrict its usage using ACLs. Refer to MS99-025 for more info.
Many sites use input from a user to call other code or build SQL statements directly. In other words they treat the input as valid, well-formed, non-malicious input. This should not be so: there have been a number of attacks, most notably on Unix, where user input was incorrectly treated as valid input and the user gained access to the server or caused damage. You should always check all user <FORM> input before passing it on to another process or method call which may use an external resource such as the file system or a database.
Checking the text can be performed with the new JScript and VBScript regular expression capabilities. The following example code will strip a string of all invalid characters (not 0-9a-zA-Z and _):
Set reg = New RegExp
reg.Pattern = "\W+"    ' One or more characters which are NOT 0-9a-zA-Z or '_'
reg.Global = True      ' Replace every match, not only the first one
strUnTainted = reg.Replace(strTainted, "")
The following sample will strip all text after a '|' operator:
Set reg = New RegExp
reg.Pattern = "^(.+)\|(.+)"    ' Any character from the start of the string to a '|'
strUnTainted = reg.Replace(strTainted, "$1")
The new pattern syntax is the same as that in Perl 5.0. Refer to the v5 scripting engine documentation at http://www.microsoft.com/jscript for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.
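The same two patterns in JavaScript, as an added example that is not part of the checklist (JScript 5 uses the same Perl 5-style RegExp syntax, so the patterns carry over unchanged), together with a stricter allow-list check that rejects a bad value outright instead of repairing it. The sample inputs are constructed.

```javascript
// Added example, not from the checklist: the checklist's two VBScript patterns
// written in JavaScript, plus a stricter allow-list check that rejects bad input
// instead of repairing it. Sample inputs in the comments are constructed.

// Strip every character that is not 0-9, a-z, A-Z or '_' ("\W+"). The g flag is
// what makes this remove all matches; the VBScript object needs .Global = True.
function stripNonWord(tainted) {
  return tainted.replace(/\W+/g, "");
}

// Keep only the text before a '|' ("^(.+)\|(.+)" replaced with "$1"). Because the
// first (.+) is greedy, a value with two pipes keeps everything up to the last one
// ("a|b|c" becomes "a|b"); use (.+?) if the intent is to cut at the first pipe.
function stripAfterPipe(tainted) {
  return tainted.replace(/^(.+)\|(.+)/, "$1");
}

// Allow-list check for values that reach the file system or a database: accept
// the value only if it is entirely word characters and no longer than maxLen,
// otherwise return null so the caller rejects the request rather than using a
// "cleaned" value the user never actually sent.
function validateWord(tainted, maxLen) {
  if (typeof tainted !== "string" || tainted.length === 0 || tainted.length > maxLen) return null;
  return /^\w+$/.test(tainted) ? tainted : null;
}
```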
Parent Paths allows you to use '..' in calls to MapPath and the like. By default this option is enabled and should be disabled. To disable this option go to the root of the Web site in question, right-click, select Properties | Home Directory | Configuration | App Options and uncheck Enable Parent Paths.
The SSI #exec cmd directive can be used to call arbitrary commands at the Web server from within an HTML page. IIS disables this by default. You can double-check this by making sure the following is set to zero or is missing:
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | CurrentControlSet\Services\W3SVC\Parameters
Name | SSIEnableCmdDirective
Type | REG_DWORD
Value | 0
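The registry values this checklist sets (8.3 name creation, administrative shares, last user name display, shutdown without logon, RestrictAnonymous and the SSI command directive above) can be verified together from a Regedit export. The JavaScript below is an added example, not from the checklist: it parses a REGEDIT4-format export and reports every value that deviates from the checklist, treating SSIEnableCmdDirective as acceptable when absent, as the text says. The export is a constructed sample in which one value deliberately disagrees.

```javascript
// Added example, not from the checklist: audit a Regedit export (REGEDIT4 format)
// against the registry values the checklist sets. The export below is a constructed
// sample in which ShutdownWithoutLogon deliberately disagrees with the checklist.
const SAMPLE_EXPORT = String.raw`REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RestrictAnonymous"=dword:00000001
`;

// Returns { "HKEY...\KEY": { valueName: { type, data } } }; key paths are
// upper-cased, value names keep their case. Only dword and string lines are read.
function parseRegExport(text) {
  const keys = {};
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const k = line.match(/^\[(.+)\]$/);
    if (k) { current = k[1].toUpperCase(); keys[current] = keys[current] || {}; continue; }
    const v = current && line.match(/^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$/i);
    if (!v) continue;
    keys[current][v[1]] = v[2] !== undefined
      ? { type: "REG_DWORD", data: parseInt(v[2], 16) }
      : { type: "REG_SZ", data: v[3] };
  }
  return keys;
}

// [key, value name, type, expected data, may be absent] taken from the checklist.
const HKLM = "HKEY_LOCAL_MACHINE\\";
const CHECKLIST = [
  [HKLM + "SYSTEM\\CurrentControlSet\\Control\\FileSystem", "NtfsDisable8dot3NameCreation", "REG_DWORD", 1],
  [HKLM + "SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters", "AutoShareServer", "REG_DWORD", 0],
  [HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DontDisplayLastUserName", "REG_SZ", "1"],
  [HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "ShutdownWithoutLogon", "REG_SZ", "0"],
  [HKLM + "SYSTEM\\CurrentControlSet\\Control\\LSA", "RestrictAnonymous", "REG_DWORD", 1],
  [HKLM + "SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters", "SSIEnableCmdDirective", "REG_DWORD", 0, true],
];

// Returns human-readable deviations; an empty list means the export matches.
function auditRegistry(keys, checklist) {
  const findings = [];
  for (const [key, name, type, data, missingOk] of checklist) {
    const entry = (keys[key.toUpperCase()] || {})[name];
    if (!entry) { if (!missingOk) findings.push(name + ": missing"); continue; }
    if (entry.type !== type || entry.data !== data)
      findings.push(name + ": found " + entry.type + " " + entry.data + ", expected " + type + " " + data);
  }
  return findings;
}
```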
The Content-Location header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. Refer to Q218180 for further information about disabling this option.