Microsoft Internet Information Server 4.0 Security Checklist Further Details

Last Updated: 27-Sep-1999                 

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

General Security

Read your Corporate Security Policy

Having a security policy is paramount. You need ready answers to questions like:
- How do we react to a break in?
- Where are the backups stored?
- Who is allowed to access the server?

Good sources of policy information may be found at SANS Institute, Baseline Software, Inc. and Practical Unix & Internet Security.

                                                                                                                                       
Read the IIS4 Resource Kit Security Chapter

The IIS4 Resource Kit security chapter covers many aspects of Windows NT and IIS security.

Windows NT Specific Security

Latest Service Pack and Hot-fixes applied

Currently Windows NT 4.0 SP5 is the latest Service Pack and is recommended for secure IIS4 sites. Review all Microsoft Security Bulletins and then check for hot-fixes - Windows NT, IIS, and Certificate Server. Also review the latest Microsoft Security News.

Hard disk(s) formatted to NTFS

Because NTFS supports Access Control Lists you can set security policy in Windows NT rather then spread around applications. If you are using FAT you can convert to NTFS using the CONVERT.EXE tool.

Set NTFS ACLs

There are many references to what the appropriate ACLs should be, such as the IIS4 Resource Kit and Windows NT Security Guidelines - a study for NSA Research by Trusted Systems Services Inc.

Turn off NTFS 8.3 Name Generation

NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications. As 16-bit apps should not be used on a secure web server 8.3 name generation can be safely turned off. Also note, there is a performance benefit to setting this. To turn off 8.3 name generation set the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\FileSystem

Name

NtfsDisable8dot3NameCreation

Type

REG_DWORD

Value

1

 

Set Domain controller type

Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts.

 

OS/2 and POSIX subsystems removed

You can remove the subsystems using the C2Config tool in the Windows NT Resource Kit.

 

Remove All Net Shares

Run Net Share from the command-line and make sure you delete all of them using Net Share /d. You should also prevent all administrative shares (C$, D$, ADMIN$) by setting the following in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Services\LanmanServer\Parameters

Name

AutoShareServer

Type

REG_DWORD

Value

0

 

System boot time set to zero seconds

Go to Control Panel | System | Startup/Shutdown and set "Show list for" to zero.

 

Hide last logon user name

Use the C2Config tool in the Windows NT Resource Kit or set the following in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Name

DontDisplayLastUserName

Type

REG_SZ

Value

1

 

Display a legal notice before logon

Use the C2Config tool in the Windows NT Resource Kit to include extra security information, or set the following in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Name

LegalNoticeCaption

Type

REG_SZ

Value

Whatever you want for the title of the message box

                             

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

Microsoft\Windows NT\Current Version\Winlogon

Name

LegalNoticeText

Type

REG_SZ

Value

Whatever you want for the text of the message box

 

Set password length

Set to at least nine characters. This makes it much harder to guess than eight characters or less owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters in the first 7 characters.

 

Remove Shutdown button from logon dialog

Use the C2Config tool in the Windows NT Resource Kit or set the following value in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Name

ShutdownWithoutLogon

Type

REG_SZ

Value

0

 

Only admins can assign printers/drive letters

Secure environments should only allow Admins to determine the drive letters and printers on a computer. Use the C2Config tool in the Windows NT Resource Kit to perform this task

 

Check user accounts, group membership and privileges

Minimize the number of users and groups on the server and keep group membership small. There should be only the most trusted accounts listed in the Administrators and Domain Admins groups. Also, be wary of the privileges given to users and groups beyond the default. You can access privilege information by opening User Manager | Policies | User Rights. A complete list of recommended user rights is detailed in the IIS4 Resource Kit

 

Note, three particularly powerful rights are:

 

- Debug privilege

- Act as part of operating system

- Backup privilege

 

Scrutinize accounts with these rights.

 

Run SYSKEY Utility

SYSKEY, a tool introduced in Windows NT4, SP3 provides an extra safeguard for the SAM database. Refer to Q143475 for further details.

 

Rename Administrator account

While this is an example of "security through obscurity", it's an extra step a hacker must make to determine the admin account. Consider adding a 'fake' administrator to to help detect account attacks. Give this 'Administrator' no rights and carefully audit its use.

 

Note: nbtstat -a or nbtstat -A may be used to determine the real administrator account if they are currently logged on.

 

Allow network-only lockout for the Administrator account

Normally, the Administrator account cannot be locked out if an attacker attempts to guess the password. However, a tool in the Windows NT Resource Kit called PASSPROP supports this option. If you run the following command the Administrator account will be locked out if an attacker attempts a brute force or dictionary attack but the administrator can still logon locally at the server:

 

  passprop /adminlockout

 

Set a very strong password for Admin account

Make sure the admin account has a very difficult to guess password and change it frequently. Click here for more info.

 

Prevent unauthenticated access to the registry

The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry Key

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\SecurePipeServers

Name

\winreg

 

The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.

 

Restrict Anonymous Network Access

Windows NT has a feature that allows non-authenticated users to enumerate users on a Windows NT domain. If you do not want this functionality, set the following in the Registry:

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\LSA

Name

RestrictAnonymous

Type

REG_DWORD

Value

1

 

Change "Access this computer from the network" from Everyone to Authenticated Users

This only allows users having an account in the domain or on the machine to access shares on the server. You can perform this by opening User Manager | Policies | User Rights, then choosing "Access this computer from network", remove Everyone from the list and add Authenticated Users to the list.

 

Unbind NetBIOS from TCP/IP

Unbinding NetBIOS from TCP/IP will prevent a user from accessing machine information using tools like NBTSTAT.

 

Disable IP Routing

If routing is enabled, you run the risk of passing data between the intranet and Internet. To disable routing, open the Control Panel | Network | Protocols | TCP/IP Protocol | Properties | Routing and clear the Enable IP Forwarding check box.

 

Audit for Success/Failed Logon/Logoff

Open User Manager | Policies | Audit | Audit these Events.

 

Set Overwrite interval for Audit log

Open Event Viewer | Log | Log Settings, and set a maximum size and "Overwrite Events Older than" for all three logs. If you are going to overwrite logs after only a few days and your log maximum size is small then you need to check the logs more frequently.

 

Configure TCP/IP Filtering

Configure TCP/IP filtering by specifying which ports are allowable on each network card. Go to Control Panel | Network | Protocols | TCP/IP | Advanced | Enable Security | Configure. Now set the following options:

 

- Permit only TCP ports 80 and 443 (if you have SSL)

- Permit no UDP ports

- Permit only IP Protocol 6 (TCP)

 

Move and ACL Critical Files

Place all commonly used administrative tools in a special directory out of %systemroot% and ACL them so that only administrators have full access to these files. For example create a directory called \CommonTools and place the following files in there: 

 

cmd.exe wscript.exe cscript.exe
net.exe ftp.exe telnet.exe

IIS Specific

Install minimal Internet services required

It is generally considered good practice to reduce the number of entry points into a server, for Windows NT this means reducing the number of services. Refer to Q189271 for further details.

 

Set appropriate authentication methods

These are application specific but you need to make sure you use 'strong enough' authentication for your application. The following lists the authentication schemes supported by IIS4 in increasing trust: 

- Anonymous

- Basic

- Windows NT Challenge/Response

- Client Certificates

 

Refer to Q229694 for further details.

 

Set appropriate virtual directory permissions/Web application space

This is also application dependant, but the following rules-of-thumb apply:

 

File Type

ACL

CGI etc .EXE, .DLL, .CMD, .PL

Everyone (X)

Administrators (Full Control)

System (Full Control)

Script Files .ASP etc

Everyone (X)

Administrators (Full Control)

System (Full Control)

Include Files .INC, .SHTML, .SHTM

Everyone (X)

Administrators (Full Control)

System (Full Control)

Static Content .HTML, .GIF, .JPEG

Everyone (R)

Administrators (Full Control)

System (Full Control)

 

Rather than setting ACLs on each file, you are better off setting new directories for each type of file and setting ACLs on the dir and allow the ACLs to inherit to the files. For example a directory structure may look like this:

 

 c:\inetpub\wwwroot\myserver\static (.html)

 c:\inetpub\wwwroot\myserver\include (.inc)

 c:\inetpub\wwwroot\myserver\script (.asp)

 c:\inetpub\wwwroot\myserver\executable (.dll)

 c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

 

Real ACL inheritance is a feature of Windows NT4 SP4 with the Security Config Editor installed.

 

Also be aware that two directories need special attention:

 

 c:\inetpub\ftproot (FTP server)

 c:\inetpub\mailroot (SMTP server)

 

They are both Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume to the IIS server if you are going to support Everyone (Write).

 

Set appropriate IIS log file ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

 

- Administrators (Full Control)

- System (Full Control)

 

This is to prevent malicious users deleting the files to cover their tracks.

 

Logging enabled

Logging is paramount when you want to see if your server is being attacked. You should use W3C Extended Logging format by Loading the IIS MMC tool | Right-click on site in question | Properties | Web Site | Enable Logging (W3C Extended Log), then set the following properties:

 

Client IP Address User Name Method URI Stem HTTP Status User Agent Server IP Address Server Port

 

Set IP Address/DNS Address restrictions

This is not a common option to set, but if you wish to restrict your Web sites to certain users then this is one option. Note, if you enter DNS names then IIS has to do a lookup, which can be time consuming.

 

Executable content validated for trustworthiness

It is difficult to know whether executable content can be trusted or not. One small test is use the DumpBin tool to see if the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you wish to see if a file called MyISAPI.DLL calls RevertToSelf():

 

  dumpbin /imports MyISAPI.DLL | find "RevertToSelf"

 

If no result appears on screen then MyISAPI.DLL does not call RevertToSelf() directly. It may call the API through LoadLibrary() in which case you could search for this too.

 

Set up Secure Sockets Layer

SSL/TLS can be used to secure data as it's transferred from the client to the web server. SSL/TLS is used mainly when passwords or credit cards are to be transferred across the Internet. However, using SSL/TLS is slow, especially during the initial handshake, so keep pages that use SSL/TLS to a minimum and keep the content minimal.

 

Migrate new Root Certificates to IIS

If you are using SP4 or later you do not need to use the IISCA tool. Instead you can use the new certificate UI. Refer to Q194788 for further details.

 

Remove non-Trusted Root Certificates

In a public key infrastructure trust is determined by the root certifying authority (CA) certificates you have enabled. If you trust certificates issued by a CA then you must have that root CA certificate loaded in the operating system. You need to do the following to implement who you trust when using IIS:

 

- Determine who you trust. Write the CA's names down.

- Disable or remove the root CA certificates of those you don't trust. By implication, if you don't know the name of a CA then you cannot trust them.

 

How you achieve the second bullet point depends on what version of IIS, IE and Windows NT4 you are using:

 

IIS4 + IE4 + Windows NT 4 + SP4 or better
In this scenario, all root CA certificates are handled by schannel.dll, which stores its data in the registry. You will see a series of registry keys under the following "CertificationAuthorities" key, one for each preinstalled CA. Each CA key has an "Enabled" entry under it, set to 0x1 if the CA is trusted and 0x0 if the CA is not trusted. 

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities

Name

Enabled

Type

REG_DWORD

Value

0


Note: you should not delete these registry entries, as Schannel will notice that they're missing and recreate them.

IIS4 + IE5 + Windows NT 4 + SP4 or better
For this scenario you need to perform the steps noted above and modify trusted roots in IE5:

- Open IE5
- Select Tools | Internet Options
- Click on the Content tab
- Click on the Certificates button
- Click on the Trusted Root Certification Authorities tab
- Remove any untrusted roots

Regardless of which route you take, you will need to stop and start IIS:

- net stop iisadmin /y
- net start w3svc
 

Index Server only indexing documentation

Check what documents you are indexing, makes sure you are not indexing source code!

 

Lock down Microsoft Certificate Server ASP Enrollment pages

By default the installed ASP pages for Certificate Server are not secured. You should either remove the pages or set very limited ACLs on the pages. They are located in the %systemroot%/certsrv directory. You should set the ACLs to:

 

- Administrators (Full Control)

- Certificate Issuers (Full Control)

- SYSTEM (Full Control)

 

then add trusted certificate operators to the Certificate Issuers group.

 

Disable or remove all sample applications

Samples are just that, samples, they are not installed by default and should never be installed on a production server. This includes documentation (the SDK docs include sample code), the Exploration Air sample site and others. Here are the default locations for some of the samples:

 

Technology

Location

IIS

c:\inetpub\iissamples

IIS SDK

c:\inetpub\iissamples\sdk

Admin Scripts

c:\inetpub\AdminScripts

Data access

c:\Program Files\Common Files\System\msadc\Samples

 

 

Disable or remove unneeded COM Components

Some COM components are not required for most applications and should be removed. Most notably consider disabling the File System Object component, however, this will also remove the Dictionary object. Be aware that some programs may require components you are disabling. For example, Site Server 3.0 uses the File System Object. The following will disable the File System Object:

 

  regsvr32 scrrun.dll /u

 

Remove the IISADMPWD virtual directory

This directory allows you to reset Windows NT passwords, it is designed primarily for intranet scenarios. It should be removed if this feature is not required or if the server is on the Web. Refer to Q184619 for more info about this functionality.

 

Remove Unused Script Mappings

IIS is preconfigured to support common filename extensions such as .ASP and .SHTM. When IIS receives a request for a file of one of these types the call is handled by a DLL. If you don't use some of these extensions or functionality you should remove the mappings by open Internet Services Manager then right-clicking the Web server | Properties | Master Properties | WWW Service | Edit | HomeDirectory | Configuration and remove these references:

 

If you don't use

Remove this entry

Web-based Password Reset

.htr

Internet Database Connector (new Web sites don't use this, they use ADO from Active Server Pages)

.idc

Server-side includes

.shtm, .stm, .shtml

 

 

Disable RDS support

There is a known Denial of Service attack when using RDS, you should either remove the capability or restrict it's usage using ACLs. Refer to MS99-025 for more info.

 

Check <FORM> input in your ASP code

Many sites use input from a user to call other code or build SQL statements directly. In other words they are treating the input as valid, well formed, non-malicious input. This should not be so, there are a number of attacks, most notably on Unix where user input was treated incorrectly as valid input and the user gained access to the server or caused damage. You should always check all user <FORM> input before passing it onto another process or method call which may use an external resource such as the file system or a database.

 

Checking the text can be performed with the new JScript and VBScript regular expression capabilities. The following example code will strip a string of all invalid characters (not 0-9a-zA-Z and _):

 

  Set reg = New RegExp

  reg.Pattern = "\W+" ' One or more characters which are NOT 0-9a-zA-Z or '_'

  strUnTainted = reg.Replace(strTainted, "")

 

The following sample will strip all text after a '|' operator:

 

  Set reg = New RegExp

  reg.Pattern = "^(.+)\|(.+)" ' Any character from the start of the string to a '|'

  strUnTainted = reg.Replace(strTainted,"$1")

 

The new pattern syntax is the same as that in Perl 5.0. Refer to the v5 scripting engine documentation at http://www.microsoft.com/jscript for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.

 

Disable Parent Paths

Parent Paths allows you to use '..' in calls to MapPath and the like. By default this option is enabled and should be disabled. To disable this option go to the root of the Web site in question, right click select Properties | Home Directory | Configuration | App Options and uncheck Enable Parent Paths.

 

Disable calling the command shell with #exec

The command can be used to call arbitrary commands at the Web server from within an HTML page. IIS disables this by default. You can double-check this by making sure the following is set to zero or is missing:

 

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Services\W3SVC\Parameters

Name

SSIEnableCmdDirective

Type

REG_DWORD

Value

0

 

Disable IP Address in Content-Location

The Content-Location header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. Refer to Q218180 for further information about disabling this option.