
IIS Security

Best Practices
Thom Robbins
trobbins@microsoft.com
Overview
The Basics
Latest IIS Security Issues
Managing Service Packs and Hotfixes
Windows 2000 Configuration Best Practices
IIS 5.0 Configuration Best Practices
IIS Security-related Tools
If You Got Hacked
Resources
Questions
What is covered?
Current issues
Advice and Best Practices
Configuration information for tightening
the security of Windows 2000 and IIS
5.0
IIS 5.0 Security and Hotfix related tools
List of resources for further information
What is not covered
Firewall and port settings
Port settings are application-specific and are outside of the
scope of this workshop
A list of known ways IIS has been compromised
Detailed settings for every component such as IPSec,
Certificates, etc.
How to completely protect against any possible
attack
The hope is to tighten the security enough so that a potential
attacker fails or gives up and chooses an easier target
The Basics
Know your corporate security policy!
If you don't have one, develop one!
How to react to a break-in?
Where are backups stored?
Who has physical access to the servers?
Subscribe to the Microsoft Security
Notification Service
http://www.microsoft.com/technet/security/bulletin/notify.asp
Automatic notification of security issues via e-mail
Latest IIS Security
Bulletins
MS01-044
15 August 2001 Cumulative Patch for IIS
Includes the functionality of all security patches
released to date for IIS 5.0
Includes the functionality of all security patches
released for IIS 4.0 since Windows NT 4.0
Service Pack 5
Includes fixes for five newly discovered security
vulnerabilities affecting IIS 4.0 and 5.0
See http://www.microsoft.com/security for
details
Latest IIS Security Issues
Code Red II Worm
Can be averted by installing the patch
provided in MS01-044
Removal if already infected:
The safest way to ensure complete removal is to
rebuild the server
The other option is to use the Code Red II Worm
Removal Tool found on http://www.microsoft.com
Managing Service Packs
and Hotfixes
Service Packs
Deploy via SMS Server
Deploy via Group Policy
Deploy via logon scripts and .msi packages
Hotfixes
HFNetChk Tool
QChain
HFNetChk Tool
Microsoft Network Security Hotfix Checker
(hfnetchk.exe)
Brand new! Just released in August 2001
Command-line tool to check patch status of
all machines on the network from a central
location
HFNetChk refers to an XML database
constantly updated by Microsoft
HFNetChk Features
Runs on NT 4.0 or Windows 2000 systems
Scans local and/or remote systems for
patches for the following products:
Windows NT 4.0
Windows 2000
All system services, including Internet Information
Server 4.0 and 5.0
SQL Server 7.0 and 2000 (including Microsoft
Data Engine)
Internet Explorer 5.01 and later
HFNetChk Screenshot
HFNetChk Features (cont'd)
Three items evaluated to determine
installed patches:
Registry key installed by patch
File versions
Checksum for each file installed by patch
See Knowledge Base article, Q303215
for details and download locations
QChain
Safely chains hotfixes together, allowing the
installation of multiple hotfixes with only one
reboot
Works on both Windows 2000 and Windows
NT 4.0
For Qchain usage and batch file examples
see Knowledge Base Article Q296861: Use
Qchain.exe to Install Multiple Hotfixes with
Only One Reboot
Windows 2000 Configuration
Windows 2000 Configuration Basics
IUSR_Computername Account
IWAM_Computername Account
Security Templates
IPSec Policies
Windows 2000 Configuration
Basics
Block all traffic to server before installation
takes place
If possible, install the IIS server in its own
domain, and on a member server
Create a new Inetpub root directory on
partition different from the OS
Use a name other than Inetpub to help counter
potential attacks
Put content for each supported service
(WWW, FTP, etc.) on its own partition
Windows 2000 Configuration
Basics (cont'd)
Leave IP Routing turned off
Remove all protocol stacks except TCP/IP
unless other stacks are needed
Stop Task Scheduler service if not in use
Stop FTP service if not in use
Stop Telnet service if not in use
If you plan to use Telnet, create a TelnetClients
group to restrict users who can access this service
Deny all TCP traffic except traffic to port 80 (and
port 443 if the site uses SSL) using built-in
Windows 2000 TCP/IP filtering

Windows 2000 Configuration Basics
(cont'd)
Deny access for IUSR_ComputerName and
IWAM_ComputerName to dangerous files,
for example:
Scrrun.dll
Xcopy.exe
Cmd.exe
Regedit.exe
Regedt32.exe
AT.exe
Cscript.exe
Regsvr32.exe
Debug.exe
Ftp.exe
Tftp.exe
Nbtstat.exe
Net.exe
Netsh.exe
Tskill.exe
Poledit.exe
Rexec.exe
Edlin.exe
Runas.exe
Runonce.exe
IISSync.exe
IISReset.exe
Wscript.exe
Telnet.exe
Rcp.exe
IUSR_Computername Account
Default anonymous access impersonation
account for IIS
IUSR_Computername account settings
Select User cannot change password
Select Password never expires
User rights
The logon type depends on the Allow IIS to control password option
If the option is enabled, a network logon (type 3) is performed
This is a significant security benefit because the anonymous token
cannot be used to reach remote network resources
If the option is disabled, an interactive (local) logon (type 2) is
performed, and the account needs the Log on locally user right
If anonymous access to the web site is not
required, disable the IUSR_Computername
account
IWAM_Computername Account
Default account used by DLLHost.exe
for medium and high isolation web
applications
IWAM_Computername account
privileges
Select User cannot change password
Select Password Never Expires
Anonymous access is still performed via
IUSR_Computername account
Security Templates
Security templates
Baseline templates for secure websites
Hisecweb.inf
Copy the template to the %windir%\security\templates directory
Open the Security Templates tool, and look over the settings
Open the Security Configuration And Analysis tool, and load the
template
Right-click the Security Configuration And Analysis tool, and
choose Analyze Computer Now from the context menu
Wait for the work to complete
Review the findings, and update the template as necessary
When satisfied with the template, right-click the Security
Configuration And Analysis tool and choose Configure
Computer Now from the context menu
IPSec Policies
Strongly consider setting an IPSec packet-filtering
policy on every Web server
Provides an extra level of security if firewalls are
breached
Block all TCP/IP protocols other than those you
explicitly want to support and the ports you want to
open
Deploying IPSec Policies
IPSec Administration tool
IPSecPol command line tool
IIS Configuration
Web-based Permissions
Set Appropriate ACLs
Enable Logging
Disable All Unnecessary Authentication Types
Set IP Address/DNS Address restrictions
Executable Content Validated for Trustworthiness
Update Root CA Certificates at the IIS Server
Disabling and/or Removing Unneeded Applications,
Components, Directories, Script Mappings and WebDAV
Checking Code
Disable Parent Paths
Disable IP Address in Content-Location
Perform Auditing of Key Directories
Web-based Permissions
General Access Permissions
Leave all general access permissions other than
Read disabled
Leave Script Source Access disabled
Leave Write disabled
Leave Directory Browsing disabled
Leave Execute Permissions set to None
Execute Permissions
Recommend setting on a per-web-site and per-directory
basis
If executables (.exe, .dll) are required, use the Scripts and
Executables setting
Otherwise, if scripts (.asp) are required, use the Scripts setting
Otherwise, leave Execute Permissions set to None
Web-based Permissions Screenshot
Set Appropriate ACLs on
Virtual Directories
Application dependent, but rules of thumb are:
File type                                  Access Control List
CGI (.exe, .dll, .cmd, .pl)                Everyone (RX); Administrators (Full Control); System (Full Control)
Script files (.asp)                        Everyone (RX); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)        Everyone (RX); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .html)   Everyone (R); Administrators (Full Control); System (Full Control)

Set Appropriate ACLs on
Virtual Directories (cont'd)
Recommended default ACLs by file type
Create new directories for each file type
Set ACLs on the directory
Allow the ACLs to inherit to the files
Sample directory structure
C:\inetpub\wwwroot\myserver\static (.html)
C:\inetpub\wwwroot\myserver\include (.inc)
C:\inetpub\wwwroot\myserver\script (.asp)
C:\inetpub\wwwroot\myserver\executable (.dll)
C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Set Appropriate ACLs on
Virtual Directories (cont'd)
Two directories need special attention
C:\inetpub\ftproot (FTP server)
C:\inetpub\mailroot (SMTP server)
Set to Everyone (Full Control) by default
Should be overridden with tighter permissions
depending on functionality
If you must support Everyone (Write), place the folder
on a different volume from the IIS server files, or
use Windows 2000 disk quotas to limit the amount
of data that can be written to these directories
Set Appropriate IIS Log
File ACLs
Make sure the ACLs on the IIS-generated log
files (%systemroot%\system32\LogFiles) are:
Administrators (Full Control)
System (Full Control)
Everyone (Read, Write, Change)
Move and rename the IIS Log Files directory
This is to help prevent malicious users deleting the
files to cover their tracks
Enable Logging
Use W3C Extended Logging
Set the following properties:
Client IP Address
User Name
Method
HTTP Status
Win32 Status (Look for error 5, Access Denied)
Use net helpmsg <error #> to decode error number
User Agent
And if hosting multiple Web servers on single
computer:
Server IP Address
Server Port
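The slide above says to watch the Win32 status column for error 5 (Access Denied). The following is an added example, not code from the original deck: it parses IIS 5.0 W3C Extended log lines, maps the columns named in the #Fields directive, and groups the access-denied requests by client IP so a host probing for denied files stands out. The log lines are constructed for this example; the IP addresses and paths in them are not from any real server.

```javascript
// Added example, not part of the original deck: read an IIS 5.0 W3C Extended
// log, map the columns named in the #Fields directive, and pick out requests
// that failed with Win32 status 5 (ERROR_ACCESS_DENIED), the value the slide
// says to watch for. The log text below is constructed for this example.
// IIS writes spaces inside a field (e.g. User-Agent) as '+', so splitting on
// whitespace is safe.

const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 5.0",
  "#Version: 1.0",
  "#Date: 2001-08-20 00:00:00",
  "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)",
  "2001-08-20 00:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.htm 200 0 Mozilla/4.0+(compatible;+MSIE+5.01)",
  "2001-08-20 00:00:02 10.0.0.5 - 192.168.1.10 80 GET /private/payroll.xls 401 5 Mozilla/4.0+(compatible;+MSIE+5.01)",
  "2001-08-20 00:00:03 10.0.0.9 - 192.168.1.10 80 GET /scripts/tool.exe 403 5 Mozilla/4.0+(compatible;+MSIE+5.01)",
  "2001-08-20 00:00:04 10.0.0.9 - 192.168.1.10 80 GET /images/logo.gif 200 0 Mozilla/4.0+(compatible;+MSIE+5.01)",
  "2001-08-20 00:00:05 10.0.0.9 - 192.168.1.10 80 POST /scripts/tool.exe 403 5 Mozilla/4.0+(compatible;+MSIE+5.01)",
].join("\n");

// Parse W3C Extended format: '#Fields:' names the columns; a later #Fields
// line (written whenever the selected properties change) re-maps them.
function parseW3CLog(text) {
  let fields = [];
  const records = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    if (line.startsWith("#")) {
      if (line.startsWith("#Fields:")) {
        fields = line.slice("#Fields:".length).trim().split(/\s+/);
      }
      continue; // #Software, #Version, #Date carry no records
    }
    const cols = line.split(/\s+/);
    if (cols.length !== fields.length) continue; // skip torn lines rather than misalign columns
    const rec = {};
    fields.forEach((name, i) => { rec[name] = cols[i]; });
    records.push(rec);
  }
  return records;
}

const ERROR_ACCESS_DENIED = 5; // 'net helpmsg 5' prints "Access is denied."

// Group access-denied requests by client IP so a probing host stands out.
function accessDeniedByClient(records) {
  const summary = {};
  for (const r of records) {
    if (Number(r["sc-win32-status"]) !== ERROR_ACCESS_DENIED) continue;
    const ip = r["c-ip"];
    if (!summary[ip]) summary[ip] = { count: 0, uris: [] };
    summary[ip].count += 1;
    if (!summary[ip].uris.includes(r["cs-uri-stem"])) summary[ip].uris.push(r["cs-uri-stem"]);
  }
  return summary;
}

const denied = accessDeniedByClient(parseW3CLog(SAMPLE_LOG));
for (const [ip, info] of Object.entries(denied)) {
  console.log(`${ip}: ${info.count} access-denied request(s) -> ${info.uris.join(", ")}`);
}
```

Because the parser takes its column layout from the #Fields line rather than hard-coding positions, the same code works whatever subset of properties is enabled in the W3C Extended Logging dialog, including the Server IP Address and Server Port columns recommended for multi-site hosts.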
W3C Extended Logging Extended Properties Screenshot
Disable Unnecessary Authentication
Types
Anonymous
Default authentication method
Basic
Sends the password base64-encoded (effectively clear text)
Should only be used with SSL
Digest
Requires storing passwords in clear text (reversibly
encrypted) on the domain controller
Integrated
Either NT Challenge/Response (NTLM) or Kerberos, as
negotiated by the browser
Inconsistent behavior through proxy servers
Set IP Address/DNS
Address Restrictions
One option to restrict your web sites to
certain clients
Not a common option
DNS name restrictions require IIS to do a reverse
DNS lookup on every request, significantly
impacting performance; IP address restrictions
do not
IP Address/DNS Address Restrictions Screenshot
Executable Content Validated for
Trustworthiness
Determine whether executable content can be trusted
Use the DumpBin tool to see whether an executable
calls certain APIs
Example:
To see whether a file named MyISAPI.dll calls RevertToSelf:
dumpbin /imports MyISAPI.dll | find "RevertToSelf"
If no results appear, MyISAPI.dll does not call RevertToSelf
directly
It might still reach the API through a library it loads, in
which case you could search for RevertToSelf in all imported
libraries as well
Please refer to KB article Q177429 for more info on
reading DumpBin output
Update Root CA Certificates
at the IIS Server
Add any new root CA certificates you
trust (such as new root CA certificates
created with Microsoft Certificate
Services 2.0)
Remove all root CA certificates you
don't trust
If you don't know the name of the company
that issued the root certificate, do not trust
it!
Update Root CA Certificates
at the IIS Server (cont'd)
All root CA certificates used by IIS
reside in the computer's machine store
They can be managed using the
Certificates MMC snap-in
Do not remove the Microsoft or VeriSign
roots
They are used extensively by the OS
Disable or Remove All
Sample Applications
Samples should never be installed on a
production server
Default locations for some of the samples:
Sample              Virtual directory   Location
IIS Samples         \IISSamples         c:\inetpub\iissamples
IIS Documentation   \IISHelp            c:\winnt\help\iishelp
Data Access         \MSADC              c:\program files\common files\system\msadc

Disable WebDAV
Enabled by default
Allows for remote file management via
HTTP
To disable: Q241520 How to Disable
WebDAV for IIS 5.0
Disable or Remove Unneeded
COM Components
Remove unused COM components
If not in use, consider disabling the File
System Object component
This also removes the Dictionary Object
Site Server 3.0 uses the File System
Object component
Remove the IISADMPWD
Virtual Directory
Remove the IISADMPWD virtual
directory if it exists
Allows users to reset Windows NT and
Windows 2000 passwords over the web
Designed for intranet-only scenarios
Isn't installed by a default install of IIS 5,
but is not removed when upgrading an
IIS 4 server to IIS 5
Remove Unused Script
Mappings
When IIS receives a request for a preconfigured
filetype, the call is handled by a DLL
If the filetype or functionality isnt required, remove
the mapping using the Internet Services Manager
MMC
If you don't use...                Remove this entry:
Web-based password reset           .htr
Internet Database Connector        .idc
  (all IIS 5 Web sites should use ADO or similar technology)
Server-side Includes               .stm, .shtm and .shtml
Internet Printing                  .printer
Index Server                       .htw, .ida and .idq

Remove Unused Script
Mappings (cont'd)
Internet Printing can be configured by
group policy as well
Group policy settings take precedence
Unless there is a mission-critical reason to use
.htr functionality, remove the .htr
extension
Check <FORM> and Querystring
Input in Your ASP Code
Many sites use user input to call other code
or build SQL statements directly
There are attacks where user input is treated
incorrectly as valid input allowing unintended
access
You should always check each <FORM>
input and query string before passing it on to
another process or method call that might use
an external resource such as the file system
or a database.
Check <FORM> and Querystring
Input in Your ASP Code (cont'd)
You can perform text checking with the JScript 5 and VBScript 5
regular expression capabilities. This VBScript example strips a string
of all invalid characters (characters that are not 0-9, a-z, A-Z or _):
Set reg = New RegExp
reg.Pattern = "\W+"  ' One or more characters which are NOT 0-9a-zA-Z or '_'
reg.Global = True    ' Replace every run, not just the first one
strUnTainted = reg.Replace(strTainted, "")
This VBScript example strips all text from the first | operator onwards:
Set reg = New RegExp
reg.Pattern = "^([^|]+)\|[\s\S]*"  ' Everything before the first |,
                                   ' then the | and the rest of the string
strUnTainted = reg.Replace(strTainted, "$1")
Also, be careful when using the Scripting File System Object. If the
filename is based on the user's input, the user might attempt to
open a serial port or printer. The following JScript code strips a
reserved DOS device name (CON, AUX, PRN, NUL, COMn, LPTn) from the
end of the string:
var strOut = strIn.replace(/(CON|AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
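The device-name regex above only removes a device name that sits at the end of the string; Windows also resolves "prn.txt" or "COM1.log" to the device, because the extension is ignored for reserved names. The block below is an added example, not code from the original deck: it puts the deck's strip regex beside a whitelist validator for a single file name that rejects separators, parent-path traversal, trailing dots and reserved device names regardless of extension, and only accepts extensions the application expects. The allowed-extension list and length limit are assumptions made for this example.

```javascript
// Added example, not code from the original deck: a whitelist check for a
// user-supplied file name before it reaches the File System Object, beside
// the deck's own strip regex for comparison. The allowed extensions and the
// length limit are assumptions made for this example.

// Reserved DOS device names. Windows treats "prn.txt" or "COM1.log" as the
// device as well, so the check must look at the base name, not the whole string.
const RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i;
// One path component: letters, digits, '_', '.', '-' only; no separators or spaces.
const NAME_SHAPE = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$/;
// Assumption: the extensions this application is willing to open.
const ALLOWED_EXT = [".txt", ".htm", ".html", ".gif", ".jpg"];

// The deck's approach: only a device name at the END of the string is removed,
// so "prn.txt" passes through untouched.
function deckStrip(strIn) {
  return strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
}

// Whitelist approach: returns the name if it is acceptable, otherwise null.
function safeFileName(input) {
  if (typeof input !== "string") return null;
  const name = input.trim();
  if (!NAME_SHAPE.test(name)) return null;   // rejects \ / : | < > ? * and the empty string
  if (name.includes("..")) return null;      // no parent-path traversal (see Disable Parent Paths)
  if (name.endsWith(".")) return null;       // Win32 silently drops trailing dots
  if (RESERVED_DEVICE.test(name.split(".")[0])) return null; // device names ignore the extension
  const dot = name.lastIndexOf(".");
  const ext = dot === -1 ? "" : name.slice(dot).toLowerCase();
  if (!ALLOWED_EXT.includes(ext)) return null;
  return name;
}

// Constructed probes: the first is legitimate, the rest should be refused.
const probes = ["report.txt", "prn.txt", "COM1.log", "..\\private.txt", "a|b.txt", "notes.asp", "CON"];
for (const p of probes) {
  console.log(JSON.stringify(p), "deckStrip ->", JSON.stringify(deckStrip(p)),
              "safeFileName ->", JSON.stringify(safeFileName(p)));
}
```

Rejecting anything that does not match a known-good shape, rather than stripping known-bad pieces out, is the safer default: a name that fails validation is refused outright instead of being silently rewritten into something the user never asked for.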
Disable Parent Paths
Parent Paths allows use of .. in calls to
functions as MapPath
Enabled by default
Recommend to disable this
Select Properties of Web site root
Select Home Directory, Configuration
Open App Options tab
Uncheck Enable Parent Paths check box
Disable IP Address in
Content-Location
Content-Location header can expose IP
addresses hidden by a NAT firewall or
proxy
Recommend to disable this
Refer to Knowledge Base article
Q218180 for further information
Perform Auditing of the File system
Audit important application and system
directories for changes such as
Traverse Folder / Execute File = Failure
List Folder / Read Data = Failure
Create Files / Write Data = Success / Failure
Create Folders / Append Data = Success / Failure
Delete Subfolders and Files = Success / Failure
Delete = Success / Failure
Change Permissions = Success / Failure
This audit policy should be applied to the
IUSR and IWAM accounts on the following
directories
\winnt
\inetpub
IIS Tools
Security What If Tool
Security Configuration Tool
Lockdown Tool
URLScan
IIS Security What If Tool
Simple HTML tool
Helps determine which browsers,
platforms, authentication schemes and
server configurations allow access to a
remote resource
IIS Security What If Tool Screenshot
IIS Security Configuration
Tool
Automates creation and
deployment of security policies
Two phases questions phase and
deployment phase
Questions phase
HTML-based questionnaire
Produces a file with a default name of
IISTemplate.txt describing the policy
IIS Security Configuration Tool Questionnaire Screenshot
IIS Security Configuration
Tool (cont'd)
Deployment phase
Use the IISConfig command line tool to deploy the
IISTemplate.txt file
Usage: IISConfig [-s server] [-f configfile] [-n] [-d] [-? | -h]
Where:
  -s server      the server name (DNS or NetBIOS; IP address is not supported)
  -f configfile  the configuration file name
  -n             configures port lockdown, services and IIS script maps only;
                 does not use the SCE hisecweb.inf template
  -d             displays debug output as the tool executes
  -? | -h        displays help
IIS Security Configuration
Tool (cont'd)
Subdirectories
DataEntry directory
Where you enter your security policy
Engine directory
Where script files used to deploy policy are
stored
More information
Read the ReadMe.txt file for more
information and known issues
IIS Lockdown Tool
GUI wizard for automating lockdown settings
Two Modes:
Express Lockdown
Provides maximum security
Appropriate for basic web servers
Advanced Lockdown
Allows selection of features
Use only if Express Lockdown settings are not
appropriate
Use only if you understand the ramifications of enabling
the features
IIS Lockdown Tool (cont'd)
Advanced Lockdown Settings
Remove Script Mappings
Disable support for Active Server Pages (.asp)
Disable support for Index Server Web Interface (.idq, .htw, .ida)
Disable support for Server Side Includes (.shtm, .shtml, .stm)
Disable support for Internet Data Connector (.idc)
Disable support for Internet Printing (.printer)
Disable support for .HTR scripting (.htr)
IIS Lockdown Tool (cont'd)
Advanced Lockdown Settings (cont'd)
Additional Lockdown Actions
Remove sample web files
Remove the Scripts virtual directory
Remove the MSADC virtual directory
Disable Distributed Authoring and Versioning (WebDAV)
Set file permissions to prevent the IIS anonymous user
from executing system utilities (such as cmd.exe, tftp.exe)
Set file permissions to prevent the IIS anonymous user
from writing to content directories
IIS Lockdown Tool Advanced Lockdown Settings Screenshots
URLScan
ISAPI filter
Analyzes and screens each HTTP request
Reduces exposure to potential attacks
Allows configuration of IIS to reject requests based
on the following criteria:
The request method (verb)
The file extension of the resource requested
Suspicious URL encoding
Presence of non ASCII characters in the URL
Presence of particular character sequences in the URL
Presence of particular headers in the request
Also provides the option of deleting or altering the
Server: header in the response
URLScan Configuration
UrlScan's operation is controlled by the UrlScan.ini file
UrlScan.ini should reside in the same directory as UrlScan.dll
Note that UrlScan only reads the ini file at initialization time (for
performance reasons)
It is necessary to stop and start the web service before any
changes to this file take effect
Also note that the default options built into UrlScan.dll result
in a configuration that rejects all requests to the server
It is necessary to provide a UrlScan.ini file for UrlScan to pass
requests through to be served
A sample UrlScan.ini file is provided that contains the
recommended settings to defend against the attacks on IIS
servers known at the time of writing
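The two slides above list the criteria UrlScan applies (request verb, file extension, URL encoding, non-ASCII characters, character sequences, headers) and note that without an ini file every request is rejected. The block below is an added example, not code from the original deck and not UrlScan's own implementation: a small request screener in JavaScript that applies rules of those same kinds to constructed sample requests and returns the reason for each rejection, the kind of information UrlScan writes to its log. The rule values are assumptions shaped like UrlScan.ini sections, not a copy of the shipped sample file, and only the path is screened, not the query string.

```javascript
// Added example, not part of the original deck and not UrlScan's own code: a
// request screener that applies the kinds of rules the slide lists (allowed
// verbs, denied extensions, denied URL sequences, denied headers, high-bit
// characters, normalisation check). The rule values are assumptions for this
// example, shaped like UrlScan.ini sections but not copied from the sample file.

const RULES = {
  allowVerbs: ["GET", "HEAD", "POST"],
  denyExtensions: [".exe", ".bat", ".cmd", ".com", ".htr", ".idq", ".ida", ".printer"],
  denyUrlSequences: ["..", "./", "\\", ":", "%"],    // traversal, alternate separators, streams, leftover escapes
  denyHeaders: ["translate:", "if:", "lock-token:"],  // headers only WebDAV clients send
  allowHighBitCharacters: false,
  verifyNormalization: true,
};

// Returns null when the request passes, otherwise the reason for rejection
// (the kind of text a screener logs next to the URL and client IP).
// Only the path is screened; the query string is left to the application.
function screenRequest(req, rules = RULES) {
  if (!rules.allowVerbs.includes(req.method.toUpperCase())) return "verb not allowed";
  const url = req.url;
  // Reject non-ASCII before decoding anything.
  if (!rules.allowHighBitCharacters && /[^\x00-\x7F]/.test(url)) return "high-bit characters in URL";
  let decoded;
  try { decoded = decodeURIComponent(url); } catch (e) { return "malformed URL encoding"; }
  if (rules.verifyNormalization) {
    // Decode a second time: if the result changes, the URL was double-encoded
    // and would have slipped past a single-decode check.
    let twice;
    try { twice = decodeURIComponent(decoded); } catch (e) { return "malformed URL encoding"; }
    if (twice !== decoded) return "URL does not normalize (double encoding)";
  }
  const path = decoded.split("?")[0];
  for (const seq of rules.denyUrlSequences) {
    if (path.includes(seq)) return `denied sequence '${seq}'`;
  }
  const last = path.split("/").pop();
  const m = /\.[A-Za-z0-9]+$/.exec(last);
  const ext = m ? m[0].toLowerCase() : "";
  if (rules.denyExtensions.includes(ext)) return `denied extension ${ext}`;
  for (const h of Object.keys(req.headers || {})) {
    if (rules.denyHeaders.includes(h.toLowerCase() + ":")) return `denied header ${h}`;
  }
  return null;
}

// Constructed sample requests: the first passes, the others trip one rule each.
const SAMPLE_REQUESTS = [
  { method: "GET",      url: "/default.htm",              headers: {} },
  { method: "PROPFIND", url: "/docs/",                    headers: {} },
  { method: "GET",      url: "/images/../../private.txt", headers: {} },
  { method: "GET",      url: "/tools/setup.exe",          headers: {} },
  { method: "GET",      url: "/a%252e%252e/b.htm",        headers: {} },
  { method: "GET",      url: "/caf\u00e9.htm",            headers: {} },
  { method: "GET",      url: "/page.htm",                 headers: { "Lock-Token": "<opaquelocktoken:example>" } },
];
for (const r of SAMPLE_REQUESTS) {
  console.log(r.method, r.url, "->", screenRequest(r) || "allowed");
}
```

Note the order of checks: the verb and high-bit tests run on the raw request, the normalization test runs after one decode, and the sequence and extension tests run on the decoded path, so an escaped ".." cannot hide from the sequence rule. As with UrlScan, a rule set this strict has to be reviewed against the application before deployment; a site that genuinely serves .exe downloads, for instance, would have to take that extension off the deny list.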
URLScan.ini Screenshot
URLScan Logging
If a request is denied, the following will
be logged
Reason for the denial
Information about the request
Typically, the URL and IP address of the
source of the request
URLScan Logfile Screenshot
If You Got Hacked
Have an incident response plan
Remove the affected machines from the network
Find out how the attacker got in
Perform a low-level format and rebuild
Examine connected computers
Resources
Microsoft's Security homepage
http://www.microsoft.com/security
Secure Internet Information Services 5
Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
Subscribe to the Microsoft Security
Notification Service
http://www.microsoft.com/technet/security/bulletin/notify.asp
Automatic notification of security issues via e-mail
More Resources
National Security Agency's Windows 2000
Security Recommendation Guidelines
http://nsa2.www.conxion.com/win2k/download.htm
SANS Institute
Worldwide institute for Security focused information and
training
http://www.sans.org
http://www.sans.org/infosecFAQ/win2000/win2000_list.htm
Even More Resources
SecurityFocus
Website dedicated to providing computer security related
information
http://www.securityfocus.com
NTBugTraq
Mailing list for the discussion of security exploits and security
bugs in Windows NT and its related applications
http://www.ntbugtraq.com
Neohapsis
Security consulting firm who provide news and commentary
on the latest security issues
http://www.neohapsis.com
Questions
trobbins@microsoft.com
