Telecom and Logistics Associates

TLAnews: Security News Service
Publication: Christian ALT

26.7.2000 Security: IIS 5.0 Security Checklist from Microsoft
Microsoft recently released a new security-related document that helps administrators better secure their Internet Information Services 5.0 systems.

French headline (translated): Securing IIS 5.0 according to Microsoft. Microsoft has recently made available a security document covering the procedures for securing IIS 5.0 (Internet Information Services).

English version
The document is entitled "Secure Internet Information Services 5 Checklist" and lists a dozen specific items that must be addressed in addition to a few tweaks to the underlying Windows 2000 operating system.

To tighten IIS 5.0, Microsoft suggests users first inspect all virtual directories to ensure the Access Control Lists (ACLs) are set correctly. The checklist recommends that users establish separate directories for each type of content. For example, the document recommends that administrators put images in one directory, ASP scripts in another directory, DLL files in yet a different directory, and so on, so that each directory can carry the least permission its content needs (execute-only for scripts and DLLs, read-only for static files).
For Windows 2000, Microsoft recommends that users apply a provided security template (available on their Web site), configure an IPSec packet filter on the system, and ensure the TelnetClients group does not contain any unwanted members. In addition, users are urged to apply the latest hotfixes or Service Pack for both Windows 2000 and IIS 5.0.

French summary (translated)

The document is called Secure Internet Information Services 5 Checklist and lists a dozen items to secure. The first is to check the access rights (ACLs) on all directories. It then suggests a dedicated directory for each type of content, so that DLL filters are in one directory, ASP files in another, and static pages in a separate tree.

There are also recommendations for hardening the Windows 2000 operating system on which the IIS server runs.

It is of course recommended to apply the latest Service Packs for IIS and for Windows 2000 promptly.


 

From Microsoft web site:

Secure Internet Information Services 5 Checklist

29-June-2000
Michael Howard
Windows 2000 Security Team

This document lists some recommendations and best practices to secure a server on the Web running Microsoft Windows 2000 and Internet Information Services (IIS) 5. The settings err on the side of security over functionality, and hence it's important that you carefully review the suggestions below and use them to derive your own corporate settings.

Note This document is adapted from "Designing Secure Web-Based Applications for Microsoft Windows 2000", Microsoft Press, ISBN: 0735609950.

Those of you familiar with the Internet Information Server 4 checklist will notice that this list is much shorter than that checklist. This is due to two reasons:

The rest of this document is broken into the following parts:

General Security considerations

The material in this section covers general security issues.

Read Your Corporate Security Policy

Having a security policy is paramount. You need ready answers to questions like

Good sources of policy information can be found at SANS Institute; Baseline Software, Inc.; and Practical Unix & Internet Security (O'Reilly Books, 1996).

Subscribe to the Microsoft Security Notification Service

You can stay abreast of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Services at http://www.microsoft.com/technet/security/notify.asp. You'll get automatic notification of security issues by e-mail.

You should also consider placing a shortcut to the Microsoft Security Advisor Program on your desktop. To do so, follow these steps:

  1. Open Internet Explorer.
  2. Navigate to http://www.microsoft.com/technet/security/notify.asp.
  3. Choose Add To Favorites from the Favorites menu.
  4. Check the Make Available Offline check box.
  5. Click Customize.
  6. Click Next in the Offline Favorite Wizard.
  7. Select the Yes option button and specify to download pages two links deep from this page.
  8. Click Next.
  9. Select the I Would Like To Create A New Schedule option button, and click Next.
  10. Accept the default settings, and click Next.
  11. Click Finish.
  12. Click OK.
  13. Choose Organize Favorites from the Favorites menu.
  14. Select the Microsoft TechNet Security shortcut in the Organize Favorites dialog box.
  15. Click Properties.
  16. Click the Download tab of the Microsoft TechNet Security Properties dialog box.
  17. Uncheck the Follow Links Outside Of This Page's Web Site check box.
  18. Click OK and then Close.

You can now drag the Microsoft TechNet Security shortcut from your Favorites menu to your desktop. A small red mark will appear on the icon when there is new security news.

Important You MUST stay on top of new security issues as they arise. This cannot be stressed enough.

Windows 2000 Security Considerations

The material in this section covers security issues specific to Windows 2000.

Review, Update, and Deploy the Provided Hisecweb.inf Security Template

We've included a security template, named Hisecweb.inf, as a baseline applicable to most secure Web sites. The template configures basic Windows 2000 systemwide policy.

Hisecweb.inf can be downloaded from:    http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe

Perform these steps to use the template:

  1. Copy the template to the %windir%\security\templates directory.
  2. Open the Security Templates tool, and look over the settings.
  3. Open the Security Configuration And Analysis tool, and load the template.
  4. Right-click the Security Configuration And Analysis tool, and choose Analyze Computer Now from the context menu.
  5. Wait for the work to complete.
  6. Review the findings, and update the template as necessary.
  7. Once you're happy with the template, right-click the Security Configuration And Analysis tool and choose Configure Computer Now from the context menu.

The same analysis and configuration can be scripted with secedit, which ships with Windows 2000: secedit /analyze /db hisecweb.sdb /cfg hisecweb.inf /log hisecweb.log to compare the machine against the template, then, after reviewing the log, secedit /configure /db hisecweb.sdb /cfg hisecweb.inf /log hisecweb.log to apply it. Try the template on a non-production server first; Hisecweb.inf disables services and tightens policy in ways that can break applications that depend on them.

Configure IPSec Policy

You should seriously consider setting an Internet Protocol Security (IPSec) packet-filtering policy on every Web server. This policy provides an extra level of security if your firewalls are breached. Multiple levels of security technology are often considered a good practice.

In general, you should block all TCP/IP protocols other than those you explicitly want to support and the ports you want to open. Windows 2000 IPSec filters are static rather than stateful, so you must explicitly permit the ports the site serves (typically TCP 80 and 443) and whatever path you keep for remote administration, and you should test the policy from outside the server before relying on it. You can use the IPSec administration tool or the IPSecPol command line tool to deploy IPSec policy.

Secure the Telnet Server

If you plan to use the Telnet server included with Windows 2000, you should consider restricting the users who can access the service. To do this, perform the following steps:

  1. Open the Local Users And Groups tool.
  2. Right-click the Group node, and choose New Group from the context menu.
  3. Enter TelnetClients in the Group name box.
  4. Click Add, and add the users who are to have telnet access to the computer.
  5. Click Create and then Close.

When the TelnetClients group exists, the Telnet service will allow only those users defined in the group to have access to the server.

IIS 5 Security Considerations

The material in this section covers security issues specific to Internet Information Services 5.

Set Appropriate ACLs on Virtual Directories

Although this procedure is somewhat application-dependent, some rules of thumb apply, as described in Table F-1.

Table F-1. Recommended default ACLs by file type.

File type                                  Access control list
-----------------------------------------  -----------------------------------------------------------------
CGI (.exe, .dll, .cmd, .pl)                Everyone (X); Administrators (Full Control); System (Full Control)
Script files (.asp)                        Everyone (X); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)        Everyone (X); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .html)   Everyone (R); Administrators (Full Control); System (Full Control)

Rather than setting ACLs on each file, you're better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:

Also, be aware that two directories need special attention:

The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount data that can be written to these directories.

Set Appropriate IIS Log File ACLs

Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are

This is to help prevent malicious users deleting the files to cover their tracks.

Enable Logging

Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:

  1. Load the Internet Information Services tool.
  2. Right-click site in question, and choose Properties from the context menu.
  3. Click the Web Site tab.
  4. Check the Enable Logging check box.
  5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.
  6. Click Properties.
  7. Click the Extended Properties tab, and set the following properties:

The latter two properties are useful only if you host multiple Web sites on a single computer. The Win32 Status property (logged in the sc-win32-status field) is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.
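As an added example (not part of the Microsoft checklist), the following JavaScript reads the W3C Extended log format IIS 5 writes and reports the things this checklist tells you to watch for: sc-win32-status 5 (access denied) as described above, and, going a step further than this section, requests for the sample directories, IISADMPWD and script mappings the later sections say to remove, plus attempts to climb out of the web root with "..". Field names are taken from the #Fields: directive, so it copes with whichever properties you enabled. The log excerpt, addresses and paths are constructed for the example.

```javascript
// Added example, not part of the Microsoft checklist: a reader for the W3C
// Extended log format that IIS 5 writes, run over constructed log lines.

// Constructed log excerpt; addresses, paths and times are illustrative.
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 5.0",
  "#Version: 1.0",
  "#Date: 2000-07-26 00:00:00",
  "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status",
  "2000-07-26 10:00:01 10.1.2.3 GET /default.asp - 200 0",
  "2000-07-26 10:00:07 10.1.2.3 GET /images/logo.gif - 200 0",
  "2000-07-26 10:03:12 172.16.9.9 GET /scripts/upload.asp - 401 5",
  "2000-07-26 10:03:14 172.16.9.9 GET /iisadmpwd/aexp.htr - 404 2",
  "2000-07-26 10:03:20 172.16.9.9 GET /msadc/msadcs.dll - 403 0",
  "2000-07-26 10:03:25 172.16.9.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3",
  "2000-07-26 10:03:30 172.16.9.9 GET /null.ida - 200 0",
];

// Virtual directories and script mappings the checklist tells you to remove.
const REMOVED_DIRS = ["/iissamples", "/iishelp", "/msadc", "/iisadmpwd"];
const REMOVED_EXTS = /\.(htr|idc|stm|shtm|shtml|printer|htw|ida|idq)$/i;

// Turn the log into one object per request, keyed by the #Fields: names.
// Directive lines (#) are skipped; a short line gets "-" for missing fields.
function parseW3CLog(lines) {
  let fields = null;
  const records = [];
  for (const line of lines) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith("#") || line.trim() === "" || fields === null) continue;
    const values = line.trim().split(/\s+/);
    const rec = {};
    fields.forEach((name, i) => { rec[name] = i < values.length ? values[i] : "-"; });
    records.push(rec);
  }
  return records;
}

// Percent-decode so /%2e%2e/ is seen as /../; leave malformed input alone.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return the requests worth a second look, each with the reasons it matched.
function reviewLog(lines) {
  const findings = [];
  for (const r of parseW3CLog(lines)) {
    const stem = safeDecode(r["cs-uri-stem"] || "-").toLowerCase();
    const reasons = [];
    if (r["sc-win32-status"] === "5") {
      reasons.push("win32 status 5 (access denied)");
    }
    if (REMOVED_DIRS.some((d) => stem === d || stem.startsWith(d + "/"))) {
      reasons.push("request for a sample or admin directory the checklist removes");
    }
    if (REMOVED_EXTS.test(stem)) {
      reasons.push("request for a script mapping the checklist removes");
    }
    if (stem.split("/").includes("..")) {
      reasons.push("parent-path traversal attempt");
    }
    if (reasons.length > 0) {
      findings.push({ ip: r["c-ip"], uri: r["cs-uri-stem"], status: r["sc-status"], reasons });
    }
  }
  return findings;
}

for (const f of reviewLog(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.status} ${f.uri} -> ${f.reasons.join("; ")}`);
}
```

Run it with node against a real log by replacing SAMPLE_LOG with the file's lines; a 404 for /iisadmpwd or /msadc on a server where you removed those directories is still worth knowing about, because it tells you who is probing for them.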

Set IP Address/DNS Address Restrictions

This is not a common option to set, but if you want to restrict your Web sites to certain users this is one option available to you. Note that if you enter Domain Name System (DNS) names IIS has to do a DNS lookup, which can be time-consuming.

Executable Content Validated for Trustworthiness

It's difficult to know whether executable content can be trusted. One small test is to use the DumpBin tool to see whether the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you want to see whether a file named MyISAPI.dll calls RevertToSelf (which an in-process ISAPI extension can use to drop the impersonated client identity and run as the IIS process account):

dumpbin /imports MyISAPI.dll | find "RevertToSelf"

If no result appears on screen, MyISAPI.dll does not import RevertToSelf directly. It might still resolve the API at run time through LoadLibrary and GetProcAddress, in which case the import table shows only those two functions; search for them with the same command, and search the file's strings for "RevertToSelf" as well. A DLL that imports GetProcAddress and shows nothing about what it resolves deserves a closer look before it goes on the server.

Update Root CA Certificates at the IIS Server

This is a two-step process: The first step is adding any new root certificate authority (CA) certificates you trust—most notably, any new root CA certificates you have created by using Microsoft Certificate Services 2.0. The second step is removing all root CA certificates you don't trust. Note that if you do not know the name of the company that issued the root certificate, you should not trust them!

All root CA certificates used by IIS reside in the computer's machine store. You can access this store by following these steps:

  1. Open the Microsoft Management Console (MMC).
  2. Choose Add/Remove Snap-in from the Console menu, and click Add.
  3. Select Certificates and click Add.
  4. Click the Computer Account option button.
  5. Click Next.
  6. Select the machine in question.
  7. Click Finish.
  8. Click Close and then click OK.
  9. Expand the Certificates node.
  10. Expand Trusted Root Certification Authorities.
  11. Select Certificates.

The right pane will show all the root CA certificates currently trusted. You can delete multiple certificates at once if you want.

Disable or Remove All Sample Applications

Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, they should still be removed.

Table F-2 lists the default locations for some of the samples.

Table F-2. Sample files included with Internet Information Services 5.

Sample              Virtual directory   Location
------------------  ------------------  ------------------------------------------
IIS Samples         \IISSamples         c:\inetpub\iissamples
IIS Documentation   \IISHelp            c:\winnt\help\iishelp
Data Access         \MSADC              c:\program files\common files\system\msadc

Disable or Remove Unneeded COM Components

Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component, but note that this will also remove the Dictionary object. Be aware that some programs might require components you're disabling. For example, Site Server 3.0 uses File System Object. The following command will disable File System Object:

regsvr32 scrrun.dll /u

Remove the IISADMPWD Virtual Directory

This directory allows you to reset Windows NT and Windows 2000 passwords. It's designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article Q184619 for more info about this functionality.

Remove Unused Script Mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:

  1. Open Internet Services Manager.
  2. Right-click the Web server, and choose Properties from the context menu.
  3. Under Master Properties, select WWW Service and click Edit.
  4. Click the Home Directory tab, and then click Configuration. The App Mappings tab lists the extensions and the DLL each is handled by.

Remove these references:

If you don't use...                                     Remove this entry:
------------------------------------------------------  -----------------------
Web-based password reset                                .htr
Internet Database Connector (all IIS 5 Web sites        .idc
  should use ADO or similar technology)
Server-side Includes                                    .stm, .shtm and .shtml
Internet Printing                                       .printer
Index Server                                            .htw, .ida and .idq

Extensions to remove from IIS 5.

Important Unless you have a mission-critical reason to use the .htr functionality, you should remove .htr extension.

Check <FORM> and Querystring Input in Your ASP Code

Many sites use input from a user to call other code or build SQL statements directly. In other words, they're treating the input as valid, well-formed, nonmalicious input. This should not be so; there are a number of attacks where user input is treated incorrectly as valid input and the user could gain access to the server or cause damage. You should always check each <FORM> input and query string before passing it on to another process or method call that might use an external resource such as the file system or a database.

You can perform text checking with the JScript V5 and VBScript V5 regular expression capabilities. The following example code will strip a string of all invalid characters (characters that are not 0-9a-zA-Z or _). Note that the VBScript RegExp object's Global property defaults to False, so without setting it only the first run of invalid characters would be removed:

Set reg = New RegExp
reg.Pattern = "\W+"    ' One or more characters that are NOT 0-9, a-z, A-Z or "_"
reg.Global = True      ' Replace every match, not just the first one
strUnTainted = reg.Replace(strTainted, "")

The following sample will strip the first | operator and all text after it. (The greedy pattern "^(.+)\|(.+)" would instead keep everything up to the last |, and would not match at all if | were the final character, so a character class that excludes | is used here.)

Set reg = New RegExp
reg.Pattern = "^([^|]*)\|.*"   ' Everything from the first | to the end of the string
strUnTainted = reg.Replace(strTainted, "$1")

Also, be careful when opening or creating files by using Scripting File System Object. If the filename is based on the user's input, the user might attempt to open a serial port or printer. Windows resolves the reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) even when an extension is appended, so "AUX.txt" still opens the AUX device. The following JScript code will strip such device names, with or without an extension, from the end of a filename; a name that is empty after stripping should be rejected rather than opened:

var strOut = strIn.replace(/(CON|AUX|PRN|NUL|COM\d|LPT\d)(\.[^\\\/]*)?\s*$/i, "");

The pattern syntax in the Version 5 script engines is the same as that in Perl 5.0. Refer to the V5 scripting engine documentation at http://msdn.microsoft.com/scripting/default.htm for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.
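As an added example (not Microsoft's code), here are the three checks from this section as JavaScript functions with the edge cases a reviewer would probe: the greedy-pattern and Global-flag problems noted above, and reserved device names hidden behind an extension or trailing spaces. JScript 5 and JavaScript share the same regular-expression syntax, so the patterns transfer to classic ASP unchanged. The function names and the reject-rather-than-strip design for filenames are this example's choices, not the checklist's.

```javascript
// Added example, not part of the Microsoft checklist.

// 1. Keep only [0-9A-Za-z_]. The "g" flag matters: without it (or without
//    Global = True in VBScript) only the first run of bad characters goes.
//    Note that \W also removes accented and non-Latin letters.
function stripNonWord(tainted) {
  return tainted.replace(/\W+/g, "");
}

// 2. Drop the first "|" and everything after it. A greedy "^(.+)\|(.+)"
//    keeps text up to the LAST pipe and does nothing when the pipe is the
//    final character; [^|]* fixes both. [\s\S] also covers newlines.
function dropAfterPipe(tainted) {
  return tainted.replace(/^([^|]*)\|[\s\S]*$/, "$1");
}

// 3. Reserved Win32 device names. Windows resolves these even with an
//    extension or trailing spaces and dots ("AUX.txt", "con ", "LPT1.log"),
//    so strip those before comparing instead of only looking for the bare
//    name at the end of the string. Returns true when the name is safe to
//    hand to FileSystemObject; reject rather than strip, because a stripped
//    "AUX" becomes an empty name.
const RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i;

function isSafeFilename(name) {
  if (/[\\/:]/.test(name)) {
    return false; // path separators or a drive letter: not a bare filename
  }
  const trimmed = name.replace(/[ .]+$/, ""); // Win32 ignores trailing dots/spaces
  const stem = trimmed.split(".")[0];         // "AUX.txt" -> "AUX"
  return stem.length > 0 && !RESERVED_DEVICE.test(stem);
}
```

Use stripNonWord for values that must be identifiers (a user name, a file stem, a column name) and isSafeFilename before any FileSystemObject call; neither replaces parameterised queries where user input reaches SQL.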

Disable Parent Paths

The Parent Paths option allows you to use ".." in calls to functions such as MapPath and in #include directives. By default, this option is enabled, and you should disable it: a script that builds a path from user input can otherwise be steered outside the site's directory tree. Once the option is disabled, IIS rejects such paths with an error instead of resolving them. Follow this procedure to disable the option:

  1. Right-click the root of the Web site, and choose Properties from the context menu.
  2. Click the Home Directory tab.
  3. Click Configuration.
  4. Click the App Options tab.
  5. Uncheck the Enable Parent Paths check box.

Disable IP Address in Content-Location

The Content-Location header that IIS adds to some responses can expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server, because by default IIS builds the header from the server's IP address rather than its host name. Refer to Knowledge Base article Q218180 for further information about disabling this option; the fix it describes is to set the W3SVC metabase property UseHostName to True (for example with adsutil.vbs), after which IIS uses the configured host name instead. Check the response headers from outside your network afterwards to confirm the address no longer appears.
 

Last updated July 7, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of use.

Copyright © Telecom and Logistics Associates Sàrl. All rights reserved.
Revised: July 26, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.