IIS Security

1
IIS Security
Sridurga Mavram
2
Contents

• Introduction
• Security Consideration
• Creating a web page
• Drawbacks
• Security Tools
• Conclusion
• References

3
Introduction

• What is IIS?
• IIS, an acronym for Internet Information Services
  is a web application server program that handles
  HTTP requests
• The Internet Information Services is a suite of
  tools and services for creating, managing, and
  securing Web sites
• Popular because IIS sites are so easy to
  implement.
• Why should you Secure it?
• Easy to use, easy to hack
• Default installation(comes with OS) is massively
  vulnerable and it is no wonder that attackers are
  finding IIS to be "the easiest pickings" of all
  Web servers.

4
Security Consideration

• During Installation/Enabling
• Post Installation

5
During Installation/Enabling

• DO NOT install IIS together with services that
  are of key importance for LAN functionality or
  security.
• Default/No Harm Services
• Common Files
• Documentation
• Internet Information Services Snap-In
• World Wide Web Server
• 
  Contd..

6

• File Transfer Protocol (FTP) Server
• NNTP Service
• SMTP Service
• Risky
• FrontPage 2000 Server Extensions
• Internet Service Manager (HTML)

7
(No Transcript)
8
Piece of Note

• The first step in securing your server is to
  download the most updated Service Pack and
  current IIS patches.
• Don't forget to register so that you will
  automatically receive Microsoft security
  bulletins

9
Post Installation

• Before attempting to change settings, ensure
  that you make a backup copy of the metabase (i.e.
  the IIS configuration).
• To do this, in the "Internet Services Manager"
  application, click on "Backup/Restore
  Configuration".
• Give a name and create a backup
• Location of Storing
• C\WINNT\system32\inetsrv\MetaBack directory

10
(No Transcript)
11
(No Transcript)
12

• Details of the Logs
• Enable Logging
• Change the log time period from daily
• Put a dedicated drive(E/LogFiles)
• Extended Properties (Select all)

13
(No Transcript)
14

• Home Directory Configuration
• Allows you to set up dynamic WWW pages(dlls) that
  are files with specific extensions.
• Example C\WINNT\System32\inetsrv\asp.dll,
  ism.dll, httpodbc.dll, ssinc.dll and
  C\WINNT\System32\msw3prt.dll, idq.dll and
  webhits.dll
• Remove all these except asp.dll and ssinc.dll
  (Security Issues)
• Reason These were used in the past for breaking
  into the IIS servers and infecting them with
  viruses
• Example buffer overflow vulnerability contained
  in the idq.dll

15
(No Transcript)
16

• File Extension Mapping
• In order to setup the extension service via ISAPI
  applications, click on the "Add" button and then
  fill in the boxes
• ExecutableC\WINNT\System32\inetsrv\asp.dll
• Extension .inc
• Limit to POST, GET, and HEAD

17
(No Transcript)
18

• Application Configuration
• Clear Enable Parent Paths
• Reason Restrict the access to the Applications
  Directory
• Clear Session State
• Reason Overloads Servers Memory
• ?Debugging
• Enable "Send text error message to client"
• Reason Prevents Hackers from knowing the detail

19
(No Transcript)
20
(No Transcript)
21

• Directory Security
• Commonly used pages Uncheck Integrated
• Problem username/password passed along the
  network.
• ?Documents
• Add default documents
• Note Home Directory settings - Read, Write,
  Directory Browsing should not be overlooked.

22
(No Transcript)
23
(No Transcript)
24
Creating Webpage

• Partition your Internet data on different disk
  drives.
• Reason Escaping from Hackers.
• -Create a virtual Directory and map it to the
  Local Directory
• -Enable only needed permissions
• For Administrators Full Control,
• For Authenticated Users Read and Execute
• For SYSTEM Full Control
• -Disable Directory Browsing

25
(No Transcript)
26
(No Transcript)
27
Drawbacks

• Managing large IIS server configurations or
  multiple servers over the Internet can be slow
  and cumbersome.
• Hacker can enter as guest and take over the
  system privileges (due to insecure dll
  isolation).
• Tools that are produced outside of Microsoft do
  not alert you when you set a property that
  requires supporting properties.

28
Security Tools

• IIS Lockdown tool
• Installation Guide
• http//www.iisanswers.com/articles/IIS_Lockdown/II
  SLockdown.htm
• Download
• http//www.microsoft.com/windows2000/downloads/rec
  ommended/iislockdown/default.asp
• URLScan
• Download
• http//www.microsoft.com/technet/security/tools/UR
  Lscan.asp

29
Conclusion

• Do not ignore making some necessary security tips
• Regularly update the server with the security
  patches
• For Additional Security, download the security
  tools

30
References

• Microsoft Windows Security Resourse Toolkit Ben
  Smith and Brian Komar
• http//www.windowsecurity.com/articles/Installing_
  Securing_IIS_Servers_Part1.html
• http//www.serverwatch.com/news/article.php/140049
  1
• http//www.informit.com/articles/article.asp?p293
  10seqNum5rl1
• http//www.eeye.com/html/Research/Advisories/AD200
  20410.html

31
Thank You