|
Securing IIS
5.0
The folllowing steps may be used to install and configure a
Microsoft Internet Information Services 5 server. The information below addresses the installation of a basic
IIS Web Server. It does not cover every potential configuration of
IIS and its related services.
Install
Windows 2000 from the original installation media (via CD)
Install Windows 2000 as a standalone server. Whenever
possible do not make it a Domain Controller of the member of a
domain. Make sure the server does not have an Internet connection
during install.
Install the
operating system on an NTFS partition
Installing the OS on an NTFS permission will allow us to
further secure critical files and directories using Access Control
Lists (ACLs). NT can be installed on a FAT partition and this
partition can later be "converted" to NTFS, however, the default
ACLs are not applied during the conversion process.
DO NOT use the
default installation paths.
If at all possible, install your system files to a
partition other than C: and a folder other than WINNT. Place your
Intepub folder on a seperate partition from your system folder.
DO NOT set a password for the administrator account during
installation
This will be set later.
Install only necessary protocols
Avoid installing NetBEUI and IPX/SPX if at all possible.
Configure network cards and video adapters as needed.
Cards that are not auto-detected will need to have drivers
manually installed.
Install Service Pack 2 for Windows 2000
Install the Service Pack and any other hotfixes.
Remove or disable all sample applications and directories
Item Location
IIS ?\Inetpub\iissamples
Admin Scripts ?\Inetpub\AdminScripts
IIS Documentation %systemroot%\help\iishelp
Data Access ?\Program Files\common files\system\msadc
Secure the
Telnet server
Create a local TelnetClients group. Add users allowed to
access the Telnet server to this group. When this group is created,
only members of this group can access the Telnet server. If you
don't need Telnet, disable the service.
Set appropriate ACLs
The Microsoft reccomended ACLs are:
File Type ACL
CGI (.exe, .dll, .cmd, .pl) Everyone (X)
Administrators (Full Control)
System (Full Control)
Script Files (.asp) Everyone (X)
Administrators (Full Control)
System (Full Control)
Include files (.inc, .shtm, .shtml) Everyone (X)
Administrators (Full Control)
System (Full Control)
Static content (.txt, .gif, .jpg, .html) Everyone (R)
Administrators (Full Control)
System (Full Control)
Check ftproot
and mailroot ACLs
By default the ACLs on these folders are set to Everyone
(Full Control). More restrictive settings are reccomended, but will
vary according to needs. If there is no need for these folders on
the webserver, remove them and disable the corresponding services.
Set IIS log file ACLs
The Microsoft reccomended ACLs for
%systemroot%\system32\logfiles are:
Administrators (Full Control)
System (Full Control)
Everyone (RWC)
Remove dangerous script mappings
If you don't use the following script types, remove their
mappings:
Script Type Mapping
Web-based password reset .htr
Internet Database Connector .idc
Server-Side Includes .stm .shtml .shtm
Internet Printing .printer
Index Server .ida .idq .hta
It is important to note that most of these script mappings
have been used to exploit IIS in the past. If you must use these
script mappings, ensure you are up to date on all Service Packs and
Hotfixes.
Credits
Securing IIS 5.0
by SecurityFocus
last updated Fri Aug 24 2001
|