UCB IIS 5 Security guidelines
This document contains some basic security precautions to protect Windows 2000 servers running Internet Information Services (IIS) 5.0. These steps do not completely protect a server from every attack, but they do greatly reduce the potential for intrusion and damage.
Warning: Security restrictions can interfere with the operation of computing services. ITS recommends testing any changes on non-production computers before employing them on production servers or workstations. Complications may be difficult to predict due to the unique environment and applications used by different groups at UCB.
- Installing and Patching
  - Getting started
  - Partitioning
  - IIS Components
  - Service packs and hot fixes
- Locking down
  - IIS Lockdown tool
  - Restrict file system access
  - Restrict IP access
  - Configure anonymous access
  - SYN Flood Protection
  - FTP server security
- Cleaning up
  - Remove scripts and samples
  - Remove unused mappings
- Maintaining security
  - IIS Logging
  - URLScan Tool
- More information
  - Microsoft
  - ITS
  - Other web sites
  - Books
Installing and Patching
- Getting started
- Follow the general ITS guidelines for securing a Windows 2000 server in addition to the items outlined in this guide. (link)
- If possible, run IIS on a separate server from other services (file server, print server, database server, etc.). This protects both the other services from attacks that exploit IIS and IIS from attacks that exploit the other services.
- If possible, keep the IIS server as a stand-alone server, not joined to an NT4 domain or Windows 2000 Active Directory. An attacker who compromises a stand-alone IIS server gains no domain credentials or trust relationships to use against other computers.
- Partitioning
- Install the root of every IIS service on a partition separate from the operating system. It is best for each service to have its own partition. This limits the damage from exploits (directory traversal, for example) that let an attacker read or write other files on the same drive as the exploited service root, since such exploits cannot cross to another drive letter.
- IIS Components
- Install only the IIS services (WWW, FTP, SMTP, NNTP) you need. This reduces the vulnerabilities of the server by eliminating possible intrusion points or exploits.
- Service packs and hot fixes
- Install service packs and hot fixes appropriate to your server (an IIS server should have both general Windows 2000 patches and IIS patches). Most attacks use known exploits for which there is a patch. To stay up to date on Microsoft patches, visit the Technet security site where you can join an e-mail list to notify you of new patches.
Locking Down
- IIS lockdown tool
- This Microsoft tool is a simple way to close a few common security holes. If you are comfortable configuring these items yourself, greater security can be achieved through manual configuration. Situations where IIS Lockdown can be used are noted in the following sections. For more information on this tool, or to download it, please see the MS IIS Lockdown web page. Be aware that the IIS Lockdown tool can break a currently running web site, but it does contain an "undo" function that removes the last set of restrictions it applied.
- Restrict file system access
- Restrict the file system access to the IIS service directories (like webroot or ftproot) to only those who require access. Here are some suggestions for restrictions:
- Allow full control of these files only for required users or groups like web administrators. Restrict access for other users to read-only or read and execute (see next item).
- For web sites: Separate executable content (like scripts) from non-executable content (like HTML files and images). Configure read and execute permissions to the executable content for users and read-only permissions to non-executable content.
- Restricting write access by the IIS anonymous and application users to the content directories can be done using IIS Lockdown.
- Restrict IP access
- Restrict access by IP address or domain name. If your IIS services are only used from campus, you can restrict access to on-campus addresses. Note: this prevents your IIS services from being accessed from any other location, including by many campus users working from home. If your services can tolerate this restriction, the chance of an intrusion is reduced, since most attacks originate from off-campus addresses. To enable this feature:
- Open the Internet Services Manager
- Select properties on your web or FTP server
- Select the Directory Security tab
- For web servers, click the Edit button in the IP address and domain name restrictions section
- Select the Denied Access radio button (every address is then refused except the exceptions you add next)
- Click Add
- Select the Group of computers radio button
- Enter 128.138.0.0 for the Network ID and 255.255.0.0 for the Subnet Mask (the FTP dialog differs slightly from the web one)
- Click OK
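The dialog in the steps above builds a policy of "deny everyone, except the listed group". The following model of that policy is an added example for this guide, not code from IIS or from ITS; the class and function names are this example's own, and the two client addresses checked at the end are constructed.

```python
"""Model of the IIS 5 'IP address and domain name restrictions' dialog.

Added illustration for this guide; it is not code from IIS or from ITS.
The class and function names are this example's own."""
import ipaddress


class IPRestriction:
    """default_grant=False is the 'Denied Access' radio button: every client
    is refused except those matching an entry in the list.
    default_grant=True is 'Granted Access': every client is admitted except
    those matching an entry in the list."""

    def __init__(self, default_grant):
        self.default_grant = default_grant
        self.entries = []

    def add_group(self, network_id, subnet_mask):
        """'Group of computers' entry: Network ID plus Subnet Mask.
        strict=True rejects a Network ID with host bits set (e.g. 128.138.10.0
        with mask 255.255.0.0) so the typo is caught here instead of quietly
        describing a different range than intended."""
        net = ipaddress.ip_network("%s/%s" % (network_id, subnet_mask), strict=True)
        self.entries.append(net)
        return net

    def add_single(self, address):
        """'Single computer' entry, the same as a group with a /32 mask."""
        self.entries.append(ipaddress.ip_network(address + "/32"))

    def allows(self, client_ip):
        """True if a request from client_ip would be served.
        IIS matches the TCP peer address, so clients behind a NAT or proxy
        are all judged by the NAT/proxy address, not their own."""
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.entries)
        # A listed client is the exception to whatever the default is.
        return listed if not self.default_grant else not listed


def network_id_is_valid(network_id, subnet_mask):
    """False if the Network ID has bits set outside the Subnet Mask."""
    try:
        ipaddress.ip_network("%s/%s" % (network_id, subnet_mask), strict=True)
        return True
    except ValueError:
        return False


def campus_only_policy():
    """The policy the steps above build: Denied Access, with the campus
    network 128.138.0.0 / 255.255.0.0 as the one exception."""
    policy = IPRestriction(default_grant=False)
    policy.add_group("128.138.0.0", "255.255.0.0")
    return policy


if __name__ == "__main__":
    policy = campus_only_policy()
    # Constructed addresses: one campus host, one home ISP host.
    for ip in ("128.138.10.5", "203.0.113.7"):
        print(ip, "allowed" if policy.allows(ip) else "denied")
```

The same class with `default_grant=True` models the other radio button, where the listed entries are the addresses to block. Because the check is made on the TCP peer address, a campus proxy or NAT gateway inside 128.138.0.0/16 admits every client behind it, including off-campus ones.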
- Configure anonymous access
- IIS 5 creates and uses two user accounts: IUSR_computername and IWAM_computername. The IUSR_computername account is the default account for anonymous access. The IWAM_computername account is the identity IIS uses to run out-of-process (isolated) web applications.
- Make sure the IIS anonymous access user (IUSR_computername) has "User cannot change password" and "Password never expires" checked under its properties.
- If no anonymous access to IIS services is required, disable the IUSR_computername account.
- SYN Flood Protection
- SYN flooding is a common denial of service attack against IIS servers (and any other server that accepts TCP connections), but Windows 2000 has a built-in mitigation that limits its effects.
- Click Start, click Run, type regedt32, and then click OK.
- On the Windows menu, click HKEY_LOCAL_MACHINE on Local Machine.
- Navigate to the System\CurrentControlSet\Services\Tcpip\Parameters folder
- From the Edit menu select Add Value
- Give it a Value Name of "SynAttackProtect" and a Data Type of "REG_DWORD"
- Click OK
- Select "Decimal" in the new window and enter "2" for the Data
- Click OK
- Close the Registry Editor and restart the computer so that the TCP/IP driver reads the new value
- FTP server security
- The FTP service transmits usernames and passwords unencrypted across the network, giving attackers an opportunity to steal this information to gain access to a server. Consider pursuing other options for file transfers for greater security. If using the FTP service is a requirement, there are a few things that can be done to limit the risk.
- If only downloading is needed and the files are not confidential, consider only allowing anonymous access. This eliminates users sending their passwords over the network.
- If anonymous access is not possible, consider an alternative product that can encrypt usernames and passwords. One option is SafeTP, a free product that encrypts the traffic between an FTP client and an IIS FTP server while still allowing end-users their choice of FTP client. Other options include a VPN connection, IPSec, and SSH.
- Using virtual directories can increase the security of an FTP server by masking the true directory structure of the server.
Cleaning Up
- Remove scripts and samples - can be done using IIS Lockdown
- Delete sample files and scripts installed by IIS. These are generally located in \InetPub\iissamples and \InetPub\AdminScripts. If these scripts are required for some particular function, use NTFS permissions to restrict access to necessary users. This protects against several common exploits that use the sample scripts and files.
- Remove unused mappings - can be done using IIS Lockdown
- To remove an application mapping:
- Open the Internet Services Manager
- Select properties on your web server
- Select the Home Directory tab
- Click the Configuration button
- Select the mapping you wish to remove and click the Remove button. Remove every mapping you do not plan to use; the .ida and .printer mappings in particular have been targets of widely used exploits.
Maintaining Security
- IIS Logging
- To enable extended logging for your IIS web/FTP server and move the location of your log files:
- Open the Internet Services Manager
- Select properties on your web/FTP server
- Select the Web Site or FTP Site tab
- Make sure the Enable Logging check box is selected
- Select W3C Extended Log File Format from the pull down.
- Click the Properties button
- Under the General Properties tab select Daily for New Log Time Period (if your web/FTP server only receives a few hits a day, Weekly is acceptable, but Daily is best)
- Select Use local time for file naming and rollover
- Change the Log file directory to the location of your logs.
- Make sure that the NTFS security settings are set to:
- Administrators - Full Control
- System - Full Control
- Select the Extended Properties tab
- Check Date, Time, and all the Extended Property choices
- Set permissions on the log folder so that only SYSTEM and administrators have full control. Other users/groups should have no access to this folder, or read-only access if required. This step helps to prevent attackers from covering their tracks.
- Extended logging records the client address, the requested URL, the query string and the status of every request, which tells you after an incident what kind of attack was attempted and what level of access it gained. This information can help both you and other IT administrators on campus.
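With the extended fields above enabled, the logs can be read back to check that the clean-up steps took effect. The following parser is an added example for this guide, not ITS or Microsoft code. It reads the W3C extended format IIS 5 writes (the #Fields directive names the columns) and flags requests for the .ida and .printer mappings and the iissamples and AdminScripts directories named in the Cleaning Up section. The log lines are constructed for the example, and the extension list goes a little beyond the page by adding .idq and .htr, two further mappings IIS 5 installs by default; that addition is this example's assumption.

```python
"""Parse an IIS 5 W3C extended log and flag requests for content this guide
says to remove (script mappings and the sample directories).

Added example for this guide, not ITS or Microsoft code. The log below is
constructed for the example; the field names are the ones IIS writes in
its #Fields directive."""
from collections import Counter

# Constructed sample log. IIS writes '-' for an empty field and replaces
# spaces inside a field with '+', so a plain whitespace split recovers the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 13:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-07-19 13:00:01 128.138.10.5 - 128.138.10.20 80 GET /index.htm - 200 Mozilla/4.0+(compatible)
2001-07-19 13:00:02 203.0.113.7 - 128.138.10.20 80 GET /default.ida - 404 -
2001-07-19 13:00:03 203.0.113.7 - 128.138.10.20 80 GET /NULL.printer - 500 -
2001-07-19 13:00:04 198.51.100.9 - 128.138.10.20 80 GET /iissamples/sdk/asp/docs/codebrws.asp Source=/default.asp 200 Mozilla/4.0+(compatible)
2001-07-19 13:00:05 128.138.22.8 - 128.138.10.20 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible)
"""

# Extensions served through ISAPI mappings that IIS 5 installs by default.
# .ida and .printer come from the guide; .idq and .htr are assumed here as
# two more default mappings worth removing when unused.
SUSPECT_EXTENSIONS = {".ida", ".idq", ".printer", ".htr"}
# Sample/script directories named in the guide, as URL paths (lower case).
SAMPLE_DIRS = ("/iissamples/", "/adminscripts/")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no request data
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield dict(zip(fields, values))


def classify(entry):
    """Reason the request is worth a look, or None if it is ordinary."""
    stem = entry.get("cs-uri-stem", "-").lower()
    name = stem.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SUSPECT_EXTENSIONS:
        return "script mapping " + ext
    for d in SAMPLE_DIRS:
        if stem.startswith(d):
            return "sample directory " + d
    return None


def find_suspicious(text):
    """(timestamp, client ip, uri, status, reason) for each flagged request."""
    hits = []
    for e in parse_w3c(text):
        reason = classify(e)
        if reason:
            hits.append((e["date"] + " " + e["time"], e["c-ip"],
                         e["cs-uri-stem"], e["sc-status"], reason))
    return hits


def top_sources(text):
    """Count flagged requests per client address."""
    return Counter(h[1] for h in find_suspicious(text))


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
    print(top_sources(SAMPLE_LOG).most_common())
```

Run it against the files in the log directory you configured above. The status column is the useful signal: once a mapping is removed, a request such as /default.ida is an ordinary missing file and logs as 404, as in the sample; a 200 or 500 for the same request means an ISAPI DLL handled it and the mapping is still in place.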
- URLScan tool
- This Microsoft tool filters requests to an IIS web server based on several criteria (for example, the verb, the file extension or characters in the URL). For more information on this tool, or to download it, please see the MS URLScan web page. Be aware that an over-strict URLScan configuration can block legitimate requests to a running web site, so learn the rules and test them before deploying.
More information
- Microsoft
- ITS
- Other web sites
- Books
Getting Help
help@colorado.edu