A guide to installation and configuration of
Internet Information Server (IIS) on Windows NT and Windows 2000 systems
with emphasis on web site security. |
|
|
|
|
|
Al Lilianstrom |
|
x2028 |
|
Al.Lilianstrom@fnal.gov |
|
CD/OSS/CSI |
|
|
|
|
This talk describes how I build a Windows NT or
Windows 2000 based system for use with IIS |
|
|
|
I really do things this way |
|
|
|
I didn't think of all this by myself |
|
|
|
This information comes from experience – my own
and countless others |
|
|
|
And yes I have had a system defaced |
|
|
|
|
|
Think about this - |
|
Can I publish this data elsewhere? |
|
Am I going to pay attention to this server? |
|
|
|
Alternatives |
|
Professional home pages available in AFS space |
|
Project web sites available on CD managed
servers |
|
|
|
|
|
|
Web servers should not be on any type of domain controller: a compromised web server on a domain controller is a compromised domain. |
|
|
|
Unless you absolutely have to, web servers
should not be on fileservers |
|
|
|
A separate system, while not necessarily cost
effective, allows more flexibility and doesn’t have as much impact on
regular business if the web server must be removed from the network or
rebuilt. |
|
|
|
|
|
|
The system should be off the network from the
time you start the OS installation until all patches are applied and all
required changes are made |
|
|
|
NTFS filesystems only! |
|
|
|
Windows NT - Do NOT install IIS as part of the NT Server installation (that gives you the old IIS 2.0)! Install IIS 4 from the NT Option Pack. Remember - less is better when choosing IIS options! Don't forget the IIS patches! |
|
|
|
Windows 2000 – Pay attention to the install so
you can choose what parts of IIS you want installed. |
|
|
|
|
|
|
|
This is a good start |
|
|
|
Note – |
|
No Index Server |
|
No FrontPage Extensions |
|
Not all IIS options are selected |
|
|
|
Only install what you need |
|
|
|
Apply all applicable patches |
|
|
|
This should be done off the network |
|
|
|
|
The NT and Windows 2000 default location for the web server root is c:\inetpub\wwwroot. This has to be changed! With the content on the system volume, a traversal bug in IIS or in a script only has to climb the directory tree to reach \winnt\system32; a "..\" sequence cannot cross drive letters, so putting the content on another volume keeps the same trick inside that volume. |
|
|
|
The default file permissions here are Everyone:Full
Control |
|
|
|
The default permissions for any new file system
created in NT/W2K are Everyone:Full Control |
|
|
|
|
Prepare a new home for your web site. It should NOT be on the system disk. I normally use d:\inetpub. Create a wwwroot directory below inetpub. Be sure that permissions are set properly: by default IIS serves anonymous requests under the IUSR_machinename account (IWAM_machinename runs out-of-process applications), so give those accounts read only access to the content and nothing more. |
|
|
|
|
Open up the IIS MMC and delete the virtual directories you don't need. At a minimum remove MSADC and IISSAMPLES - there are known holes in both, and nothing on a normal web site needs them. |
|
|
|
|
Move the logs. Default is
c:\winnt\system32\logfiles. I tend to use d:\logfiles. Right click on the
default web site and go to properties. Near the bottom make sure that
logging is enabled and click on Properties. |
|
|
|
|
Change the logfiles directory to d:\logfiles and
click on Ok. |
|
|
|
|
Click on the Home Directory tab and set the
local path to d:\inetpub\wwwroot. (Note - this can also be a share on
another computer) Click on apply. |
|
|
|
|
Click on Configuration. This will bring up the
default script mappings. |
|
|
|
Remove all unnecessary items. The leftovers from a default install are usually .htr, .idc, .stm, .shtm, .shtml, .printer, .ida, .idq and .htw; each one hands requests to an ISAPI DLL that a plain HTML site never needs, several of them have had published holes, and every mapping you keep is attack surface. |
|
|
|
|
|
|
I usually leave the .asp mapping as I use these
for some applications. The web site will function without this mapping so
it can be removed if you don't need it. Click on OK and exit the MMC. |
|
|
|
|
|
|
At this time (assuming that you have applied all
the appropriate patches) you can connect to the network. Good time to test
the basic function of the web server. |
|
|
|
Put a couple of files to test with in the root
of your new web server. If you have a particular application that this web
server is to be used for - install it and test. |
|
|
|
|
What is your target audience? On site? Off site?
If this is meant to be a FNAL only site, IIS can (and should) be set to
only accept connections from our network. |
|
|
|
Open up the IIS MMC and right click on the web
site (or directory in the site) that you want to protect. Click on the
Directory Security tab. Click on the Edit tab by the IP Address and Domain
Name restrictions. |
|
|
|
|
Click on Add. Select Group of Computers and put
in the Network ID and Subnet Mask as shown. Click on OK a couple of times
to get back to the MMC. This site is now only available from machines on
the Fermilab network. Other networks can be added. |
|
|
|
|
You can require the use of host headers to access your pages. With host headers configured, a request whose Host header does not carry the site's DNS name is not routed to the site, so it fails. This keeps most of the script kiddies and worms away: they scan by IP address and (at least not yet) do not put DNS names in their requests, and the current attacks all fall in this category. Treat it as a cheap filter rather than access control - anyone who knows the site's name can put it in the Host header. To do this open the IIS MMC, right click on the web site and go to Properties. Click on the Advanced button next to the IP address of the web site. |
|
|
|
|
Edit and add DNS names to match your IP
address. Click on OK to get back to the MMC. |
|
|
|
Warning - |
|
|
|
This feature can't be used with SSL encrypted
pages or sites |
|
|
|
Older browsers (HTTP/1.0 clients that do not send a Host header) will no longer be able to view the site |
|
|
|
|
IP address based requests will fail |
|
|
|
|
|
The same request using a DNS name works |
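The two controls described above, the IP address restriction built from a network ID and subnet mask, and the host header binding, can be modelled in a few lines to see exactly which requests get through. This is an added example written for this page, not part of the original talk or of IIS itself: the site name, client addresses and networks are constructed (RFC 5737 documentation ranges), the "ip:port:host" binding form mirrors the metabase ServerBindings property, and "403.6" is IIS's "IP address rejected" sub-status.

```python
"""Model of two IIS 4/5 access controls: host-header bindings and the
IP address / domain name restriction.  Added example; the site, client
addresses and networks are constructed and are not from the talk."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    # "ip:port:host" like the metabase ServerBindings property; an empty ip
    # means all unassigned addresses, an empty host means any Host header.
    bindings: list
    # Grant everyone except the listed networks (True), or deny everyone
    # except the listed networks (False).  Networks are CIDR strings.
    grant_by_default: bool = True
    listed_networks: list = field(default_factory=list)


def binding_matches(site, server_ip, port, host):
    """True if some binding of the site accepts this (ip, port, Host header)."""
    for binding in site.bindings:
        b_ip, b_port, b_host = binding.split(":", 2)
        if b_ip and b_ip != server_ip:
            continue
        if int(b_port) != port:
            continue
        if not b_host:                  # no host header required on this binding
            return True
        if host is not None and host.lower() == b_host.lower():
            return True
    return False


def ip_permitted(site, client_ip):
    """Apply the 'Group of Computers' rule: network ID plus subnet mask."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(net) for net in site.listed_networks)
    if site.grant_by_default:
        return not listed               # listed networks are the denied exceptions
    return listed                       # listed networks are the only ones granted


def route(sites, client_ip, server_ip, port, host):
    """Return (outcome, site name).  'no site' is the talk's 'request is
    ignored'; '403.6' is IIS's 'IP address rejected' sub-status."""
    for site in sites:
        if binding_matches(site, server_ip, port, host):
            if not ip_permitted(site, client_ip):
                return ("403.6", site.name)
            return ("200", site.name)
    return ("no site", None)


# Constructed example: a site bound to its DNS name only, and restricted to
# one /24 that stands in for "our network".
SITES = [
    Site("projectweb", ["192.0.2.10:80:projectweb.example.org"],
         grant_by_default=False, listed_networks=["198.51.100.0/24"]),
]


def demo():
    """The four cases the talk's screenshots illustrate."""
    return {
        # scanner hitting the server by IP address, no DNS name in Host:
        "by_ip":   route(SITES, "198.51.100.7", "192.0.2.10", 80, "192.0.2.10"),
        "by_name": route(SITES, "198.51.100.7", "192.0.2.10", 80, "projectweb.example.org"),
        # off-site client that knows the name: passes host headers, fails IP rule
        "offsite": route(SITES, "203.0.113.9", "192.0.2.10", 80, "projectweb.example.org"),
        # HTTP/1.0 browser that sends no Host header at all
        "http10":  route(SITES, "198.51.100.7", "192.0.2.10", 80, None),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The request addressed by IP gets no site while the same request carrying the DNS name is served; the off-site client that knows the name gets past the host header check and is stopped only by the IP rule, which is why the two are used together.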
|
|
NT Challenge/Response (Integrated Windows) authentication works without a password prompt only when: |
|
Internet Explorer is the browser |
|
|
|
The user has an account in the domain that the
web server is configured to use for authentication |
|
|
Disable any unnecessary services. The spooler, index server, and SNMP come to mind. If you must have SNMP, configure it properly: non-default community names, read only, and accepting only your management stations. |
|
Rename the Administrator account |
|
Disable 8.3 filename support (NtfsDisable8dot3NameCreation under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem) |
|
Disable null session enumeration (RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) |
|
IIS Lockdown tool from Microsoft |
|
URLScan from Microsoft (an ISAPI filter that rejects requests by verb, extension and URL content before IIS processes them) |
|
Restrict access for command line tools (cmd.exe and the other executables under %systemroot%\system32) to the local System account and the Administrators group |
|
Remove write access for IUSR, IWAM, and the Everyone group anywhere it exists. |
|
|
|
|
The Computing Division Computer Security Group
will scan your machine on request and send you the results. Request this
through your division/section GCSC (General Computer Security Contact) Use
the results of this scan to modify your configuration as necessary. Do this
before the machine goes into production. |
|
|
|
This would also be a good time to get a baseline
backup of the system. |
|
|
|
|
Microsoft distributes a free tool called hfnetchk. It uses an XML data file (mssecure.xml) to compare your system against all known patches. It can be used |
|
|
|
“* By users checking their own desktop systems, |
|
* By admins checking any system on which they
have administrator access.” |
|
|
|
Matt Crawford crawdad@fnal.gov 8/17/2001 8:43 AM
message to the pc-manager list. |
|
|
|
See the list archive for the complete text of
the message (http://listserv.fnal.gov/archives/pc-manager.html) |
|
|
|
|
C:\hfc3>hfnetchk -x mssecure.xml -h newpckits |
|
Microsoft Network Security Hotfix Checker, 3.2 |
Developed for Microsoft by Shavlik Technologies, LLC |
info@shavlik.com (www.shavlik.com) |
|
Using XML data version = 1.0.1.159 Last modified on 10/24/2001. |
|
* WINDOWS 2000 SERVER SP2 |
|
Patch NOT Found MS01-013 Q285156 |
NOTE MS01-022 Q296441 |
|
* Internet Information Services 5.0 |
|
INFORMATION All necessary hotfixes have been applied |
|
* Internet Explorer 6 Gold |
|
INFORMATION All necessary hotfixes have been applied. |
|
|
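If you run hfnetchk against more than one machine it helps to turn its report into something a script can act on. The following is an added example, not part of hfnetchk or of the talk; it parses the report format shown above (the sample text is that report, from host newpckits) and returns the bulletins still missing, so a build script can refuse to put the box on the network until the list is empty.

```python
"""Parse hfnetchk report text into {product: [(status, bulletin, kb), ...]}.
Added example for this page, not part of hfnetchk."""
import re

PRODUCT = re.compile(r"^\*\s+(.+?)\s*$")
FINDING = re.compile(r"^(Patch NOT Found|NOTE|WARNING)\s+(MS\d{2}-\d{3})\s+(Q\d+)")


def parse_hfnetchk(text):
    """Group each finding under the '* product' heading it appears after.
    Products with nothing outstanding map to an empty list."""
    report = {}
    product = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PRODUCT.match(line)
        if m:
            product = m.group(1)
            report.setdefault(product, [])
            continue
        m = FINDING.match(line)
        if m and product is not None:
            report[product].append(m.groups())
    return report


def missing_patches(report):
    """Only 'Patch NOT Found' entries.  NOTE and WARNING mean a human has to
    read the bulletin; by themselves they do not say the hotfix is absent."""
    return [(product, bulletin, kb)
            for product, items in report.items()
            for status, bulletin, kb in items
            if status == "Patch NOT Found"]


def ready_for_network(report):
    """The talk's rule: no network until every applicable patch is on."""
    return not missing_patches(report)


# The report shown in the talk, used here as sample input.
SAMPLE_REPORT = """\
Microsoft Network Security Hotfix Checker, 3.2
Developed for Microsoft by Shavlik Technologies, LLC
info@shavlik.com (www.shavlik.com)

Using XML data version = 1.0.1.159 Last modified on 10/24/2001.

* WINDOWS 2000 SERVER SP2

    Patch NOT Found MS01-013 Q285156
    NOTE MS01-022 Q296441

* Internet Information Services 5.0

    INFORMATION All necessary hotfixes have been applied

* Internet Explorer 6 Gold

    INFORMATION All necessary hotfixes have been applied.
"""

if __name__ == "__main__":
    rep = parse_hfnetchk(SAMPLE_REPORT)
    for product, bulletin, kb in missing_patches(rep):
        print(f"{product}: missing {bulletin} ({kb})")
    print("ready for network:", ready_for_network(rep))
```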
|
|
In my opinion Microsoft errs by continuing to
release a web server with all options enabled and in need of patches. The
current NTOptionPack download (the installer for IIS4) does NOT have any
patches applied. |
|
|
|
Running a web server requires discipline and
attention. You need to watch your web server and system logs. You need to
be aware of the latest attacks and patches. |
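Watching the logs is easier with something that reads them for you. The following is an added example (not from the talk) that parses IIS W3C extended log lines by their #Fields: header and flags the request patterns this guide has you close off: directory traversal in plain, percent-encoded and overlong-UTF-8 form, attempts to reach cmd.exe, requests into the MSADC and IISSAMPLES directories, and requests for extensions whose script mappings were removed. The log lines at the bottom are constructed, with documentation-range addresses.

```python
"""Scan IIS W3C extended log lines for the attack patterns this guide tells
you to watch for.  Added example, not from the talk; SAMPLE_LOG is constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Each rule is applied to the raw URI (stem + query) and to its decoded form.
# A request matches at most one rule: the first in this list.
RULES = [
    # "../" or "..\" in any encoding, including the overlong UTF-8 forms
    # that IIS 4/5 decoded after the path check
    ("traversal",    re.compile(r"(\.\./|\.\.\\|%c0%af|%c1%9c)", re.I)),
    ("cmd_exec",     re.compile(r"(cmd\.exe|root\.exe)", re.I)),
    # virtual directories this guide deletes from the default install
    ("removed_vdir", re.compile(r"^/(msadc|iissamples)/", re.I)),
    # script mappings this guide removes; such requests should now be 404s
    ("unmapped_ext", re.compile(r"\.(ida|idq|htr|printer|stm|shtml?)(\?|$)", re.I)),
]


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # truncated line: skip rather than misalign
        yield dict(zip(fields, values))


def request_uri(rec):
    """Rebuild stem?query; IIS logs an empty field as '-'."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    return stem if query == "-" else stem + "?" + query


def scan(lines):
    """Return a list of (client ip, rule, uri, status) findings."""
    findings = []
    for rec in parse_w3c(lines):
        raw = request_uri(rec)
        # match the raw form too: unquote() turns the overlong sequences
        # into replacement characters, which would hide them
        decoded = unquote(raw)
        for name, pattern in RULES:
            if pattern.search(raw) or pattern.search(decoded):
                findings.append((rec.get("c-ip", "-"), name, raw, rec.get("sc-status", "-")))
                break
    return findings


def top_sources(findings, n=3):
    """Client addresses with the most findings: the scanners stand out."""
    return Counter(f[0] for f in findings).most_common(n)


# Constructed sample in the IIS 5 W3C extended format (spaces in a URL are
# logged as '+', so the query '/c+dir' is the literal '/c dir').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-10-25 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-25 00:00:01 198.51.100.7 GET /default.htm - 200
2001-10-25 00:00:05 203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-10-25 00:00:06 203.0.113.9 GET /msadc/msadcs.dll - 404
2001-10-25 00:00:07 203.0.113.9 GET /default.ida XXXXXXXX 404
2001-10-25 00:00:09 198.51.100.7 GET /images/logo.gif - 200
2001-10-25 00:00:11 203.0.113.22 GET /iissamples/default/default.htm - 404
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, rule, uri, status in hits:
        print(f"{ip:15} {rule:13} {status} {uri}")
    print("top sources:", top_sources(hits))
```

All four flagged requests are 404s, which is the point: with the sample directories gone and the mappings removed, the attacks fail, but the log still tells you who is knocking so you can add their networks to the deny list or report them. A 200 against any of these rules is the line to drop everything for.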
|
|
|
|
|
Microsoft Security |
|
http://www.microsoft.com/security |
|
|
|
IIS4 Security Checklist |
|
http://www.microsoft.com/technet/security/tools/iischk.asp |
|
|
|
IIS5 Security Checklist |
|
http://www.microsoft.com/technet/security/iis5chk.asp |
|
|
|
Microsoft IIS |
|
http://www.microsoft.com/technet/prodtechnol/iis/ |
|
|
|
URLScan Security Tool |
|
http://www.microsoft.com/technet/security/tools/urlscan.asp |
|
|
|
IIS Lockdown Tool |
|
http://www.microsoft.com/technet/security/tools/locktool.asp |
|
|
|
Security Focus |
|
http://www.securityfocus.com/infocus/1311 |
|
|
|
|
|
Latest patches are on PCKITS -
\\pckits\fermi-rollup |
|
|
|
Patch CD available for offline builds. This is a
mirror of the PCKITS site. ISO image is available if you want to burn your
own – See the OSS home page at http://www-oss.fnal.gov under Miscellaneous |
|
|
|
Technical assistance available. Don't be afraid
to ask! |
|
|
|
helpdesk@fnal.gov |
|
pc-manager@fnal.gov |
|
|
If you are an administrator of a system on the Fermilab network you should be a registered system admin - See http://miscomp.fnal.gov/sysadmindb/ |
|
|
|
Manage NT/2000/etc |
|
Join the pc-manager list - http://listserv.fnal.gov/users.asp#subscribe%20to%20list |
|
|
|
Join the Microsoft Security bulletin mailing
list - http://www.microsoft.com/technet/security/bulletin/notify.asp |
|
|
|
|
|