Re: Secured IIS Project - IIS 4.0 Secure Script

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 07/24/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F167ACB@muskie.rc.on.ca>
Date:         Tue, 24 Jul 2001 12:08:12 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Secured IIS Project - IIS 4.0 Secure Script
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----

I've completed v1.0 of SecuredIIS.vbs, a Visual Basic script;
http://ntbugtraq.ntadvice.com/download/SecuredIIS.zip

which, using Windows Scripting Host, implements many of the
recommendations from the;

Microsoft Internet Information Server 4.0 Security Checklist
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp

plus additional things I felt were prudent.

The intent of this script is that it be given to owners of, and run
on, IIS 4.0 servers which have been installed accepting the defaults.
It should operate identically on NT 4.0 machines which have installed
IIS 4.0 from the NT 4.0 Option Kit using the "Typical" installation
of NTOK.

Machines which were upgraded from IIS 2.0 (original NT installation),
or IIS 3.0 may have remnants left behind which we'd like to remove
(anyone noticing anything on such machines, please drop me a note).

The basic system used for testing here is;

NT 4.0 (no IIS)
NT 4.0 SP6a 128-bit
IE 4.0 SP2 (typical)
NT 4.0 Option Kit (typical)
MDAC_TYP (MDAC 2.1 upgrade)
NT 4.0 SP6a 128-bit

This setup creates an SMTP server, FTP server, Index Server, Windows
Scripting Host (required for the script to work, but part of a
default installation of NTOK), and FrontPage extensions.

The script isn't intended to ask questions or provide options. If
someone has sufficient knowledge to know what they want, or don't
want, from their installation then they should be reading the
Security Checklist above or altering their installation via the NTOK
Setup program. Those that don't know, or don't want to know, can just
double-click on the script and know that the most common security
configurations are being done for them.

The script also doesn't incorporate any Hotfix checking. This will
come as part of a (near) future version.

Version 1.0 does the following;

Remove FTP Services and any virtual directories
Remove the IISADMPWD virtual web directory
Remove all IIS Samples
Disable FrontPage on the Default Web Site
Remove SMTP Services and any virtual directories
Disable Parent Paths
Remove Script Mappings for;
 .cer
 .cdx
 .htr
 .htw
 .ida
 .idc
 .idq
 .stm
 .shtm
 .shtml
Remove SMTP Service
Remove FTP Service
Remove RDS Registry keys
Set Jet ODBC to safe Sandbox mode
Disable automatic NetBIOS shares
Disable 8.3 DOS file generation
Remove the Optional, OS/2 and Posix subsystems
Hide the last logon name
Establish a logon notice
Remove the Shutdown button from the Logon dialog
Restrict Anonymous access
Delete physical directories associated with;
 SMTP Service
 FTP Service
 IIS Samples
 IIS Password Change directory

This version is being offered up for testing purposes only. Please be
aware that there is no option to stop the process once it has been
started.

Suggestions, additions, comments should be sent to
Russ.Cooper@rc.on.ca. Some remnants of the SMTP and FTP service
remain after running the script, primarily in the Content Index
Service. I'm still checking into how best to handle this (or whether
it's a problem at all).

I'm currently working on v2.0, which will incorporate support for
Windows 2000.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO12dbBBh2Kw/l7p5AQEVLgP/dyglsXpQEM7sVJSwxGlq4ehnMkR193X8
IBMd/e8YB2QFpJ5kVaF1VXmrP+Jh8roF4SF1XifL9EWdxiBSJoDjEpg12tVOv0Jp
sGPfl2cJW8ILOdqPbX/8sPsYlOr3V1OCvZ/Jmphk3C/YL0qHmfVKnU+khG1lPGJF
O+4Sm+LOX2E=
=/zp4
-----END PGP SIGNATURE-----
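Added example (not Russ's SecuredIIS.vbs and not from the Microsoft checklist): a Windows Scripting Host script in VBScript that carries out a subset of the steps listed in the message above on an NT 4.0 / IIS 4.0 server. It writes the registry values named in the list (RestrictAnonymous, AutoShareServer, NtfsDisable8dot3NameCreation, the Winlogon notice and last-user-name values, the Jet sandbox mode), deletes the RDS launch keys, and uses ADSI against the metabase to disable parent paths, strip the listed script mappings, and remove the IISADMPWD and sample virtual directories. It assumes the Default Web Site is metabase instance 1, that the samples virtual directory is named IISSAMPLES as a Typical NTOK install creates it, and that the script runs under an administrator. Service removal (SMTP, FTP), FrontPage, and the optional subsystems are left out; the first two are NTOK Setup work and the last is a REG_MULTI_SZ value that WScript.Shell.RegWrite cannot write.

```vbscript
' Hardening sketch in the spirit of SecuredIIS.vbs (added example; this is
' not Russ's script). Runs under Windows Scripting Host on NT 4.0 / IIS 4.0,
' using WScript.Shell for the registry and ADSI (IIS://) for the metabase.
' Assumed: the Default Web Site is server instance 1, and the samples
' virtual directory is named IISSAMPLES (Typical NTOK install).
Option Explicit

Dim shell
Set shell = CreateObject("WScript.Shell")

' ---- Registry settings named in the list ----
Const HKLM_WINLOGON = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"

' Restrict anonymous enumeration of accounts and shares
shell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous", 1, "REG_DWORD"
' Stop the Server service creating C$, D$, ADMIN$ automatically at boot
shell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer", 0, "REG_DWORD"
' Stop NTFS generating 8.3 short names (applies to files created from now on)
shell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation", 1, "REG_DWORD"
' The Winlogon values are REG_SZ strings on NT 4.0
shell.RegWrite HKLM_WINLOGON & "DontDisplayLastUserName", "1", "REG_SZ"
shell.RegWrite HKLM_WINLOGON & "ShutdownWithoutLogon", "0", "REG_SZ"
shell.RegWrite HKLM_WINLOGON & "LegalNoticeCaption", "Authorized use only", "REG_SZ"
shell.RegWrite HKLM_WINLOGON & "LegalNoticeText", "This system is for authorized users only.", "REG_SZ"
' Jet 3.5 sandbox mode 3 = sandbox every client, so ODBC queries cannot run Shell()
shell.RegWrite "HKLM\SOFTWARE\Microsoft\Jet\3.5\Engines\SandboxMode", 3, "REG_DWORD"
' Remove the RDS launch keys so the DataFactory objects are no longer reachable via /msadc
DeleteKeyIfPresent "HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory\"
DeleteKeyIfPresent "HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory\"
DeleteKeyIfPresent "HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls\"

' ---- Metabase settings via ADSI ----
Dim w3svc, root
Set w3svc = GetObject("IIS://localhost/W3SVC")
Set root = GetObject("IIS://localhost/W3SVC/1/Root")

' Parent paths let an ASP include reach outside the web root with ".."
root.AspEnableParentPaths = False
root.SetInfo

' Unused script mappings are needless attack surface; drop the ones on the list.
' Set at the W3SVC level so every site that inherits its mappings is covered.
w3svc.ScriptMaps = RemoveMappings(w3svc.ScriptMaps, _
    Array(".cer", ".cdx", ".htr", ".htw", ".ida", ".idc", ".idq", ".stm", ".shtm", ".shtml"))
w3svc.SetInfo

' Remove the password-change and samples virtual directories (files on disk are left alone)
DeleteVDirIfPresent root, "IISADMPWD"
DeleteVDirIfPresent root, "IISSAMPLES"

WScript.Echo "Hardening complete."

' Returns a copy of maps (strings of the form ".ext,C:\path\handler.dll,flags[,verbs]")
' without any entry whose extension is in exts (case-insensitive).
Function RemoveMappings(maps, exts)
    Dim kept, i, j, ext, drop, n, comma
    n = 0
    ReDim kept(UBound(maps))
    For i = 0 To UBound(maps)
        drop = False
        comma = InStr(maps(i), ",")
        If comma > 0 Then
            ext = LCase(Left(maps(i), comma - 1))
            For j = 0 To UBound(exts)
                If ext = LCase(exts(j)) Then drop = True
            Next
        End If
        If Not drop Then
            kept(n) = maps(i)
            n = n + 1
        End If
    Next
    If n = 0 Then
        RemoveMappings = Array()
    Else
        ReDim Preserve kept(n - 1)
        RemoveMappings = kept
    End If
End Function

Sub DeleteKeyIfPresent(keyPath)
    On Error Resume Next          ' RegDelete raises an error if the key is already gone
    shell.RegDelete keyPath
    On Error GoTo 0
End Sub

Sub DeleteVDirIfPresent(container, name)
    On Error Resume Next          ' Delete raises an error if the vdir does not exist
    container.Delete "IIsWebVirtualDir", name
    On Error GoTo 0
End Sub
```

Run it with `cscript hardening.vbs` from an administrative console. Like the script the message describes, it asks no questions and has no undo, so take a metabase backup from the IIS MMC and export the Winlogon, Lsa and LanmanServer keys first, and try it on a test server built the same way as the list of test components above before pointing it at anything that matters.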
