RE: IIS Locking down IIS
From: John Spencer (johns@model.com) Date: 01/03/02
Date: Thu, 03 Jan 2002 14:12:27 -0800 From: John Spencer <johns@model.com> To: security-basics@securityfocus.com
Start here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
Then:
Use URLscan **Be careful & read the documentation, there are ways to make it work with FrontPage -- just read the documentation!!
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp
Lockdown Win2K using baseline server security checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp
Lockdown IIS 5.0 using both baseline & secure internet information services checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5cl.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp
**Be careful with the security templates. I found it best to review the templates, use the configure & analysis tool, review the analysis logs & create your own template from scratch to be certain nothing happens that you don't specify
Use the IIS lockdown tool in advanced mode
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
**Again, read the documentation thoroughly to understand everything you are disabling & be careful not to disable anything you need
Familiarize yourself with Win2K access control methodologies
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part2/dsgch12.asp
Read security bulletins and apply all recommended patches
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
Use hfnetchk.exe to verify all hotfixes are applied
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q303215
Subscribe to mailing lists related to Win2K & IIS security:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
http://www.securityfocus.com/cgi-bin/subscribe.pl
***ALWAYS install IIS to a non-default location. The only way to do this is to perform an unattended Windows component installation:
1) Create an answer file on c:\ named iis.txt
EX:
[Components]
iis_www = on
iis_common = on
[InternetServer]
PathWWWRoot=I:\Inetpub\Wwwroot
2) Execute the following command
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\iis.txt
Additional reading on Security, IIS & Win2K
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/acs/reskit/acrkch12.asp
**Security for Admins & developers
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/reskit/iis50rg/iischp9.asp
**Security resource guide for IIS 5.0
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/deploy/depovg/securiis.asp
**Guide to Securing IIS 5.0
http://66.129.1.101/top20.htm **SANS top 20 security holes
www.cisecurity.org **Center for Internet Security
www.sans.org **SANS Institute
http://nsal.www.conxion.com **National Security Agency security recommendation guides
www.microsoft.com/windows2000/downloads/critical **Current critical hotfixes
On top of all this I recommend inserting a firewall between IIS & the Internet. The best firewall is Checkpoint FW1; an inexpensive alternative is IPTables or IPChains (which are also very good but require more expertise to configure correctly).
Better alternatives to IIS:
Apache
IPlanet
John Spencer, CCSA, SCSA, RHCE
Systems Administrator
Model Technology --A Mentor Graphics Company
johns@model.com
**Opinions expressed here do not necessarily express the opinions of Mentor Graphics or its subsidiaries.
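The post's unattended-install step hinges on the sysocmgr answer file pointing PathWWWRoot somewhere other than the default C:\Inetpub\wwwroot. The following is an added example, not part of the original post, that parses such an answer file and flags the misconfigurations that would quietly leave IIS in its default location; the sample file is constructed from the one shown above, and the assumed system drive is C:.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample mirroring the iis.txt answer file in the post.
SAMPLE_ANSWER_FILE = r"""[Components]
iis_www = on
iis_common = on
[InternetServer]
PathWWWRoot=I:\Inetpub\Wwwroot
"""

DEFAULT_SYSTEM_DRIVE = "C:"  # assumption: %SystemDrive% on the target host


def parse_answer_file(text):
    """Parse a sysocmgr answer file (INI syntax; option names are case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp


def check_answer_file(text, system_drive=DEFAULT_SYSTEM_DRIVE):
    """Return a list of findings; an empty list means the file passes the checks."""
    cp = parse_answer_file(text)
    findings = []
    components = cp["Components"] if cp.has_section("Components") else {}
    # Both components must be switched on or the WWW service is not installed at all.
    for key in ("iis_www", "iis_common"):
        if components.get(key, "off").strip().lower() != "on":
            findings.append(f"{key} is not set to on")
    path = cp.get("InternetServer", "pathwwwroot", fallback="").strip()
    if not path:
        # Without PathWWWRoot, setup falls back to %SystemDrive%\Inetpub\wwwroot.
        findings.append("PathWWWRoot missing: default Inetpub\\wwwroot location would be used")
        return findings
    p = PureWindowsPath(path)
    if not p.drive:
        findings.append(f"PathWWWRoot '{path}' has no drive letter")
    elif p.drive.upper() == system_drive.upper():
        # Same drive as the OS: web content and system files share one volume.
        findings.append(f"PathWWWRoot '{path}' is on the system drive {system_drive}")
    return findings


if __name__ == "__main__":
    for finding in check_answer_file(SAMPLE_ANSWER_FILE) or ["OK: non-default location"]:
        print(finding)
```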