Re: REPOST: IIS4 Security Advice

From: x y (jamescagney90210@excite.com)
Date: 05/16/02


From: "x y" <jamescagney90210@excite.com>
Date: Thu, 16 May 2002 08:23:07 -0400


"Killer Squid" <killersquid2002@yahoo.co.uk> wrote in message
news:3eedf231.0205160323.346228a6@posting.google.com...
> Hi,
>
> We have developed an Intranet application that runs happily on a web farm
> via Cisco Load balancers. The web servers run NT4.0 SP6a, IIS4, Oracle
> Client 8.1.7 and Redback Gateway 3.5.3 Tier 2 (an OLE DB provider).
>
> We are looking to open up access to a "trusted client", and want to ensure
> that the web servers are as secure as possible without interfering with
> the running of the application.
>
> As a starting point, we intend to apply the latest cumulative patch for
> IIS (10 April 2002), and then try the IIS Lockdown Tool. Any comments on
> either of these?

Well, I assume you know you need more than the latest IIS security patch,
but also windows 2000 patches and service packs [latest is SP2, should be
installed first before other patches], and there are some components that
are usually not considered part of IIS but need to be patched anyways, such
as Index Server. www.microsoft.com/security will let you search for all
required updates for each technology you are running [e.g. one search for
win 2000, one for IIS, one for Index Server, etc.]

The link above will also have a checklist of other things suggested to
secure your system. IISlockdown will take care of a lot of them. I think
one of the recommendations is usually to create a separate partition/drive
for the IIS web files and nothing else. Another one is to enable auditing
of files and registry keys at the root of HKLM and below, especially all
failed access and successful deletion, etc. After installing iislockdown
including urlscan, you will want to modify your urlscan.ini file to tighten
some things up [like make sure allow action and allow extension are being
used instead of deny], and loosen other things up [like allowing certain
special file extensions that might be required by your app]. After you
restart IIS, you should check the urlscan.log file from time to time to see
what is being blocked and see whether valid client requests are being
blocked accidentally.

Other suggested security tools are www.gfi.com LANguard file integrity
checker, www.mynetwatchman.com software [both are free], have a software and
hardware firewall starting with Sygate and Netgear at the inexpensive end,
etc. etc.

None of these resources tell you much about application security, though.
Hopefully your programmers or someone over them is someone expert at current
security issues and how to resolve them in a web app. Authentication
methods and permissions are two things to consider... SQL injection is a
common type of problem... .asp pages should be careful not to return
sensitive information to the user... applications that pass sensitive
variables like user ID or account number in the URL are a frequent cause of
hacking... etc. etc. The books Incident Response and Hacking Exposed vol 3
are two good introductions to security that deal a little with this sort of
thing.

Depending on your security needs, you may want to consider setting up one or
more firewalls into a DMZ to protect your web servers from your network
and/or vice versa.

Once everything is set up, I like to use the command
NETSTAT -AN>>c:\netstat.txt or NETSTAT -A>>C:\netstat.txt and also
fport>>c:\fport.txt to capture the currently open IP ports and what
services are listening on them. This may help you if you suspect that a
hacker has compromised your server and installed some service or software on
it. Fport is free for download from foundstone.com along with a lot of
other useful security goodies. www.sysinternals.com also has useful free
tools for researching possible intrusions and setting up correct file
permissions, such as pstools [including psloggedon], process explorer,
regmon and filemon.
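The urlscan.log review the reply recommends, as an added example (not part of the original post or of URLScan itself): it tallies what URLScan rejected and flags extensions or verbs that were requested only from the trusted client's address range, which is where an app-required extension missing from the urlscan.ini allow lists tends to show up. The log line layout and the trusted address prefix are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample urlscan.log lines. The layout ("[date - time] Client at
# <ip>: <reason>. Request will be rejected.  ... Raw URL='...'") is assumed
# from URLScan's logging; these lines are not from a real server.
SAMPLE_LOG = """\
[05-16-2002 - 08:23:07] Client at 10.1.1.20: URL contains extension '.ida', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/default.ida'
[05-16-2002 - 08:23:09] Client at 10.1.1.20: URL contains extension '.exe', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/util/run.exe'
[05-16-2002 - 09:01:44] Client at 192.168.5.12: URL contains extension '.rpt', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/reports/monthly.rpt'
[05-16-2002 - 09:01:50] Client at 192.168.5.13: URL contains extension '.rpt', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/reports/weekly.rpt'
[05-16-2002 - 09:15:02] Client at 192.168.5.12: Verb 'PROPFIND' is not allowed. Request will be rejected.  Site Instance='1', Raw URL='/reports/'
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>[\d.]+): (?P<reason>.*?)\. Request will be rejected\.")
EXT_RE = re.compile(r"extension '(\.[^']+)'")
VERB_RE = re.compile(r"Verb '([A-Za-z]+)'")

def parse_rejections(log_text):
    """Return one dict per rejected request: client ip, the reason text, and
    the blocked item ('.ext' or 'VERB') that triggered the rule."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        reason = m.group("reason")
        item = EXT_RE.search(reason) or VERB_RE.search(reason)
        rows.append({"ip": m.group("ip"), "reason": reason,
                     "item": item.group(1) if item else None})
    return rows

def summarize(rows, trusted_prefixes):
    """Count blocked items and list those requested only by trusted clients:
    candidates for an extension or verb the application needs that the
    urlscan.ini allow lists do not yet contain. trusted_prefixes is an
    assumption about which addresses belong to the trusted client."""
    counts = Counter()
    clients = defaultdict(set)
    for r in rows:
        if r["item"] is None:
            continue
        counts[r["item"]] += 1
        clients[r["item"]].add(r["ip"])
    suspects = sorted(item for item, ips in clients.items()
                      if all(ip.startswith(trusted_prefixes) for ip in ips))
    return counts, suspects

if __name__ == "__main__":
    counts, suspects = summarize(parse_rejections(SAMPLE_LOG), ("192.168.5.",))
    print(counts)
    print("review these allow-list entries:", suspects)
```

Items blocked only for untrusted addresses (here '.ida' and '.exe') are left alone; the rejections are doing their job there.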
