Re: REPOST: IIS4 Security Advice
From: Killer Squid (killersquid2002@yahoo.co.uk)
Date: 05/17/02
x y,
Thanks for the list of ideas. Luckily, our web site is not going to be
directly exposed to the Internet, but rather to a third-party over a
leased line.
We have the SP6a service pack on (Windows NT4.0), and the NT security
will be implemented by the Network Team here.
As far as IIS is concerned, I have applied the latest cumulative
security patch, deleted all web sites and directories apart from our
application's (in MMC, and the file system).
I set minimal permissions on the Master WWW Service (Permissions -
None, Access - Log Access only, IP Restrictions - all denied except 3
groups), and cascaded them down.
Set the Default Web Site to additionally have Read and Script Access.
Set 1 sub-directory to have Execute access (but not Read).
Then went through much the same with MTS - setting it to use the
IWAM_<Machine> user, setting roles for the packages we use - only
allowing the IUSR_<Machine> to access the components (called from .asp
pages)... etc
Anyway, the application still works, which is a pleasant surprise ;-)
So, I want to look at URLScan next week, and then get into the NTFS
security issues for the local "Web Application" and "Web Anonymous
Users" groups with the Network guys.
Any other hints or tips?
Thanks again for your post - a great help.
Patrick
"x y" <jamescagney90210@excite.com> wrote in message news:<uZEIMYN$BHA.1692@tkmsftngp05>...
<snip>
> Well, I assume you know you need more than the latest IIS security patch,
> but also windows 2000 patches and service packs [latest is SP2, should be
> installed first before other patches], and there are some components that
> are usually not considered part of IIS but need to be patched anyway, such
> as Index Server. www.microsoft.com/security will let you search for all
> required updates for each technology you are running [e.g. one search for
> win 2000, one for IIS, one for Index Server, etc.]
>
> The link above will also have a checklist of other things suggested to
> secure your system. IISlockdown will take care of a lot of them. I think
> one of the recommendations is usually to create a separate partition/drive
> for the IIS web files and nothing else. Another one is to enable auditing
> of files and registry keys at the root of HKLM and below, especially all
> failed access and successful deletion, etc. After installing iislockdown
> including urlscan, you will want to modify your urlscan.ini file to tighten
> some things up [like make sure allow action and allow extension are being
> used instead of deny], and loosen other things up [like allowing certain
> special file extensions that might be required by your app]. After you
> restart IIS, you should check the urlscan.log file from time to time to see
> what is being blocked and see whether valid client requests are being
> blocked accidentally.
>
> Other suggested security tools are www.gfi.com LANguard file integrity
> checker, www.mynetwatchman.com software [both are free], have a software and
> hardware firewall starting with Sygate and Netgear at the inexpensive end,
> etc. etc.
>
> None of these resources tell you much about application security, though.
> Hopefully your programmers or someone over them is someone expert at current
> security issues and how to resolve them in a web app. Authentication
> methods and permissions are two things to consider... SQL injection is a
> common type of problem... .asp pages should be careful not to return
> sensitive information to the user... applications that pass sensitive
> variables like user ID or account number in the URL are a frequent cause of
> hacking... etc. etc. The books Incident Response and Hacking Exposed vol 3
> are two good introductions to security that deal a little with this sort of
> thing.
>
> Depending on your security needs, you may want to consider setting up one or
> more firewalls into a DMZ to protect your web servers from your network
> and/or vice versa.
>
> Once everything is set up, I like to use the command
> NETSTAT -AN>>c:\netstat.txt or NETSTAT -A>>C:\netstat.txt and also
> fport>>c:\fport.txt to capture the currently open IP ports and what
> services are listening on them. This may help you if you suspect that a
> hacker has compromised your server and installed some service or software on
> it. Fport is free for download from foundstone.com along with a lot of
> other useful security goodies. www.sysinternals.com also has useful free
> tools for researching possible intrusions and setting up correct file
> permissions, such as pstools [including psloggedon], process explorer,
> regmon and filemon.
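Added example (not from either poster): the urlscan.ini tightening the quoted reply describes, with the weaker deny-list configuration beside an allow-list one. The [Options] keys and section names are the ones URLScan's own urlscan.ini uses; the particular extensions allowed are an assumption standing in for whatever the application on this server actually serves, and must be adjusted from the urlscan.log review the reply recommends.

```ini
; --- Weaker form: everything is allowed unless it is listed as denied. ---
; A forgotten or unusual extension (.htr, .ida, .printer ...) slips through.
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
.bat
.cmd
.com
.htr
.ida
.idq
.printer
.shtml
.stm

; --- Tightened form: nothing is served unless its extension is listed. ---
; UseAllowExtensions=1 switches URLScan from [DenyExtensions] to
; [AllowExtensions]; everything else (.htr, .ida, .printer, .exe ...)
; is rejected without having to be named.  RemoveServerHeader=1 stops
; IIS announcing its version.  The extension list below is an ASSUMPTION
; for an .asp application with static images; extend it only for
; extensions that show up as blocked valid requests in urlscan.log.
[Options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.htm
.html
.gif
.jpg
.jpeg
.css
.js

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyUrlSequences]
..
./
\
:
%
&
```

AllowDotInPath=0 together with a short [AllowExtensions] list is what gives the most coverage: a request whose path contains a dot anywhere other than the final extension is rejected, so directory-traversal and encoded-path tricks never reach the file system. Only the second [Options] block belongs in a live urlscan.ini; the two are shown side by side to make the difference visible.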
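Added example (not code from either poster): the NETSTAT -AN and fport snapshots the quoted reply suggests are only useful if the later snapshot is compared against the baseline. This script does that comparison offline, reporting listening sockets that appeared or vanished and naming the owning process for new ones from the fport output. The two netstat captures and the fport capture below are constructed for the example; their line layout follows what NT4/2000 netstat -an and Foundstone's fport print, and the nc.exe listener in the second capture is an invented illustration of what a comparison should surface, not a real finding.

```python
"""Compare a baseline 'netstat -an' capture with a later one and annotate
new listeners with the owning process taken from an fport capture.

All three captures below are CONSTRUCTED sample data for this example.
"""
import re

# Constructed baseline: the box right after hardening (IIS on 80, RPC, NetBIOS).
BASELINE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    10.1.2.3:137           *:*
"""

# Constructed later capture: a listener on 31337 has appeared and is in use.
CURRENT_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:80            10.9.8.7:1044          ESTABLISHED
  TCP    10.1.2.3:31337         192.0.2.55:4321        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    10.1.2.3:137           *:*
"""

# Constructed fport capture taken at the same time as CURRENT_NETSTAT.
CURRENT_FPORT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1016  inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1340  nc             ->  31337 TCP   C:\WINNT\Temp\nc.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
"""

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
# One fport row: pid, process, '->', port, proto, optional image path.
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_listeners(netstat_text):
    """Return the set of (proto, local_ip, port) sockets that accept input:
    TCP sockets in LISTENING state and every bound UDP socket (UDP has no
    state column).  Client-side and ESTABLISHED rows are ignored."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, ip, int(port)))
    return listeners


def parse_fport(fport_text):
    """Map (proto, port) -> (pid, process name, image path) from fport output."""
    owners = {}
    for line in fport_text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        owners[(proto, int(port))] = (int(pid), proc, path)
    return owners


def diff_listeners(baseline_text, current_text, fport_text=None):
    """Return (new, gone): listeners present now but not in the baseline,
    each annotated with its owning process when fport data is given, and
    baseline listeners that have disappeared."""
    before = parse_listeners(baseline_text)
    after = parse_listeners(current_text)
    owners = parse_fport(fport_text) if fport_text else {}
    new = []
    for proto, ip, port in sorted(after - before):
        pid, proc, path = owners.get((proto, port), (None, "?", ""))
        new.append({"proto": proto, "ip": ip, "port": port,
                    "pid": pid, "process": proc, "path": path})
    gone = sorted(before - after)
    return new, gone


if __name__ == "__main__":
    new, gone = diff_listeners(BASELINE_NETSTAT, CURRENT_NETSTAT, CURRENT_FPORT)
    for n in new:
        print("NEW  %s %s:%d  pid=%s %s %s" % (n["proto"], n["ip"], n["port"],
                                               n["pid"], n["process"], n["path"]))
    for proto, ip, port in gone:
        print("GONE %s %s:%d" % (proto, ip, port))
```

In real use, read the baseline from the c:\netstat.txt and c:\fport.txt files captured after lockdown and the current captures from fresh runs; the comparison only trusts what it is given, so keep the baseline copies off the server, since anything an intruder can edit is not a baseline.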