Re: How to secure IIS?

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 03/02/03 

From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
Date: Sun, 2 Mar 2003 10:02:49 -0500

For your situation, the most secure solution will only take you a minute to
do: just configure your personal and/or network firewall so that 127.0.0.1
is the only IP address that is able to access TCP ports 80 and 443 on your
computer. If you didn't want to do anything else, that alone would keep
your IIS pretty safe. [Though you'd still really want to consider hardening
XP as well, because even if you don't install IIS, there are still a number
of easy attacks you may be vulnerable to.]

If you think Windows 98 is secure, you're mistaken. Win98 is exceptionally
easy to attack, if there's no firewall... and PWS is known to leak memory,
so that it needs constant reboots. Unless you have a firewall, very
possibly you've been hacked but Win98 has no log files that would let you
know this.

You're fairly secure if you 1) get patches from www.windowsupdate.com, 2)
run IISlockdown that includes URLScan from
www.microsoft.com/technet/security [this automates most of the things in the
IIS security checklists] 3) install firewall and antivirus, such as the free
XP ICF firewall http://securityadmin.info/faq.htm#icf or the free
www.sygate.com firewall and www.grisoft.com antivirus. This shouldn't take
you too much time to do. How much work you do depends on how secure you
want to be. If you think securing your computer is a lot of work,
responding to an intrusion is more work.

More information is at:

http://securityadmin.info/faq.htm#harden

"Walter E." <wer25@yahoo.com> wrote in message
news:ppi8a.19969$aa.7240820@twister.socal.rr.com...
> Thank you, BB.
>
> This is truly daunting and discouraging. All this stuff to maintain a
simple
> website? I'll just dual-boot my old PWS with FP2000 on Win98.
>
> Well, not your fault, of course. Just a reflection on the complexity of
> modern life.
>
> Walter
> www.rationality.net
>
>
> "BB" <Bernard_at_3exp.com> wrote in message
> news:#8XTruH4CHA.2332@TK2MSFTNGP10.phx.gbl...
> > Start reading
> >
> > Security
> >
> > 1) Start
> > To get the latest info regarding Microsoft products.
> > Microsoft Security
> > www.microsoft.com/security/
> >
> > and remember to subscribe the security bulletin, this give you first
> > hand information about security issue related to Microsoft products.
> >
> > Check your system patch status
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> current.asp
> > select your product and latest service packs you have, then hit the 'go'
> > button
> >
> >
> > 2) Securing IIS Server
> > IIS Tools and Checklists
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> tools/tools.asp
> >
> > Use MBSA and HFNetChk
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> tools/tools/hfnetchk.asp
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> tools/Tools/MBSAhome.asp
> >
> > HOW TO Install and Use the IIS Lockdown Wizard
> > http://support.microsoft.com/?id=325864
> >
> > List of Services Needed to Run a Secure IIS Computer
> > http://support.microsoft.com/?id=189271
> >
> >
> > IIS 4.0
> > Practical Recommendations for Securing Internet-Connected Windows NT
> Systems
> > http://support.microsoft.com/?id=164882
> >
> > Baseline Security Procedures for IIS 4.0 Server Builds
> >
>
http://www.microsoft.com/windows2000/community/centers/iis/articles/021206.a
> sp
> >
> >
> > IIS 5.0
> > Resources for Securing Internet Information Services
> > http://support.microsoft.com/?id=282060
> >
> > IIS 5 HiSecWeb Potential Risks and the IIS Lockdown Tool
> > http://support.microsoft.com/?id=316347
> >
> > Microsoft TechNet - Make your web server secure
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> tools/chklist/wsrvsec.asp
> >
> > Building and Configuring More Secure Web Sites
> >
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/ht
> ml/openhack.asp
> >
> >
> > 3) Extra
> > Securing your IIS server is only part of you security policy or plan. IT
> > security cover few
> > areas, including network, application, physical and etc. You need to
have
> > security policy
> > on network, such as firewall and intrusion detection system (IDS),
> antivirus
> > program, password
> > policy, log auditing and etc.
> >
> > Windows Update
> > http://windowsupdate.microsoft.com
> >
> > Securing Windows
> > http://securityadmin.info/faq.htm#harden
> >
> > Security Recommendation Guides -- National Security Agency --
> > http://nsa1.www.conxion.com/
> >
> > SAN
> > http://www.sans.org
> >
> >
> >
> >
> >
> >
> > "Walter E." <wer25@yahoo.com> wrote in message
> > news:wt68a.19310$aa.6292758@twister.socal.rr.com...
> > > I am switching from win98se to XP. Therefore I am losing my old PWS 4
> and
> > > will have to use IIS.
> > >
> > > I only use a web server plus FrontPage 2002 to develop and upload to
my
> > > webhost a single website from time to time.
> > >
> > > The old PWS was impervious to attack (nobody bothered), whereas IIS
> seems
> > to
> > > be susceptible to all kinds of malware and attacks.
> > >
> > > What is the minimum I need to do to secure my IIS in view of my
limited
> > > activities? I use AVG virus checker and Zone Alarm Pro. Is that enough
> > > protection?
> > >
> > > Thanks for any help
> > >
> > > Walter
> > >
> > >
> >
> >
>
> 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003