Re: How to secure IIS?

From: Walter E. (wer25@yahoo.com)
Date: 03/02/03

    From: "Walter E." <wer25@yahoo.com>
    Date: Sun, 02 Mar 2003 19:11:41 GMT
    
    

    Thank you very much, Karl

    > just configure your personal and/or network firewall so that 127.0.0.1
    > is the only IP address that is able to access TCP ports 80 and 443 on your
    > computer.

    Sounds great! Would that still allow me to upload to my webhost? I am using
    Zone Alarm Pro as a firewall. By any chance, could you give me a clue how to
    configure it so that only the localhost can access 80 and 443?

    Have a great day

    Walter
    www.rationality.net

    "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
    news:OGk#OwM4CHA.1624@TK2MSFTNGP11.phx.gbl...
    > For your situation, the most secure solution will only take you a minute to
    > do: just configure your personal and/or network firewall so that 127.0.0.1
    > is the only IP address that is able to access TCP ports 80 and 443 on your
    > computer. If you didn't want to do anything else, that alone would keep
    > your IIS pretty safe. [Though you'd still really want to consider hardening
    > XP as well, because even if you don't install IIS, there are still a number
    > of easy attacks you may be vulnerable to.]
    >
    > If you think Windows 98 is secure, you're mistaken. Win98 is exceptionally
    > easy to attack, if there's no firewall... and PWS is known to leak memory,
    > so that it needs constant reboots. Unless you have a firewall, very
    > possibly you've been hacked but Win98 has no log files that would let you
    > know this.
    >
    > You're fairly secure if you 1) get patches from www.windowsupdate.com, 2)
    > run IISlockdown that includes URLScan from
    > www.microsoft.com/technet/security [this automates most of the things in the
    > IIS security checklists] 3) install firewall and antivirus, such as the free
    > XP ICF firewall http://securityadmin.info/faq.htm#icf or the free
    > www.sygate.com firewall and www.grisoft.com antivirus. This shouldn't take
    > you too much time to do. How much work you do depends on how secure you
    > want to be. If you think securing your computer is a lot of work,
    > responding to an intrusion is more work.
    >
    > More information is at:
    >
    > http://securityadmin.info/faq.htm#harden
    >
    >
    > "Walter E." <wer25@yahoo.com> wrote in message
    > news:ppi8a.19969$aa.7240820@twister.socal.rr.com...
    > > Thank you, BB.
    > >
    > > This is truly daunting and discouraging. All this stuff to maintain a simple
    > > website? I'll just dual-boot my old PWS with FP2000 on Win98.
    > >
    > > Well, not your fault, of course. Just a reflection on the complexity of
    > > modern life.
    > >
    > > Walter
    > > www.rationality.net
    > >
    > >
    > > "BB" <Bernard_at_3exp.com> wrote in message
    > > news:#8XTruH4CHA.2332@TK2MSFTNGP10.phx.gbl...
    > > > Start reading
    > > >
    > > > Security
    > > >
    > > > 1) Start
    > > > To get the latest info regarding Microsoft products.
    > > > Microsoft Security
    > > > www.microsoft.com/security/
    > > >
    > > > and remember to subscribe to the security bulletin; this gives you first-hand
    > > > information about security issues related to Microsoft products.
    > > >
    > > > Check your system patch status
    > > >
    > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
    > > > select your product and latest service packs you have, then hit the 'go'
    > > > button
    > > >
    > > >
    > > > 2) Securing IIS Server
    > > > IIS Tools and Checklists
    > > >
    > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
    > > >
    > > > Use MBSA and HFNetChk
    > > >
    > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/hfnetchk.asp
    > > >
    > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
    > > >
    > > > HOW TO Install and Use the IIS Lockdown Wizard
    > > > http://support.microsoft.com/?id=325864
    > > >
    > > > List of Services Needed to Run a Secure IIS Computer
    > > > http://support.microsoft.com/?id=189271
    > > >
    > > >
    > > > IIS 4.0
    > > > Practical Recommendations for Securing Internet-Connected Windows NT Systems
    > > > http://support.microsoft.com/?id=164882
    > > >
    > > > Baseline Security Procedures for IIS 4.0 Server Builds
    > > >
    > > > http://www.microsoft.com/windows2000/community/centers/iis/articles/021206.asp
    > > >
    > > >
    > > > IIS 5.0
    > > > Resources for Securing Internet Information Services
    > > > http://support.microsoft.com/?id=282060
    > > >
    > > > IIS 5 HiSecWeb Potential Risks and the IIS Lockdown Tool
    > > > http://support.microsoft.com/?id=316347
    > > >
    > > > Microsoft TechNet - Make your web server secure
    > > >
    > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/wsrvsec.asp
    > > >
    > > > Building and Configuring More Secure Web Sites
    > > >
    > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp
    > > >
    > > >
    > > > 3) Extra
    > > > Securing your IIS server is only part of your security policy or plan. IT
    > > > security covers a few areas, including network, application, physical, etc.
    > > > You need to have a security policy on the network, such as firewall and
    > > > intrusion detection system (IDS), antivirus program, password policy, log
    > > > auditing, etc.
    > > >
    > > > Windows Update
    > > > http://windowsupdate.microsoft.com
    > > >
    > > > Securing Windows
    > > > http://securityadmin.info/faq.htm#harden
    > > >
    > > > Security Recommendation Guides -- National Security Agency --
    > > > http://nsa1.www.conxion.com/
    > > >
    > > > SANS
    > > > http://www.sans.org
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > > > "Walter E." <wer25@yahoo.com> wrote in message
    > > > news:wt68a.19310$aa.6292758@twister.socal.rr.com...
    > > > > I am switching from win98se to XP. Therefore I am losing my old PWS 4 and
    > > > > will have to use IIS.
    > > > >
    > > > > I only use a web server plus FrontPage 2002 to develop and upload to my
    > > > > webhost a single website from time to time.
    > > > >
    > > > > The old PWS was impervious to attack (nobody bothered), whereas IIS seems to
    > > > > be susceptible to all kinds of malware and attacks.
    > > > >
    > > > > What is the minimum I need to do to secure my IIS in view of my limited
    > > > > activities? I use AVG virus checker and Zone Alarm Pro. Is that enough
    > > > > protection?
    > > > >
    > > > > Thanks for any help
    > > > >
    > > > > Walter
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
    >
    >
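
Added example, not part of the thread and not written by any of the posters: a check related to the advice quoted above about limiting TCP ports 80 and 443 to 127.0.0.1. It parses Windows `netstat -an` output and lists web listeners that are bound to a non-loopback address, which are the ones that rely entirely on the firewall rule. The function name and the sample output are constructed for illustration.

```python
import ipaddress

WEB_PORTS = {80, 443}

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:443          0.0.0.0:0              LISTENING
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def firewall_dependent_listeners(netstat_text, ports=WEB_PORTS):
    """Return (address, port) for TCP listeners on `ports` not bound to loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only listening TCP sockets matter; skip headers, UDP, and outbound
        # connections whose *remote* port happens to be 80 or 443.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        # IPv6 addresses are printed as [addr] and may carry a %zone suffix.
        host = host.strip("[]").split("%")[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparseable local address: ignore the line
        if not addr.is_loopback:
            findings.append((str(addr), int(port)))
    return findings


if __name__ == "__main__":
    for addr, port in firewall_dependent_listeners(SAMPLE_NETSTAT):
        print(f"{addr}:{port} is not loopback-only; the firewall rule is the only barrier")
```

An empty result means every listener on the checked ports is bound to loopback; any entry returned stays protected only while the firewall rule remains in place.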