Re: default scripts and manuals




David Wang [Msft] wrote:
I'm actually interested in what sort of things are in your 19 pages for
IIS6...

To be honest, very little for IIS itself. It's mainly disabling
unneeded services and accounts, restricting some rights for the
accounts that stay in place and adding an IPsec policy to restrict
network traffic. The latter is only done if there's more than one
server in the DMZ. Oh, and another thing we do is place a restricting
robots.txt.

I can't post the whole thing since that's classified company
confidential. I got a lot of inspiration from this:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a14eeb71-c583-48b7-9d2c-083e81095d6e.mspx?mfr=true

The tricky bit is always getting the ASP application settings right;
it often takes quite a few mails between me and the developers.


Jeroen
http://wijnands.blogspot.com

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

<jeroen.wijnands@xxxxxxxxx> wrote in message
news:1145629629.728099.197530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Kevin1aB wrote:
Hello,
I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
jabber server. No public exposure for the IIS.
On a recent security audit by outside consultant, they recommended the
following:

... the default scripts and manual pages are installed and should be
removed from IIS.

Not being much of an IIS admin, can I get some direction to verify and
clean up if needed?

Thanks In advance,

Kevin B
--
RHCE, Linux+ and MCP

I get the impression your auditor wasn't fully up to speed on IIS 6.0.
Previous versions of IIS came with a web admin toolset, examples and
help. Vulnerabilities were often found in these components, so everyone
disabled them or removed them.

On 6 it's nowhere near the issue it used to be. You can still add some
of these components but the default install is nice and clean.

As a comparison, I've done some hardening documentation for IIS
environments. On 4 the document was over 100 pages, on 5 it was 54
pages and on 6 my document is 19 pages.

Jeroen
MCSA
http://wijnands.blogspot.com
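To check the auditor's finding against the box itself rather than against either side's memory of what IIS 6 installs by default, here is an added example (not code from this thread, from Jeroen's hardening document, or from Microsoft) that audits a copy of IIS 6's configuration store, %SystemRoot%\system32\inetsrv\MetaBase.xml, offline. It walks every IIsWebVirtualDir element and flags the virtual directories that IIS 4/5 created by default (IISHelp, IISSamples, IISAdmin, MSADC, Scripts, Printers, ...), directories with AccessExecute or write-plus-script permissions, and script maps for extensions that the older hardening guides and URLScan's default DenyExtensions list remove. The legacy name and extension lists are this example's own choices, and the sample metabase embedded below is constructed for the example; copy the real file off the server (or point the script at it) to audit a live host.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Virtual directory names that IIS 4/5 created by default (sample code, help,
# the web-based admin tool, RDS, the Scripts directory) and that hardening
# guides for those versions told you to remove. A default IIS 6 install
# creates none of them, so finding one means it was added or carried over.
# This list is the example's own selection, not an official inventory.
LEGACY_VDIRS = {"iishelp", "iissamples", "iisadmin", "iisadmpwd",
                "msadc", "scripts", "printers", "_vti_bin"}

# Script-map extensions that the same guides remove when the handler behind
# them is not needed (the core of URLScan's default DenyExtensions list).
LEGACY_EXTENSIONS = {".htr", ".idc", ".ida", ".idq", ".htw", ".printer",
                     ".shtm", ".shtml", ".stm"}


def local_name(tag):
    """Strip the metabase XML namespace ('{urn:...}IIsWebVirtualDir')."""
    return tag.rsplit("}", 1)[-1]


def parse_script_maps(value):
    """Return (extension, handler) pairs from a ScriptMaps attribute.

    On disk each map is on its own line ('ext,handler,flags,verbs'), but XML
    attribute-value normalisation turns those newlines into spaces, so split
    at whitespace that precedes the next '.ext,' or '*,' token instead of
    relying on line breaks. Handler paths may contain spaces; they never
    contain a space followed by a dot-prefixed token, so the split is safe.
    """
    maps = []
    for entry in re.split(r"\s+(?=[.*][^\s,]*,)", value.strip()):
        parts = entry.split(",")
        if len(parts) >= 2 and parts[0]:
            maps.append((parts[0].lower(), parts[1]))
    return maps


def audit_metabase(xml_text):
    """Return sorted, de-duplicated (metabase location, finding) tuples."""
    findings = set()
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "IIsWebVirtualDir":
            continue
        location = elem.get("Location", "")          # e.g. /LM/W3SVC/1/ROOT/Scripts
        name = location.rsplit("/", 1)[-1].lower()
        flags = {f.strip() for f in elem.get("AccessFlags", "").split("|")}

        if name in LEGACY_VDIRS:
            findings.add((location, "legacy default virtual directory"))
        if "AccessExecute" in flags:
            findings.add((location, "AccessExecute set"))
        if "AccessWrite" in flags and flags & {"AccessScript", "AccessExecute"}:
            findings.add((location, "AccessWrite combined with script or execute"))
        for ext, handler in parse_script_maps(elem.get("ScriptMaps", "")):
            if ext in LEGACY_EXTENSIONS:
                findings.add((location, "script map %s -> %s" % (ext, handler)))
    return sorted(findings)


# Constructed sample in MetaBase.xml's layout: a clean default site, a WSUS
# virtual directory, plus two leftovers an upgrade from IIS 5 might carry.
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript"
    AppRoot="/LM/W3SVC/1/ROOT"
    Path="C:\inetpub\wwwroot"
    ScriptMaps=".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .idc,C:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST
        .shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Scripts"
    AccessFlags="AccessExecute"
    Path="C:\inetpub\scripts">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/IISHelp"
    AccessFlags="AccessRead | AccessScript"
    Path="C:\WINDOWS\help\iisHelp">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/WSUS"
    AccessFlags="AccessRead | AccessScript"
    Path="C:\Program Files\Update Services\WebServices">
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""

if __name__ == "__main__":
    # Usage: python audit_metabase.py [path\to\MetaBase.xml]
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METABASE
    for location, finding in audit_metabase(text):
        print("%-32s %s" % (location, finding))
```

A clean IIS 6 default install produces no "legacy default virtual directory" line; the remaining checks are the ones worth keeping in a recurring job, since a script map or AccessExecute flag can be re-added by an installer long after the initial hardening. The metabase is only half the picture on IIS 6: a mapped handler still does nothing unless its Web Service Extension is allowed, so a hit here is a reason to look at the Web Service Extensions list, not proof of exposure.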




