Introduction
This document lists some recommendations and best practices to improve the security of a server on the Web running Internet Information Services (IIS) 5.
Important: The purpose of this article is to give instructions for configuring a baseline level of security on IIS 5 servers. Additional advanced settings are provided in the complete IIS 5 security checklist on the Microsoft TechNet Security Web site.
Internet Information Services 5 Settings
• Secure Windows 2000
• Run the IIS Lockdown Tool
• Customize UrlScan configuration
• Set appropriate ACLs on virtual directories
• Set appropriate IIS Log file ACLs
• Enable logging
• Disable or remove all sample applications
• Remove the IISADMPWD virtual directory
• Remove unused script mappings
• Harden metabase permissions
• Harden ASP.NET configuration
Microsoft Internet Information Services 5 Security Checklist Details
Secure Windows 2000
Refer to the Windows 2000 Server Baseline Security Checklist for information about securing the base platform on which IIS will be hosted.
Run the IIS Lockdown Tool
The IIS Lockdown Tool is a configurable utility that asks you to specify the application role played by your IIS server. It will then remove any functionality that is not required for the particular Web server role. You should thoroughly test any changes before implementing them in a production environment.
Customize UrlScan Configuration
The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes HTTP requests before IIS processes them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers a significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for the file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.
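As an added example (not UrlScan's own code and not part of the checklist), the following Python models what an extension allow list does to a request: the path is decoded once, rejected if it is still encoded or contains a denied sequence, and then admitted only if its extension is in the set the application actually serves. The allowed-extension set is an assumption for a hypothetical static-plus-ASP site; the denied sequences follow UrlScan's default DenyUrlSequences list.

```python
"""Extension allow-list request screening in the style of UrlScan.

Added example, not UrlScan's own code and not part of the checklist. It
models the two behaviours the text relies on: normalize the request URL
before deciding, then allow only the extensions the application serves.
"""
import posixpath
from urllib.parse import unquote

# Assumption: the application serves only ASP pages, HTML and a few static
# types. "" admits directory requests (default documents) with no extension.
ALLOWED_EXTENSIONS = {".asp", ".htm", ".html", ".txt", ".gif", ".jpg", ""}

# Modeled on UrlScan's default DenyUrlSequences list: ".." and "./" cover
# traversal, "\\" and ":" cover Windows path tricks, "%" catches an escape
# that survived decoding, "&" keeps ampersands out of the path portion.
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "&")


def screen(url):
    """Return (allowed, reason) for a request URL, deciding on the path only.

    Order matters: decode first so an encoded ".." or ".ida" cannot slip
    past a check that looks at the raw bytes, then reject anything that is
    still encoded after one pass (UrlScan's VerifyNormalization option does
    the same), then check denied sequences, and finally the extension.
    """
    path = url.partition("?")[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return False, "double-encoded path"
    for seq in DENIED_SEQUENCES:
        if seq in decoded:
            return False, "denied sequence %r" % seq
    ext = posixpath.splitext(decoded)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not in allow list" % (ext or "(none)")
    return True, "allowed"


def screen_all(urls):
    """Screen a batch of request URLs; returns {url: (allowed, reason)}."""
    return {u: screen(u) for u in urls}


if __name__ == "__main__":
    # Constructed requests: two legitimate, the rest asking for extensions
    # or encodings the checklist tells you to shut off.
    for u, (ok, why) in screen_all([
        "/default.asp?id=7",
        "/images/Logo.GIF",
        "/default.ida",
        "/scripts/search.idq",
        "/printers/list.printer",
        "/scripts/..%5c../private/data.txt",
        "/default%252easp",
    ]).items():
        print("%-40s %s (%s)" % (u, "ALLOW" if ok else "DENY ", why))
```

Note that a directory request such as /iisadmpwd/ passes the extension check, which is why the checklist still tells you to remove unused virtual directories and script mappings rather than rely on UrlScan alone.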
Set appropriate ACLs on virtual directories
The IIS Lockdown Tool improves file permissions; however, you should further refine these permissions for your specific application. Although this procedure is somewhat application-dependent, some rules of thumb apply:

File type                                   Recommended ACL
CGI (.exe, .dll, .cmd, .pl)                 Everyone (X), Administrators (Full Control), System (Full Control)
Script files (.asp)                         Everyone (X), Administrators (Full Control), System (Full Control)
Include files (.inc, .shtm, .shtml)         Everyone (X), Administrators (Full Control), System (Full Control)
Static content (.txt, .gif, .jpg, .html)    Everyone (R), Administrators (Full Control), System (Full Control)

Recommended default ACLs by file type.
Rather than setting ACLs on each file, you are better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:
• C:\inetpub\wwwroot\myserver\static (.html)
• C:\inetpub\wwwroot\myserver\include (.inc)
• C:\inetpub\wwwroot\myserver\script (.asp)
• C:\inetpub\wwwroot\myserver\executable (.dll)
• C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Also, be aware that two directories need special attention:
• C:\inetpub\ftproot (FTP server)
• C:\inetpub\mailroot (SMTP server)
The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
Set appropriate IIS Log file ACLs
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
• Administrators (Full Control)
• System (Full Control)
• Everyone (RWC)
This is to help prevent malicious users from deleting the files to cover their tracks.
Enable logging
Logging is paramount when you want to determine whether your server is being attacked. You should use the W3C Extended Log File Format by following this procedure:
1. Load the Internet Information Services tool.
2. Right-click the site in question, and choose Properties from the context menu.
3. Click the Web Site tab.
4. Check the Enable Logging check box.
5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.
6. Click Properties, click the Extended Properties tab, and set the following properties:
   • Client IP Address
   • User Name
   • Method
   • URI Stem
   • HTTP Status
   • Win32 Status
   • User Agent
   • Server IP Address
   • Server Port
The latter two properties are useful only if you host multiple Web sites on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.
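The procedure above produces W3C Extended logs, and the text says to look for Win32 status 5. As an added example (not part of the checklist), the following Python parses such a log using the #Fields directive, picks out access-denied events per client, and flags requests for the legacy extensions whose script mappings this checklist removes. The log excerpt is constructed for illustration; the column names are the W3C Extended field names for the properties the procedure enables.

```python
"""Parse IIS W3C Extended log lines and flag access-denied and probe traffic.

Added example, not part of the checklist. The log excerpt is constructed;
the column names are the W3C Extended field names for the properties the
logging procedure tells you to enable.
"""
import posixpath
from collections import Counter

# Extensions whose script mappings the checklist tells you to remove; any
# request for them after that is a probe worth noticing.
LEGACY_EXTENSIONS = {".htr", ".idc", ".stm", ".shtm", ".shtml",
                     ".printer", ".htw", ".ida", ".idq"}

# Constructed sample log. IIS writes "-" for an empty field and "+" for
# spaces inside the User-Agent, so every record splits on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-15 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-06-15 10:00:01 192.0.2.10 - 198.51.100.5 80 GET /default.asp 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-15 10:00:02 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-15 10:00:03 192.0.2.44 - 198.51.100.5 80 GET /iisadmpwd/ 401 5 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-15 10:00:04 192.0.2.44 jsmith 198.51.100.5 80 GET /iisadmpwd/ 401 5 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-15 10:00:05 192.0.2.44 - 198.51.100.5 80 GET /msadc/ 403 5 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-15 10:00:06 192.0.2.44 - 198.51.100.5 80 GET /scripts/search.idq 404 2 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-15 10:00:07 192.0.2.44 - 198.51.100.5 80 GET /default.ida 404 2 Mozilla/4.0+(compatible;+MSIE+5.5)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields.

    The format is self-describing: the #Fields directive names the columns,
    so positions are never hard-coded. Other #-directives are skipped.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch in line: %s" % line)
        yield dict(zip(fields, values))


def access_denied(records):
    """Records whose Win32 status is 5 (ERROR_ACCESS_DENIED), the code the
    checklist says to look out for."""
    return [r for r in records if r.get("sc-win32-status") == "5"]


def denied_by_client(records):
    """Count access-denied events per client IP to spot a probing host."""
    return Counter(r["c-ip"] for r in access_denied(records))


def legacy_extension_requests(records, extensions=LEGACY_EXTENSIONS):
    """Records requesting an extension whose mapping should have been removed."""
    hits = []
    for r in records:
        ext = posixpath.splitext(r.get("cs-uri-stem", ""))[1].lower()
        if ext in extensions:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("access denied per client:", dict(denied_by_client(recs)))
    for r in legacy_extension_requests(recs):
        print("legacy extension probe:", r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], r["sc-status"])
```

Because the parser reads the column layout from the #Fields directive, it keeps working if you later add or reorder properties in the Extended Properties tab; a hard-coded column index would silently misread the log.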
Disable or remove all sample applications
Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, they should still be removed.
The following table lists the default locations for some of the samples.

Sample              Virtual directory   Location
IIS Samples         \IISSamples         c:\inetpub\iissamples
IIS Documentation   \IISHelp            c:\winnt\help\iishelp
Data Access         \MSADC              c:\program files\common files\system\msadc

Sample files included with Internet Information Services 5.
Remove the IISADMPWD virtual directory
This directory allows users to reset Windows NT and Windows 2000 passwords over the Web. It is designed primarily for intranet scenarios and is not installed as part of IIS 5; however, it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use it on an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.
Remove unused script mappings
IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:
1. Open Internet Services Manager.
2. Right-click the Web server, and choose Properties.
3. Click Master Properties.
4. Select WWW Service, click Edit, click the Home Directory tab, and then click Configuration.
Remove these references:

Functionality                                                                   Extension(s)
Web-based password reset                                                        .htr
Internet Database Connector (all IIS 5 Web sites should use ADO or similar)     .idc
Server-side Includes                                                            .stm, .shtm, and .shtml
Internet Printing                                                               .printer
Index Server                                                                    .htw, .ida, and .idq
Note: Internet Printing can be configured through Group Policy as well as via the Internet Services Manager. If there is a conflict between the Group Policy settings and those in the Internet Services Manager, the Group Policy settings take precedence. If you remove Internet Printing via the Internet Services Manager, be sure to verify that it won't be re-enabled by either local or domain group policies. (The default Group Policy neither enables nor disables Internet Printing.) In the MMC Group Policy snap-in, click Computer Configuration, click Administrative Templates, click Printing, and then click Web-based Printing.
Note: Unless you have a mission-critical reason to use the .htr functionality, you should remove the .htr extension.
Harden Metabase Permissions
Security and other IIS configuration settings are maintained in the IIS Metabase file. The default file permissions could allow an attacker to directly edit the Metabase file. The NTFS permissions on the IIS Metabase file (and the backup Metabase file) should be hardened to ensure that attackers cannot modify the IIS configuration in any way. Microsoft recommends removing all file permissions to the Metabase, and granting Full Control to only Administrators and SYSTEM.
Harden ASP.NET Configuration
If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and ASP.NET in particular, to ensure ASP.NET does not increase your vulnerability to attack.
© 2001 Microsoft Corporation. All rights reserved.