Securing Your Microsoft IIS Web Server
Seminar Slides from "Microsoft IIS Security" February 6, 2002
Microsoft Resources (Administration, Hot Fixes, White Papers, Tools, etc): http://www.microsoft.com/technet/security/web.asp
Best Practice Notes (details in the Seminar Slides):
- Physical Security
  - the server should be in a locked, controlled-access room
  - the console should be left locked or logged off unless in use
  - control remote access to the console
  - rename the Administrator account and use very strong passwords
- Installation Overview - requirements and recommendations
  - hardware RAID controller - install the OS on RAID 1, data on RAID 5
  - while offline: start clean, format an NTFS partition, install the OS, patch it (use hfnetchk.asp), harden it (ACLs)
  - install only those components of IIS you need (not samples, docs, FrontPage extensions, etc.)
  - remove unneeded subsystems (POSIX, OS/2, Win16 (optional), DOS (optional))
- Configuring IIS
  - delete the default web site, unused extension mappings, and samples
  - locate the web service on a separate volume from the OS and on a single-purpose system
  - shut off all unneeded ports and services
  - get an SSL certificate if sensitive data is housed or access to web pages is authenticated
  - consider IP filtering and URLScan
- Testing the Security
  - run a network security scan of the system to check its status
  - use the NBTSTAT and NETSTAT commands to check NetBIOS names and active ports
- Logging, monitoring, and administering the system
  - turn on event logging; don't let the logs roll over often, or at all
  - IIS logs should be moved from the default location and copied frequently
  - turn on selected security auditing as needed
  - check out the free monitoring tools at sysinternals.com and foundstone.com
- Backup and Disaster Recovery
  - back up your data, registry, and metadata separately and frequently, make an emergency repair disk, and keep off-site copies of all backups
  - keep a removable-disk copy of your SSL certificate, and know the password
  - develop recovery procedures and test them
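An added example (not from the seminar slides) of the NETSTAT check under "Testing the Security": a Python script that parses saved "netstat -an" output from a Windows 2000 IIS host and flags listening sockets outside the baseline a single-purpose web server should expose. The sample netstat output and the baseline port set (HTTP, HTTPS, and SSH for OpenSSH administration) are constructed assumptions.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample of 'netstat -an' output from a Windows 2000 IIS host (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.77:1042         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Assumed baseline for a single-purpose web server: HTTP, HTTPS, and SSH for administration.
# Every other listening socket is reported so it can be shut off or justified.
EXPECTED = {("TCP", 80), ("TCP", 443), ("TCP", 22)}

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return exposed sockets: TCP rows in LISTENING state plus every UDP row."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not exposure
        found.append(Listener(proto, addr, int(port)))
    return found


def unexpected_listeners(text, expected=EXPECTED):
    """Listeners whose (proto, port) is outside the baseline, de-duplicated and sorted."""
    extra = {l for l in parse_listeners(text) if (l.proto, l.port) not in expected}
    return sorted(extra, key=lambda l: (l.proto, l.port, l.addr))


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {l.proto} port {l.port} bound on {l.addr}")
```

On a live system, redirect "netstat -an" to a file and pass its contents to unexpected_listeners(); the NetBIOS and RPC ports flagged here are the ones the "shut off all unneeded ports" item targets.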
Guidelines for Securing Web-Based Communications using SSL Certificates
Navigate to the Resources link at left for access to the SANS "Step by Step" Security documents. These are licensed PDF documents available to all University of Iowa constituents. (There are Windows 2000 and NT 4.0 operating system versions.)
Managing your IIS System
A freeware version of the "OpenSSH for Windows" package is available, based on the Cygwin OpenSSH utilities. This package is primarily for secure administration of IIS servers. It runs on Windows 9x, ME, NT, and 2000, but *not* currently on XP. See http://www.networksimplicity.com/openssh/
Automating Administration for IIS 5.0: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/maintain/optimize/autoadm2.asp
Documentation and Online Resources
The Center for Internet Security (CIS) has recently published Benchmark and Scoring Tools for Windows 2000 systems. The Benchmark is a compilation of security configuration actions and settings that "harden" Windows 2000 operating systems. It is a CIS Level-I benchmark – the prudent level of minimum due care for operating system security.
The SANS Reading Room has a large collection of papers on Windows and Windows 2000 security.