Note: This document is adapted from "Designing Secure Web-Based Applications for Microsoft Windows 2000", Microsoft Press, ISBN 0735609950.
Those familiar with the Internet Information Server 4 checklist will notice that this list is much shorter. There are two reasons for this:
- Many of the Windows 2000 system-wide settings are configurable through the provided security template (hisecweb.inf); there is no need to manually configure Registry settings.
- Some of the less-secure default settings in Microsoft Windows NT 4 and Internet Information Server 4 are disabled by default in Windows 2000 and IIS 5.
The rest of this document is broken into the following parts:
- General security considerations
- Windows 2000 security considerations
- IIS 5 security considerations
General Security Considerations
The material in this section covers general security issues.
Read Your Corporate Security Policy
Having a security policy is paramount. You need ready answers to questions like
- How do we react to a break-in?
- Where are the backups stored?
- Who is allowed to access the server?
Good sources of policy information can be found at the SANS Institute; Baseline Software, Inc.; and Practical Unix & Internet Security (O'Reilly Books, 1996).
Subscribe to the Microsoft Security Notification Service
You can stay abreast of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp. You'll get automatic notification of security issues by e-mail.
You should also consider placing a shortcut to the Microsoft Security Advisor Program on your desktop. To do so, follow these steps:
- Open Internet Explorer.
- Navigate to http://www.microsoft.com/technet/security/bulletin/notify.asp.
- Choose Add To Favorites from the Favorites menu.
- Check the Make Available Offline check box.
- Click Customize.
- Click Next in the Offline Favorite Wizard.
- Select the Yes option button, and specify that pages should be downloaded two links deep from this page.
- Click Next.
- Select the I Would Like To Create A New Schedule option button, and click Next.
- Accept the default settings, and click Next.
- Click Finish.
- Click OK.
- Choose Organize Favorites from the Favorites menu.
- Select the Microsoft TechNet Security shortcut in the Organize Favorites dialog box.
- Click Properties.
- Click the Download tab of the Microsoft TechNet Security Properties dialog box.
- Uncheck the Follow Links Outside Of This Page's Web Site check box.
- Click OK and then Close.
You can now drag the Microsoft TechNet Security shortcut from your Favorites menu to your desktop. A small red mark will appear on the icon when there is new security news.
Important: You MUST stay on top of new security issues as they arise. This cannot be stressed enough.
Windows 2000 Security Considerations
The material in this section covers security issues specific to Windows 2000.
Review, Update, and Deploy the Provided Hisecweb.inf Security Template
We've included a security template, named Hisecweb.inf, as a baseline applicable to most secure Web sites. The template configures basic Windows 2000 systemwide policy.
Hisecweb.inf can be downloaded from: http://support.microsoft.com/support/misc/kblookup.asp?id=Q316347
Perform these steps to use the template:
- Copy the template to the %windir%\security\templates directory.
- Open the Security Templates tool, and look over the settings.
- Open the Security Configuration And Analysis tool, and load the template.
- Right-click the Security Configuration And Analysis tool, and choose Analyze Computer Now from the context menu.
- Wait for the work to complete.
- Review the findings, and update the template as necessary.
- Once you're happy with the template, right-click the Security Configuration And Analysis tool and choose Configure Computer Now from the context menu.
Configure IPSec Policy
You should seriously consider setting an Internet Protocol Security (IPSec) packet-filtering policy on every Web server. This policy provides an extra level of security if your firewalls are breached. Multiple levels of security technology are often considered a good practice.
In general, you should block all TCP/IP protocols other than those you explicitly want to support and the ports you want to open. You can use the IPSec administration tool or the IPSecPol command line tool to deploy IPSec policy.
Secure the Telnet Server
If you plan to use the Telnet server included with Windows 2000, you should consider restricting the users who can access the service. To do this, perform the following steps:
- Open the Local Users And Groups tool.
- Right-click the Groups node, and choose New Group from the context menu.
- Enter TelnetClients in the Group name box.
- Click Add, and add the users who are to have telnet access to the computer.
- Click Create and then Close.
When the TelnetClients group exists, the Telnet service will allow only those users defined in the group to have access to the server.
Disable NetBIOS over TCP/IP
An attacker can run a NetBIOS Adapter Status query against a server to learn, among other things, the name of the currently logged-on user, which can then be used in further attacks. To prevent this, disable NetBIOS over TCP/IP on the server's public connections.
To disable NetBT:
- Click Start, point to Settings, and then click Network and Dial-up Connections.
- Click the network connection on which you want to disable NetBIOS over TCP, and then click Properties on the File menu.
- Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
- Click Disable NetBIOS over TCP/IP.
- Click OK, click OK, and then click OK.
Repeat this operation on all network connections on which you want to disable NetBIOS over TCP.
Warning: Before disabling NetBIOS over TCP, administrators need to ensure that doing so doesn't affect the management tools used to manage the server or any other applications running on it. For this reason, we highly recommend disabling NetBIOS over TCP on a server in a test environment before disabling it on production servers.
IIS 5 Security Considerations
The material in this section covers security issues specific to Internet Information Services 5.
Set Appropriate ACLs on Virtual Directories
Although this procedure is somewhat application-dependent, some rules of thumb apply, as described in Table F-1.

| File Type | Access Control Lists |
| --- | --- |
| CGI (.exe, .dll, .cmd, .pl) | Everyone (X), Administrators (Full Control), System (Full Control) |
| Script files (.asp) | Everyone (X), Administrators (Full Control), System (Full Control) |
| Include files (.inc, .shtm, .shtml) | Everyone (X), Administrators (Full Control), System (Full Control) |
| Static content (.txt, .gif, .jpg, .html) | Everyone (R), Administrators (Full Control), System (Full Control) |

Table F-1. Recommended default ACLs by file type.
Rather than setting ACLs on each file, you're better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:
- c:\inetpub\wwwroot\myserver\static (.html)
- c:\inetpub\wwwroot\myserver\include (.inc)
- c:\inetpub\wwwroot\myserver\script (.asp)
- c:\inetpub\wwwroot\myserver\executable (.dll)
- c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Also, be aware that two directories need special attention:
- c:\inetpub\ftproot (FTP server)
- c:\inetpub\mailroot (SMTP server)
The ACLs on both of these directories are Everyone (Full Control) and should be overridden with something tighter, depending on the functionality you need. If you are going to support Everyone (Write), place the folder on a different volume than the IIS server, or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
Set Appropriate IIS Log File ACLs
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
- Administrators (Full Control)
- System (Full Control)
- Everyone (RWC)
This helps prevent malicious users from deleting the files to cover their tracks.
Enable Logging
Logging is paramount when you want to determine whether your server is being attacked. You should use the W3C Extended Logging format by following this procedure:
- Load the Internet Information Services tool.
- Right-click the site in question, and choose Properties from the context menu.
- Click the Web Site tab.
- Check the Enable Logging check box.
- Choose W3C Extended Log File Format from the Active Log Format drop-down list.
- Click Properties.
- Click the Extended Properties tab, and set the following properties:
  - Client IP Address
  - User Name
  - Method
  - URI Stem
  - HTTP Status
  - Win32 Status
  - User Agent
  - Server IP Address
  - Server Port
The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering `net helpmsg err` on the command line, where err is the error number you are interested in.
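The following is an added example, not code from the original checklist, showing how the W3C Extended log entries configured above can be read back and the Win32 status 5 (access denied) entries the text tells you to look for can be pulled out. It is written in JScript-style JavaScript (runs under Node.js); the log lines, field list, IP addresses and paths are constructed for illustration and are not from any real server.

```javascript
// Added example (not from the Microsoft checklist): parse IIS 5 W3C Extended
// log text and flag entries whose sc-win32-status is 5 (ERROR_ACCESS_DENIED).
// SAMPLE_LOG is a constructed log fragment; the #Fields line mirrors the
// properties the checklist says to enable.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-01 00:00:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-06-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /default.htm 200 0 Mozilla/4.0
2001-06-01 00:00:07 192.0.2.10 - 198.51.100.5 80 GET /script/admin.asp 401 5 Mozilla/4.0
2001-06-01 00:00:09 192.0.2.77 bob 198.51.100.5 80 GET /include/config.inc 403 5 Mozilla/4.0
2001-06-01 00:00:15 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 0 Mozilla/4.0
`;

// Parse W3C Extended log text into an array of objects keyed by the names
// given on the most recent #Fields directive. Directive lines start with '#'.
function parseW3CLog(text) {
  let fields = null;
  const entries = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      // Only the #Fields directive affects parsing; the field order can change
      // mid-file if the log settings are changed, so keep the latest one.
      if (line.startsWith('#Fields:')) {
        fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      }
      continue;
    }
    if (!fields) continue; // data before any #Fields line cannot be interpreted
    const values = line.split(/\s+/);
    const entry = {};
    fields.forEach((name, i) => {
      entry[name] = values[i] !== undefined ? values[i] : '-';
    });
    entries.push(entry);
  }
  return entries;
}

// Entries whose Win32 status is 5, i.e. IIS was denied access to the
// requested resource by the file system or security subsystem.
function findAccessDenied(entries) {
  return entries.filter(e => e['sc-win32-status'] === '5');
}

// Count access-denied hits per client IP so repeated probing stands out.
function accessDeniedByClient(entries) {
  const counts = {};
  for (const e of findAccessDenied(entries)) {
    counts[e['c-ip']] = (counts[e['c-ip']] || 0) + 1;
  }
  return counts;
}

// Stand-alone run: list the suspicious requests in the constructed log.
const parsed = parseW3CLog(SAMPLE_LOG);
for (const e of findAccessDenied(parsed)) {
  console.log(`${e.date} ${e.time} ${e['c-ip']} ${e['cs-method']} ${e['cs-uri-stem']} -> HTTP ${e['sc-status']}, win32 ${e['sc-win32-status']}`);
}
console.log(accessDeniedByClient(parsed));
```

Because the parser is driven by the `#Fields` line rather than fixed column positions, it keeps working when you add or reorder the extended properties in the IIS tool; real log files substitute `+` for spaces inside a field value (for example in the User-Agent), which is why a plain whitespace split is sufficient.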
Set IP Address/DNS Address Restrictions
This is not a common option to set, but if you want to restrict your Web sites to certain users this is one option available to you. Note that if you enter Domain Name System (DNS) names IIS has to do a DNS lookup, which can be time-consuming.
Executable Content Validated for Trustworthiness
It's difficult to know whether executable content can be trusted. One small test is to use the DumpBin tool to see whether the executable calls certain APIs. DumpBin is included with many Win32 developer tools. For example, use the following syntax if you want to see whether a file named MyISAPI.dll calls RevertToSelf:

```cmd
dumpbin /imports MyISAPI.dll | find "RevertToSelf"
```

If no result appears on screen, MyISAPI.dll does not call RevertToSelf directly. It might call the API through LoadLibrary, in which case you could use a similar command to search for this, too.
Update Root CA Certificates at the IIS Server
This is a two-step process: The first step is adding any new root certificate authority (CA) certificates you trust—most notably, any new root CA certificates you have created by using Microsoft Certificate Services 2.0. The second step is removing all root CA certificates you don't trust. Note that if you do not know the name of the company that issued the root certificate, you should not trust them!
All root CA certificates used by IIS reside in the computer's machine store. You can access this store by following these steps:
- Open the Microsoft Management Console (MMC).
- Choose Add/Remove Snap-in from the Console menu, and click Add.
- Select Certificates and click Add.
- Click the Computer Account option button.
- Click Next.
- Select the machine in question.
- Click Finish.
- Click Close and then click OK.
- Expand the Certificates node.
- Expand Trusted Root Certification Authorities.
- Select Certificates.
The right pane will show all of the root CA certificates currently trusted. You can delete multiple certificates at once if you want.
Note: Do not remove Microsoft or VeriSign roots. They are used extensively by the operating system.
Disable or Remove All Sample Applications
Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, they should still be removed.
Table F-2 lists the default locations for some of the samples.

| Sample | Virtual Directory | Location |
| --- | --- | --- |
| IIS Samples | \IISSamples | c:\inetpub\iissamples |
| IIS Documentation | \IISHelp | c:\winnt\help\iishelp |
| Data Access | \MSADC | c:\program files\common files\system\msadc |

Table F-2. Sample files included with Internet Information Server 5.
Disable or Remove Unneeded COM Components
Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component, but note that this will also remove the Dictionary object. Be aware that some programs might require components you're disabling. For example, Site Server 3.0 uses File System Object. The following command will disable File System Object:
```cmd
regsvr32 scrrun.dll /u
```
Remove the IISADMPWD Virtual Directory
This directory allows you to reset Windows NT and Windows 2000 passwords. It's designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article Q184619 for more info about this functionality.
Remove Unused Script Mappings
IIS is preconfigured to support common filename extensions such as .asp and .shtm. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or their functionality, you should remove the mappings by following this procedure:
- Open Internet Services Manager.
- Right-click the Web server, and choose Properties from the context menu.
- Under Master Properties, select WWW Service and click Edit.
- Click the Home Directory tab, and then click Configuration.

Remove these references:

| If you don't use... | Remove this entry: |
| --- | --- |
| Web-based password reset | .htr |
| Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology) | .idc |
| Server-side Includes | .stm, .shtm and .shtml |
| Internet Printing | .printer |
| Index Server | .htw, .ida and .idq |
Note: Internet Printing can be configured via group policy as well as via the Internet Services Manager. If there is a conflict between the group policy settings and those in the Internet Service Manager, the group policy settings take precedence. If you remove Internet Printing via the Internet Services Manager, be sure to verify that it won’t be re-enabled by either local or domain group policies. (The default group policy neither enables nor disables Internet Printing). In the MMC Group Policy snap-in, check Computer Configuration | Administrative Templates | Printing |Web-based Printing.
Note: Unless you have a mission-critical reason to use the .htr functionality, you should remove the .htr extension.
Check Form and Querystring Input in Your ASP Code
Many sites use input from a user to call other code or to build SQL statements directly. In other words, they treat the input as valid, well-formed, nonmalicious data. This should not be so; there are a number of attacks in which user input is incorrectly treated as valid and the user gains access to the server or causes damage. You should always check each form field and query string before passing it on to another process or method call that might use an external resource such as the file system or a database.
You can perform text checking with the JScript V5 and VBScript V5 regular expression capabilities. The following example code will strip a string of all invalid characters (characters that are not 0-9a-zA-Z or _):
```vbscript
Set reg = New RegExp
reg.Global = True      ' Replace every match; Global defaults to False, which would
                       ' strip only the first run of invalid characters
reg.Pattern = "\W+"    ' One or more characters which are NOT 0-9a-zA-Z or '_'
strUnTainted = reg.Replace(strTainted, "")
```
The following sample will strip all text after a | operator:
```vbscript
Set reg = New RegExp
reg.Pattern = "^([^|]+)\|.*"   ' Capture everything before the FIRST | character;
                               ' a greedy (.+) here would keep text up to the last |
strUnTainted = reg.Replace(strTainted, "$1")
```
Also, be careful when opening or creating files by using the Scripting File System Object. If the filename is based on the user's input, the user might attempt to open a serial port or printer. The following JScript code will strip out invalid filenames:

```javascript
// Remove a trailing reserved device name (AUX, PRN, NUL, COMn, LPTn),
// ignoring case and any trailing whitespace
var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
```

The pattern syntax in the Version 5 script engines is the same as that in Perl 5.0. Refer to the V5 scripting engine documentation at http://msdn.microsoft.com/scripting/default.htm for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp for examples.
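As an added example that is not part of the original checklist, the checks described above can be gathered into JScript-style functions that an ASP page could call before touching the file system or a database. The functions below go beyond the page's patterns in two ways: the file-name check is an allow-list (only the characters the page's `\W` rule permits, plus `.` and `-` inside the name) and it tests the base name before the first dot against the full set of reserved device names, so `com1.txt` is rejected as well as `COM1`. The function names and the sample inputs are constructed for this example; the reserved device names are the standard Windows ones.

```javascript
// Added example (not from the Microsoft checklist): allow-list input checks
// in JScript-style JavaScript, generalising the page's VBScript/JScript
// regular expressions. Function names and sample inputs are constructed.

// Keep only 0-9, a-z, A-Z and '_' (same intent as the page's "\W+" pattern;
// the 'g' flag removes every run of invalid characters, not just the first).
function stripNonWord(s) {
  return s.replace(/\W+/g, '');
}

// Drop everything from the first '|' onward. A pipe is a command separator
// for cmd.exe, so nothing after it should ever reach a shell or a file name.
function cutAtPipe(s) {
  return s.replace(/\|.*$/, '');
}

// Windows reserved device names: opening one of these "files" talks to the
// console, a printer or a serial port rather than to the file system.
var RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i;

// Validate a user-supplied file name for use with the File System Object:
// a single path component made of allow-listed characters, no '..', and a
// base name (the part before the first '.') that is not a reserved device.
function isSafeFileName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) return false;
  // First character alphanumeric or '_', then alphanumerics, '_', '.' or '-';
  // this excludes '\\', '/', ':' and whitespace, so no directory traversal.
  if (!/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/.test(name)) return false;
  if (name.indexOf('..') !== -1) return false;
  var base = name.split('.')[0];
  return !RESERVED_DEVICE.test(base);
}

// Stand-alone run over constructed inputs.
var samples = ['report.txt', 'com1.txt', 'NUL', '..\\boot.ini', 'notes.backup.doc', 'a/b'];
for (var i = 0; i < samples.length; i++) {
  console.log(samples[i] + ' -> ' + (isSafeFileName(samples[i]) ? 'accepted' : 'rejected'));
}
console.log(stripNonWord('ab c!d-e') + ' / ' + cutAtPipe('dir|del *.*'));
```

Rejecting anything that is not on the allow-list is the safer direction: the page's strip-and-continue patterns quietly turn a hostile value into a different one, whereas returning false lets the ASP page refuse the request outright and log it.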
Disable Parent Paths
The Parent Paths option allows you to use ".." in calls to functions such as MapPath. By default, this option is enabled, and you should disable it. Follow this procedure to disable the option:
- Right-click the root of the Web site, and choose Properties from the context menu.
- Click the Home Directory tab.
- Click Configuration.
- Click the App Options tab.
- Uncheck the Enable Parent Paths check box.
Disable IP Address in Content-Location
The Content-Location header can expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. Refer to Knowledge Base article Q218180 for further information about disabling this option.
