Windows Security - SANS ©2001
Internet Information Server
(IIS) Security
Security Essentials The SANS Institute
In this section we are going to cover some of the key aspects that need to be addressed in order to have a secure web server using IIS. It is important to note that a system is only as secure as its weakest link, and therefore any web server must be built on a secure and hardened Windows 2000 system. Securing Windows 2000 is not covered in this section but has been covered in a previous module. So before you install IIS, make sure that you spend the time to properly harden your base operating system. Once you have a secure operating system configured, you can then move ahead with this module on securing IIS.
IIS Security - SANS ©2001
Are you or Aren’t you?
One lesson from CodeRed is that many users did not know if they were, or were not, running IIS. Check both installed programs and then use the task manager to double-check.
Also, some people are beginning to upgrade their internal systems to XP Professional. While XP appears to have some substantial improvements over the older Windows operating systems, don’t tune out!! Before you think that everything’s OK, take a look at this slide! This is the Windows Components installation wizard available through the Add/Remove Programs applet in the Control Panel. The IIS engine has always been more or less available at the desktop level as a product called “Personal Web Server”, which was typically installed if a user installed FrontPage. The actual server engine was a scaled down IIS engine. Now, however, we have a full IIS server available!! Good Group Policy rules through your Active Directory will prevent users from activating the IIS engine, as will good installation controls. The key is to be aware of what’s happening on your systems, even your user desktops!
If you are Running IIS
(and know you are running IIS)
• This document is relevant for the implementation of an IIS 5.0 server running on a Windows 2000 SP2 server
• Anything other than IIS 5.0 running on a Windows 2000 SP2 system will require further customized hardening
• This document does not discuss hardening the code used for the particular web site
The information contained in this module applies only to IIS 5.0 Server running on a Windows 2000 SP2 server. If you are running your web server on a different operating system or using a different version of the web server, it will require further customization. Also, this module addresses the known vulnerabilities and security issues that exist today. Since new vulnerabilities and exposures are found on a daily basis, just because your system is secure today does not mean that it will be secure tomorrow. Any system, especially one that is accessible from the Internet, will require constant care and feeding to make sure that it stays secure.
Also, this module only looks at hardening the web server application itself; it does not look at securing the web site or the actual web pages or code that the site is hosting. Writing secure web applications is beyond the scope of this document but must be addressed in order to have a secure site.
Finally, the steps outlined in this module should not be performed on a production system because certain changes could have unexpected results. Therefore, the steps should be performed on a development server, and the development server should be backed up prior to making any changes. Once everything has been tested, the changes should be made to the production server. The production server should also be backed up before any changes are made.
Agenda
• This module will cover the security concerns with the implementation of IIS 5.0 and Windows 2000 SP2 on a clean formatted machine
• We will then cover:
– Installation
– Common security vulnerabilities
This module will assume that Windows 2000 has already been installed on a clean formatted system and that it has been properly secured. Service Pack 2 (the most recent Service Pack as of this writing) should also be applied prior to installing the web server. This module is not meant as a step-by-step guide for installing and configuring a web server. It is meant to serve as a guide for addressing some of the key security concerns with running an IIS server.
Before a web server goes into production, it should be tested from a security perspective and have a vulnerability and security assessment performed to make sure all key issues have been addressed. Once the system goes live it should be monitored on a regular basis, because even though it is secure today it might not be secure tomorrow.
OS/IIS Installation and Hardening
• Install the 2000 OS from a clean verified media source
• Use a 4 GB NTFS partition for the OS
• Under component Services Installation Area
– Uncheck Indexing Services
– Check Terminal Services
– Uncheck Script Debugger
– Under Details for Accessories and Utilities, Uncheck Accessibility Wizard, Communications, Games, and Multimedia
– Under Details for IIS Service, Uncheck FrontPage extensions, documentation, and Internet Services Manager
– Select Remote Administration mode for Terminal Services
– Select that this computer is “Not a part of a domain”
– Change the CD-Rom drive letter to Z
When installing IIS you should always start with original CDs. If you download a copy or obtain a copy from another source, you increase your chances of having security issues because you cannot be guaranteed that the software is clean and does not have any back doors.
The OS partition should be kept separate from the data and application partitions. This way problems in one area have less of a chance of impacting the other. For example, the operating system needs a certain amount of hard drive space to operate properly. If all of the hard drive space is consumed, then the system will crash. If the data, application and operating system are all on the same partition, an attacker can write large amounts of data to the system, use up all of the disk space and crash the system. The boot partition needs to be NTFS, so that security can be enabled on files and directories, and auditing turned on. It is important to remember that with NTFS, you will be unable to boot to a DOS prompt should the need arise. Applications such as ERD Commander should be purchased to assist if such a need ever were to arise.
When installing the operating system and IIS, under components services installation area, the following options should be selected or unselected:
Uncheck Indexing Services
Check Terminal Services
Uncheck Script Debugger
Under Details for Accessories and Utilities, Uncheck Accessibility Wizard, Communications, Games, and Multimedia
Under Details for IIS Service, Uncheck FrontPage extensions, documentation, and Internet Services Manager
Select Remote Administration mode for Terminal Services
OS/IIS Installation and Hardening (2)
Right click the C drive in My Computer. Click on Security > Remove the Everyone Group > Add both the Administrator and System groups, give full control to both
To change the security permissions on the system, select the C:\ drive under My Computer and right click on it. From the Local Disk Properties dialog box, select the Security tab. The Everyone group should be removed. The Everyone group includes literally everyone. It is a common misperception that the Everyone group includes everyone in the specific domain. This is not the case. The Everyone group does encompass anyone in the domain but also includes anyone in the world who can get to the system, not just authenticated users. The Administrators and SYSTEM groups should be given access and in most cases should be given Full Control. Users or Authenticated Users can then be added as a specific group, but remember to enforce a principle of least privilege. Users should be given the minimal access they need to do their job and nothing else. If necessary, additional groups should be created with fewer privileges and users should be added to those groups.
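The permission change described above can be verified after the fact. The following is an added example, not part of the original module: it assumes the ACL was dumped with `cacls C:\` and that the entries use cacls' simple-rights form (F, C, R, W, N); the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `cacls C:\` output before hardening (not from the page).
SAMPLE_CACLS = r"""C:\ Everyone:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Users:(OI)(CI)R
"""

# Principals the text says should normally hold Full Control on the OS drive.
FULL_CONTROL_OK = {"builtin\\administrators", "nt authority\\system"}
# principal:(inheritance flags)right, where right is F, C, R, W or N in cacls output.
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[FCRWN])$")


def parse_cacls(text, path):
    """Return [(principal, [flags], right)] from simple-rights cacls output."""
    aces = []
    for i, line in enumerate(text.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]          # first line is prefixed by the path
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:                        # e.g. multi-line "special access" entries
            raise ValueError("unrecognised ACE line: %r" % line)
        aces.append((m.group("who"), re.findall(r"\((\w+)\)", m.group("flags")),
                     m.group("right")))
    return aces


def review_acl(aces):
    """Return (principal, finding) pairs for entries that conflict with the text."""
    findings = []
    for who, _flags, right in aces:
        name = who.lower()
        if name == "everyone":
            findings.append((who, "remove: also matches unauthenticated users"))
        elif name not in FULL_CONTROL_OK and right in ("F", "C", "W"):
            findings.append((who, "write-capable access: check least privilege"))
    holders = {who.lower() for who, _flags, right in aces if right == "F"}
    for required in sorted(FULL_CONTROL_OK - holders):
        findings.append((required, "expected Full Control is missing"))
    return findings


if __name__ == "__main__":
    for principal, finding in review_acl(parse_cacls(SAMPLE_CACLS, "C:\\")):
        print(principal, "->", finding)
```

A read-only entry for Users passes the check; an entry in any other form raises an error so that it is reviewed by hand.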
OS/IIS Installation and Hardening (3)
• Audit the following
– Create files/write data
– Create folders/Append data
– Delete subfolders and files
– Delete change permissions
it is critical to have auditing turned on
The key events that must be audited are:
Create files/write data
Create folders/Append data
Delete subfolders and files
Delete change permissions
Take ownership
You can turn on additional features, but remember that auditing more events could have a direct impact on the performance of your system and the resources that are available. Since there are many vulnerabilities with Microsoft’s Indexing Service (including buffer overflows) and since this machine will not be used for file services, Indexing is not needed and should be disabled, and therefore no associated auditing events are turned on.
After hitting Apply you will get a message stating that auditing is not turned on. That is OK; we will be turning this feature on later in the module.
Encryption and OS Patch Setup
• Install the High Encryption Pack for Windows 2000
• Do not reboot when complete
• Run KEYMIGRT.exe
• Set the system’s paging file’s Minimum/Maximum size as equal
• Reboot
Remember, when it comes to security there is no silver bullet. In order to have a secure system you must use defense in depth. With defense in depth you have multiple mechanisms protecting your system, and one of those must be encryption. First, you should install the High Encryption Pack for Windows 2000. Since you will be making other changes, do not reboot the system at this time.
Run KEYMIGRT.exe after installing the High Encryption Pack. It is necessary to run this utility to upgrade the encryption of the private keys used by IIS SSL from 40-bit RC4 to 168-bit 3DES. The upgraded key is the Master key, which encrypts IIS’s private keys as well as the private keys of all the services which use public/private keys on this server.
The system’s pagefile values for minimum and maximum should also be set to the same value. At this point, the system needs to be rebooted so that the changes can take effect.
Encryption and OS Patch Setup (2)
• Install SP2 for 2000
• Install all of the latest hot fixes
– hfnetchk.exe can be used to determine a list of required fixes
When Microsoft finds a vulnerability with a system they usually release a patch (hotfix) to fix the problem. A hotfix will secure the system against that specific vulnerability. After several hotfixes have been released, Microsoft will usually put out a Service Pack which fixes all of the vulnerabilities and problems up to that point. You should stay up-to-date on the latest Service Packs and hotfixes to make sure your system stays secure. Before installing a hotfix or a Service Pack it should be run on a test system, and the production system should be backed up prior to installation. Service Packs and hotfixes have both been known to cause problems or crash systems. At the time of this writing, Service Pack 2 is the latest service pack for Windows 2000.
Once SP2 is installed, all of the current hotfixes should be applied. Microsoft’s Network Hot Fix Checker (hfnetchk.exe) can be downloaded for free from Microsoft’s web site (http://www.microsoft.com/technet/security/default.asp). This command line utility will retrieve a list of current hotfixes from Microsoft’s site as an XML file, compare the current list of hotfixes with your system, and provide a list of fixes that should be installed. The specific hotfixes can then be downloaded and applied.
Configuring Services
• Disable all network protocols except for TCP/IP
– disable NetBIOS over TCP/IP
• Set a fixed IP Address for the server
In order to have a secure system you must adhere to a principle of least privilege. This approach sets up a system with the least amount of privileges needed for it to function properly and nothing else. From a network protocol standpoint, any protocol that is not needed should be disabled. For most networks only TCP/IP is needed and/or recommended. If you require another protocol such as SNA or IPX/SPX, there are additional steps that must be taken from a configuration standpoint.
Note that a web server strictly uses TCP/IP protocols – HTTP/HTTPS, possibly FTP or SMTP. It has no need for Microsoft’s NetBIOS protocol, used for file and print sharing and some Windows networking functions. As NetBIOS has a number of vulnerabilities, you should disable NetBIOS over TCP/IP on your web server. This may prevent any remote administration of the web server that uses NetBIOS (i.e., connecting to a shared drive over the network), but the inconvenience of having to administer the server from the console is far outweighed by the security advantages of turning off NetBIOS.
Since the server will need to be accessible, it should be given a static IP address. If dynamic addresses were used, people could have difficulty connecting to the server because the address could potentially change.
To provide additional levels of protection, TCP/IP filtering could also be used by an administrator to prevent attackers from trying to gain access through other ports that are not secured.
Configuring Services
• Alerter
• DHCP Client
• DNS Client
• License Logging Agent
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
Configuring Terminal Services
or low level of encryption would be needed until the hardware can be upgraded to handle the proper level
IIS 5.0 Configuration
• Stop the default web site in ISM
These slides now cover some of the key things that need to be done to secure and configure an IIS 5.0 server. This portion does not discuss how to implement your web site or how to write or create secure HTML. To start configuring IIS, you need to start the Internet System Manager (ISM). The first thing you should do is stop the default web site which is included when you install IIS. The ISM is used to perform a lot of the configuration and to see what IIS is doing and what it is running.
• Edit the Master properties for the WWW Service
– Enable logging
– Use W3C Extended Log File Format
– Change the New Log Time Period to When the File
occurring on your network and to be able to detect attacks in a timely manner, auditing must be turned on. To do this, select the Enable Logging checkbox near the bottom of the dialog box. Under Active log format, select W3C Extended log file format. Click Properties and change the New Log Time period to when the file reaches 50 MB. Under Extended Properties, add checks for Cookies and Referrer.
– Note: It is best to remove all mappings and add back the ones needed for the final website
– .asa, .asp, .bat, .cdx, .cer, .htr, .htw, .ida, .idc, .idq, .printer, .shtm, .shtml, .stm
– Note: At a minimum .htr, .idc, and .printer should be removed unless absolutely required
Under Application Configuration, click on the App Mappings tab and remove all unnecessary application mappings. By removing unneeded mappings, an administrator has taken the steps to eliminate a large number of exploits present in IIS. One general recommendation is to remove all mappings and add back the ones needed for the final website.
The general mappings are: .asa, .asp, .bat, .cdx, .cer, .htr, .htw, .ida, .idc, .idq, .printer, .shtm, .shtml, and .stm. At a minimum, .htr, .idc, and .printer should be removed unless absolutely required, as these all have known buffer overflow exploits.
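The W3C Extended logs enabled earlier can be used to see which of these mappings clients are actually requesting. The following is an added example, not part of the original module: it reads the `#Fields` directive to locate columns and flags requests for listed extensions that the site has not deliberately kept; the log lines, the `allowed` set and the function names are constructed for illustration.

```python
import posixpath

# Script mappings listed in the text, and the three it says to remove at a minimum.
LISTED = {"asa", "asp", "bat", "cdx", "cer", "htr", "htw", "ida", "idc", "idq",
          "printer", "shtm", "shtml", "stm"}
REMOVE_FIRST = {"htr", "idc", "printer"}

# Constructed W3C Extended log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-01 00:00:12
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie) cs(Referer)
2001-08-01 00:00:12 192.0.2.10 GET /default.asp - 200 - -
2001-08-01 00:01:40 192.0.2.77 GET /default.ida - 200 - -
2001-08-01 00:02:03 192.0.2.77 GET /scripts/test.htr - 404 - -
2001-08-01 00:02:09 192.0.2.10 GET /images/logo.gif - 200 ASPSESSIONID=ABC http://www.example.com/
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header can reappear mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or foreign lines
                yield dict(zip(fields, values))


def flag_unneeded_mappings(lines, allowed):
    """Return (severity, c-ip, uri, status) for listed mappings not in `allowed`."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        ext = posixpath.splitext(stem)[1].lstrip(".").lower()
        if ext in LISTED and ext not in allowed:
            severity = "high" if ext in REMOVE_FIRST else "review"
            hits.append((severity, rec.get("c-ip", "-"), stem, rec.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    # Assumption: this site keeps only the .asp mapping.
    for hit in flag_unneeded_mappings(SAMPLE_LOG.splitlines(), allowed={"asp"}):
        print(*hit)
```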