Checklist: Securing Your Web Server

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Internet Information Services (IIS) version 5.0
  • Microsoft Windows® 2000 operating system

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Contents

How to Use This Checklist Patches and Updates IISLockdown Services Protocols Accounts Files and Directories Shares Ports Registry Auditing and Logging Sites and Virtual Directories Script Mappings ISAPI Filters IIS Metabase Server Certificates Machine.config Code Access Security Other Check Points Dos and Don'ts

How to Use This Checklist

This checklist is a companion to Chapter 16, "Securing Your Web Server." Use it to help implement a secure Web server, or as a quick evaluation snapshot of the corresponding chapter.

This checklist should evolve with steps that you discover to secure your Web server.

Patches and Updates

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif MBSA is run on a regular interval to check for latest operating system and components updates.
Ff648198.z02bthcm01(en-us,PandP.10).gif The latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.)
Ff648198.z02bthcm01(en-us,PandP.10).gif Subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp.

IISLockdown

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif IISLockdown has been run on the server.
Ff648198.z02bthcm01(en-us,PandP.10).gif URLScan is installed and configured.

Services

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Unnecessary Windows services are disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gif Services are running with least-privileged accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gif FTP, SMTP, and NNTP services are disabled if they are not required.
Ff648198.z02bthcm01(en-us,PandP.10).gif Telnet service is disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gif ASP .NET state service is disabled and is not used by your applications.

Protocols

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."
Ff648198.z02bthcm01(en-us,PandP.10).gif TCP/IP stack is hardened.
Ff648198.z02bthcm01(en-us,PandP.10).gif NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).

Accounts

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Unused accounts are removed from the server.
Ff648198.z02bthcm01(en-us,PandP.10).gif Windows Guest account is disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gif Administrator account is renamed and has a strong password..
Ff648198.z02bthcm01(en-us,PandP.10).gif IUSR_MACHINE account is disabled if it is not used by the application.
Ff648198.z02bthcm01(en-us,PandP.10).gif If your applications require anonymous access, a custom least-privileged anonymous account is created.
Ff648198.z02bthcm01(en-us,PandP.10).gif The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
Ff648198.z02bthcm01(en-us,PandP.10).gif ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.)
Ff648198.z02bthcm01(en-us,PandP.10).gif Strong account and password policies are enforced for the server.
Ff648198.z02bthcm01(en-us,PandP.10).gif Remote logons are restricted. (The "Access this computer from the network" user-right is removed from the Everyone group.)
Ff648198.z02bthcm01(en-us,PandP.10).gif Accounts are not shared among administrators.
Ff648198.z02bthcm01(en-us,PandP.10).gif Null sessions (anonymous logons) are disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gif Approval is required for account delegation.
Ff648198.z02bthcm01(en-us,PandP.10).gif Users and administrators do not share accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gif No more than two accounts exist in the Administrators group.
Ff648198.z02bthcm01(en-us,PandP.10).gif Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Files and directories are contained on NTFS volumes.
Ff648198.z02bthcm01(en-us,PandP.10).gif Web site content is located on a non-system NTFS volume.
Ff648198.z02bthcm01(en-us,PandP.10).gif Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
Ff648198.z02bthcm01(en-us,PandP.10).gif The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
Ff648198.z02bthcm01(en-us,PandP.10).gif Web site root directory has deny write ACE for anonymous Internet accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gif Content directories have deny write ACE for anonymous Internet accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gif Remote IIS administration application is removed (\WINNT\System32\Inetsrv\IISAdmin).
Ff648198.z02bthcm01(en-us,PandP.10).gif Resource kit tools, utilities, and SDKs are removed.
Ff648198.z02bthcm01(en-us,PandP.10).gif Sample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples).

Shares

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif All unnecessary shares are removed (including default administration shares).
Ff648198.z02bthcm01(en-us,PandP.10).gif Access to required shares is restricted (the Everyone group does not have access).
Ff648198.z02bthcm01(en-us,PandP.10).gif Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
Ff648198.z02bthcm01(en-us,PandP.10).gif Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.

Registry

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Remote registry access is restricted.
Ff648198.z02bthcm01(en-us,PandP.10).gif SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

This applies only to standalone servers.

Auditing and Logging

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Failed logon attempts are audited.
Ff648198.z02bthcm01(en-us,PandP.10).gif IIS log files are relocated and secured.
Ff648198.z02bthcm01(en-us,PandP.10).gif Log files are configured with an appropriate size depending on the application security requirement.
Ff648198.z02bthcm01(en-us,PandP.10).gif Log files are regularly archived and analyzed.
Ff648198.z02bthcm01(en-us,PandP.10).gif Access to the Metabase.bin file is audited.
Ff648198.z02bthcm01(en-us,PandP.10).gif IIS is configured for W3C Extended log file format auditing.

Sites and Virtual Directories

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Web sites are located on a non-system partition.
Ff648198.z02bthcm01(en-us,PandP.10).gif "Parent paths" setting is disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gif Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed.
Ff648198.z02bthcm01(en-us,PandP.10).gif MSADC virtual directory (RDS) is removed or secured.
Ff648198.z02bthcm01(en-us,PandP.10).gif Include directories do not have Read Web permission.
Ff648198.z02bthcm01(en-us,PandP.10).gif Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account.
Ff648198.z02bthcm01(en-us,PandP.10).gif There is script source access only on folders that support content authoring.
Ff648198.z02bthcm01(en-us,PandP.10).gif There is write access only on folders that support content authoring and these folder are configured for authentication (and SSL encryption, if required).
Ff648198.z02bthcm01(en-us,PandP.10).gif FrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted.

Script Mappings

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, idc, .htr, .printer).
Ff648198.z02bthcm01(en-us,PandP.10).gif Unnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config.

ISAPI Filters

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Unnecessary or unused ISAPI filters are removed from the server.

IIS Metabase

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Access to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
Ff648198.z02bthcm01(en-us,PandP.10).gif IIS banner information is restricted (IP address in content location disabled).

Server Certificates

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Certificate date ranges are valid.
Ff648198.z02bthcm01(en-us,PandP.10).gif Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail).
Ff648198.z02bthcm01(en-us,PandP.10).gif The certificate's public key is valid, all the way to a trusted root authority.
Ff648198.z02bthcm01(en-us,PandP.10).gif The certificate has not been revoked.

Machine.config

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Protected resources are mapped to HttpForbiddenHandler.
Ff648198.z02bthcm01(en-us,PandP.10).gif Unused HttpModules are removed.
Ff648198.z02bthcm01(en-us,PandP.10).gif Tracing is disabled <trace enable="false"/>
Ff648198.z02bthcm01(en-us,PandP.10).gif Debug compiles are turned off.
<compilation debug="false" explicit="true" defaultLanguage="vb">

Code Access Security

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif Code access security is enabled on the server.
Ff648198.z02bthcm01(en-us,PandP.10).gif All permissions have been removed from the local intranet zone.
Ff648198.z02bthcm01(en-us,PandP.10).gif All permissions have been removed from the Internet zone.

Other Check Points

Check Description
Ff648198.z02bthcm01(en-us,PandP.10).gif IISLockdown tool has been run on the server.
Ff648198.z02bthcm01(en-us,PandP.10).gif HTTP requests are filtered. URLScan is installed and configured.
Ff648198.z02bthcm01(en-us,PandP.10).gif Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts.

Dos and Don'ts

  • Do use a dedicated machine as a Web server.
  • Do physically protect the Web server machine in a secure machine room.
  • Do configure a separate anonymous user account for each application, if you host multiple Web applications,
  • Do not install the IIS server on a domain controller.
  • Do not connect an IIS Server to the Internet until it is fully hardened.
  • Do not allow anyone to locally log on to the machine except for the administrator.

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

© Microsoft Corporation. All rights reserved.