Securing Internet Information Services 5.0 and 5.1
On This Page
Introduction
Web servers are frequent targets for various types of security attacks. Some of these attacks are serious enough to cause significant damage to business assets, productivity, and customer relationships—and all attacks are inconvenient and frustrating. The security of your Web servers is vital to the success of your business.
This document explains how to begin the process of securing a Web server that is running Internet Information Services (IIS) 5.0 on the Microsoft® Windows® 2000 Server, Standard Edition operating system, or Internet Information Services 5.1 on the Microsoft® Windows® XP operating system. First, this section describes some of the most common threats that affect Web servers. Then, this document provides prescriptive guidance for making your Web server more secure against such attacks.
This document provides the following guidance for increasing the security of your Web server:
| • | Reducing the attack surface, or the extent to which your server is exposed to potential attackers, of your Web server |
| • | Configuring accounts and permissions for the users and groups that access your Web site |
| • | Making the IIS metabase and log files more secure against access by unauthorized users |
| • | Configuring Secure Sockets Layer (SSL) on your Web server IMPORTANT: All of the step-by-step instructions that are included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly. |
After you complete the steps in this document, your Web server will still have significant protection from the following types of attacks that sometimes threaten Internet-facing servers:
| • | Profiling attacks that gather information about your Web site, which can be reduced by blocking unneeded ports and disabling unneeded protocols. |
| • | Denial-of-service attacks that flood your Web server with requests, which can be minimized by applying security patches and software updates. |
| • | Unauthorized access by a user without the correct permissions, which can often be thwarted by configuring Web and NTFS permissions. |
| • | Arbitrary execution of malicious code on your Web server, which can be minimized by preventing access to system tools and commands. |
| • | Elevation of privileges that allows a malicious user to use a high-privileged account to run programs, which can be minimized by using least-privileged service and user accounts. |
| • | Damage from viruses, worms, and Trojan horses, which can be contained by disabling unneeded functionality, using least-privileged accounts, and promptly applying the latest security patches. |
Note: Because securing a Web server is a complex and ongoing process, complete security cannot be guaranteed.
Before You Begin
This section explains the system requirements and describes the characteristics of the example Web server used in this document.
System Requirements
The Web server used as an example in this document has the following system requirements:
| • | The operating system is installed on an NTFS partition. For information about NTFS, search for "NTFS" in Help and Support Center for Windows Server 2003. |
| • | Required patches and updates for Windows 2000 Server or Windows XP have been applied to the server. |
| • | The server is running either Windows 2000 Server, with Service Pack 4 installed, or Windows XP, with Service Pack 1 installed. IMPORTANT: If Service Pack 1 or Service Pack 4 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=22630 and have Windows Update scan your computer for available updates. If Service Pack 1 or Service Pack 4 shows up as an available update, install any required service pack before proceeding with the procedures in this document. |
The information in this document can help you take the first steps toward configuring a more secure Web server. However, to make your Web server as secure as possible, you need to understand the behavior of the applications that run on the server. This document does not contain information about configuring specific applications for security.
Web Server Characteristics
The Web server that is used as an example in this document has the following characteristics:
| • | Is running either IIS 5.0 (for Windows 2000 Server) or IIS 5.1 (for Windows XP). |
| • | Hosts one Internet-facing Web site. |
| • | Is a dedicated Web server. |
| • | Is behind a firewall that allows traffic only on HTTP Port 80 and HTTPS Port 443. |
| • | Permits anonymous access to the Web site. |
| • | Serves HTML and ASP pages. |
| • | Does not support FTP (file uploading and downloading), SMTP (e-mail), or NNTP (newsgroup) protocols. |
| • | Does not use Internet Security and Acceleration Server. |
| • | Requires the administrator to log on locally to administer the Web server. |
In addition to the preceding requirements, the following conditions in the example exist:
| • | FrontPage® 2002 Server Extensions from Microsoft are not configured on the Web server. |
| • | Applications on the Web server do not require database connectivity. |
Reducing the Attack Surface of Your Web Server
Begin the process of securing your Web server by reducing its attack surface, for example, by enabling only those components, services, and ports that are necessary for your Web server to operate correctly.
This section provides the following step-by-step instructions for reducing the attack surface of your Web server:
| • | Running the IIS Lockdown Tool |
| • | Customizing the UrlScan configuration |
Running the IIS Lockdown Tool
Using the IIS Lockdown Tool, you can choose a specific server role, depending on the types of applications that your Web server hosts, and then improve security for that server by using customized templates that either disable or secure various features.
By running the IIS Lockdown Tool, you can automate much of the process of securing your Web server. However, remember that no tool replaces the need for timely installation of service packs and hot fixes.
Note: It is recommended that you read the documentation that accompanies the IIS Lockdown Tool before you run the tool.
This section provides the following step-by-step instructions for running the IIS Lockdown Tool:
| • | Installing the IIS Lockdown Tool |
| • | Determining whether your Web server serves dynamic content |
| • | Determining whether the IIS Lockdown Tool has already been run on your Web server |
| • | Running the IIS Lockdown Tool |
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: IIS Lockdown Tool, Internet Services Manager must be installed. |
| • | To install the IIS Lockdown Tool
|
| • | To determine whether your Web server serves dynamic content
|
| • | To determine whether the IIS Lockdown Tool has already been run on your Web server
|
If you have already run the IIS Lockdown Tool on your Web server, skip the remaining procedures in this section and go on to the "Configuring UrlScan Configuration" section.
Note: It is recommended that you review the remaining sections of this document to ensure that the IIS Lockdown Tool settings on your Web server provide the level of security that you require.
| • | To run the IIS Lockdown Tool
|
Verifying New Settings
Verify that the appropriate security settings for the IIS Lockdown Tool have been applied to your local computer.
| • | To verify changes made by the IIS Lockdown Tool
|
The following table shows the changes made by the IIS Lockdown Tool based on your changes, as well as the vulnerabilities minimized by locking down these items.
IIS Lockdown Tool Changes to Minimize Security Issues
| Page | Action | Security Issues Minimized |
Internet Services | Disabled FTP, SMTP, and NNTP services | Any running service is a potential point of attack. These services are particularly vulnerable. |
Script Maps | Disabled the following file extensions by mapping them to 404.dll: | idq, .ida: buffer overflow could allow an attacker to gain complete control of the server. |
Additional Security | Removed the following virtual directories: Removed the IISAdmin Web site Restricted anonymous access to system tools Restricted anonymous users from writing to Web content directories. Created two new local groups called Web Anonymous Users and Web Applications, and added Deny access control entries (ACEs) for these groups to the access control list (ACL) on key tools and directories. Added the default anonymous Internet user account, Added the default Web application identity, IWAM_ComputerName, to Web Applications. Disabled Web Distributed Authoring and Versioning (WebDAV). |
|
| • | To verify that the IIS Lockdown Tool configuration is in force on a Web server
|
If the log files are absent, or if they are present and their data and time stamps are earlier than those for oblt-log.log, the IIS Lockdown Tool configuration is in force on the Web server.
After running the IIS Lockdown Tool, you can re-enable a file name extension manually. This is preferable to re-running the IIS Lockdown Tool and remove its configuration.
| • | To manually remap file name extensions after running the IIS Lockdown Tool
|
Customizing UrlScan Configuration
UrlScan is installed when you run the IIS Lockdown Tool. UrlScan is an Internet Services Application Programming Interface (ISAPI) filter that protects a Web server from attacks by filtering and rejecting HTTP requests based on a set of rules. The rules apply to all sites hosted by the Web server. When correctly installed, UrlScan runs automatically whenever IIS is started.
You can change UrlScan rules by editing the UrlScan.ini file. This file must reside in the same directory as the UrlScan.dll file, which is the file that runs UrlScan.
This section provides the following step-by-step instructions for customizing UrlScan configuration:
| • | Customizing the UrlScan configuration |
| • | Verifying new UrlScan settings |
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer, UrlScan.ini file, Notepad, iisreset command. |
| • | To customize the UrlScan configuration
|
Verifying New Settings
Verify that the appropriate security settings for the UrlScan configuration have been applied to your local computer.
| • | To verify the UrlScan configuration
|
Disabling Unneeded Protocols
By preventing the use of unneeded protocols, you reduce the potential for attack.
This section provides the following step-by-step instructions for disabling unneeded protocols:
| • | Disabling SMB on an Internet-facing connection |
| • | Disabling NetBIOS over TCP/IP |
Disabling SMB and NetBIOS
Host enumeration attacks scan the network to determine the IP address of potential targets. To reduce the likelihood of successful host enumeration attacks against Internet-facing ports on your Web server, disable all network protocols except Transmission Control Protocol (TCP). Web servers do not require Server Message Block (SMB) or NetBIOS on their network adapters.
Note: When you disable SMB and NetBIOS, the server cannot function as a file server or a print server, no network browsing is possible, and you cannot manage the Web server remotely. If your server is a dedicated Web server that requires administrators to log on locally, these restrictions should not affect the operation of the server.
SMB uses the following ports:
| • | TCP port 139 |
| • | TCP and UDP port 445 (SMB Direct Host) |
NetBIOS uses the following ports:
| • | TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service) |
| • | TCP and UDP port 138 (NetBIOS datagram service) |
| • | TCP and UDP port 139 (NetBIOS session service) |
Disabling only NetBIOS is not sufficient to prevent SMB communication because if a standard NetBIOS port is unavailable, SMB uses TCP port 445 (known as the SMB Direct Host). You must disable NetBIOS and SMB separately.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer, System Tools, Device Manager. |
| • | To disable SMB on an Internet-facing connection
|
| • | To disable NetBIOS over TCP/IP
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your Web server.
| • | To verify that SMB is disabled
|
| • | To verify that NetBIOS is disabled
|
Disabling Null Sessions to Prevent Anonymous Logons
To prevent anonymous access, disable null sessions. These are unauthenticated or anonymous sessions established between two computers. If null sessions are not disabled, an attacker can connect to your server anonymously without being authenticated.
An attacker who establishes a null session can perform a variety of attacks, including enumeration techniques, which are used to collect system-related information from the target computer ? information that can greatly assist subsequent attacks. Information that can be returned over a null session includes domain and trust details, shares, user information (including groups and user rights), and registry keys.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: Local Security Policy. |
| • | To disable null sessions
|
Verifying New Settings
Verify that the appropriate security settings for disabling null sessions have been applied to your local computer.
| • | To verify that null sessions are disabled
|
Configuring Accounts
You should remove unused accounts because an attacker might discover and use them. Always require strong passwords ? weak passwords increase the likelihood of a successful brute force or dictionary attack. Use accounts that run with least privilege. Otherwise, an attacker can use accounts with too much privilege to gain access to unauthorized resources.
This section provides the following step-by-step instructions for configuring accounts:
| • | Disabling unused accounts |
| • | Disabling null sessions to prevent anonymous access |
Disabling Unused Accounts
Unused accounts and their privileges can be used by an attacker to gain access to a server. You should periodically audit local accounts on the server and disable any accounts that are not being used. Disable accounts on a test server before you disable them on a production server to ensure that disabling an account does not adversely affect the way your application operates. If disabling the account does not cause any problems on the test server, disable the account on your production server.
Note: If you choose to delete an unused account instead of disabling it, be aware that you cannot recover a deleted account and that the Administrator account and the Guest account cannot be deleted. Also, be sure to delete the account on a test server before you delete it on your production server.
This section provides the following step-by-step instructions for disabling unused accounts:
| • | Disabling the Guest account |
| • | Renaming the Administrator account |
| • | Disabling the IUSR_ComputerName account |
Disabling the Guest Account
Anonymous connections to the server use the built-in Guest account. To restrict anonymous connections to the computer, keep this account disabled. The Guest account is disabled by default on Windows 2000.
Note: You cannot disable the Guest account on a domain controller.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer. |
| • | To disable the Guest account
|
Renaming the Administrator Account
The default local Administrator account is a target for malicious use because of its elevated privileges on the computer. To improve security, rename the default Administrator account and assign it a strong password.
Note: You cannot rename the local Administrator account on a domain controller.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer. |
| • | To rename the Administrator account and assign a strong password
|
Renaming the IUSR_ComputerName Account
The default anonymous Internet user account, IUSR_ComputerName, is created during IIS installation. The value of ComputerName is the NetBIOS name of your server at IIS installation time.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer. |
| • | To rename the IUSR account
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify that an account is disabled
|
| • | To verify that an account is renamed
|
Securing Files and Directories
Use strong access controls to protect sensitive files and directories. In most situations, an approach that allows access to specific accounts is more effective than one that denies access to specific accounts. Set access at the directory level whenever possible. As files are added to the folder they inherit permissions from the folder, so you need to take no further action.
This section provides the following step-by-step instructions for securing files and directories:
| • | Relocating and setting permissions for IIS log files |
| • | Configuring IIS metabase permissions |
Relocating and Setting Permissions for IIS Log Files
To increase the security of the IIS log files, you should relocate them to a nonsystem drive that has been formatted to use the NTFS file system. This location should not be the same as the location of your Web site content.
This section provides the following step-by-step instructions for relocation and setting permissions for IIS log files:
| • | Moving the location of the IIS log files to a nonsystem partition |
| • | Setting ACLs on IIS log files |
| • | Verifying new settings |
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer, Internet Services Manager. |
| • | To move the location of the IIS log files to a nonsystem partition
|
Note: If you already have IIS log files in their original location at C:\WINNT\System32\logfiles, you must move these files to the new location manually. IIS does not move those files for you.
| • | To set ACLs on IIS log files
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify that log files are moved and secured
|
Configuring IIS Metabase Permissions
The IIS metabase is a binary file that contains most IIS configuration information. Only members of the Administrators group and the LocalSystem account should have Full Control access to the metabase. It is important that you audit all attempts to access the metabase by the Everyone group.
This section provides the following step-by-step instructions for configuring IIS metabase permissions:
| • | Restricting access to the MetaBase.bin file |
| • | Auditing access to the MetaBase.bin file |
| • | Disabling the FileSystemObject component |
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer. |
| • | To restrict access to the MetaBase.bin file
|
| • | To audit access to the MetaBase.bin file
|
Verifying New Settings
Verify that the appropriate security settings for auditing and restricting access to the MetaBase.bin file have been applied to your local computer.
| • | To verify restricted access to the MetaBase.bin file
|
Disabling the FileSystemObject Component
ASP, Windows Script Host, and other scripting applications use the FileSystemObject (FSO) component to create, delete, gain information about, and manipulate drives, folders, and files. Consider disabling the FSO component, but be aware that this will also remove the Dictionary object. Also, verify that no other programs require this component.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: Command prompt. |
| • | To disable the FileSystemObject component
|
Securing Web Sites and Virtual Directories
Relocate Web root directories and virtual directories to a nonsystem partition to protect against directory traversal attacks, which allow an attacker to execute operating system programs and tools. Because it is not possible to traverse across drives, relocating Web site content to another drive offers added protection against these attacks.
This section provides the following step-by-step instructions for securing Web sites and virtual directories:
| • | Moving your Web site to a nonsystem drive |
| • | Disabling the parent paths setting |
| • | Configuring Web site permissions |
Moving Your Web Site to a Nonsystem Drive
Do not use the default \inetpub\wwwroot directory as the location for your Web site content. For example, if your system is installed on the C: drive, consider moving your site and content directory to the D: drive in order to mitigate the risks associated with directory traversal attacks, in which an attacker attempts to browse the directory structure of a Web server.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: Internet Services Manager, command prompt. |
| • | To move your Web site to a nonsystem drive
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify that Web site content has been moved to a nonsystem drive or folder
|
Disabling the Parent Paths Setting
This IIS metabase setting prevents the use of parent paths in script and application calls. Disabling parent paths helps guard against directory traversal attacks. The following example shows a parent path in an ASP file:
<!--#include file="../<filename.ext>"-->
When parent paths are disabled, the ASP file should contain path statements in the following format:
<!--#include virtual="/<virtual path>/<filename.ext>"-->
where <virtual path> is the name of the virtual directory where the file resides on your Web server.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: Internet Services Manager. |
| • | To disable parent paths
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify that parent paths are disabled
|
Configuring Web Site Permissions
You can configure your Web server's access permissions for specific sites, directories, and files. These permissions apply to all users regardless of their specific access rights.
Configuring Permissions on File System Directories
Internet Information Services relies on NTFS permissions for securing individual files and directories from unauthorized access. Unlike Web site permissions, which apply to all users, you can use NTFS permissions to precisely define which users can access your content and how those users are allowed to manipulate that content.
Access control lists (ACLs) indicate which users or groups have permission to access or modify a particular file. Instead of setting ACLs on each file, consider creating new directories for each file type, setting ACLs on each directory, and allowing the ACLs to inherit to the files.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: My Computer. |
| • | To copy Web site content into a separate folder
|
| • | To set permissions on physical directories
|
Configuring Permissions on Virtual Directories
Most users do not require access to all content on your Web server. To protect the content on your Web server, you must configure appropriate access permissions on your Web server's virtual directories.
| • | To set permissions on virtual directories
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify that write access is denied to physical and virtual directories
|
Configuring Secure Sockets Layer on Your Web Server
Configure Secure Sockets Layer (SSL) security features on your Web server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions. SSL security relies on a server certificate that allows users to authenticate your Web site before they transmit personal information, such as a credit card number.
This section provides the following step-by-step instructions for configuring SSL on your Web server:
| • | Obtaining and install a server certificate |
| • | Enforcing and enabling SSL connections on your Web server |
Obtaining and Installing a Server Certificate
Certificates are issued by non-Microsoft organizations called certification authorities (CAs). The server certificate is typically associated with your Web server, specifically with the Web site where you have configured SSL. You must generate a request for a certificate, send the request to the CA, and then install the certificate after you receive it from the CA.
Certificates require a pair of encryption keys, one public and one private, to enforce security. When you generate a request for a server certificate, you actually generate the private key. The server certificate you receive from the CA contains the public key.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: Internet Services Manager, Web Server Certificate Wizard. |
| • | To generate a request for a server certificate
|
| • | To submit a request for a server certificate
|
When you receive the certificate from your CA, you are ready to install the certificate on your Web server.
| • | To install a server certificate
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify that a certificate is installed on a Web server
|
Enabling and Enforcing SSL Connections on Your Web Server
After you have installed the server certificate, you must enable SSL connections on your Web server. Then, you must enforce SSL connections.
Requirements
| • | Credentials: You must be logged on as a member of the Administrators group on the Web server. |
| • | Tools: Internet Services Manager MMC snap-in. |
| • | To enable SSL connections on your Web server
|
| • | To enforce SSL connections
|
Verifying New Settings
Verify that the appropriate security settings have been applied to your local computer.
| • | To verify SSL connections on your Web server
|
Related Information
For more information about securing IIS 5.0 and IIS 5.1, see the following:
| • | "From Blueprint to Fortress: A Guide to Securing IIS 5.0" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22688. |
| • | "Secure Internet Information Services 5 Checklist" on the TechNet Web site at |
| • | Microsoft Security Bulletin Search on the TechNet Web site at |
For more information about IIS 5.0 and IIS 5.1, see the following:
| • | Internet Information Services (IIS) Security Center on the TechNet Web site at |
| • | Windows 2000 Web and Application Services technology center on the Microsoft Web site at |
| • | Internet Information Services 5.1 on the Microsoft Web site at |