Web servers are frequent targets for various types of security attacks. Some of these attacks are serious enough to cause significant damage to business assets, productivity, and customer relationships—and all attacks are inconvenient and frustrating. The security of your Web servers is vital to the success of your business.
This document explains how to begin the process of securing a Web server that is running Internet Information Services (IIS) 6.0 on the Microsoft® Windows Server™ 2003, Standard Edition operating system. First, this section describes some of the most common threats that affect Web server security. Then, this document provides prescriptive guidance about making your Web server more secure against such attacks.
IIS 6.0 takes a more proactive stance against malicious users and attackers by making the following changes from earlier versions of IIS:
• IIS 6.0 is not installed by default when you install Windows Server 2003, Standard Edition.
• When IIS 6.0 is first installed, your Web server serves, or displays, only static Web pages (HTML), which reduces the risk posed by serving dynamic, or executable, content.
• The World Wide Web Publishing Service (WWW service) is the only service that is enabled by default when IIS 6.0 is first installed. You can enable the specific services you need, when you need them.
• ASP and ASP.NET are disabled by default when IIS 6.0 is first installed.
• For additional protection, all of the default security configuration settings in IIS 6.0 meet or exceed the security configuration settings made by the IIS Lockdown Tool. The IIS Lockdown Tool, which was designed to reduce the attack surface of Web servers by disabling unnecessary features, runs on earlier versions of IIS. For more information about the IIS Lockdown Tool, see "Securing Internet Information Services 5.0 and 5." in the Security Guidance Kit.
Because the default settings in IIS 6.0 disable many of the features that are commonly used by Web services, this document explains how to configure additional features of your Web server while reducing the extent to which your server is exposed to potential attackers.
This document provides the following guidance for increasing the security of your Web server:
• Reducing the attack surface, or the extent to which your server is exposed to potential attackers, of your Web server
• Configuring user and group accounts for anonymous access
• Securing files and directories from unauthorized access
• Securing Web sites and virtual directories from unauthorized access
• Configuring Secure Sockets Layer (SSL) on your Web server
Important: All of the step-by-step instructions that are included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
After you complete the procedures in this document, your Web server will be able to serve dynamic content in the form of .asp pages, and it will still have significant protection from the following types of attacks that sometimes threaten Internet-facing servers:
• Profiling attacks that gather information about your Web site, which can be reduced by blocking unneeded ports and disabling unneeded protocols.
• Denial-of-service attacks that flood your Web server with requests, which can be minimized by applying security patches and software updates.
• Unauthorized access by a user without the correct permissions, which can often be thwarted by configuring Web and NTFS permissions.
• Arbitrary execution of malicious code on your Web server, which can be minimized by preventing access to system tools and commands.
• Elevation of privileges that allows a malicious user to use a high-privileged account to run programs, which can be minimized by using least-privileged service and user accounts.
• Damage from viruses, worms, and Trojan horses, which can be contained by disabling unneeded functionality, using least-privileged accounts, and promptly applying the latest security patches.
Note: Because securing a Web server is a complex and ongoing process, complete security cannot be guaranteed.
This section explains the system prerequisites and the characteristics of the Web server that are described in this document.
The Web server that is used as an example in this document has the following system requirements:
• The server is running Windows Server 2003, Standard Edition.
• The operating system is installed on an NTFS partition. For information about NTFS, search for "NTFS" in Help and Support Center for Windows Server 2003.
• All of the required patches and updates for Windows Server 2003 have been applied to the server. To verify that the latest security updates are installed on your Web server, go to the Windows Update page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22630 and have Windows Update scan your server for available updates.
• Windows Server 2003 security safeguards have been applied to the server.
This document provides introductory information that can help you take the first steps to configure a more secure Web server. However, to make your Web server as secure as possible, you must understand the operation of the applications that run on the server. This document does not contain information about application-specific security configuration.
The Web server that is used as an example in this document has the following characteristics:
• The Web server is running IIS 6.0 in worker process isolation mode.
• The Web server hosts one Internet-facing Web site.
• The Web server is behind a firewall, which allows traffic on only HTTP Port 80 and HTTPS Port 443.
• The Web server is a dedicated Web server, which is a server that is only being used as a Web server and not for other purposes, such as a file server, print server, or database server running Microsoft SQL Server™.
• Anonymous access to the Web site is permitted.
• The Web server serves HTML and ASP pages.
• FrontPage® 2002 Server Extensions from Microsoft are not configured on the Web server.
• The applications on the Web server do not require database connectivity.
• The Web server does not support FTP (file uploading and downloading), SMTP (e-mail), or NNTP (newsgroup) protocols.
• The Web server does not use Internet Security and Acceleration Server.
• An administrator must log on locally to administer the Web server.
Begin the process of securing your Web server by reducing its attack surface, or the extent to which your server is exposed to potential attackers. For example, enable only those components, services, and ports that are necessary for your Web server to operate correctly.
Host enumeration attacks scan the network to determine the IP address of potential targets. To reduce the likelihood of successful host enumeration attacks against Internet-facing ports on your Web server, disable all network protocols except Transmission Control Protocol (TCP). Web servers do not require Server Message Block (SMB) or NetBIOS on their Internet-facing network adapters.
This section provides the following step-by-step instructions for reducing the attack surface of your Web server:
• Disabling SMB on an Internet-facing connection
• Disabling NetBIOS over TCP/IP
Note: When you disable SMB and NetBIOS, the server cannot function as a file server or a print server, no network browsing is possible, and you cannot manage the Web server remotely. If your server is a dedicated Web server that requires administrators to log on locally, these restrictions should not affect the operation of the server.
SMB uses the following ports:
• TCP port 139
• TCP and UDP port 445 (SMB Direct Host)
NetBIOS uses the following ports:
• TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)
• TCP and UDP port 138 (NetBIOS datagram service)
• TCP and UDP port 139 (NetBIOS session service)
Disabling only NetBIOS will not prevent SMB communication because SMB uses TCP port 445 (known as the SMB Direct Host) if a standard NetBIOS port is unavailable. You must disable NetBIOS and SMB separately.
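The port list above is also the basis for a quick check after the two procedures have been run: if anything is still bound to 137, 138, 139 or 445, one of the two steps was missed. The following script is an added example, not part of the Microsoft document; it parses the text that `netstat -an` prints on a Windows host and reports any SMB or NetBIOS listener. The embedded `netstat` output is constructed for the example (the address 192.0.2.10 is a documentation address, not a real server), and the function names are the example's own.

```python
import re
import subprocess

# Ports the document lists for SMB (139, 445) and NetBIOS over TCP/IP (137-139).
SMB_NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed sample of "netstat -an" output (not a real capture). It shows the
# Web listeners the server needs plus the SMB/NetBIOS listeners that the
# procedures in this section are meant to remove.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
  UDP    0.0.0.0:445            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def find_smb_netbios_listeners(netstat_text):
    """Return sorted (proto, address, port) tuples for SMB/NetBIOS listeners.

    A TCP socket counts only in the LISTENING state (an ESTABLISHED line is a
    connection, not a listener). UDP has no state column, so every UDP line on
    one of the ports is reported.
    """
    found = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, addr, port, state = match.group(1), match.group(2), int(match.group(3)), match.group(4)
        if port not in SMB_NETBIOS_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, addr, port))
    return sorted(found)


def smb_and_netbios_disabled(netstat_text):
    """True when nothing is bound to ports 137, 138, 139 or 445."""
    return not find_smb_netbios_listeners(netstat_text)


if __name__ == "__main__":
    # On a Windows host, run the real command; otherwise fall back to the sample.
    try:
        output = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_NETSTAT
    for proto, addr, port in find_smb_netbios_listeners(output):
        print(f"{proto} {addr}:{port} is still bound; SMB or NetBIOS is not fully disabled")
```

Run it after the restart that the NetBIOS procedure requires; on the sample it reports five bindings (TCP 445, TCP 139, UDP 137, UDP 138, UDP 445), which is exactly the state the two procedures exist to remove.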
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer, System Tools, and Device Manager.
• To disable SMB on an Internet-facing connection
• To disable NetBIOS over TCP/IP
Note: Screenshots in this document reflect a test environment and the information might differ from the information that is displayed on your screen.

The preceding procedure disables the SMB direct-hosted listener on TCP port 445 and UDP port 445. It also disables the Nbt.sys driver and requires that you restart the system.
Verify that the appropriate security settings have been applied to your Web server.
• To verify that SMB is disabled
• To verify that NetBIOS is disabled
IIS 6.0 includes subcomponents and services in addition to the WWW service, such as the FTP service and the SMTP service. To minimize the risk of attacks that target specific services and subcomponents, it is recommended that you select only the services and subcomponents that your Web sites and Web applications need to run correctly.
The following table shows the recommended settings in Add or Remove Programs for IIS subcomponents and services on the Web server used as an example in this document.
Recommended settings for IIS subcomponents and services
| Subcomponent or Service | Default Setting | Web Server Setting |
|---|---|---|
| Background Intelligent Transfer Service (BITS) server extension | Disabled | No change |
| Common Files | Enabled | No change |
| FTP Service | Disabled | No change |
| FrontPage 2002 Server Extensions | Disabled | No change |
| Internet Information Services Manager | Enabled | No change |
| Internet Printing | Disabled | No change |
| NNTP Service | Disabled | No change |
| SMTP Service | Enabled | Disabled |
| World Wide Web Service | Enabled | No change |
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Add or Remove Programs.
• To configure IIS components and services
Verify that the appropriate security settings have been applied to your Web server.
• To verify that IIS components and services are selected
A Web server that serves dynamic content requires Web service extensions. Each type of dynamic content corresponds to a specific Web service extension. For security reasons, IIS 6.0 allows you to enable and disable individual Web service extensions, so only those extensions required by your content are enabled.
CAUTION: Do not enable all of the Web service extensions. Although doing so ensures the highest possible compatibility with existing Web sites and applications, the attack surface of your Web server is greatly increased. You might need to test your Web sites and applications individually to ensure that you enable only the Web service extensions that are necessary.
Suppose the Web server is configured to serve the Default.asp file as its default page. Although the default page is configured, you must enable the Active Server Pages Web service extension to view the .asp page.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Internet Information Services (IIS) Manager (Iis.msc).
• To enable the Active Server Pages Web service extension

Verify that the appropriate security settings have been applied to your Web server.
• To verify that the Active Server Pages Web service extension is enabled
It is recommended that you remove unused accounts because an attacker might discover these accounts and use them to gain access to data and Web applications on your server. Always require strong passwords — weak passwords increase the likelihood of a successful brute force or dictionary attack, in which an attacker tries to guess passwords. Use accounts that run with least privilege. Otherwise, an attacker can gain access to unauthorized resources by using an account that runs with a high level of privilege.
This section provides the following step-by-step instructions for configuring accounts:
• Disabling unused accounts
• Isolating applications by using application pools
Unused accounts and their privileges can be used by an attacker to gain access to a server. You should periodically audit local accounts on the server and disable any accounts that are not being used. Disable accounts on a test server before you disable them on a production server to ensure that disabling an account does not adversely affect the way your application operates. If disabling the account does not cause any problems on the test server, disable the account on your production server.
Note: If you choose to delete an unused account instead of disabling it, be aware that you cannot recover a deleted account and that the Administrator account and the Guest account cannot be deleted. Also, be sure to delete the account on a test server before you delete it on your production server.
This section provides the following step-by-step instructions for deleting or disabling unused accounts:
• Disabling the Guest account
• Renaming the Administrator account
• Renaming the IUSR_ComputerName account
The Guest account is used when an anonymous connection is made to the Web server. During a default installation of Windows Server 2003, the Guest account is disabled. To restrict anonymous connections to your server, ensure that the Guest account remains disabled.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Computer Management.
• To disable the Guest account
The default local Administrator account is a target for malicious users because of its elevated privileges on the computer. To improve security, rename the default Administrator account and assign it a strong password.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer.
• To rename the Administrator account and assign a strong password
Caution: Do not use the Set Password menu item on the context menu to change the password unless you have forgotten the password and you do not have a password reset disk available. Using this method of changing the Administrator password might cause irreversible loss of information that is protected by this password.
The default anonymous Internet user account, IUSR_ComputerName, is created during IIS installation. The value of ComputerName is the NetBIOS name of your server when IIS is installed.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer.
• To rename the IUSR account
• To change the value for the IUSR account in the IIS metabase
Verify that the appropriate security settings have been applied to your Web server.
• To verify that an account is disabled
• To verify that an account is renamed
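Two of the settings this document has you change live in the metabase: the Web service extension list from the "Web service extensions" section, where only Active Server Pages should end up enabled, and the anonymous account name from the IUSR procedure just above. The script below is an added example (not Microsoft's code) that reads both out of a MetaBase.xml file and reports anything that departs from the document's target state. The embedded metabase fragment is constructed; it follows the IIS 6.0 layout as assumed here, namely an IIsWebService node at /LM/W3SVC whose WebSvcExtRestrictionList attribute holds one entry per line in the form Allowed,Path,UIDeletable,GroupID,Description, with Allowed equal to 1 for an enabled extension. The node and attribute names are real IIS 6.0 metabase names; the account name IUSR_WEB01 and the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml fragment (not copied from any real server).
# Entries in WebSvcExtRestrictionList are separated by CR/LF, which the
# metabase stores as the character references &#xD;&#xA; (assumed format).
SAMPLE_METABASE = (
    '<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">\n'
    '<MBProp>\n'
    '<IIsWebService Location="/LM/W3SVC"\n'
    '    AnonymousUserName="IUSR_WEB01"\n'
    '    WebSvcExtRestrictionList="0,*.dll&#xD;&#xA;'
    '1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages&#xD;&#xA;'
    '0,C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll,0,HTTPODBC,Internet Data Connector&#xD;&#xA;'
    '0,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,0,SSINC,Server Side Includes" />\n'
    '</MBProp>\n'
    '</configuration>\n'
)


def _web_service_node(xml_text):
    """Find the /LM/W3SVC node; tags carry the metabase namespace, so match the local name."""
    root = ET.fromstring(xml_text)
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == "IIsWebService":
            return node
    raise ValueError("no IIsWebService node in metabase")


def anonymous_user_name(xml_text):
    """Account IIS uses for anonymous requests (the renamed IUSR_ComputerName)."""
    return _web_service_node(xml_text).get("AnonymousUserName")


def web_service_extensions(xml_text):
    """Return {GroupID: (enabled, path, description)} from the restriction list."""
    raw = _web_service_node(xml_text).get("WebSvcExtRestrictionList", "")
    result = {}
    for entry in re.split(r"[\r\n]+", raw):
        fields = entry.split(",", 4)  # description may itself contain commas
        if len(fields) < 5:
            continue  # wildcard entries such as "0,*.dll" carry no GroupID
        allowed, path, _deletable, group_id, description = fields
        result[group_id] = (allowed == "1", path, description)
    return result


def enabled_extensions(xml_text):
    return sorted(gid for gid, (enabled, _p, _d) in web_service_extensions(xml_text).items() if enabled)


def audit(xml_text, expected_enabled=("ASP",)):
    """Findings against the document's target state: only ASP enabled, IUSR renamed."""
    findings = []
    user = anonymous_user_name(xml_text)
    if user is None or user.startswith("IUSR_"):
        findings.append(f"anonymous account still uses the default IUSR_ name: {user}")
    for group_id in sorted(set(enabled_extensions(xml_text)) - set(expected_enabled)):
        findings.append(f"unexpected Web service extension enabled: {group_id}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METABASE
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Pass the path of a copy of MetaBase.xml as the first argument; on the sample the only finding is that the anonymous account still carries the default IUSR_ prefix, which is what the renaming procedure above changes.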
Using IIS 6.0, you can isolate applications into application pools. An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Using application pools can help improve the reliability and security of your Web server because each application operates independently of the others.
Every running process on a Windows operating system has a process identity, which determines how the process accesses the resources on the system. Every application pool also has a process identity, which is an account that runs with the minimum permissions your application requires. This process identity can be used to allow anonymous access to your Web site or applications.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer.
• To create an application pool
• To assign a Web site or application to an application pool

Verify that the appropriate security settings have been applied to your Web server.
• To verify that an application pool was created
• To verify that a Web site or application is assigned to a specific application pool
Use strong access controls to help protect sensitive files and directories. In most situations, allowing access to specific accounts is more effective than denying access to specific accounts. Set access at the directory level whenever possible. As files are added to the folder, they inherit permissions from the folder, so you do not need to take further action.
This section provides the following step-by-step instructions for configuring security for files and directories:
• Relocating and setting permissions for IIS log files
• Configuring IIS metabase permissions
• Disabling the FileSystemObject component
To increase the security of the IIS log files, you should relocate the files to a non-system drive that is formatted to use the NTFS file system. This location should not be the same as the location of your Web site content.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer and Internet Information Services (IIS) Manager (Iis.msc).
• To move the location of the IIS log files to a non-system partition
Note: If you already have IIS log files in the original location at Windows\System32\Logfiles, you must move these files to the new location manually. IIS does not move those files for you.
• To set ACLs on IIS log files
Verify that the appropriate security settings have been applied to your Web server.
• To verify that log files are moved and permissions are set
The IIS metabase is an XML file that contains most of the IIS configuration information.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer and the MetaBase.xml file.
• To restrict access to the MetaBase.xml file
Verify that the appropriate security settings have been applied to your Web server.
• To verify restricted access to the MetaBase.xml file
ASP, Windows Script Host, and other scripting applications use the FileSystemObject (FSO) component to create, delete, gain information about, and manipulate drives, folders, and files. Consider disabling the FSO component, but be aware that this will also remove the Dictionary object. Also, verify that no other programs require this component.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Command prompt.
• To disable the FileSystemObject component
Relocate Web root directories and virtual directories to a non-system partition to help protect against directory traversal attacks. These attacks allow an attacker to execute operating system programs and tools. Because it is not possible to traverse across drives, relocating Web site content to another drive offers added protection against these attacks.
This section provides the following step-by-step instructions for securing Web sites and virtual directories:
• Moving your Web site content to a nonsystem drive
• Configuring Web site permissions
Do not use the default \Inetpub\Wwwroot directory as the location for your Web site content. For example, if your system is installed on the C: drive, consider moving your site and content directory to the D: drive in order to mitigate the risks associated with directory traversal attacks, in which an attacker attempts to browse the directory structure of a Web server. Be sure to verify that all virtual directories point to the new drive.
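The reason a separate drive helps is mechanical: a path can climb to the root of its own drive with `..` segments but can never cross to another drive letter, so content on D: cannot be used to reach system tools on C:. The following added example (not from the Microsoft document) makes that visible with Python's `ntpath` module, which applies Windows path rules on any platform. It resolves the same request against a Web root on the system drive and against one on D:, shows which drive each resolved path ends up on, and includes the containment check a request handler should apply regardless of drive. The Web root paths, the assumption that C: is the system drive, and the function names are the example's own.

```python
import ntpath

SYSTEM_DRIVE = "C:"  # assumed system drive, matching the document's example


def resolve_request(web_root, request_path):
    """Map a URL path onto the file system the way a naive handler would.

    Windows path normalization collapses ".." segments but stops at the root
    of the drive; extra ".." segments are simply dropped, never carried to
    another drive.
    """
    relative = request_path.lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(web_root, relative))


def is_within_root(web_root, resolved):
    """Containment check: the resolved path must stay under the Web root."""
    root = ntpath.normcase(ntpath.normpath(web_root)).rstrip("\\") + "\\"
    return ntpath.normcase(resolved).startswith(root)


def lands_on_system_drive(resolved, system_drive=SYSTEM_DRIVE):
    """True when the resolved path is on the drive that holds the operating system."""
    drive, _ = ntpath.splitdrive(resolved)
    return drive.upper() == system_drive.upper()


def classify(web_root, request_path):
    """Describe where a request would land if the handler had no containment check."""
    resolved = resolve_request(web_root, request_path)
    if is_within_root(web_root, resolved):
        return "inside web root"
    if lands_on_system_drive(resolved):
        return "escaped to system drive"
    return "escaped but stayed on non-system drive"


if __name__ == "__main__":
    request = "/../../../Windows/System32/cmd.exe"  # constructed traversal request
    for root in ("C:\\Inetpub\\wwwroot", "D:\\WebSites\\Site1"):
        print(f"{root}: {resolve_request(root, request)} -> {classify(root, request)}")
```

Against the default C:\Inetpub\wwwroot the request resolves to C:\Windows\System32\cmd.exe; against a D: root it resolves to D:\Windows\System32\cmd.exe, a path that does not exist. The `is_within_root` check rejects both, which is the behaviour to rely on in code; the drive move is the defence for the cases where such a check is absent or wrong.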
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Internet Information Services (IIS) Manager (Iis.msc) and a command prompt.
• To move your Web site content to a nonsystem drive
Verify that the appropriate security settings have been applied to your Web server.
• To verify that Web site content has been moved to a nonsystem drive
• To delete your Web site content from the system drive
Verify that the appropriate security settings have been applied to your Web server.
• To verify that Web site content has been deleted from the system drive
You can configure access permissions for your Web server for specific sites, directories, and files. These permissions apply to all users regardless of their specific access rights.
IIS 6.0 relies on NTFS permissions to help protect individual files and directories from unauthorized access. Unlike Web site permissions, which apply to anyone who tries to access your Web site, you can use NTFS permissions to define which users can access your content and how those users are allowed to manipulate that content. For improved security, use both Web site permissions and NTFS permissions.
Access control lists (ACLs) indicate which users or groups have permission to access or modify a particular file. Instead of setting ACLs on each file, create new directories for each file type, set ACLs on each directory, and then allow the files to inherit those permissions from the directory in which they reside.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: My Computer and Internet Information Services (IIS) Manager (Iis.msc).
• To move Web site content into a separate folder
Note: If you have created links to these pages, you must update the links to reflect the new location of the site content.
• To set permissions for Web content
If a child node of the directory whose Web site permissions you changed has its own setting for a particular option, the child node's setting overrides the one you set at the directory level. To make the directory-level Web site permissions apply to those child nodes, select them in the Inheritance Overrides box.
Verify that the appropriate security settings have been applied to your Web server.
• To verify that write access is denied to Web site content directories
Configure Secure Sockets Layer (SSL) security features on your Web server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions. SSL security relies on a server certificate that allows users to authenticate your Web site before they transmit personal information, such as a credit card number. Each Web site can have only one server certificate.
Certificates are issued by non-Microsoft organizations called certification authorities (CAs). The server certificate is typically associated with your Web server, specifically with the Web site where you have configured SSL. You must generate a request for a certificate, send the request to the CA, and then install the certificate after you receive it from the CA.
Certificates rely on a pair of encryption keys — one public and one private — to enforce security. When you generate a request for a server certificate, you are actually generating the private key. The server certificate you receive from the CA contains the public key.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Internet Information Services (IIS) Manager (Iis.msc) and Web Server Certificate Wizard.
• To generate a request for a server certificate
• To submit a request for a server certificate
When you receive the certificate from your CA, you are ready to install the certificate on your Web server.
• To install a server certificate
Verify that the appropriate security settings have been applied to your local computer.
• To verify that a certificate is installed on a Web server
After you install the server certificate, you must enforce SSL connections on your Web server. Then, you must enable SSL connections.
• Credentials: You must be logged on as a member of the Administrators group on the Web server.
• Tools: Internet Information Services (IIS) Manager (Iis.msc).
• To enforce SSL connections
• To enable SSL connections on your Web server
Verify that the appropriate security settings have been applied to your Web server.
• To verify SSL connections on your Web server
For more information about securing IIS 6.0, see the following:
• "Security Enhancements in Internet Information Services 6.0" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22800.
• "Configuring Application Isolation on Windows Server 2003 and Internet Information Services (IIS) 6.0" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22801.
• TechNet Webcast: Securing Internet Information Services (IIS) on the Microsoft Events and Webcasts Web site at http://go.microsoft.com/fwlink/?LinkId=22802.
For more information about IIS 6.0, see the following:
• Internet Information Services (IIS) 6.0 Resource Kit on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=22803.
• Internet Information Services technology page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22804.
• "Technical Overview of Internet Information Services (IIS) 6.0" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22805.