
Installation

The first step in setting up a secure IIS is to ensure that the system on which it is being installed is secure. This includes locking out all extra accounts, tightening down who has access to what, ensuring the hard drive is formatted with NTFS, and more. This chapter will review the security precautions that must be met before and during the secure installation of IIS.

Preinstall Checklist

Before installing IIS, the system must be configured securely and all extra components that could cause unauthorized access must be removed. The following lists the preventative measures you need to take and describes each one in detail.

Ensure that the hard drive is formatted using NTFS.

Windows .NET Server can be installed using the FAT32 or NTFS file system. While FAT32 is thought to be the faster of the two, NTFS is much more secure, because NTFS allows the user to control every aspect of a system's security, all the way down to the file level. Using NTFS, an Administrator can set permissions on a file such as read only, no access, or full access. Using these permissions, an Administrator can also log who tries to access which files and whether or not they were successful. This type of micromanagement may seem overly cautious, but the best way to repair a computer after it has been compromised is to use the details provided by NTFS's logging ability.

Install the IIS behind closed doors and isolated from the Internet.

While this may seem paranoid, a hacker can scan a computer within 15 minutes or less of it being connected to the Internet for the first time. While IIS can be locked down fairly securely, during the time it takes to lock it down a hacker could have the time to install a Trojan, which would make any further attempts to secure the IIS meaningless.

In addition, another common belief among computer security experts is that the biggest threat to the security of a computer comes from inside the trusted domain, rather than from outside (i.e., the Internet). In high security environments, it is essential to build the IIS system within a controlled environment. Otherwise, the system could be compromised.

Install IIS in its own domain with no trusts.

When Windows .NET Server is installed, it should be in its own domain and have no other trusts with other domains. This prevents a hacker from relaying an attack farther into a network in case the computer running IIS is compromised.

Install IIS on a standalone server that is responsible for no other services.

Installing additional programs on an IIS (e.g., SQL Server or Exchange) will create more opportunities for a hacker to breach the security of the network. IIS has programming errors that lead to vulnerabilities, as do all programs. By adding programs to the server, a computer's chance of having a weakness grows exponentially. This is because many of these programs interact with each other and can escalate an individual, low-level security weakness into multiple, severe weaknesses.

Partition the hard drive so each service (e.g., WWW, FTP) is on its own volume.

By partitioning the hard drive so each service has its own volume or drive, a hacker can be stopped from using path traversal weaknesses that result from Unicode or other types of vulnerabilities. Simple sequences such as "/../" have been known to give hackers the ability to travel up the folder structure and access sensitive files such as boot.ini or script files. Using different drives stops the hacker at the root of the drive.

Ensure TCP/IP is the only protocol installed on the computer.

The Internet uses TCP/IP as its primary method of data transfer. Although there are situations where other protocols (e.g., IPX) may be necessary, adding these protocols increases the risk by adding complexity to the security policy.

Ensure IP routing is, and remains, disabled.

Microsoft has built a VPN solution into its operating system. However, this and other technologies require that the gateway device from the Internet to the internal network be able to pass data. Windows .NET Server has this ability, but it should be disabled if the computer is to be an IIS server. When enabled, the chance for a successful hack is greatly increased because a hacker can pass data into a network and internal computers can pass data directly out of a network.

Ensure file and print sharing for Microsoft networks is installed for NNTP or SMTP services.

If SMTP or NNTP will be installed, the Server service will be required. Thus, file and print sharing for Microsoft networks must be installed. If it is not, the Server service will not show up in the available services.

Unattended Installation

Once the requisite security measures have been met, it is time to install the IIS server. The best option for maintaining security is to use an unattended installation. This is because the only way to set up the FTPROOT and WWWROOT folders on different drives is to configure an Unattended Install file and allow the installation wizard to use it to set up and configure the IIS. Figure 13.1 illustrates an example of an Unattended Installation file that will install the IIS software on the C: drive, FTPROOT on E:, and WWWROOT on F:. As you can see, this installation file that was saved on the C: drive places the ROOT folders in an INETPUB directory. Although not a serious security risk, it is better to use a less obvious name.

Figure 13.1 A sample Unattended Installation file.

Once the file has been created and put in an easily referenced location, start the install by following the subsequent instructions.

  1. Click Start > Programs > Accessories > Command Prompt to open an MS-DOS window.

  2. Type sysocmgr /i:%windir%\inf\sysoc.inf /u:a:\iis5.txt, replacing a:\iis5.txt with the drive, directory, and file name you used to save the Unattended Install file, as shown in Figure 13.2.

    Figure 13.2 C:\WINDOWS\System32\command.com.

  3. After pressing Enter, you will see a series of windows (after a Please wait window, shown in Figure 13.3) informing you of the status of the installation.

    Figure 13.3 Brief window before the installation wizard starts.

    TIP

    In order to install IIS, you will need to have a Windows CD-ROM or an image of the CD available to the destination computer.

  4. As the IIS installer loads the program, you will see several screens, one of which is shown in Figure 13.4, describing the status of the installation.

    Figure 13.4 IIS Installation window.

Following is a list of many of the status messages you will see.

  • Building file list

  • Examining installed files

  • Copying files

  • Installing Internet Information Services

Once the installation is complete, the Windows Component Wizard window will close and you will be at the screen from which you originally started.
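The following PowerShell script is an added example; it is not the book's Figure 13.1 file and not Microsoft's own tooling. It writes an unattended-install file of the kind described above, refuses to continue unless FTPROOT and WWWROOT sit on two different non-system volumes (the partitioning advice from the checklist), and then runs the sysocmgr command from step 2. The [Components] and [InternetServer] section names, the iis_* component IDs and the PathFTPRoot/PathWWWRoot keys are assumed from the sysocmgr answer-file format; the paths are constructed for the example.

```powershell
# Added example, not from the book. Assumes the sysocmgr answer-file sections
# [Components] and [InternetServer] and the PathFTPRoot/PathWWWRoot keys;
# check them against the sysoc.inf documentation for your Windows media.
$AnswerFile = 'C:\Setup\iis-unattend.txt'   # constructed; keep it outside the Web roots
$FtpRoot    = 'E:\SrvData\ftproot'           # constructed; less obvious than Inetpub, as the chapter advises
$WwwRoot    = 'F:\SrvData\wwwroot'

# The chapter's partitioning advice: each content root on its own volume,
# and neither on the system drive, so path traversal stops at the drive root.
$drives = foreach ($r in $FtpRoot, $WwwRoot) { (Split-Path -Path $r -Qualifier).ToUpper() }
if (($drives | Select-Object -Unique).Count -ne 2 -or $drives -contains $env:SystemDrive.ToUpper()) {
    throw "FTPROOT and WWWROOT must be on two different volumes, neither of them $env:SystemDrive"
}

$answer = @"
[Components]
iis_common=on
iis_inetmgr=on
iis_www=on
iis_ftp=on
iis_smtp=off
iis_nntp=off

[InternetServer]
PathFTPRoot=$FtpRoot
PathWWWRoot=$WwwRoot
"@

New-Item -ItemType Directory -Path (Split-Path -Path $AnswerFile -Parent) -Force | Out-Null
Set-Content -Path $AnswerFile -Value $answer -Encoding Ascii

# Step 2 of the chapter, with the answer-file path substituted for a:\iis5.txt.
& "$env:windir\system32\sysocmgr.exe" "/i:$env:windir\inf\sysoc.inf" "/u:$AnswerFile"
```

Because the content roots are named in the file rather than accepted as defaults, the script also avoids the Inetpub name the chapter calls "too obvious"; change the two root variables to whatever volumes you partitioned for WWW and FTP.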

Post-Installation

Once the IIS has been successfully installed, the real work begins. At this point the program is installed; however, there are many holes to seal and procedures to carry out before the installed server is securely locked down.

User Accounts

The first thing that should be done is to remove the "Everyone" and "Guests" groups from the folders containing the IIS files. This is because IIS allows these groups full control of the publication directory (i.e., C:\Inetpub). These accounts, in combination with the knowledge that a typical installation places the Inetpub directory on the same drive as the key system files, can be used by hackers to gain unauthorized access to the files residing on the system.

To remove these dangerous groups, perform the following steps:

  1. Find the Inetpub directory.

  2. Right-click on the Inetpub folder and click Properties.

  3. Click on the Security tab, shown in Figure 13.5.

    Figure 13.5 Inetpub folder properties.

  4. Click on the group or user to delete and then click Remove.

The next user issue that needs attention is the IUSR_computername account. This default account is created during the installation of IIS. It is used by anonymous Web users to request information from the host computer. Therefore, this account needs special consideration and its privileges should be closely reviewed. If the IIS is to be used within a secure network only, it is recommended that the account be disabled. This forces all users to supply a valid user name and password before requesting information from the server.

To adjust the privileges:

  1. Click Start > Settings > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users and right-click on the IUSR_computername account.

  2. In the IUSR_computername Properties window, ensure that the User cannot change password option is checked as well as Password never expires.

  3. If the IIS is to be used in a secure network only, also check Account is disabled. See Figure 13.6.

    Figure 13.6 IUSR_computername Properties window.

  4. Click OK to save the changes.

  5. Next click Local Users and Groups > Users and double-click the Guests group.

  6. Highlight the IUSR_computername account and click Remove. See Figure 13.7.

    Figure 13.7 Removing IUSR_computername from Guest accounts.

In addition to these rights, the account should only be listed as a local account, not a domain-wide account, and it must have the right to log on locally. These settings are set up upon installation and should not need adjustment. However, you should remove the right to Access this computer from the network and the Log on as a batch job rights that are enabled.

To change account rights:

  1. Click Start > Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies.

  2. Double-click on the right to be adjusted.

  3. Click on the IUSR_computername account and click Remove. See Figure 13.8.

    Figure 13.8 Removing the Access this computer from the network right for the IUSR_computername account.

  4. Click OK or Apply to save the changes.

Once the existing accounts have been altered or removed to maximize security, it is recommended that you create two new groups: IISUsers and IISAdmins. Once created, they can be populated with individual accounts. By controlling permissions and rights at the group level, it becomes easier to monitor and adjust who has rights to which resources. If the server is to host several client sites, you should create an IISAdmins group for each site and use the IISUsers group to hold the IUSR_computername account and any other accounts that are to be used exclusively for Web read-only access. These groups can then be used to assign individual accounts separate rights.

Once these groups are created, add the IUSR_computername account to the IISUsers group and any administrative accounts to the IISAdmins group. These groups will be used to control the NTFS permissions that are set on each file and folder on a hard drive formatted with NTFS.
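The account, group and user-right changes of the three procedures above can be scripted so that they are applied identically on every server and can be re-audited later. The PowerShell below is an added example, not the book's or Microsoft's; it assumes PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, an elevated prompt, and that the anonymous account is named IUSR_<computername>. Local Security Policy rights have no cmdlet, so the script uses secedit to export the USER_RIGHTS area, edits the two privilege lines, and imports the result.

```powershell
# Added example, not from the book. Needs PowerShell 5.1 (LocalAccounts module)
# and an elevated prompt; the account name IUSR_<computername> is assumed.
$Anon         = "IUSR_$env:COMPUTERNAME"
$InternalOnly = $false   # set $true only when the server serves a secure internal network

# IUSR_computername Properties: password cannot be changed, never expires,
# and (internal-only servers) the account is disabled so every request must authenticate.
Set-LocalUser -Name $Anon -PasswordNeverExpires $true -UserMayChangePassword $false
if ($InternalOnly) { Disable-LocalUser -Name $Anon }

# Remove the account from the Guests group.
if (Get-LocalGroupMember -Group 'Guests' -Member $Anon -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Guests' -Member $Anon
}

# Create IISUsers and IISAdmins and populate them.
foreach ($g in 'IISUsers', 'IISAdmins') {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description "IIS $g group" | Out-Null
    }
}
Add-LocalGroupMember -Group 'IISUsers' -Member $Anon -ErrorAction SilentlyContinue
# Add-LocalGroupMember -Group 'IISAdmins' -Member 'webadmin'   # your Web administrator accounts

# User rights have no cmdlet: export the policy with secedit, strip the account
# from "Access this computer from the network" (SeNetworkLogonRight) and
# "Log on as a batch job" (SeBatchLogonRight), and import the result.
$sid = (Get-LocalUser -Name $Anon).SID.Value
$cfg = Join-Path $env:TEMP 'iusr-rights.inf'
$db  = Join-Path $env:TEMP 'iusr-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg | ForEach-Object {
    if ($_ -match '^(SeNetworkLogonRight|SeBatchLogonRight)\s*=') {
        $key, $members = $_ -split '=', 2
        # secedit lists principals as *SID or as plain names; drop either form of the account.
        $keep = ($members -split ',') | ForEach-Object { $_.Trim() } |
                Where-Object { $_ -and $_ -ne "*$sid" -and $_ -ne $Anon }
        "$($key.Trim()) = $($keep -join ',')"
    } else { $_ }
}
Set-Content -Path $cfg -Value $policy -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
```

Running `secedit /export /cfg <file> /areas USER_RIGHTS` again after the import is a cheap way to confirm that the two privilege lines no longer name the account.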

Services

During the installation of both Windows and IIS, numerous services are also installed that are not needed by the OS or any of the software used on the computer. Services are actually small programs that run in the background. They usually run at a low level and communicate directly with the hardware layer. Similar to daemons that run in the *nix environment, services not only use up memory, they also increase the chance that a computer becomes vulnerable to a hacker attack. Table 13.1 lists the services that are not needed by a standalone Web server. Note that some of the services are required if the computer is to participate in a network.

Table 13.1. Services Not Needed by a Standalone Web Server

Service Name                                  Additional Notes
--------------------------------------------  ----------------------------------------------------------------
Alerter
ClipBook Server
Computer Browser
DHCP Client
Distributed File System
Distributed Link Tracking Systems Client
FTP Publishing Service                        Disabled unless users require FTP services
IPSEC Policy Agent                            Disabled unless IPSEC policies will be used
Licensing Logging Service
Logical Disk Manager Administrator Service
Messenger
Net Logon                                     Disabled unless domain users are required to log on to the
                                              server; this service is required to communicate with the
                                              domain controller
Network DDE
Network DDE DSDM
Print Spooler
Remote Registry Service
Removable Storage
RPC Locator                                   Required if the user is doing remote administration
RunAs Service
Server Service                                Must be started if the server will run the SMTP or NNTP
                                              service of IIS, for administration purposes
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Windows Installer


Once a service is installed, it is configured to start in one of three ways:

  • Automatic: Used when the service needs to be started during the OS boot or when a program is initialized.

  • Manual: Used when the service is not needed during typical day-to-day operations, but may be started by the execution of another program.

  • Disabled: The service is turned off and configured to remain so even if a program attempts to start it.

To uninstall or disable a service:

  1. Click Start > Settings > Control Panel > Administrative Tools > Services (Figures 13.9 through 13.11).

    Figure 13.9 Windows .NET Server Services window.

    Figure 13.10 FTP Publishing Services Properties window.

    Figure 13.11 Network Connections Services Properties window.

  2. Right-click on the service to be adjusted.

  3. Select Stop to temporarily turn off the service (Note: The service will return to its default status as configured in Properties upon computer reboot).

  4. Select Properties to permanently adjust the service configuration.

  5. Under the Startup type menu, select the desired option.

    CAUTION

    Before disabling or stopping any service, check its dependencies to ensure that it is not required by any other services. If it is, the other services will not work properly. For example, the Internet Connection Firewall service requires the Network Connection service to run.
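The Services dialog procedure and the CAUTION above can be carried out for the whole of Table 13.1 at once. The PowerShell below is an added example, not from the book: it walks the table, honours the listed exceptions, checks each service's dependents before touching it (a service with a running dependent is skipped and reported, rather than breaking that dependent), and sets the Startup type to Disabled so the change survives a reboot. The display names are those of the Windows 2000/2003 services that correspond to the table's entries, which is an assumption (for instance the RunAs Service appears as "Secondary Logon"); anything not found is reported, not guessed.

```powershell
# Added example, not from the book. Display names are those of the Windows
# 2000/2003 services matching Table 13.1 (an assumption; names vary by
# version, so anything not found is reported rather than guessed).
$Unneeded = @(
    'Alerter', 'ClipBook*', 'Computer Browser', 'DHCP Client', 'Distributed File System',
    'Distributed Link Tracking Client', 'FTP Publishing Service', 'IPSEC*',
    'License Logging*', 'Logical Disk Manager Administrative Service', 'Messenger',
    'Net Logon', 'Network DDE', 'Network DDE DSDM', 'Print Spooler', 'Remote Registry*',
    'Removable Storage', 'Remote Procedure Call (RPC) Locator', 'Secondary Logon',   # RunAs Service
    'Server', 'Task Scheduler', 'TCP/IP NetBIOS Helper', 'Telephony', 'Windows Installer'
)
# Table 13.1 exceptions for this particular server: 'FTP Publishing Service' if FTP is
# offered, 'Server' for SMTP/NNTP, 'Net Logon' for domain logons, the RPC Locator for
# remote administration.
$KeepOnThisServer = @('FTP Publishing Service')

$report = foreach ($pattern in $Unneeded) {
    if ($KeepOnThisServer -contains $pattern) {
        [pscustomobject]@{ Service = $pattern; Action = 'kept (Table 13.1 exception)' }; continue
    }
    $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) {
        [pscustomobject]@{ Service = $pattern; Action = 'not found on this Windows version' }; continue
    }
    # The CAUTION above: never stop a service another running service depends on.
    $blockers = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($blockers.Count -gt 0) {
        [pscustomobject]@{ Service = $svc.DisplayName
                           Action  = "skipped, running dependents: $($blockers.DisplayName -join ', ')" }
        continue
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -ErrorAction Stop }
    Set-Service -Name $svc.Name -StartupType Disabled     # Startup type: Disabled (survives reboot)
    [pscustomobject]@{ Service = $svc.DisplayName; Action = 'stopped and disabled' }
}
$report | Format-Table -AutoSize
```

The report is the useful output: a "skipped" line tells you which dependent service still needs a decision before the table can be applied in full, which is exactly the check the CAUTION asks for.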

Securing the Metabase

One of the more commonly overlooked security risks in the operation of IIS is securing the metabase file. IIS uses the metabase file in the same way the operating system uses the registry: it holds the properties and settings that control IIS's operation.

The advantages of using the metabase file are threefold. First, since the metabase file is used exclusively by IIS, its information can be accessed faster. Second, because IIS is the only program that needs access to this file, the data in the metabase file can be secured through encryption. Finally, the metabase file can hold more detailed information than its counterpart, the registry.

While the data in the metabase file is safe from intruders, the file itself is not. In other words, if a hacker were to replace the original metabase file with a file of his or her own making, the hacker could shut down the IIS or compromise it by using another, less secure configuration.

In the case of the metabase file, the best security is obscurity. In other words, the file should be moved from its default location, \Winnt\system32\inetsrv, to another, less obvious location. The only change that needs to be made to the system to allow this action is to add a new key to the registry. To do this, follow the subsequent instructions.

CAUTION

The registry is a very sensitive part of the operating system. DO NOT make changes without knowing and understanding the outcome of these changes. In addition, you should ALWAYS make a backup of your registry the moment you open it, in case of a power loss or unrecoverable error.

  1. Turn off the IIS services.

  2. Move and/or rename the metabase.bin file.

  3. Click on Start > Run, type regedit, and click OK.

  4. Click File > Export and save a copy of the registry to a safe location.

    CAUTION

    Ensure the backup registry file is stored in a location not normally accessed by the computer's users. If the registry backup is inadvertently double-clicked, its contents will overwrite any changes made in the registry since the date the backup file was created.

  5. Locate the key named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters.

  6. With Parameters highlighted, click Edit > New > String Value (Figure 13.12).

    Figure 13.12 Creating a new registry key.

  7. When the New Value key appears, name it Metadata File.

  8. Double-click the Metadata File and enter the new location and name of the metabase.bin file, including the full path and file name.

  9. Close the registry.

This registry entry tells IIS where the configuration file is located when it starts up. Although this procedure will secure the file, it does assume that the registry is secure. If a hacker can gain access to the data stored in the registry through the unauthorized use of an Administrator or System account, the file can still be compromised.
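Steps 1 through 9 can be scripted, which also makes it natural to add the one thing the dialog walk-through leaves implicit: the relocated file should carry only the Administrators and System permissions that Table 13.2 later assigns to the metabase. The PowerShell below is an added example, not from the book; it assumes IIS 5/6 on a Windows .NET/2003-era host where the IISADMIN service owns the metabase, uses the registry key and "Metadata File" value named above, and the new location is a constructed example.

```powershell
# Added example, not from the book. Assumes IIS 5/6 (IISADMIN service owns
# MetaBase.bin); the registry key and value name are the ones the chapter gives.
$Default = Join-Path $env:windir 'system32\inetsrv\MetaBase.bin'
$NewPath = 'D:\SrvConfig\mb-config.bin'     # constructed: a less obvious name and location
$RegKey  = 'HKLM:\SOFTWARE\Microsoft\InetMgr\Parameters'

# 1. Turn off the IIS services (-Force also stops W3SVC/MSFTPSVC/SMTPSVC/NNTPSVC, which depend on IISADMIN).
Stop-Service -Name IISADMIN -Force

# 4. Registry backup, the equivalent of File > Export in regedit, kept out of user-accessible folders.
$backup = Join-Path $env:TEMP ("InetMgr-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export 'HKLM\SOFTWARE\Microsoft\InetMgr\Parameters' $backup | Out-Null

# 2. Move and rename the file, then restrict it to Administrators and SYSTEM
#    (the permissions Table 13.2 gives for the metabase), dropping inherited entries.
New-Item -ItemType Directory -Path (Split-Path -Path $NewPath -Parent) -Force | Out-Null
Move-Item -Path $Default -Destination $NewPath
$acl = Get-Acl -Path $NewPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and discard the inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $NewPath -AclObject $acl

# 5-8. Create (or overwrite) the "Metadata File" string value with the full new path.
if (-not (Test-Path -Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
New-ItemProperty -Path $RegKey -Name 'Metadata File' -Value $NewPath -PropertyType String -Force | Out-Null

# Bring IIS back; a failure here means the path or the permissions are wrong.
Start-Service -Name IISADMIN
foreach ($s in 'W3SVC', 'MSFTPSVC') { Start-Service -Name $s -ErrorAction SilentlyContinue }
```

As the paragraph above notes, this only moves the problem into the registry: the ACL on the InetMgr\Parameters key is what now protects the pointer, so it deserves the same review as the file.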

Backing Up/Restoring the Metabase

In addition to securing the Metabase, it is important to make regular backups in case the system falls prey to an attack, or simply crashes. There are three ways that the Metabase.bin file can be saved, which include the following:

  • Secure: The secure method uses the IIS snap-in to perform a backup of the metabase.bin file, which is then encrypted with a password. Only those with the correct password will have access to the data in the file.

  • Insecure: This method uses the IIS snap-in to perform a regular backup of the metabase.bin file. Anyone can restore the data in this file to an existing IIS installation.

  • Legacy: This method uses third-party programs or a simple batch file to copy and replace the metabase.bin file.

The following describes how to perform a secure and an insecure backup. If you wish to use a legacy program, consult that program's documentation.

Secure Backup

  1. Open the Internet Services Manager by selecting Start > Control Panel > Administrative Tools > Internet Information Services.

  2. Select the computer to back up.

  3. Click Action > All Tasks > Backup/Restore Configuration, shown in Figure 13.13.

    Figure 13.13 Backup/Restore Configuration menu selection.

  4. Click Create backup. See Figure 13.14.

    Figure 13.14 IIS Configuration Backup/Restore window.

  5. Enter backup name, check Encrypt backup using password, and enter a strong password. See Figure 13.15.

    Figure 13.15 Configuration Backup window.

Insecure Backup

  1. Open the Internet Services Manager by selecting Start > Control Panel > Administrative Tools > Internet Information Services.

  2. Select the computer to back up.

  3. Click Action > All Tasks > Backup/Restore Configuration.

  4. Click Create backup.

  5. Enter backup name and select OK.

Restore from Backup

Inevitably, you will need to restore the settings. This is a relatively simple task, but can take some time and will require the restarting of IIS.

To restore the metabase.bin settings:

  1. Open the Internet Services Manager by selecting Start > Control Panel > Administrative Tools > Internet Information Services.

  2. Select the computer to back up.

  3. Click Action > All Tasks > Backup/Restore Configuration.

  4. Click Restore.

  5. If required, enter password.
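The Secure and Insecure backups and the restore above are the snap-in's front end to the IIsComputer administration object, which can be driven from a script so that a password-protected backup is taken on a schedule rather than by hand. The PowerShell below is an added example, not from the book; it assumes IIS 5/6 with the IIS ADSI provider installed, and the method names (Backup, BackupWithPassword, Restore, RestoreWithPassword) and flag values it uses are assumed from the IIS administration-object reference and should be verified against your version. Backup names are constructed.

```powershell
# Added example, not from the book. Assumes IIS 5/6 with the IIS ADSI admin
# objects; method names and flag values are assumed from the IIS reference.
$NEXT_VERSION = -1     # MD_BACKUP_NEXT_VERSION (0xFFFFFFFF as a signed 32-bit value): next free version number
$SAVE_FIRST   = 1      # MD_BACKUP_SAVE_FIRST: flush in-memory metabase changes before copying
$iis = [ADSI]'IIS://localhost'

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Backup-Metabase {
    param([Parameter(Mandatory)][string]$Name, [System.Security.SecureString]$Password)
    if ($Password) {
        # Secure: the backup is encrypted with the password; restoring needs the same password.
        $iis.BackupWithPassword($Name, $NEXT_VERSION, $SAVE_FIRST, (ConvertTo-PlainText $Password))
    } else {
        # Insecure: anyone who can read the backup file can restore it into an IIS installation.
        $iis.Backup($Name, $NEXT_VERSION, $SAVE_FIRST)
    }
}

function Restore-Metabase {
    param([Parameter(Mandatory)][string]$Name, [int]$Version = 0, [System.Security.SecureString]$Password)
    # Restoring replaces the live configuration and, as the chapter notes, restarts IIS.
    if ($Password) { $iis.RestoreWithPassword($Name, $Version, 0, (ConvertTo-PlainText $Password)) }
    else           { $iis.Restore($Name, $Version, 0) }
}

function Get-MetabaseBackup {
    # Backups are written to %windir%\system32\inetsrv\MetaBack as <Name>.MD<version>.
    Get-ChildItem -Path (Join-Path $env:windir 'system32\inetsrv\MetaBack') -Filter '*.MD*' |
        Select-Object Name, Length, LastWriteTime
}

# Usage (constructed backup names):
Backup-Metabase -Name 'PreHardening' -Password (Read-Host -Prompt 'Backup password' -AsSecureString)
Backup-Metabase -Name 'QuickCopy'
Get-MetabaseBackup
# Restore-Metabase -Name 'PreHardening' -Version 0 -Password (Read-Host -Prompt 'Backup password' -AsSecureString)
```

The MetaBack folder itself sits under inetsrv, so an Insecure backup inherits whatever permissions that folder has; the Secure variant is the one to schedule unless the folder is restricted to Administrators and System.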

Using NTFS to Secure File Access

Once the accounts have been set up and the metabase.bin file made secure, the next step is to set up the NTFS permissions on the existing folders and files that were installed with the IIS.

This is a complicated process and takes a solid understanding of how IIS and Web users call upon and process files on the Web server. Table 13.2 provides us with an excellent map to securing the files used by IIS 5 or 6.

Table 13.2. Securing Files Used by IIS 5 or 6

Static Content
  Example directories:    \Inetpub\wwwroot\Images, \Inetpub\wwwroot\home, \Inetpub\ftproot\ftpfiles
  Data examples:          HTML, images, FTP downloads, etc.
  NTFS file permissions:  Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Authenticated Users (Read & Execute); Anonymous (Read & Execute)
  IIS 5.0 permissions:    Read

FTP Uploads (if required)
  Example directories:    \Inetpub\ftproot\dropbox
  Data examples:          Directory used as a place for users to store documents for review prior to the Admin making them available to everyone
  NTFS file permissions:  Administrators (Full Control); WebAdmins or FTPAdmins (Read & Execute, Write, Modify); Specified Users (Write)
  IIS 5.0 permissions:    Write

Script Files
  Example directories:    \Inetpub\wwwroot\scripts
  Data examples:          .ASP
  NTFS file permissions:  Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Anonymous: special access (Execute)
  IIS 5.0 permissions:    Scripts only

Other Executable and Include Files
  Example directories:    \WebScripts\executables, \WebScripts\Include
  Data examples:          .exe, .dll, .cmd, .pl, .inc, .shtml, .shtm
  NTFS file permissions:  Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Authenticated Users: special access (Execute); Anonymous: special access (Execute)
  IIS 5.0 permissions:    Scripts only or Scripts and Executables (depending on necessity)

Metabase
  Example directories:    \WINNT\system32\Inetsrv
  Data examples:          MetaBase.bin
  NTFS file permissions:  Administrators (Full Control); System (Full Control)
  IIS 5.0 permissions:    N/A


Once the user accounts and permissions for those accounts, services, and folder properties have been secured, it is time to move on to the IIS and its associated settings. The next few segments of this chapter describe in detail how to secure IIS Web and FTP servers.
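Table 13.2 and the earlier instruction to strip the Everyone and Guests groups from the Inetpub tree are one job, and a script applies them consistently across every directory. The PowerShell below is an added example, not from the book, using icacls: it first removes Everyone and Guests from the whole publication root, then for each row of the table breaks inheritance, removes any explicit Everyone/Guests grant, and sets exactly the table's entries. Assumptions: $Drive is the volume you chose for the content (the table shows paths without a drive letter); WebAdmins and FTPAdmins are the table's group names and must already exist (the chapter's IISAdmins is the natural substitute); the constructed group FtpUploaders stands in for "Specified Users"; the anonymous principal is IUSR_<computername>. The icacls rights used are F (Full Control), M (Modify, which includes Write), RX (Read & Execute), W (Write) and the specific right (X) for the table's "special access (Execute)".

```powershell
# Added example, not from the book. Applies Table 13.2 with icacls after
# removing Everyone/Guests. WebAdmins, FTPAdmins and FtpUploaders must exist;
# $Drive and the IUSR_<computername> name are assumptions.
$Drive = 'C:'
$Anon  = "IUSR_$env:COMPUTERNAME"

# User Accounts section: strip Everyone and Guests from the publication root and everything under it.
icacls "$Drive\Inetpub" /remove:g Everyone Guests /T | Out-Null

# Table 13.2, one row per entry. Rights: F full, M modify, RX read & execute, W write, (X) execute only.
$Table = @(
    @{ Path = "$Drive\Inetpub\wwwroot\Images";   Aces = 'Administrators:F', 'SYSTEM:F', 'WebAdmins:M', 'Authenticated Users:RX', "${Anon}:RX" }
    @{ Path = "$Drive\Inetpub\wwwroot\home";     Aces = 'Administrators:F', 'SYSTEM:F', 'WebAdmins:M', 'Authenticated Users:RX', "${Anon}:RX" }
    @{ Path = "$Drive\Inetpub\ftproot\ftpfiles"; Aces = 'Administrators:F', 'SYSTEM:F', 'WebAdmins:M', 'Authenticated Users:RX', "${Anon}:RX" }
    @{ Path = "$Drive\Inetpub\ftproot\dropbox";  Aces = 'Administrators:F', 'FTPAdmins:M', 'FtpUploaders:W' }
    @{ Path = "$Drive\Inetpub\wwwroot\scripts";  Aces = 'Administrators:F', 'SYSTEM:F', 'WebAdmins:M', "${Anon}:(X)" }
    @{ Path = "$Drive\WebScripts\executables";   Aces = 'Administrators:F', 'SYSTEM:F', 'WebAdmins:M', 'Authenticated Users:(X)', "${Anon}:(X)" }
    @{ Path = "$Drive\WebScripts\Include";       Aces = 'Administrators:F', 'SYSTEM:F', 'WebAdmins:M', 'Authenticated Users:(X)', "${Anon}:(X)" }
    @{ Path = "$env:windir\system32\inetsrv\MetaBase.bin"; Aces = 'Administrators:F', 'SYSTEM:F' }
)

function Set-TableAcl([hashtable]$Row) {
    $p = $Row.Path
    if (-not (Test-Path -Path $p)) { Write-Warning "not present, skipped: $p"; return }
    # Folders propagate their entries to files and subfolders; a single file gets no inheritance flags.
    $flags = if (Test-Path -Path $p -PathType Container) { '(OI)(CI)' } else { '' }
    icacls $p /inheritance:r | Out-Null                  # drop inherited ACEs (including an inherited Everyone)
    icacls $p /remove:g Everyone Guests | Out-Null       # drop any explicit Everyone/Guests grant
    foreach ($ace in $Row.Aces) {
        $who, $right = $ace -split ':', 2
        icacls $p /grant:r "${who}:${flags}${right}" | Out-Null   # :r replaces any earlier grant for $who
    }
    icacls $p                                            # print the resulting ACL for the audit trail
}

foreach ($row in $Table) { Set-TableAcl -Row $row }
```

Because each row ends with `/inheritance:r` followed by only the listed grants, the resulting ACLs contain nothing the table does not name; reviewing the printed output against Table 13.2 is the check that the permissions were applied as intended.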

Using the Internet Service Manager (ISM)

The ISM is actually an extension of the Microsoft Management Console (MMC). The MMC is simply a standard console used to control various services and programs. By standardizing the way programs are supervised, Windows .NET Server administrators can more effectively control their systems. To access the ISM, click on Start > Control Panel > Administrative Tools > Internet Information Services.

As illustrated in Figure 13.16, we have installed the WWW service and the FTP service. Each of these services is represented by a main folder under the IIS server (SETH4). By navigating the ISM tree, you can access the global properties of a service or the individual properties of each Web site or FTP site that the IIS contains.

Figure 13.16 Internet Information Services.
