w2kserver book: Hack Proofing Windows 2000 Server, part 8 (doc)
Securing Internet Information Services 5.0 • Chapter 11 485

Exercise 11.3 Setting FTP Site Permissions

1. Click Start | Programs | Administrative Tools.
2. Click the Internet Services Manager icon. This opens the Internet Information Services window, as was shown in Figure 11.5.
3. Right-click the FTP site that you want to manage, and click Properties. This opens the FTP site Properties page, as demonstrated in Figure 11.7.
4. Click the Home Directory tab within the FTP site Properties page.
5. Check to allow Read, Write, or both.
6. Click OK to save changes and exit the FTP site's properties.

Configuring NTFS Permissions

When a user attempts to access your site, Web permissions or FTP permissions are verified first. Next, IIS verifies that the user also has the correct NTFS permissions. These are the same NTFS permissions used in Windows 2000. When you combine NTFS and Web permissions, the most restrictive settings win. In other words, if a user has Read and Write Web permissions but only the Read NTFS permission, the user's effective setting is Read. If the user has the Write FTP permission but only the Read NTFS permission, the user's effective setting is also Read.

Figure 11.7 The Home Directory Tab of the FTP Site's Properties

www.syngress.com 181_SerSec2e_11 9/5/01 1:59 PM Page 485

The basic NTFS permissions include:

■ Full Control User can view, run, change, delete, and change ownership of the file or directory.
■ Modify User can view, run, change, and delete the file or directory.
■ Read and Execute User can view the file and run the file or directory.
■ List Folder Contents User can list the contents of a folder (found only on folders, not files).
■ Read User can view the file.
■ Write User can view, run, and change the file.
Whenever possible, you should use groups to assign permissions. Try to organize the files on your server into directories. Assign permissions to groups at the directory level. This is much easier than trying to manage every file on a user-by-user basis. Always assign the minimum rights that will get the job done. Be careful when you are restricting the file system so that you don't inadvertently lock out the System account or Administrator account. These two accounts should always have full control.

Figure 11.8 shows the Security tab of a folder named New Folder. You can assign NTFS permissions using the following steps:

1. Right-click the file or folder to which you want to assign permissions.
2. Click the Security tab.
3. Click the Add button to choose the user or group to which you want to assign permissions.
4. Use the check boxes at the bottom to choose which permissions you will allow or deny the user or group that you selected.

SECURITY ALERT!

Windows 2000 automatically grants the Everyone group full control to all new drives. Any directories that you create on these drives will inherit this permission. Always change this permission to something more restrictive. Remember that if you remove the Everyone group, you must put a group in its place, or no one will be able to access the drive and only the owner of the drive will be able to assign access.

Using the Permissions Wizard

The Permissions Wizard is a tool provided by IIS to synchronize NTFS and Web/FTP permissions. The Permissions Wizard provides limited choices for configuring your server. Basically, you can choose from three templates: public Web site, secure Web site, or public FTP site. For advanced configurations, you need to manually assign IIS permissions or create a new template for the Permissions Wizard to use. The Permissions Wizard uses templates to assign permissions.
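Before turning to the wizard, here is an added Python model (not from the book) of the manual rules covered above: IIS Read/Write is combined with NTFS so that the more restrictive grant wins, Deny entries override Allow entries, and the inherited Everyone Full Control entry from the alert is flagged. The NTFS operation sets follow the chapter's list; the mapping of the IIS Read/Write check boxes onto those operations and the sample identities and ACL entries are assumptions.

```python
from typing import List, Set, Tuple

# Operations each basic NTFS permission grants, as the chapter lists them.
NTFS_OPS = {
    "Full Control": {"view", "run", "change", "delete", "take ownership"},
    "Modify": {"view", "run", "change", "delete"},
    "Read and Execute": {"view", "run"},
    "List Folder Contents": {"list"},
    "Read": {"view"},
    "Write": {"view", "run", "change"},
}
# Assumed mapping of the IIS-level Read/Write check boxes onto the same
# operations; Write is the less restrictive grant, so it also covers view.
WEB_OPS = {"Read": {"view"}, "Write": {"view", "change"}}

Ace = Tuple[str, str, str]  # (principal, "Allow" or "Deny", NTFS permission)

def ntfs_effective(identities: Set[str], acl: List[Ace]) -> Set[str]:
    """Union the Allow ACEs matching the user or any of its groups,
    then remove everything a matching Deny ACE covers (Deny wins)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, perm in acl:
        if principal in identities:
            (allowed if kind == "Allow" else denied).update(NTFS_OPS[perm])
    return allowed - denied

def effective_access(identities: Set[str], acl: List[Ace],
                     web_perms: Set[str]) -> str:
    """IIS checks its own Read/Write first, then NTFS; only operations both
    grant survive, which is the 'most restrictive settings win' rule."""
    granted_by_iis: Set[str] = set().union(*(WEB_OPS[p] for p in web_perms))
    ops = ntfs_effective(identities, acl) & granted_by_iis
    if "change" in ops:
        return "Write"
    return "Read" if "view" in ops else "None"

def risky_everyone_aces(acl: List[Ace]) -> List[Ace]:
    """Flag the default Windows 2000 drive ACE the alert warns about:
    Everyone allowed anything that lets it change content."""
    return [ace for ace in acl if ace[0] == "Everyone" and ace[1] == "Allow"
            and "change" in NTFS_OPS[ace[2]]]

if __name__ == "__main__":
    # Constructed sample: inherited Everyone Full Control plus a read-only group.
    site_acl = [("Everyone", "Allow", "Full Control"), ("WebUsers", "Allow", "Read")]
    print(risky_everyone_aces(site_acl))
    print(effective_access({"alice", "WebUsers"}, site_acl[1:], {"Read", "Write"}))
```

Removing the Everyone entry without adding a replacement group yields "None" for every user, which is the lock-out the alert describes (the drive owner is not modelled here).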
Permissions templates combine access control permissions, authentication methods, and IP address/domain name restrictions. You can use one of the default templates or use the IIS Permissions Wizard Template Maker to create a new template. The default templates are:

■ Secure Web Site Use this for restricted sites. Allows users with Windows 2000 accounts to view static and dynamic content. Administrators are assigned full control to the site.
■ Public Web Site Use this for Internet sites. Allows all users to browse static and dynamic content. This template allows Anonymous authentication. Administrators are assigned full control to the site.
■ Public FTP Site Use this for Internet sites. Allows all users to download files via FTP.

Figure 11.8 The Security Properties of a Folder

Always document your current permissions before you start making changes. That way, if you change the IIS permissions to an unacceptable state, it will be easier to recover. Remember that the Permissions Wizard sets both NTFS and Web/FTP permissions. If you want to set only one or the other, you need to assign permissions manually.

To use the Permissions Wizard to set Web site permissions:

1. Open the Internet Services Manager (Start | Programs | Administrative Tools | Internet Services Manager).
2. Right-click the site to which you want to assign permissions (see Figure 11.9).
3. Choose All Tasks.
4. Click Permissions Wizard.
5. This will bring up the Permissions Wizard. Click Next to begin answering the wizard's questions. (Steps 1 through 5 are the same for Web sites and FTP sites. The next steps are for securing Web sites and differ slightly from securing FTP sites.)

Figure 11.9 Accessing the Permissions Wizard

6. You have two choices on the Security Settings window (see Figure 11.10):
   ■ Inherit all security settings This option will inherit rights from the parent site or virtual directory.
   ■ Select new security settings from a template Choose this option to set different permissions than those found on the parent site or virtual directory.
   In this example, select the second choice (settings from a template). Click Next to continue.
7. If you choose to select new settings from a template, you are given a screen to choose which template you want to apply. Your choices are public Web site or secure Web site. Any new templates that you have created will show up here as well. You can click each template for a description of what it allows (see Figure 11.11). Choose the template you want to install, and click Next.
8. After you select the template to be used, you must choose what to do with the NTFS permissions. The Permissions Wizard makes a recommendation on what setting you should have. You can choose to use the recommended settings only, merge the recommended settings with your current settings, or ignore the recommended settings. Not using the recommended setting could result in users not being able to access your site. After choosing how to handle the NTFS permissions, click Next. This will bring up the Security Summary window, as shown in Figure 11.12.
9. Read the Security Summary window to verify that you selected the correct options. Click Next, and then click Finish to apply your new settings.

Figure 11.10 The Security Settings Window of the Permissions Wizard
Using the Permission Wizard Template Maker

Microsoft provides the IIS Permissions Wizard Template Maker so that we can make our own security templates to be used with the Permissions Wizard. The Template Maker is found in the Windows 2000 Resource Kit, <cdrom>:\apps\iispermwizard\x86 directory\setup.exe. It is strongly recommended that you have a copy of the resource kit. You can purchase it in bookstores for $299.99, or you can get it on CD if you subscribe to Microsoft's TechNet (www.microsoft.com/technet). After installing the Template Maker, you can access it from Administrative Tools (Start | Programs | Administrative Tools | IIS Permissions Wizard Template Maker).

Figure 11.11 Selecting a Security Template
Figure 11.12 Setting NTFS Permissions

Use the following steps to create your own custom templates:

1. Open IIS Permissions Wizard Template Maker (see Figure 11.13).
2. Click Next to start making your template.
3. This will bring up the Creating and Editing Templates window (see Figure 11.14). Choose whether you want to create a new Web or FTP template, or to edit an existing Web or FTP template. Click Next after you have made your selection.
4. You are now prompted to choose which authentication methods you want to support (see Figure 11.15). The defaults are Allow Anonymous Access and Integrated Windows Authentication. After choosing your authentication methods, click Next.
5. Now you have to decide what access permissions to give your users (see Figure 11.16). Read Access and Script Access permissions are allowed by default. Check the permissions you want to give, and click Next when you are finished.
6. Next you must set any IP address or domain name restrictions (see Figure 11.17). You must choose what you want the default policy to do. The choices are Allow all access or Deny all access. After you set the default, you set any exceptions. The exceptions can be based on domain name or IP address. Choose the default policy, add the exceptions, and click Next.
7. Now that you have configured your template, you must give it a name and a description, as shown in Figure 11.18. Be sure to give your template a meaningful name. If multiple administrators will be creating templates, you might want to list the name of the person who created the template in the template's description. This way everyone will know whom to contact if they have any questions about the template. After naming and describing the template, click Next.
8. The last step is to save your template to the IIS metabase, as shown in Figure 11.19. After you click Finish, all your settings will be saved. Next time you go into the Permissions Wizard, your new template will be an option.

Figure 11.13 Creating IIS 5.0 Templates with the Permissions Wizard Template Maker
Figure 11.14 Creating New Templates or Editing Existing Templates
Figure 11.15 Deciding the Levels of Authentication Allowed
Figure 11.16 Choosing Users' Permissions
Figure 11.17 Domain Name or IP Address Restrictions
Figure 11.18 Naming Your Template and Giving It a Description
Figure 11.19 The Congratulations Page of the IIS Template Maker

[...]

[...] access the Web server only, or do they need to authenticate to the Web server and access remote servers?
■ Will our Web server be used solely as a Web server, or will it host other functions (such as WINS server, DNS server, mail server)?
If it will only provide Web services, we need to lock down the other features so that they can't be exploited.
■ To what extent should we audit our servers?

The following [...]

[...] over the Web
FTP  Uses this server as an FTP server
SMTP  Uses this server as an Internet e-mail server (SMTP, POP3)
NNTP  Uses this computer as an Internet news (NNTP) server
SSL  Uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) on this server
Telnet  Uses this computer as a telnet server
OtherThanASP  Allows files other than static files (.txt, html, gif, etc.) and Active Server Pages to be served [...]

[...] mapping (IIS 5 only)

Figure 11.30 The IIS Security Planning Tool

Using the Windows 2000 Internet Server Security Configuration Tool for IIS 5.0

The Internet Server Security Configuration tool is used to lock down an IIS 5.0 server running on Windows 2000. You can download it from Microsoft's [...]

[...] locally to the Web server.

Using Basic Authentication

Basic authentication is used to collect usernames and passwords. It is widely used because most browsers and Web servers support it. Basic authentication has several benefits:
■ It works through proxy servers.
■ It is compatible with lower versions of Internet Explorer. [...]

[...] template.

Table 11.4 The High-Security Web Server Template Options

High-Security Web Server Template (hisecweb.inf)
Account Policies, Password Policy
  Setting                    Value
  Enforce password history   24 passwords remembered
  Maximum password age       42 days
  Minimum password age       2 days
  Minimum password length    8 characters
(Continued)

[...] and FTP requests in the security context of a Windows 2000 user account. Windows 2000 requires a mandatory logon. This means that for someone to log on or access files on your server, he or she must have a user account. For anonymous Web access to work, a Windows 2000 user account must exist. This account is used anytime that someone connects to your server anonymously. IIS 5.0 creates a user account for [...]

[...] installed the Internet Server Security Configuration tool, you need to create your customized Web server template. This template will control how you can administer your server, what protocols will be supported, and what type of files your Web server will service. To get started, open the default.htm file from the DataEntry folder. Figure 11.31 shows the default page of the Internet Server Security Configuration [...]

[...] following settings:
■ Browser Internet Explorer 4.x, Internet Explorer 5.x, and Netscape
■ Client OS Windows 9.x/NT3.x/NT4.0, Windows 2000, and Mac/UNIX
■ Scenario Internet or intranet
■ Web Server IIS 4 (Windows NT 4.0), IIS 5 (Windows 2000 no Active Directory), and IIS 5 (Windows 2000, Active Directory)
■ Web Authorization Anonymous (with password sync enabled), anonymous (with password sync disabled), basic, Windows [...]

[...] authenticates both the client and the server. This helps prevent spoofing. Kerberos allows users to access remote network resources not located on the IIS server. NTLM restricts users to the information located on the IIS server only. Kerberos is the preferred authentication method. The following are requirements for Kerberos to be used instead of NTLM: [...]

[...] down your IIS servers. The question section creates a template file (IISTemplate.txt by default) that is customized for your Web server. The deployment tool (IISConfig.cmd) uses your customized file and the security template file (hisecweb.inf) provided by Microsoft to configure your server. After downloading and extracting the tool, you should have the following directories: [...]

Posted: 14/08/2014, 04:21