6 - 1 Windows Security - SANS ©2001 1

Internet Information Server (IIS) Security
Security Essentials
The SANS Institute

In this section we are going to cover some of the key aspects that need to be addressed in order to have a secure web server using IIS. It is important to note that a system is only as secure as its weakest link, and therefore any web server must be built on a secure and hardened Windows 2000 system. Securing Windows 2000 is not covered in this section but has been covered in a previous module. So before you install IIS, make sure that you spend the time to properly harden your base operating system. Once you have a secure operating system configured, you can then move ahead with this module on securing IIS.

6 - 2 IIS Security - SANS ©2001 2
Are you or Aren’t you?

One lesson from CodeRed is that many users did not know whether or not they were running IIS. Check installed programs, then use the Task Manager to double-check.

Also, some people are beginning to upgrade their internal systems to XP Professional. While XP appears to have some substantial improvements over the older Windows operating systems, don’t tune out! Before you think that everything’s OK, take a look at this slide! This is the Windows Components installation wizard available through the Add/Remove Programs applet in the Control Panel. The IIS engine has always been more or less available at the desktop level as a product called “Personal Web Server”, which was typically installed if a user installed FrontPage. The actual server engine was a scaled-down IIS engine. Now, however, we have a full IIS server available! Good Group Policy rules through your Active Directory will prevent users from activating the IIS engine, as will good installation controls. The key is to be aware of what’s happening on your systems, even your user desktops!
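A scripted version of that double-check, as an added example that is not part of the original SANS material. It assumes a current Windows host with PowerShell 5 or later rather than the Windows 2000 tooling the module describes, and the function name Test-IisPresence is illustrative.

```powershell
# Added example, not from the SANS module. Assumes Windows PowerShell 5+ on the
# machine being checked; Test-IisPresence is an illustrative name.
function Test-IisPresence {
    $findings = @()

    # 1. "Installed programs": IIS registers these services when it is installed,
    #    even if nobody ever configured a web site on the machine.
    foreach ($name in 'IISADMIN', 'W3SVC', 'MSFTPSVC', 'SMTPSVC') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            $findings += [pscustomobject]@{
                Check  = 'Service'
                Item   = $svc.Name
                Detail = "Status=$($svc.Status) StartType=$($svc.StartType)"
            }
        }
    }

    # 2. "Task Manager": inetinfo.exe hosts IIS 5; w3wp.exe is the worker
    #    process on later IIS versions.
    foreach ($proc in Get-Process -Name 'inetinfo', 'w3wp' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Check  = 'Process'
            Item   = $proc.ProcessName
            Detail = "PID=$($proc.Id)"
        }
    }

    # 3. Anything listening on the usual web ports, whatever it is called.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 80, 443 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += [pscustomobject]@{
            Check  = 'Listener'
            Item   = "$($l.LocalAddress):$($l.LocalPort)"
            Detail = "OwningProcess=$($l.OwningProcess) ($owner)"
        }
    }

    $findings
}

$result = Test-IisPresence
if ($result) {
    $result | Format-Table -AutoSize
} else {
    'No IIS services, processes or web listeners found on this machine.'
}
```

A stopped service still counts as a finding: the engine is installed and can be started, which is the situation the slide warns about on user desktops.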

6 - 3
If you are Running IIS (and know you are running IIS)

• This document is relevant for the implementation of an IIS 5.0 server running on a Windows 2000 SP2 server
• Anything other than IIS 5.0 running on a Windows 2000 SP2 system will require further customized hardening
• This document does not discuss hardening the code used for the particular web site

The information contained in this module applies only to IIS 5.0 Server running on a Windows 2000 SP2 server. If you are running your web server on a different operating system or using a different version of the web server, it will require further customization.

Also, this module addresses the known vulnerabilities and security issues that exist today. Since new vulnerabilities and exposures are found on a daily basis, just because your system is secure today does not mean that it will be secure tomorrow. Any system, especially one that is accessible from the Internet, will require constant care and feeding to make sure that it stays secure.

Also, this module only looks at hardening the web server application itself; it does not look at securing the web site or the actual web pages or code that the site is hosting. Writing secure web applications is beyond the scope of this document but must be addressed in order to have a secure site.

Finally, the steps outlined in this module should not be performed on a production system because certain changes could have unexpected results. Therefore, the steps should be performed on a development server, and the development server should be backed up prior to making any changes. Once everything has been tested, the changes should be made to the production server. The production server should also be backed up before any changes are made.

6 - 4
Agenda

• This module will cover the security concerns with the implementation of IIS 5.0 and Windows 2000 SP2 on a clean formatted machine
• We will then cover:
  – Installation
  – Common security vulnerabilities

This module will assume that Windows 2000 has already been installed on a clean formatted system and that it has been properly secured. Service Pack 2 (the most recent Service Pack as of this writing) should also be applied prior to installing the web server. This module is not meant as a step-by-step guide for installing and configuring a web server. It is meant to serve as a guide for addressing some of the key security concerns with running an IIS server.

Before a web server goes into production, it should be tested from a security perspective and have a vulnerability and security assessment performed to make sure all key issues have been addressed. Once the system goes live, it should be monitored on a regular basis because even though it is secure today it might not be secure tomorrow.

6 - 5
OS/IIS Installation and Hardening

• Install the 2000 OS from a clean verified media source
• Use a 4 GB NTFS partition for the OS
• Under component Services Installation Area
  – Uncheck Indexing Services
  – Check Terminal Services
  – Uncheck Script Debugger
  – Under Details for Accessories and Utilities, Uncheck Accessibility Wizard, Communications, Games, and Multimedia
  – Under Details for IIS Service, Uncheck FrontPage extensions, documentation, and Internet Services Manager
  – Select Remote Administration mode for Terminal Services
  – Select that this computer is “Not a part of a domain”
  – Change the CD-Rom drive letter to Z

When installing IIS you should always start with original CDs. If you download a copy or obtain a copy from another source, you increase your chances of having security issues because you cannot be guaranteed that the software is clean and does not have any back doors.

The OS partition should be kept separate from the data and application partitions. This way problems in one area have less of a chance of impacting the other. For example, the operating system needs a certain amount of hard drive space to operate properly. If all of the hard drive space is consumed, then the system will crash. If the data, application and operating system are all on the same partition, an attacker can write large amounts of data to the system, use up all of the disk space and crash the system.

The boot partition needs to be NTFS, so that security can be enabled on files and directories, and auditing turned on. It is important to remember that with NTFS, you will be unable to boot to a DOS prompt should the need arise. An application such as ERD Commander should be purchased to assist if such a need ever were to arise.

When installing the operating system and IIS, under components services installation area, the following options should be selected or unselected:

• Uncheck Indexing Services
• Check Terminal Services
• Uncheck Script Debugger
• Under Details for Accessories and Utilities, Uncheck Accessibility Wizard, Communications, Games, and Multimedia
• Under Details for IIS Service, Uncheck FrontPage extensions, documentation, and Internet Services Manager
• Select Remote Administration mode for Terminal Services
• Select that this computer is “Not a part of a domain”
• Change the CD-Rom drive letter to Z

6 - 6
OS/IIS Installation and Hardening (2)

Right Click the C drive in My Computer. Click on Security > Remove the Everyone Group > Add both the Administrator and System groups, give full control to both

To change the security permissions on the system, select the C:\ drive under My Computer and right-click on it. From the Local Disk Properties dialog box, select the Security tab. The Everyone group should be removed. The Everyone group includes literally everyone.
It is a common misperception that the Everyone group includes only everyone in the specific domain. This is not the case. The Everyone group does encompass anyone in the domain but also includes anyone in the world who can get to the system, not just authenticated users.

The Administrators and SYSTEM group should be given access and in most cases should be given Full Control. Users or Authenticated Users can then be added as a specific group, but remember to enforce a principle of least privilege. Users should be given the minimal access they need to do their job and nothing else. If necessary, additional groups should be created with fewer privileges and users should be added to those groups.

6 - 7
OS/IIS Installation and Hardening (3)

• Audit the following
  – Create files/write data
  – Create folders/Append data
  – Delete subfolders and files
  – Delete change permissions
  – Take ownership

When it comes to security, prevention is ideal but detection is a must. You will never be able to prevent all attacks on your system, so in cases where you cannot prevent an attack you must be able to detect it in a timely manner. The only way that you can detect an attack and know what is occurring on your system is to audit key events and review them on a regular basis. Therefore, it is critical to have auditing turned on. The key events that must be audited are:

• Create files/write data
• Create folders/Append data
• Delete subfolders and files
• Delete change permissions
• Take ownership

You can turn on additional features, but remember that auditing more events could have a direct impact on the performance of your system and the resources that are available.

There are many vulnerabilities with Microsoft’s Indexing Service (including buffer overflows), and this machine will not be used for file services, so Indexing is not needed and should be disabled. Therefore no associated auditing events are turned on.

After hitting Apply you will get a message stating that auditing is not turned on. That is OK; we will be turning this feature on later in the module.

6 - 8
Encryption and OS Patch Setup

• Install the High Encryption Pack for Windows 2000
• Do not reboot when complete
• Run KEYMIGRT.exe
• Set the system’s paging file’s Minimum/Maximum size as equal
• Reboot

Remember, when it comes to security there is no silver bullet. In order to have a secure system you must use defense in depth. With defense in depth you have multiple mechanisms protecting your system, and one of those must be encryption.

First, you should install the High Encryption Pack for Windows 2000. Since you will be making other changes, do not reboot the system at this time. Run KEYMIGRT.exe after installing the High Encryption Pack. It is necessary to run this utility to upgrade the encryption of the private keys used by IIS SSL from 40-bit RC4 to 168-bit 3DES. The upgraded key is the Master key, which encrypts IIS’s private keys as well as the private keys of all the services which use public/private keys on this server.

The system’s pagefile values for minimum and maximum should also be set to the same value. At this point, the system needs to be rebooted so that the changes can take effect.

6 - 9
Encryption and OS Patch Setup (2)

• Install SP2 for 2000
• Install all of the latest hot fixes
  – hfnetchk.exe can be used to determine a list of required fixes

When Microsoft finds a vulnerability with a system, they usually release a patch (hotfix) to fix the problem. A hotfix will secure the system against that specific vulnerability. After several hotfixes have been released, Microsoft will usually put out a Service Pack which fixes all of the vulnerabilities and problems up to that point. You should stay up-to-date on the latest Service Packs and hotfixes to make sure your system stays secure.
Before installing a hotfix or a Service Pack it should be run on a test system, and the production system should be backed up prior to installation. Service Packs and hotfixes have both been known to cause problems or crash systems.

At the time of this writing, Service Pack 2 is the latest service pack for Windows 2000. Once SP2 is installed, all of the current hotfixes should be applied. Microsoft’s Network Hot Fix Checker (hfnetchk.exe) can be downloaded for free from Microsoft’s web site (http://www.microsoft.com/technet/security/default.asp). This command line utility will retrieve a list of current hotfixes from Microsoft’s site as an XML file, compare the current list of hotfixes with your system, and provide a list of fixes that should be installed. The specific hotfixes can then be downloaded and applied.

6 - 10
Configuring Services

• Disable all network protocols except for TCP/IP
  – disable NetBIOS over TCP/IP
• Set a fixed IP Address for the server

In order to have a secure system you must adhere to a principle of least privilege. This approach sets up a system with the least amount of privileges needed for it to function properly and nothing else. From a network protocol standpoint, any protocol that is not needed should be disabled. For most networks only TCP/IP is needed and/or recommended. If you require another protocol such as SNA or IPX/SPX, there are additional steps that must be taken from a configuration standpoint.

Note that a web server strictly uses TCP/IP protocols – HTTP/HTTPS, possibly FTP or SMTP. It has no need for Microsoft’s NetBIOS protocol, used for file and print sharing and some Windows networking functions. As NetBIOS has a number of vulnerabilities, you should disable NetBIOS over TCP/IP on your web server.
This may prevent any remote administration of the web server that uses NetBIOS (e.g., connecting to a shared drive over the network), but the inconvenience of having to administer the server from the console is far outweighed by the security advantages of turning off NetBIOS.

Since the server will need to be accessible, it should be given a static IP address. If dynamic addresses were used, people could have difficulty connecting to the server because the address could potentially change. To provide additional levels of protection, TCP/IP filtering could also be used by an administrator to prevent attackers from trying to gain access through other ports that are not secured.

[...]

... the high security web template. This can be downloaded from Microsoft's download web site. Once it is installed, you should copy the resulting inf into the Security Templates directory (%windir%\security\templates). This will be used to “lock down” and provide additional protection to the web server.

6 - 18
High Security Web Template (2)

In the MMC add: Security Configuration and Analysis Tool Security...

... be deleted

6 - 17
High Security Web Template

• Download and install the high security web template from Microsoft
  – http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe
  – Copy the resulting inf into the %windir%\security\templates directory

Microsoft makes many resources available in order to provide a higher level of security. One of the resources...

... Security Templates
In the Security Configuration and Analysis tool
  – Choose Open Dbase and give an appropriate name to it
  – Load the hisecweb.inf

To add the template, go to MMC and bring up the Add Standalone Snap-in dialog box. Under Snapins, select Security Configuration and Analysis and Security Templates. Save the newly created MMC. Run the MMC. Under the Security Configuration...

... are attackers using?
– What vulnerabilities exist on your web server?
– What are you doing to mitigate risk?

IIS is a favorite target of attackers. Because of its widespread use on the Internet and its flexibility as an application server (and because it is produced by Microsoft), IIS has received a great deal of security scrutiny. Due to this scrutiny, IIS is much more secure...

... other scripts from public webservers, the IP addresses of other servers can be extracted. This is possible even if a firewall is blocking port scanning.

6 - 25
Revealing Script Code

• Script source code can show security holes, IP addresses, usernames, and passwords
• Code should be analyzed:
  – Source code
  – ASP
  – CGI scripts

CGI scripts and Active Server Pages (ASP) contain scripting...

... Period to When the File Reaches 50 MB
• In Extended Properties
  – Add checks for Cookies and Referrer

To turn on logging and enable other security measures, you need to edit the master properties of the WWW server. This is done by using the WWW Service master properties for the WWW Server dialog box. To start configuration, click on the Web Site tab. In order to understand what is...

... enterprise server but a lot of these services are not needed for a web server, especially one that is going to be accessed from the Internet. The fewer services that are running on the system, the fewer potential points of compromise. Therefore the following services should be disabled:

• Alerter
• DHCP Client
• DNS Client
• License Logging Agent
• Distributed Link Tracking Client
• Distributed Link Tracking Server...

... for IIS security has been the rapid publication of its holes and exploits, just as the best thing for Windows NT/2000 security has been the L0pht (formerly www.l0pht.com, now defunct). It is impossible to secure a product without knowing how to attack it. As a security administrator it is your responsibility to learn how to think like an attacker.

6 - 24
Reconnaissance

• Finding and profiling IIS servers:...
  – Filename extensions
  – SSL-Telnet and Netcat
  – NBTSTAT
  – URL Scanners
  – WebReaper
  – Error messages
  – Content-Location HTTP header

The URLs of public webservers are usually listed in search engines such as Yahoo and Lycos. Hidden and non-public servers, such as intranet servers, can be located even if they are not advertised. Example HTTP uses TCP port 80 and FTP uses ports 21 and 20. Port...

... sent between the client and the server to be protected by encryption, based on the server’s maximum key length. To provide proper protection, a server should utilize the highest possible encryption for its keys. There is a trade-off, however. The longer the keys, the more resources will be needed and the bigger the strain on the computer system. Therefore in some cases, if the server is suffering performance
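
Four of the settings from the installation and hardening steps earlier in this module (no Everyone entry on C:\, NetBIOS over TCP/IP disabled, a fixed IP address, equal paging-file minimum and maximum) can be checked after the fact. The following is an added example, not part of the original SANS material; it assumes a current Windows host with PowerShell 5 or later, and the function name and output columns are illustrative.

```powershell
# Added example, not from the SANS module. Assumes Windows PowerShell 5+;
# Test-WebServerBaseline and its output columns are illustrative names.
function Test-WebServerBaseline {
    param([string]$Drive = 'C:\')
    $report = @()

    # Everyone (well-known SID S-1-1-0) should hold no allow entry on the drive root.
    # Asking for SIDs avoids depending on the localized group name.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $Drive).GetAccessRules($true, $true, $sidType)
    $everyone = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.AccessControlType -eq 'Allow'
    })
    $report += [pscustomobject]@{
        Setting = "Everyone removed from $Drive"
        Pass    = ($everyone.Count -eq 0)
        Detail  = ($everyone.FileSystemRights -join '; ')
    }

    # Per IP-enabled adapter: NetBIOS over TCP/IP off (TcpipNetbiosOptions = 2)
    # and a fixed address rather than a DHCP lease.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $report += [pscustomobject]@{
            Setting = "NetBIOS over TCP/IP disabled [$($a.Description)]"
            Pass    = ($a.TcpipNetbiosOptions -eq 2)
            Detail  = "TcpipNetbiosOptions=$($a.TcpipNetbiosOptions)"
        }
        $report += [pscustomobject]@{
            Setting = "Fixed IP address [$($a.Description)]"
            Pass    = (-not $a.DHCPEnabled)
            Detail  = ($a.IPAddress -join ', ')
        }
    }

    # Paging file: minimum (InitialSize) and maximum must match. No instance
    # usually means the size is system-managed, which also fails the rule.
    $pageFiles = @(Get-CimInstance Win32_PageFileSetting)
    if ($pageFiles.Count -eq 0) {
        $report += [pscustomobject]@{ Setting = 'Paging file min = max'; Pass = $false
                                      Detail = 'no explicit paging file setting' }
    }
    foreach ($p in $pageFiles) {
        $report += [pscustomobject]@{
            Setting = "Paging file min = max [$($p.Name)]"
            Pass    = ($p.InitialSize -eq $p.MaximumSize -and $p.MaximumSize -gt 0)
            Detail  = "InitialSize=$($p.InitialSize)MB MaximumSize=$($p.MaximumSize)MB"
        }
    }
    $report
}

Test-WebServerBaseline | Format-Table -AutoSize
```

Run it on the development server after applying the changes and again on production, and compare the two reports before the system goes live.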