.gif)
Improving Web Application Security: Threats and Countermeasures J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation
Published: June 2003
Applies to:
- Internet Information Services (IIS) version 5.0
- Microsoft Windows® 2000 operating system
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.
Contents
How to Use This Checklist
Patches and Updates
IISLockdown
Services
Protocols
Accounts
Files and Directories
Shares
Ports
Registry
Auditing and Logging
Sites and Virtual Directories
Script Mappings
ISAPI Filters
IIS Metabase
Server Certificates
Machine.config
Code Access Security
Other Check Points
Dos and Don'ts
How to Use This Checklist
This checklist is a companion to Chapter 16, "Securing Your Web Server." Use it to help implement a secure Web server, or as a quick evaluation snapshot of the corresponding chapter.
This checklist should evolve with steps that you discover to secure your Web server.
Patches and Updates
| Check | Description |
.gif) | MBSA is run on a regular interval to check for latest operating system and components updates. |
| The latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.) |
| Subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp. |
IISLockdown
| Check | Description |
| IISLockdown has been run on the server. |
| URLScan is installed and configured. |
Services
| Check | Description |
| Unnecessary Windows services are disabled. |
| Services are running with least-privileged accounts. |
| FTP, SMTP, and NNTP services are disabled if they are not required. |
| Telnet service is disabled. |
| ASP .NET state service is disabled and is not used by your applications. |
Protocols
| Check | Description |
| WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory." |
| TCP/IP stack is hardened. |
| NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445). |
Accounts
| Check | Description |
| Unused accounts are removed from the server. |
| Windows Guest account is disabled. |
| Administrator account is renamed and has a strong password.. |
| IUSR_MACHINE account is disabled if it is not used by the application. |
| If your applications require anonymous access, a custom least-privileged anonymous account is created. |
| The anonymous account does not have write access to Web content directories and cannot execute command-line tools. |
| ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.) |
| Strong account and password policies are enforced for the server. |
| Remote logons are restricted. (The "Access this computer from the network" user-right is removed from the Everyone group.) |
| Accounts are not shared among administrators. |
| Null sessions (anonymous logons) are disabled. |
| Approval is required for account delegation. |
| Users and administrators do not share accounts. |
| No more than two accounts exist in the Administrators group. |
| Administrators are required to log on locally OR the remote administration solution is secure. |
Files and Directories
| Check | Description |
| Files and directories are contained on NTFS volumes. |
| Web site content is located on a non-system NTFS volume. |
| Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides. |
| The Everyone group is restricted (no access to \WINNT\system32 or Web directories). |
| Web site root directory has deny write ACE for anonymous Internet accounts. |
| Content directories have deny write ACE for anonymous Internet accounts. |
| Remote IIS administration application is removed (\WINNT\System32\Inetsrv\IISAdmin). |
| Resource kit tools, utilities, and SDKs are removed. |
| Sample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples). |
Shares
| Check | Description |
| All unnecessary shares are removed (including default administration shares). |
| Access to required shares is restricted (the Everyone group does not have access). |
| Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares). |
Ports
| Check | Description |
| Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used). |
| Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure. |
Registry
| Check | Description |
| Remote registry access is restricted. |
| SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).
This applies only to standalone servers. |
Auditing and Logging
| Check | Description |
| Failed logon attempts are audited. |
| IIS log files are relocated and secured. |
| Log files are configured with an appropriate size depending on the application security requirement. |
| Log files are regularly archived and analyzed. |
| Access to the Metabase.bin file is audited. |
| IIS is configured for W3C Extended log file format auditing. |
Sites and Virtual Directories
| Check | Description |
| Web sites are located on a non-system partition. |
| "Parent paths" setting is disabled. |
| Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed. |
| MSADC virtual directory (RDS) is removed or secured. |
| Include directories do not have Read Web permission. |
| Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account. |
| There is script source access only on folders that support content authoring. |
| There is write access only on folders that support content authoring and these folder are configured for authentication (and SSL encryption, if required). |
| FrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted. |
Script Mappings
| Check | Description |
| Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, idc, .htr, .printer). |
| Unnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config. |
ISAPI Filters
| Check | Description |
| Unnecessary or unused ISAPI filters are removed from the server. |
IIS Metabase
| Check | Description |
| Access to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin). |
| IIS banner information is restricted (IP address in content location disabled). |
Server Certificates
| Check | Description |
| Certificate date ranges are valid. |
| Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail). |
| The certificate's public key is valid, all the way to a trusted root authority. |
| The certificate has not been revoked. |
Machine.config
| Check | Description |
| Protected resources are mapped to HttpForbiddenHandler. |
| Unused HttpModules are removed. |
| Tracing is disabled <trace enable="false"/> |
| Debug compiles are turned off.
| <compilation debug="false" explicit="true" defaultLanguage="vb"> |
|
Code Access Security
| Check | Description |
| Code access security is enabled on the server. |
| All permissions have been removed from the local intranet zone. |
| All permissions have been removed from the Internet zone. |
Other Check Points
| Check | Description |
| IISLockdown tool has been run on the server. |
| HTTP requests are filtered. URLScan is installed and configured. |
| Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts. |
Dos and Don'ts
- Do use a dedicated machine as a Web server.
- Do physically protect the Web server machine in a secure machine room.
- Do configure a separate anonymous user account for each application, if you host multiple Web applications,
- Do not install the IIS server on a domain controller.
- Do not connect an IIS Server to the Internet until it is fully hardened.
- Do not allow anyone to locally log on to the machine except for the administrator.