In order to continue in the effort to harden your popular server roles, let's take a look at how to secure your IIS file servers running Windows Server 2003.
Securing virtual directories
Internet Information Server has a measure of virtual-directory security built into it: each virtual directory carries its own IIS permissions for reading, writing, executing scripts and other basic privileges. These permissions are enforced in addition to, and independently of, the NTFS file-system permissions on the underlying folders. Incidentally, this has been true for every version of IIS since its inception. Here's a reminder of the available rights:
Make sure any virtual directories on your site have the proper permissions set. To set these rights, use the IIS Manager, found under Administrative Tools inside Control Panel. Once the applet is launched, expand the computer tree in the left pane and expand the node called Web Sites. All of the sites currently on that IIS machine are listed here. To set the permissions, right-click the name of a site and choose Properties. Then, click the Home Directory tab, and you'll be greeted with a screen similar to the following:
[IMAGE]
On this page, you can make the necessary adjustments to permissions based on what content you have on each Web site. You can also follow the same procedure for each virtual directory on a Web site to further fine-tune the "virtual" permissions that IIS gives you.
The IUSR account
As you might already know, users browsing Web content on your IIS machines are actually logging into a guest-like IUSR account on your machine or directory service. If they're using an account on the system, you can set permissions for that account on the file system to further reduce the chances of unauthorized access.
Out of the box, IIS 6.0 in Windows Server 2003 sets the following restrictions on the NTFS permissions given to the IUSR account:
Guarding ISAPI
Internet Services Application Programming Interface (ISAPI) is CGI's like-minded brother on the Windows platform. It allows for dynamic extensions to static HTML content and to technologies like Active Server Pages, .NET and other dynamic languages that use ISAPI filters to interact with IIS. Of course, this opens up a potential security hole.
You need to make sure that the only ISAPI filters configured on your system are those that are actually in use. (You can find ISAPI filters in the Properties sheet for any Web site.) For most systems, the only one needed would be the ASP.NET filter. Look through your Web root directory and note the extensions on all of your content. Are there any that differ from .HTM? If not, make sure any filters that are listed in the Properties sheet are removed.
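The virtual-directory rights, the anonymous (IUSR) account and the ISAPI filters described above can all be read from the IIS 6.0 metabase through its ADSI provider. The following read-only audit script is an added example, not code from the article or from Microsoft; it assumes PowerShell is installed on the Windows Server 2003 host and that it runs as a local administrator, and the output is meant to be compared against what you expect to see in IIS Manager before you remove anything.

```powershell
# Added example (not from the article): read-only audit of the IIS 6.0 metabase
# over the IIS:// ADSI provider, reporting the settings the article tells you
# to review. Assumes PowerShell on Windows Server 2003 and local admin rights.

function Get-IisVDirAccess {
    # Returns the IIS "virtual" access rights (Home Directory / virtual directory
    # tab) and the anonymous user for each site root and virtual directory.
    param([string]$Computer = 'localhost')
    $w3svc = [ADSI]"IIS://$Computer/W3SVC"
    foreach ($site in $w3svc.Children) {
        if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
        $root  = [ADSI]"$($site.Path)/ROOT"
        $nodes = @($root) + @($root.Children | Where-Object { $_.SchemaClassName -eq 'IIsWebVirtualDir' })
        foreach ($n in $nodes) {
            $o = '' | Select-Object Site, Node, Read, Write, Script, Execute, AnonUser
            $o.Site     = [string]$site.Properties['ServerComment'].Value
            $o.Node     = $n.Path
            $o.Read     = [bool]$n.Properties['AccessRead'].Value
            $o.Write    = [bool]$n.Properties['AccessWrite'].Value
            $o.Script   = [bool]$n.Properties['AccessScript'].Value
            $o.Execute  = [bool]$n.Properties['AccessExecute'].Value
            $o.AnonUser = [string]$n.Properties['AnonymousUserName'].Value
            $o
        }
    }
}

function Get-IisIsapiInventory {
    # Lists ISAPI filters loaded globally and per site, then the IIS 6 Web Service
    # Extensions list (WebSvcExtRestrictionList). Each entry there has the form
    # "<allowed>,<dll path>,<deletable>,<group>,<description>", with 1 = allowed.
    param([string]$Computer = 'localhost')
    $w3svc  = [ADSI]"IIS://$Computer/W3SVC"
    $scopes = @($w3svc) + @($w3svc.Children | Where-Object { $_.SchemaClassName -eq 'IIsWebServer' })
    foreach ($s in $scopes) {
        # Not every site has a Filters key, so look for it instead of binding blindly.
        foreach ($fk in ($s.Children | Where-Object { $_.SchemaClassName -eq 'IIsFilters' })) {
            foreach ($f in $fk.Children) {
                if ($f.SchemaClassName -eq 'IIsFilter') {
                    "FILTER     $($s.Path)  $($f.Name)  $($f.Properties['FilterPath'].Value)"
                }
            }
        }
    }
    foreach ($e in $w3svc.Properties['WebSvcExtRestrictionList']) {
        $parts = ([string]$e).Split(',')
        $state = if ($parts[0] -eq '1') { 'ALLOWED' } else { 'PROHIBITED' }
        "EXTENSION  $state  $($parts[1])  $($parts[4])"
    }
}

Get-IisVDirAccess | Format-Table -AutoSize
Get-IisIsapiInventory
```

Any directory that reports Write together with Script or Execute, any anonymous user other than the expected IUSR account, and any filter or allowed extension you cannot tie to content on the site deserve a second look in IIS Manager.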
Administrative and default pages
Lots of Web-based programs often come with sample files, instruction pages and installation scripts that assist you in setting up and using the programs easily. I used to own a Web-hosting business, and more than 75% of the scripts I used on a day-to-day basis -- whether they were ones that my customers needed installed or ones that I used to manage the systems -- came with install scripts and default pages that made accessing an account, a database or even worse -- a machine -- very easy to do.
IIS is no different than these other programs. Here's an action list of items to get rid of, assuming you're not actively using them:
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at jhassell@gmail.com.