14 Useful Tips for IIS Security

This article provides 14 really useful and practical tips for administering IIS servers. It mainly focusses the issue from the system/network administrators point of view and clearly explains all the tips with examples where ever required. Above all, this articles comes out of my own experiences with administering web servers at my academic institution.

A Web site is designed to provide seamless access to information in the most simple and accessible way possible. In recent years, however, the security problems caused by a growing number of hackers, attackers, viruses and worms have overshadowed accessibility. Microsoft's Internet Information Services (IIS) Web servers have been hit especially hard, although Apache Web servers have been popular targets, too.

Academic institutions especially have a difficult balancing to perform in trying to create good shaped, user-friendly sites while keeping their high profile servers secure from hackers. Moreover, the problem with such institutions is that they simply don't have enough budget allocated for technology and hence lack in security. This article will give an overview of tips that will be useful for system/network administrators all over the world (especially the ones administering Windows Servers running IIS).

1. Frame a good security policy

The first step to any security administrator is to form a strong security policy that clearly lists user privileges and access control information. Make sure that all the users are well aware of the security policy so that there will be no unintentional violation for you to worry about. Also, organizing a good security policy ensures that, if an attack happens, it will be easy to figure out which loophole was exploited in that attack thereby enabling prevention of the same attack in the future.

2. Keep your windows up to date

This is one of the most important duties of a windows system administrator. Moreover, this is one of the easiest steps that will make your life easy. Especially, never skip critical patches and updates. If you have more than one web server running (even if not), consider downloading the updates to a single dedicated non-server machine and push them to the web server internally. This way, you can avoid the web server from directly downloading updates from the internet and wasting its serving bandwidth.

3. Check your users/administrators/services list regularly

There was one time when i stepped into office and looked into my recent logs and to my astonishment i found a new user in my administrators group. By the time someone has gotten this far into your system, he or she has usually dropped in some little time bomb that either can eventually destroy your system or take up all of your bandwidth for the hacker's use. Hackers also generally try to form some kind of a backdoor into your system so that they can get access to your system even if you clean it up as much as you can. In this case, your only option would be formatting your entire hard disk and restoring it from an earlier back up (and at times bringing the server down during the process if you do not have any alternate machines to serve temporarily). Make it a part of your daily/weekly routine to check the list of services on the IIS server(s) and make sure as few as possible are running. You should memorize the ones that should be there. Here's one hint: Any service with the word "daemon" in its name probably isn't native to Windows and shouldn't be on an IIS server.

4. Regulate write access to the server

This step may sound simple. But there are environments (for example academic institutions) where there will be content coming in from various sources for various folders and hence regulating them is a must. A safe way to handle such situations is to put all the content in a different server and make your web server point to those directories.

5. Disable FTP/SMTP if you don't use them

FTP was designed for ease of file transfer, and if you enable authentication then all the usernames and passwords will be sent as plain unencrypted text. SMTP (email) is another service that provides user with write access. So you should disable these and thereby reduce a lot of easy fun for the hackers. Also, if you want remote FTP access to your server, you should consider using FTP over a secure protocol like FTPS (FTP with SSL). The golden rule is: "Never send passwords unencrypted over the network"

6. Check your upload scripts

Another major write operation to your web server is any script that allows the user to upload something into your server from a web page. This is a potentially critical vulnerability if the implementation of the upload script is not so good, then there is a potential risk that the hacker might upload an executable script (asp or asp.net script or even some viruses) and execute it on your server. So be sure to double check the scripts that contain file upload modules. A good practice is to always put the uploaded files in a separate place and make your web server point to it so that even if any scripts are run, it does not affect your web server.

7. Monitor and audit the server

All the logs in the web server should be stored in a separate area. All the logs, including raw access logs, operating system logs, database server logs should be monitored and checked frequently. Never postpone an actions to be taken on suspected log entries. Log files tend to give all the information about an attempt of an attack, and even of a successful attack, but most of the times these are ignored.  If one notices strange activity from the logs, this should immediately be escalated so the issue can be investigated to see what is happening.

8. Implement complex password rules

Never compromise user ease/convenience for security. No matter what the users feel, always implement complex password rules. If some user has a dictionary word as his or her password then it becomes easy for the attacker to perform a brute force attack to gain access into your server. Provide your users with hints for choosing a safe password.

9. Check *.bat and *.exe files regularly

The windows world is known for virus attacks in the form of executables. So make sure you include checking of new/strange *.bat and *.exe files in your daily/weekly routine. These files might in turn do some modifications to the registry, add/delete some keys thereby collapsing your entire system.

10. Use the IIS Lockdown tool

There are some nice benefits to this tool. There are some drawbacks, however, so use it cautiously. If your Web server interacts with other servers, test the lockdown tool to make sure it is configured so that connectivity to backend services is not lost.

11. Use network scanners

There are various free network scanners available that can scan your system against a huge database for known vulnerabilities. So, make sure you test your web server against such scanners. Few example scanners include Nessus and Acunetix Scanner.

12. Use NTFS security

By default, your NTFS drives are open to Everyone/Full Control until you lock them down. The key is to not lock yourself out. Everyone should be unclicked for all levels of access. Administrator needs full control, your backdoor admin account (if you have one) needs full control, and System and Services each need a level of access, depending on each file. The most important folder is System32, and as few permissions as possible should be allowed on that folder. Using NTFS permissions on a Web server can help lock down the files and applications that Web surfers do not need to be able to access.

13. Use TCP Port Blocking

Though this is another tough issue. If you clearly know the list of ports that will be accessed by legitimate users, then you can dig into your network card's TCP/IP binding and block the unused ports. You must double check this as you might lock yourself down (especially if you are logged in remotely) or you might lock the web server down. For latest listing of standard TCP ports, click here

14. Use IP based filtering

If you are sure about where the requests are going to come from for your server, then make sure you have a security device that does IP based filtering. This will be really helpful as hackers will not be able to get to your server when they try to hit random IP Addresses.

Summing it all up, being a system administrator is no piece of cake in this era. This job is becoming more of an art than a science. So, it is very important for a system administrator to be precautious. And apart from that, it is one of the primary duties of the system/network administrator to act as early as possible to any potential threat for security of your network.

By Gayathri S   Popularity  (1646 Views)