A Web site is designed to provide seamless access to information in the simplest
and most accessible way possible. In recent years, however, the security problems
caused by a growing number of hackers, attackers, viruses and worms have overshadowed
accessibility. Microsoft's Internet Information Services (IIS) Web servers have
been hit especially hard, although Apache Web servers have been popular targets,
too.
Academic institutions in particular have a difficult balancing act to perform: they
try to build well-designed, user-friendly sites while keeping their high-profile servers
secure from hackers. Moreover, such institutions rarely have enough budget allocated
to technology, and security suffers as a result.
This article gives an overview of tips that will be useful to system and network
administrators everywhere, especially those administering Windows servers running
IIS.
1. Frame a good security policy
The first step for any security administrator is to draw up a strong security policy
that clearly lists user privileges and access control information. Make sure
that all users are aware of the security policy, so that unintentional violations
do not become your problem. A well-organized security policy also ensures that,
if an attack happens, it is easy to work out which loophole was exploited, so the
same attack can be prevented in the future.
2. Keep your Windows up to date
This is one of the most important duties of a Windows system administrator. It is
also one of the easiest steps, and it makes your life easier. Above all, never
skip critical patches and updates. If you run more than one web server (and even
if you don't), consider downloading the updates to a single dedicated non-server
machine and pushing them to the web server internally. This way the web server
does not download updates directly from the Internet and spend its serving
bandwidth on them.
3. Check your users/administrators/services list regularly
There was one time when I stepped into the office, looked at my recent logs and,
to my astonishment, found a new user in my Administrators group. By the time
someone has gotten this far into your system, he or she has usually dropped in
some little time bomb that can eventually destroy your system or take up all
of your bandwidth for the hacker's use. Hackers also generally try to set up
some kind of backdoor into your system so that they keep their access even after
you clean up as much as you can. In that case your only option is to format the
entire hard disk and restore from an earlier backup (and at times to bring the
server down during the process, if you have no alternate machine to serve
temporarily). Make it part of your daily or weekly routine to check the list of
services on the IIS server(s) and make sure as few as possible are running. You
should memorize the ones that belong there. Here is one hint: any service with
the word "daemon" in its name probably isn't native to Windows and shouldn't be
on an IIS server.
4. Regulate write access to the server
This step may sound simple, but there are environments (academic institutions, for
example) where content comes in from various sources into various folders, and
regulating who may write where is a must. A safe way to handle such situations is
to keep all the content on a different server and have your web server point to
those directories.
5. Disable FTP/SMTP if you don't use them
FTP was designed for ease of file transfer; if you enable authentication, all
usernames and passwords are sent as plain unencrypted text. SMTP (email) is another
service that gives users write access. Disable both and you take away a lot of
easy fun for the hackers. If you do need remote FTP access to your server, consider
running FTP over a secure protocol such as FTPS (FTP with SSL). The golden rule is:
"Never send passwords unencrypted over the network."
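As an added example (not code from the original article), the following PowerShell disables the FTP and SMTP services and then confirms that nothing is still listening on ports 21 and 25. The service names MSFTPSVC (IIS 6 FTP), ftpsvc (IIS 7.5 and later FTP) and SMTPSVC (IIS SMTP) are the ones Windows uses; the listener check assumes Get-NetTCPConnection, which exists on Windows 8 / Server 2012 and later.

```powershell
# Added example, not part of the original article: stop and disable the FTP
# and SMTP services, then verify that their ports are no longer open.
$Unwanted = @('MSFTPSVC', 'ftpsvc', 'SMTPSVC')   # known IIS service names; absent ones are skipped

function Disable-UnwantedService {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }                       # service not installed on this box
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled    # keep it from coming back at reboot
        [PSCustomObject]@{
            Service   = $name
            Status    = (Get-Service -Name $name).Status
            StartType = 'Disabled'
        }
    }
}

function Test-PortStillListening {
    param([int[]]$Ports = @(21, 25))
    # Get-NetTCPConnection needs Windows 8 / Server 2012 or later (assumption);
    # on older systems run "netstat -ano -p tcp" and look for the same ports.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Ports } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $proc.ProcessName
                PID     = $_.OwningProcess
            }
        }
}

Disable-UnwantedService -Names $Unwanted | Format-Table -AutoSize
$left = Test-PortStillListening
if ($left) {
    Write-Warning 'Something is still listening on the FTP/SMTP ports:'
    $left | Format-Table -AutoSize
} else {
    Write-Host 'Ports 21 and 25 are closed.'
}
```

The listener check matters because a third-party FTP or mail daemon (exactly the kind of service the "daemon" hint in tip 3 warns about) can hold the same ports after the IIS services are gone; the table shows which process owns any remaining listener.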
6. Check your upload scripts
Another major write operation on your web server is any script that lets a user
upload something to the server from a web page. This is a potentially critical
vulnerability: if the upload script is poorly implemented, there is a real risk
that a hacker uploads an executable script (ASP or ASP.NET, or even a virus) and
runs it on your server. So be sure to double-check every script that contains a
file upload module. A good practice is to always store uploaded files in a separate
location and have your web server point to it, so that even if an uploaded script
is run, it cannot affect your web server.
7. Monitor and audit the server
All the logs on the web server should be stored in a separate area. All logs,
including raw access logs, operating system logs and database server logs, should
be monitored and checked frequently. Never postpone action on suspicious log
entries. Log files tend to hold all the information about an attempted attack,
and even a successful one, but most of the time they are ignored. If strange
activity shows up in the logs, it should be escalated immediately so that the
issue can be investigated.
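The following PowerShell is an added example, not code from the original article, of what "checking the logs frequently" can look like in practice for IIS W3C access logs: it parses the #Fields: header, groups requests by client address and reports clients that produce a burst of error responses or request executable files under the upload folder. The log lines are constructed sample data; the threshold, the /uploads/ path and the log file location in the usage note are assumptions to adjust for your server.

```powershell
# Added example, not part of the original article: flag suspicious clients
# in IIS W3C extended log data.
# Constructed sample log (not real traffic); field order follows the #Fields: line.
$SampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-03-01 00:00:01 203.0.113.10 GET /default.htm 200
2005-03-01 00:00:02 203.0.113.10 GET /images/logo.gif 200
2005-03-01 00:00:05 198.51.100.7 GET /backup/ 404
2005-03-01 00:00:06 198.51.100.7 GET /old/ 404
2005-03-01 00:00:07 198.51.100.7 GET /test/ 404
2005-03-01 00:00:08 198.51.100.7 GET /scripts/ 404
2005-03-01 00:00:09 198.51.100.7 GET /admin/ 401
2005-03-01 00:00:10 198.51.100.7 GET /admin/ 401
2005-03-01 00:00:15 192.0.2.33 GET /uploads/test.asp 200
'@

function ConvertFrom-IisW3cLog {
    # Turn W3C log text into objects whose property names are the #Fields: names
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Log data has no #Fields: header' }
        $values = $line -split '\s+'
        $entry  = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [PSCustomObject]$entry
    }
}

function Find-SuspiciousClients {
    param([object[]]$Entries, [int]$ErrorThreshold = 5)
    $Entries | Group-Object 'c-ip' | ForEach-Object {
        # Many 4xx/5xx answers from one address usually means scanning or guessing
        $errors = @($_.Group | Where-Object { [int]$_.'sc-status' -ge 400 })
        # Executable content under the upload folder should never be requested (assumed path)
        $execHits = @($_.Group | Where-Object { $_.'cs-uri-stem' -match '^/uploads/.*\.(asp|aspx|exe|bat)$' })
        if ($errors.Count -ge $ErrorThreshold -or $execHits.Count -gt 0) {
            [PSCustomObject]@{
                ClientIP             = $_.Name
                Requests             = $_.Count
                ErrorResponses       = $errors.Count
                ExecutableUploadHits = $execHits.Count
                Paths                = ($_.Group.'cs-uri-stem' | Select-Object -Unique) -join ', '
            }
        }
    }
}

$entries = ConvertFrom-IisW3cLog -Lines ($SampleLog -split "`r?`n")
Find-SuspiciousClients -Entries $entries -ErrorThreshold 5 | Format-List
```

On a real server replace the sample with `Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'` (IIS 7 and later; IIS 6 logs under the system32\LogFiles folder), and run it from a scheduled task so the review actually happens rather than being postponed. With the sample data it reports 198.51.100.7 (six error responses) and 192.0.2.33 (one executable requested under /uploads/).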
8. Implement complex password rules
Never trade security for user ease or convenience. No matter what the users feel,
always enforce complex password rules. If a user has a dictionary word as his or
her password, it becomes easy for an attacker to gain access to your server by
a brute force (dictionary) attack. Give your users hints for choosing a safe
password.
9. Check *.bat and *.exe files regularly
The Windows world is known for virus attacks in the form of executables, so make
checking for new or strange *.bat and *.exe files part of your daily or weekly
routine. Such files may in turn modify the registry, adding or deleting keys and
thereby bringing down your entire system.
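Tips 3 and 9 both come down to the same routine: record what the server looks like when it is known good, then diff against it on a schedule. The script below is an added example, not code from the original article, that snapshots Administrators group membership, running services and the *.exe/*.bat/*.cmd files (with SHA-256 hashes, so a replaced file shows up too) under chosen folders, stores the snapshot as JSON and reports what changed since the previous run. The baseline path and the watched folders are assumptions; Get-LocalGroupMember and Get-FileHash need PowerShell 5.1 or later.

```powershell
# Added example, not part of the original article: baseline-and-diff check for
# administrators, running services and executable files.
$BaselinePath = 'C:\SecAudit\baseline.json'                 # assumed location
$WatchFolders = @('C:\inetpub\wwwroot', 'C:\Windows\Temp')  # assumed folders to watch

function Get-ServerSnapshot {
    [PSCustomObject]@{
        Taken    = (Get-Date).ToString('o')
        Admins   = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name | Sort-Object)
        Services = @(Get-Service | Where-Object Status -eq 'Running' | ForEach-Object Name | Sort-Object)
        # "path|sha256" so both new files and silently replaced files are detected
        Binaries = @(Get-ChildItem -Path $WatchFolders -Recurse -File -Include *.exe, *.bat, *.cmd -ErrorAction SilentlyContinue |
                     ForEach-Object { '{0}|{1}' -f $_.FullName, (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } |
                     Sort-Object)
    }
}

function Compare-Snapshot {
    param($Old, $New)
    foreach ($section in 'Admins', 'Services', 'Binaries') {
        $before = @($Old.$section)
        $after  = @($New.$section)
        # $_ guard skips the $null that @() wrapping produces for an empty section
        $added   = $after  | Where-Object { $_ -and ($_ -notin $before) }
        $removed = $before | Where-Object { $_ -and ($_ -notin $after) }
        foreach ($item in $added)   { [PSCustomObject]@{ Section = $section; Change = 'ADDED';   Item = $item } }
        foreach ($item in $removed) { [PSCustomObject]@{ Section = $section; Change = 'REMOVED'; Item = $item } }
    }
}

$current = Get-ServerSnapshot

# The article's hint: services with "daemon" in the name are rarely native to Windows
$odd = Get-Service | Where-Object { $_.Status -eq 'Running' -and ($_.Name + ' ' + $_.DisplayName) -match 'daemon' }
if ($odd) { Write-Warning ("Running services with 'daemon' in the name: " + ($odd.Name -join ', ')) }

if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $changes  = Compare-Snapshot -Old $baseline -New $current
    if ($changes) {
        Write-Warning "Differences since the baseline taken $($baseline.Taken):"
        $changes | Format-Table -AutoSize
    } else {
        Write-Host "No changes since $($baseline.Taken)"
    }
} else {
    New-Item -ItemType Directory -Path (Split-Path -Path $BaselinePath) -Force | Out-Null
    Write-Host "No baseline found; creating one at $BaselinePath"
}
# Persist the current state so the next run compares against it
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Take the first snapshot right after a clean build, keep the baseline file somewhere the web application's identity cannot write (tip 12), and treat any ADDED line in the Admins section the way the anecdote above describes: as a sign that someone is already inside.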
10. Use the IIS Lockdown tool
This tool has some nice benefits, but it has some drawbacks too, so use it
cautiously. If your web server interacts with other servers, test the Lockdown
tool to make sure it is configured so that connectivity to backend services is
not lost.
11. Use network scanners
There are various free network scanners that can check your system against a
huge database of known vulnerabilities, so make sure you test your web server
with them. A few examples are Nessus and Acunetix Scanner.
12. Use NTFS security
By default, your NTFS drives are open to Everyone/Full Control until you lock them
down. The key is not to lock yourself out. Everyone should be unchecked for all
levels of access. Administrator needs full control, your backdoor admin account
(if you have one) needs full control, and System and Services each need a level
of access that depends on the file. The most important folder is System32, and
as few permissions as possible should be granted on it. Using NTFS permissions
on a web server helps lock down the files and applications that web surfers do
not need to access.
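Tips 4, 6 and 12 fit together in one concrete setup: keep user-supplied content in a folder outside the web root, let the site write to it but never execute from it, and keep administrators in control. The PowerShell below is an added example, not code from the original article; the folder path, site name and application pool identity are assumptions, and the virtual directory part assumes IIS 7 or later with the WebAdministration module.

```powershell
# Added example, not part of the original article: NTFS lockdown of an upload
# folder that lives outside the web root, plus a check that nothing was left open.
$UploadRoot  = 'D:\SiteData\Uploads'          # assumed: not under C:\inetpub\wwwroot
$SiteName    = 'Default Web Site'             # assumed site name
$AppPoolUser = 'IIS AppPool\DefaultAppPool'   # assumed: identity the site runs as

function Set-UploadFolderAcl {
    param([string]$Path, [string]$WriterIdentity)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited rules (this is
    # what removes the Everyone / Users grants that came with the drive)
    $acl.SetAccessRuleProtection($true, $false)
    $both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        # Administrators and SYSTEM keep full control so backups and admins still work
        [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', $both, $none, 'Allow'),
        [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl', $both, $none, 'Allow'),
        # The site may create, read and delete files but must not run anything here
        [System.Security.AccessControl.FileSystemAccessRule]::new($WriterIdentity, 'Read, Write, Delete', $both, $none, 'Allow'),
        [System.Security.AccessControl.FileSystemAccessRule]::new($WriterIdentity, 'ExecuteFile', $both, $none, 'Deny')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-UploadFolderAcl {
    # The "don't lock yourself out" check: no broad grants left, admins still in control
    param([string]$Path)
    $access   = (Get-Acl -Path $Path).Access
    $broad    = $access | Where-Object { $_.IdentityReference -match '^(Everyone|BUILTIN\\Users)$' }
    $adminAce = $access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Administrators' -and
        $_.FileSystemRights -eq 'FullControl' -and $_.AccessControlType -eq 'Allow'
    }
    [PSCustomObject]@{
        Path               = $Path
        BroadGrantsRemain  = [bool]$broad
        AdminsFullControl  = [bool]$adminAce
    }
}

Set-UploadFolderAcl -Path $UploadRoot -WriterIdentity $AppPoolUser
Test-UploadFolderAcl -Path $UploadRoot | Format-List

# Publish the folder as a virtual directory with script execution turned off.
# Assumes IIS 7+ and the WebAdministration module; the accessPolicy setting is
# written to applicationHost.config via -Location because the handlers section
# is locked against web.config overrides by default.
Import-Module WebAdministration
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name 'uploads' -ErrorAction SilentlyContinue)) {
    New-WebVirtualDirectory -Site $SiteName -Name 'uploads' -PhysicalPath $UploadRoot | Out-Null
}
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/uploads" `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'
```

With this in place an uploaded .asp file is stored but never handed to a script engine, which is the "even if any scripts are run, it does not affect your web server" outcome tip 6 asks for, and the test function tells you before you close the session whether Administrators still have a way back in.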
13. Use TCP port blocking
This is another tricky issue. If you know exactly which ports legitimate users
will access, you can go into your network card's TCP/IP binding and block the
unused ports. Double-check this, as you might lock yourself out (especially if
you are logged in remotely) or lock the web server down. The latest listing of
standard TCP port numbers is maintained by IANA.
14. Use IP-based filtering
If you are sure where the requests to your server will come from, make sure you
have a security device that does IP-based filtering. This helps a great deal,
because hackers who try random IP addresses will not be able to reach your
server at all.
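Tips 13 and 14 can be applied on the server itself with the Windows firewall, and the lock-out risk the text warns about can be covered with a timed rollback. The PowerShell below is an added example, not code from the original article: it sets deny-by-default inbound, allows the web ports from anywhere, allows RDP and WinRM only from an administrator subnet, disables the built-in any-source Remote Desktop rules, and first registers a scheduled task that undoes all of that after ten minutes unless you cancel it. The rule group name, admin subnet and timer are assumptions; the NetSecurity and ScheduledTasks modules need Windows Server 2012 or later.

```powershell
# Added example, not part of the original article: port allowlist plus
# IP-based restriction of remote administration, with a safety-net rollback.
$RuleGroup   = 'IIS hardening'   # assumed group name, used to find and remove our rules
$AdminSubnet = '192.0.2.0/24'    # assumed: where administrators connect from
$RollbackMin = 10                # minutes until the safety net undoes the change

function Add-RollbackTask {
    # If the new rules cut off the session that created them, SYSTEM removes
    # them and re-enables the stock Remote Desktop rules without any interaction.
    $cmd     = "Remove-NetFirewallRule -Group '$RuleGroup'; Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($RollbackMin)
    Register-ScheduledTask -TaskName 'FirewallRollback' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

function Set-IisFirewallRules {
    # Deny everything inbound unless a rule allows it
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    # Web traffic from anywhere (tip 13: only the ports legitimate users need)
    New-NetFirewallRule -DisplayName 'IIS HTTP/HTTPS' -Group $RuleGroup -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -Action Allow | Out-Null
    # Remote administration only from the admin subnet (tip 14: IP-based filtering)
    New-NetFirewallRule -DisplayName 'RDP from admin subnet' -Group $RuleGroup -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'WinRM from admin subnet' -Group $RuleGroup -Direction Inbound `
        -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $AdminSubnet -Action Allow | Out-Null
    # The built-in Remote Desktop rules accept any source; turn them off so
    # the subnet-restricted rule above is the only way in
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Get-OpenInboundPorts {
    # Review what is still reachable: every enabled inbound allow rule with its ports and sources
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addrs = $_ | Get-NetFirewallAddressFilter
        [PSCustomObject]@{
            Rule     = $_.DisplayName
            Protocol = $ports.Protocol
            Port     = ($ports.LocalPort -join ',')
            From     = ($addrs.RemoteAddress -join ',')
        }
    }
}

Add-RollbackTask          # safety net first, rules second
Set-IisFirewallRules
Get-OpenInboundPorts | Sort-Object Rule | Format-Table -AutoSize

# Still connected after the change? Then the rules are right: cancel the safety net.
# Unregister-ScheduledTask -TaskName 'FirewallRollback' -Confirm:$false
```

Run it from a session on the admin subnet, read the table of open ports against the list of ports you decided legitimate users need, and only then cancel the rollback task; if the session drops instead, wait out the timer and reconnect.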
To sum up, being a system administrator is no piece of cake in this era; the job
is becoming more of an art than a science. So it is very important for a system
administrator to take precautions. Beyond that, it is one of the primary duties
of the system/network administrator to act as early as possible on any potential
threat to the security of the network.