October 2001

Hardening an IIS 4.0 Web Server


Peel off the extra service layers to create an impenetrable public Internet server

Running any service on a computer attached to the Internet requires careful planning. While providing the required service, you need to ensure that you aren't providing other services that crackers can use as entry points into your network. Furthermore, you need to take steps to lock down the required service as much as possible. This guide helps you perform both of these hardening tasks on a Windows NT 4.0 server running IIS 4.0. I show you how to turn your Web server into a bastion host—a host computer that you make directly available to the public network and that's designed to screen the rest of the network from security exposures.

(Don't use these hardening techniques on an internal file and print server or domain controller (DC); the techniques remove some services that these servers need to function.)

To build a UNIX Web server, you usually start with a base installation of the OS and add only the necessary services, thereby limiting the server's functionality and complexity to the minimum required. For an NT Web server, you work backwards from a complete installation to remove all but what you need. In other words, you peel away the outer layers of software and services until you're left with nothing but a hard inner core of NT and IIS. By removing or locking down all unnecessary functions on your Web server, you protect your server not only from today's known attacks but also from attacks that will be developed in the future. For example, if someone manages to use a new type of attack, or exploit, to somehow make the IUSR_computername account execute a file that isn't in the server's \wwwroot directory, that attempt won't compromise your machine because you'll have explicitly locked down permissions on that account.

Install NT
Start with a fresh installation of the English-language version of NT Server 4.0. (Microsoft is notoriously slow to release patches for foreign-language versions.) Don't attempt to harden an existing production Web server; unpredictable results will occur. If you want to harden an existing Web site, set up a new server and migrate the Web site's application and data to the new box after you've completed the steps in this guide.

Use NTFS on all partitions. Install only one copy of the OS on the server. If you ever need another copy of the OS on the server for troubleshooting, install it only when necessary and remove it afterward to limit the server's exposure to attacks. Choose the standalone server role, not the PDC or BDC role. Install the server as a workgroup member, not a domain member. You want only local accounts on this machine to limit exposure to your production NT domain. You'll remove most of the functionality that would let this server communicate in a domain infrastructure. You won't be able to use normal NT drive mapping or other trusted host-type features that are commonly used in NT domains.

After installing the OS, download NT 4.0 Service Pack 6a (SP6a) at http://www.microsoft.com/ntserver/nts/downloads/recommended/sp6/allsp6.asp and install it. Then, download Microsoft Internet Explorer (IE) 5.01 SP2 at http://www.microsoft.com/windows/ie/download/ie501sp2.htm and install it. Don't install Active Desktop—you're trying to keep the installation as simple as possible by limiting it to the software necessary for Web functionality.

Install the NT 4.0 Option Pack, and choose custom installation. Install only the items that Figure 1 shows. (Clear all other items.)

After you install the Option Pack, install applicable updates. Keeping up-to-date with service packs and hotfixes is a full-time job. Microsoft has withdrawn some hotfixes a few days after releasing them because the fixes introduced bigger security holes than they fixed. Other hotfixes have been known to break a server. When a new fix becomes available, you must assess your level of exposure and decide how soon to implement the fix. A lab with a similarly configured Web server on which you can test the fix is extremely helpful in making such calls. However, unless you're facing a clear and present danger, I suggest waiting a few days after Microsoft releases a hotfix and monitoring the security mailing lists and newsgroups to see what results others have with the fix. Figure 2 lists the service packs and hotfixes I had installed as of August 2000. For more complete information, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp?productid=16&servicepackid=7.
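Before comparing a server against a list like the one in Figure 2, you need to know what the box actually has installed. The batch file below is an added example, not code from the article or its download; it uses only tools that ship with NT 4.0 (regedit.exe and find.exe) to dump the service pack string and the hotfix keys that fixes register under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix. The output path under %TEMP% is an assumption; change it if that variable is unset on your server.

```batch
@echo off
rem Added example (not from the article): inventory the NT 4.0 service pack
rem level and the hotfixes that have registered themselves, so the result can
rem be compared against the set of fixes you intend to have on the server.
rem Assumes stock NT 4.0: regedit.exe exports REGEDIT4 ANSI text, which
rem find.exe can search; %TEMP% is writable.

set OUTDIR=%TEMP%
if "%OUTDIR%"=="" set OUTDIR=C:\TEMP

rem The CurrentVersion key carries the service pack string (CSDVersion)
rem and the build number; export it and pull out those two values.
regedit /e %OUTDIR%\ntver.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
echo Service pack level and build:
find "CSDVersion" %OUTDIR%\ntver.reg
find "CurrentBuildNumber" %OUTDIR%\ntver.reg

rem Hotfixes that register themselves create a subkey named after their
rem Knowledge Base article (for example Q147222) under ...\Hotfix.
rem Export that key and print every key line in the export.
regedit /e %OUTDIR%\hotfix.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix"
echo Registered hotfixes:
find "[HKEY" %OUTDIR%\hotfix.reg

del %OUTDIR%\ntver.reg
del %OUTDIR%\hotfix.reg
```

Run it from a command prompt while logged on as an administrator and keep the output with the server's build notes. The Hotfix key only shows fixes that register themselves there; for any fix that does not, confirm it by checking the version of the files it replaces.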

Move your \wwwroot directory to a separate partition or disk from the OS. Choose the default setting, local administration, for Microsoft Transaction Server (MTS). Microsoft Data Access Components (MDAC) has created holes that have given crackers access to many IIS servers. Later, I show you how to edit the registry to close these holes. For now, install the latest compatible version of MDAC (release to manufacturing—RTM—version 2.6 as of this writing) at http://www.microsoft.com/data/download.htm?rld=377.

Configure NT
Now that you've installed most of the necessary software, you can start configuring it. First, on all partitions, change the default setting that gives the Everyone group Full Control. Use File Manager to recursively set permissions on each partition's root directory so that only Administrators and SYSTEM have Full Control. You'll further refine the NTFS permissions later.

To protect the server console, set up the screen saver for the administrator's profile. Open the Control Panel Display applet, click the Screen Saver tab, and select the Password protection check box.
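The two configuration steps above (resetting the partition-root ACLs and password-protecting the administrator's screen saver) can be scripted with stock NT 4.0 tools instead of File Manager and the Display applet, which makes the result repeatable when you rebuild the box. The batch file below is an added example, not code from the article or its download. It assumes an English-language NT 4.0 installation (the Y/N confirmation from cacls is answered with y), that the OS is on C: and \wwwroot is on D: (edit the drive list otherwise), and that you run it logged on as the administrator so the screen saver settings land in that profile. The registry value names under HKEY_CURRENT_USER\Control Panel\Desktop and the logon.scr screen saver are the standard NT 4.0 ones.

```batch
@echo off
rem Added example (not from the article): script the two "Configure NT" steps
rem with stock NT 4.0 tools. Assumes an English NT 4.0 install, partitions
rem C: (OS) and D: (\wwwroot), and that this runs as the administrator.

rem 1. Replace the default Everyone:Full Control ACL on each partition root,
rem    recursively, with Administrators and SYSTEM full control.
rem    /G without /E replaces the whole ACL instead of adding to it.
rem    /T walks subdirectories; /C continues past access-denied errors
rem    (the pagefile, for instance) so one locked file does not abort the run.
for %%d in (C: D:) do echo y| cacls %%d\ /T /C /G Administrators:F SYSTEM:F

rem 2. Password-protect the screen saver for the current profile.
rem    Build the .reg file inline so the script stands alone, then import it
rem    silently. ScreenSaveTimeOut is in seconds (600 = 10 minutes, an
rem    assumed value); logon.scr is the default NT 4.0 screen saver.
set REGFILE=%TEMP%\scrsave.reg
echo REGEDIT4> %REGFILE%
echo.>> %REGFILE%
echo [HKEY_CURRENT_USER\Control Panel\Desktop]>> %REGFILE%
echo "ScreenSaveActive"="1">> %REGFILE%
echo "ScreenSaverIsSecure"="1">> %REGFILE%
echo "ScreenSaveTimeOut"="600">> %REGFILE%
echo "SCRNSAVE.EXE"="logon.scr">> %REGFILE%
regedit /s %REGFILE%
del %REGFILE%

rem 3. Check the result: cacls with no switches prints the ACL, which should
rem    now list only BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
for %%d in (C: D:) do cacls %%d\
```

Step 1 is deliberately as blunt as the article's File Manager instruction: it strips Everyone from every file on the partition, including ones the IUSR_computername account will need to read under \wwwroot, so run it before you set the finer-grained permissions the article returns to later rather than after. Step 3 is the check; if either root still shows Everyone, a cacls run was interrupted and should be repeated.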

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.