Remove excess fat from your Web server
Installing Windows 2000 or Windows NT 4.0 (with the Option Pack) renders IIS operational under its default security settings. Some of these default settings can result in security exposures, as the CodeRed Worm showed.
Microsoft has created two tools that let you better control IIS configuration and operation: IIS Lockdown and URLScan (which is included in IIS Lockdown 2.1). IIS Lockdown 2.1 offers the following capabilities:
- disables or removes unnecessary IIS services and components
- secures system files and Web content directories beyond the default settings
- installs URLScan to filter HTTP requests
I show you how to use IIS Lockdown 2.1 to perform the first two bulleted items. Note that the information I present here is for IIS Lockdown 2.1 specifically. Previous versions of the utility operate quite differently.
IIS Lockdown Caveats
IIS Lockdown alters the behavior of IIS, so the tool is likely to conflict with applications that depend on certain IIS features. For example, you must give special consideration to installing IIS Lockdown and URLScan on servers that support Microsoft Exchange 2000 Server, Exchange Server 5.5, or Microsoft SharePoint Portal Server (formerly code-named Tahoe). Two Microsoft articles outline difficulties you might encounter and how to work around them: "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q309677) and "SPS: IIS Lockdown Tool Affects SharePoint Portal Server" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q309675). You should also search the Microsoft Knowledge Base before implementing either IIS Lockdown or URLScan to make sure you have the most up-to-date information about any problems pertaining to your type of installation. After you've read the latest Microsoft articles and considered their suggestions, install IIS Lockdown on a test server and perform rigorous testing to verify that features required by your applications, both proprietary and commercial, are still available and functioning. Finally, you should perform a full system backup to speed system recovery in the event that testing results in an extreme loss of functionality.
Installation
You can obtain IIS Lockdown 2.1 from the IIS Lockdown Tool (version 2.1) download site (http://www.microsoft.com/downloads/release.asp?releaseid=33961). After you download iislockd.exe to your system, you can double-click the filename in Windows Explorer or click Start, Run and type
iislockd
to extract the files to a temporary directory and launch the IIS Lockdown Wizard. However, if you have multiple servers to protect, extracting the files to a permanent working directory as I outline in the steps below is best.
You should be aware that the IIS Lockdown self-extracting executable and the standalone executable inside the self-extracting executable have the same name. This duplicate naming causes problems if you try to download the self-extracting executable and unpack it into the same directory. Avoid these problems by performing these installation steps:
- Download iislockd.exe to a temporary directory.
- From the temporary directory, open a command prompt and execute the command
iislockd.exe /q /c /t:c:\IISLockdown
to extract the IIS Lockdown files. The /q switch places the installation in quiet mode, and the /c switch instructs IIS Lockdown to perform only the file extraction and works in conjunction with the /t switch, which specifies the temporary working directory to which you would like to extract the files. Enclose the directory name in double quotes if it contains spaces (e.g., /t:"c:\IIS Lockdown"). Web Table 1 lists the files that iislockd.exe places into the specified directory. (You can access Web Table 1 at http://www.windowswebsolutions.com, InstantDoc ID 24480.) Notice that iislockd.exe contains the files for URLScan, which I don't cover in detail in this article. IIS Lockdown doesn't install any menu or desktop shortcuts, so you must launch the tool from Windows Explorer; Start, Run; or a command line.
Operation
IIS Lockdown operation is fairly straightforward. When you launch iislockd.exe, the Internet Information Services Lockdown Wizard steps you through the lockdown process. After an opening dialog box and an End User License Agreement (EULA) dialog box, the wizard prompts you to select the type of server you want to secure, as Figure 1 shows. Select the server template that most closely matches your server configuration. For this article, I used the Static Web server template. Select the View template settings check box to see a series of dialog boxes that present configuration options for your server type. If the check box isn't selected, the wizard will bypass these dialog boxes and take you straight to the URLScan installation.
Click Next to see the Internet Services dialog box (which Web Figure 1 shows), the first of the actual IIS Lockdown configuration pages. IIS Lockdown can disable or remove the four IIS services: HTTP, FTP, SMTP, and Network News Transport Protocol (NNTP). How do you know which services you require? The server template you chose gives you some hints, and personal experience and lab testing your environment and applications are also helpful. The IIS service options in the Internet Services dialog box are in one of three states:
- Enabled: The option is selected, and the check box has a checkmark. Clearing the check box will disable the service.
- Enabled, disabling recommended: The option isn't selected, and the check box doesn't have a checkmark. Leaving the check box cleared will disable the service.
- Disabled, not selectable: If an option is shaded and its check box has no checkmark, you can't alter the service because the service isn't installed or the server template you've chosen requires the service.
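After running the wizard on a test server, it is worth confirming that the four services really ended up in the state you chose. The following PowerShell report is an added example, not part of the article or of the IIS Lockdown tool; it assumes the Static Web server template, so only the WWW service (W3SVC) is treated as required, and it uses the standard Windows service names for the four IIS services.

```powershell
# Added example: report the state of the four IIS services that the
# Internet Services page of IIS Lockdown can disable, and flag any that
# are still enabled although the chosen template does not need them.
# Assumption: Static Web server template, so only W3SVC is required.

$IisServices = [ordered]@{
    'W3SVC'    = 'HTTP (World Wide Web Publishing)'
    'MSFTPSVC' = 'FTP Publishing'
    'SMTPSVC'  = 'Simple Mail Transport Protocol'
    'NNTPSVC'  = 'Network News Transport Protocol'
}

# Services the applications on this server actually need; adjust per template.
$Required = @('W3SVC')

function Get-IisLockdownServiceReport {
    param([string[]]$RequiredServices = $Required)
    foreach ($name in $IisServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # Not installed: IIS Lockdown shows it shaded and not selectable.
            $state = 'Not installed'; $startup = '-'
        } else {
            $state   = $svc.Status
            $startup = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        }
        $finding = if ($RequiredServices -contains $name) {
            if ($state -ne 'Running') { 'REQUIRED but not running' } else { 'OK' }
        } elseif ($state -eq 'Running' -or $startup -eq 'Auto') {
            'UNNEEDED service still enabled'
        } else { 'OK' }
        [pscustomobject]@{
            Service     = $name
            Description = $IisServices[$name]
            State       = $state
            StartMode   = $startup
            Finding     = $finding
        }
    }
}

Get-IisLockdownServiceReport | Format-Table -AutoSize
```

Run it before and after the wizard on the test server and compare the two reports; any UNNEEDED finding means the lockdown did not take effect for that service.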
Why should I use IIS Lockdown?
What specific vulnerabilities are there that IIS lockdown solves?
What environments/applications would best benefit from IIS Lockdown?
How would a small business (2-10 web servers) benefit from IIS Lockdown?
Thanks.
Phil Wyatt August 12, 2003