Now, remove all services that aren't integral to running your Web server. Your goal is to remove services that you know are vulnerable to attack and services that aren't necessary and might provide points of ingress for future attacks. If you're trying out a new configuration or Web application, I suggest disabling the services one by one and testing between each change. I've had good luck disabling these Control Panel Services applet services, but you might need to adjust this list for your situation: Alerter, ClipBook Server, Computer Browser, DHCP Client, Directory Replicator, FTP Publishing Service, License Logging Service, Messenger, Net Logon, Network DDE, Network DDE DSDM, Network Monitor, Plug and Play (disable after all hardware configuration), Remote Access Server, Remote Procedure Call (RPC) Locator, Schedule, Server, Simple Services, Spooler, TCP/IP NetBIOS Helper, and Telephony Service.
If you don't use these services, disable them as well: SNMP Service, SNMP Trap, and UPS. These services are required: EventLog, MSDTC, NTLM Support Security Provider, Protected Storage, Remote Procedure Call (RPC) Service, Workstation (you'll disable this service later), and WWW.
I strongly urge you not to use the FTP server that comes with IIS but rather to install SSH Communications Security's SSH Secure Shell to provide encrypted file transfers. (I discuss SSH more later.)
If you're using SNMP, perform these steps to set a strong password in the community string:
- Open the Control Panel Network applet.
- Click the Services tab, then select SNMP.
- Click Properties, then click the Security tab.
- Under Accepted Community Names, select public.
- Click Edit, then enter a strong password (e.g., something with at least three character sets, such as 5%c&&1De). Click OK twice.
To turn on the functionality for locking out the Administrator account over the network, use the Microsoft Windows NT Server 4.0 Resource Kit's Passprop utility to run the command
passprop /adminlockout /complex
This command stops intruders from brute forcing the password over the network.
Configure IIS
Many recent reconnaissance techniques and other exploits use sample files that default installations leave, so remove all the IIS and related sample directories that Table 1 lists. Also remove all the IIS extension mappings listed in Table 2 that you aren't using. To remove the extension mappings, follow these steps:
- In Internet Service Manager (ISM), right-click the computer name, then select Properties.
- Click Edit under Master Properties.
- Click the Home Directory tab, then click Configuration.
- Select the extensions that you want to remove, then click Remove.
If you aren't sure whether you'll use an extension, remove it, then add it later if you need to.
For the remaining extensions, consider limiting the HTTP verbs that the extension will accept. Instead of using all the verbs (i.e., DELETE, GET, HEAD, PUT, and TRACE), use only GET for static Web pages and PUT if you have forms on your site. You want to explicitly allow only the minimum actions needed per extension and hopefully remove dangerous verbs such as DELETE.
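As an added example (not from the article), the per-extension verb policy can be checked against the IIS log after the fact: this script parses W3C extended log lines using the #Fields: directive, flags requests whose verb the extension's policy doesn't allow, and flags requests for extensions that have no policy at all, which usually means a mapping was left in place. The policy table and the log excerpt are constructed; browsers submit HTML forms as POST (or GET), so the form-handler extension here allows POST.

```python
import os

# Constructed verb policy, one entry per extension mapping that was kept.
# The article keeps GET alone for static pages; HEAD is allowed here too
# because browsers and monitoring tools send it. HTML forms arrive as POST
# (or GET), so the form-handler extension allows POST. Any extension absent
# from this table is treated as a mapping that should already be removed.
VERB_POLICY = {
    ".htm": {"GET", "HEAD"},
    ".html": {"GET", "HEAD"},
    ".asp": {"GET", "POST"},
}

# Constructed IIS 4 W3C extended log excerpt (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-15 10:01:02 192.168.1.55 GET /default.htm - 200
2000-01-15 10:01:09 192.168.1.55 POST /order.asp - 200
2000-01-15 10:02:30 10.0.0.7 DELETE /default.htm - 403
2000-01-15 10:02:31 10.0.0.7 GET /info.idc - 200
2000-01-15 10:02:32 10.0.0.7 TRACE /default.htm - 200
"""

def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields: line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                         # other directives, blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def audit_verbs(log_text, policy=VERB_POLICY):
    """Return (time, method, stem, reason) for every request the policy rejects."""
    findings = []
    for rec in parse_w3c(log_text):
        method, stem = rec["cs-method"].upper(), rec["cs-uri-stem"]
        ext = os.path.splitext(stem)[1].lower()
        if not ext:
            continue                         # directory request: default document
        if ext not in policy:
            findings.append((rec["time"], method, stem, "no policy for extension"))
        elif method not in policy[ext]:
            findings.append((rec["time"], method, stem, "verb not allowed"))
    return findings
```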
Disable rather than delete the Default Web Site: it might be useful for upgrading the server, and applications might point to it. In ISM, right-click Default Web Site, then select Properties. Select the Directory Security tab, then under Anonymous Access & Authentication Control click Edit and clear all the check boxes, as Figure 3 shows. The system will warn you that you're shutting off all access; click Yes to continue. Perform the same steps for the Administrative Web Site.
Configure the Network
To allow only needed TCP/IP ports, open the Control Panel Network applet and double-click Protocols. Select TCP/IP Protocol, click Properties, then click Advanced. Select the Enable Security option, then click Configure. In the TCP Ports section of the resulting TCP/IP Security dialog box, select the Permit Only option, then add port 80 for HTTP, port 443 for Secure Sockets Layer (SSL), and port 22 for SSH. In the UDP Ports section of the dialog box, select the Permit Only option, then add port 161 and port 162, both for SNMP. In the IP Protocols section of the dialog box, select the Permit Only option, then add protocol 6 and protocol 8. Click OK to accept the additions. If for some reason you need to Web surf from the box (which I strongly discourage), you must also add port 53 in the UDP Ports section.
In addition to restricting the allowed ports, make sure the server is running only TCP/IP protocols, and specifically only those needed for client Web requests and remote administration through SSH. In the Control Panel Network applet, click Protocols, then remove all the protocols except TCP/IP. You also need to unbind NetBIOS from TCP/IP: in the Control Panel Network applet, click the Bindings tab, right-click NetBIOS Interface, then click Disable.
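The filter set in the TCP/IP Security dialog decides what reaches the server, but whatever is still listening behind it is what a filter mistake would expose, so it is worth auditing what the host actually listens on. This added example (not from the article) parses Windows netstat -an output and reports non-loopback listeners outside the Permit Only list above; the netstat text is constructed.

```python
import re

# Allow-list mirroring the article's TCP/IP Security dialog: permit only these.
PERMITTED = {"TCP": {80, 443, 22}, "UDP": {161, 162}}

# Matches the data rows of Windows "netstat -an"; UDP rows carry no state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

# Constructed netstat -an output for illustration (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:1042      ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    192.168.1.10:137       *:*
"""

def listeners(netstat_text):
    """Return (proto, local_addr, port) for every socket that accepts traffic."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing sockets aren't exposure
        found.append((proto, addr, int(port)))
    return found

def unexpected_listeners(netstat_text, permitted=PERMITTED):
    """Listening (proto, port) pairs the filter is not meant to permit, sorted.

    Sockets bound to loopback are left out: they are unreachable from the network.
    """
    return sorted({(p, port) for p, addr, port in listeners(netstat_text)
                   if not addr.startswith("127.") and port not in permitted[p]})
```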
Remove Commonly Exploited Files from Path
To limit what an intruder can do with any new attack that executes files on your Web server, make sure that the files which would let an intruder copy a cracking toolkit onto the server aren't easily accessible. To safeguard these files, move them and set their ACLs to allow only Administrator access.
Create a directory on the server's C drive, then move these files from the \system32 directory to the new directory: arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, command.com, cscript.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, ipconfig.exe, nbtstat.exe, net.exe, netstat.exe, nslookup.exe, ping.exe, posix.exe, qbasic.exe, rcp.exe, rdisk.exe, regedt32.exe, regedit.exe, rexec.exe, route.exe, rsh.exe, runonce.exe, secfixup.exe, syskey.exe, telnet.exe, tftp.exe, tracert.exe, wscript.exe, and xcopy.exe. Then, restrict access to the new directory to Administrator Full Control. This is a classic technique for reducing the damage crackers can do, even if they somehow get a foothold into your system.
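An added example (not from the article) that performs the relocation step as a function: it defaults to a dry run, never overwrites a file already in the destination, reports which listed files were not present, and afterwards checks that none of them is still reachable through PATH. The source and destination directories are parameters, and rehearse() exercises a real move on constructed empty files in a scratch directory.

```python
import os
import shutil
import tempfile

# The binaries the article says to move out of \system32 (its list).
TOOLS = [
    "arp.exe", "at.exe", "atsvc.exe", "cacls.exe", "cmd.exe", "command.com",
    "cscript.exe", "debug.exe", "edit.com", "edlin.exe", "finger.exe", "ftp.exe",
    "ipconfig.exe", "nbtstat.exe", "net.exe", "netstat.exe", "nslookup.exe",
    "ping.exe", "posix.exe", "qbasic.exe", "rcp.exe", "rdisk.exe", "regedt32.exe",
    "regedit.exe", "rexec.exe", "route.exe", "rsh.exe", "runonce.exe", "secfixup.exe",
    "syskey.exe", "telnet.exe", "tftp.exe", "tracert.exe", "wscript.exe", "xcopy.exe",
]

def relocate_tools(src_dir, dest_dir, tools=TOOLS, dry_run=True):
    """Move each listed tool from src_dir into dest_dir.

    Returns (moved, missing, skipped): names moved (or that a dry run would
    move), names not found in src_dir, and names left alone because dest_dir
    already holds a file of that name (never overwrite silently).
    """
    if not dry_run:
        os.makedirs(dest_dir, exist_ok=True)
    moved, missing, skipped = [], [], []
    for name in tools:
        src, dst = os.path.join(src_dir, name), os.path.join(dest_dir, name)
        if not os.path.isfile(src):
            missing.append(name)
        elif os.path.exists(dst):
            skipped.append(name)
        else:
            if not dry_run:
                shutil.move(src, dst)
            moved.append(name)
    return moved, missing, skipped

def still_on_path(tools=TOOLS, path=None):
    """Listed tools still reachable through PATH after the move (expect none)."""
    return [t for t in tools if shutil.which(t, path=path)]

def rehearse(names=("cmd.exe", "ftp.exe", "tftp.exe")):
    """Rehearse a real move on constructed empty files in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        src, dest = os.path.join(scratch, "system32"), os.path.join(scratch, "tools")
        os.makedirs(src)
        for n in names:
            open(os.path.join(src, n), "w").close()
        moved, _, _ = relocate_tools(src, dest, dry_run=False)
        return sorted(moved), sorted(os.listdir(dest)), still_on_path(names, path=src)
```

Note that cacls.exe is itself on the list, so set the new directory's ACL (on NT 4, cacls <dir> /T /G Administrator:F replaces the tree's ACL with Administrator Full Control) before moving it, or run it from the new location afterward.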