If the Remove unselected services check box is selected, IIS Lockdown will remove the services from the server, not just disable them. Removing unused services is a good idea on servers whose role doesn't change often because if the services are gone, no one can accidentally activate them later.
Next, the wizard displays the Script Maps dialog box, which Figure 2 shows. Script maps associate a specific file extension with the Internet Server API (ISAPI) executable that interprets the file's contents (e.g., .asp maps to asp.dll). IIS Lockdown disables specified file types by altering the script map to point to a DLL that returns a File not found message when a user attempts to execute a file of that type. Clear a file type's check box to disable that file type.
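To see which script maps a site still has wired to their normal ISAPI handlers (and therefore which file types the wizard has not yet pointed at its "File not found" DLL), you can read the metabase through the IIS ADSI provider. The following PowerShell is an added example, not part of the article or the IIS Lockdown tool; it assumes the IIS 5/6 ADSI provider is available, that the site of interest is instance 1, and that the list of extensions to review is one you choose (the list below is an illustrative assumption, not the wizard's exact list).

```powershell
# Added example: list a Web site's script maps and flag the extensions you
# expect IIS Lockdown to have disabled. Assumes the IIS ADSI provider (IIS 5/6).
param([int]$SiteId = 1)   # metabase instance number; 1 is the Default Web Site

# Extensions worth reviewing. This list is an assumption for the example.
$review = @('.asp', '.idc', '.shtm', '.shtml', '.stm', '.htr', '.idq', '.ida', '.printer', '.htw')

function Get-ScriptMapReport {
    param([int]$Id)
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    foreach ($entry in $root.ScriptMaps) {
        # Each ScriptMaps entry has the form ".ext,C:\path\handler.dll,flags,verbs"
        $parts   = $entry -split ','
        $ext     = $parts[0]
        $handler = $parts[1]
        if ($review -contains $ext) {
            # Emit an object per extension so the caller can filter or export it
            [pscustomobject]@{
                Extension = $ext
                Handler   = $handler
                # A handler whose file name is the site's normal ISAPI DLL (asp.dll,
                # httpodbc.dll, ssinc.dll, ism.dll, idq.dll, msw3prt.dll, webhits.dll)
                # means the type is still live; anything else is the lockdown stub.
                StillLive = ($handler -match '\\(asp|httpodbc|ssinc|ism|idq|msw3prt|webhits)\.dll$')
            }
        }
    }
}

Get-ScriptMapReport -Id $SiteId | Format-Table -AutoSize
```

Run it once before and once after IIS Lockdown and compare the Handler column: a disabled type should no longer point at its original DLL. The handler file names used in the StillLive test are the standard IIS handlers for those extensions, but treat that match as a convenience, not as the tool's own definition of "disabled".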
Figure 3 shows the final IIS Lockdown dialog box, Additional Security, which lets you remove unnecessary directories and secure your file system from unauthorized access. IIS is installed with a variety of virtual directories that are intended for development and training purposes but aren't required in a production environment. IIS Lockdown removes the virtual directories you select but leaves intact the data those directories contain.
By default, IIS restricts anonymous access to Web content directories. But you should place another level of security on your system utilities (e.g., cmd.exe) to prevent unauthorized access in the event of a system security failure. If you select the Running system utilities (for example, Cmd.exe, Tftp.exe) check box, IIS Lockdown modifies the access control entry (ACE) for all executable files in \%windir% and its subdirectories, explicitly denying execute rights for the local groups Web Anonymous Users and Web Applications. If you select the Writing to content directories check box, IIS Lockdown also secures all Web content directories, including files and folders on remote computers, by setting the ACE to deny write rights for the local groups Web Anonymous Users and Web Applications.
Web Distributed Authoring and Versioning (WebDAV) allows for remote Web content creation and management. Do you use this technology? If not, select the Disable Web Distributed Authoring and Versioning (WebDAV) check box. IIS Lockdown will set an ACE on httpext.dll, the WebDAV executable, to prevent it from being loaded into the inetinfo.exe process and to effectively disable the WebDAV functionality.
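The two preceding steps both work by adding explicit Deny ACEs for the Web Anonymous Users and Web Applications groups. The following PowerShell is an added example, not part of the article or the tool, for verifying that those ACEs are actually present after a lockdown: it reports executables under %windir% that lack a Deny-Execute entry for either group, content directories that lack a Deny-Write entry, and the ACL on httpext.dll. It assumes the group names from the article, that the content root is \inetpub\wwwroot (an assumption; adjust for your server), and that the function names are this example's own.

```powershell
# Added example: audit the Deny ACEs IIS Lockdown is expected to set.
# Group names come from the article; paths other than %windir% are assumptions.
$groups = @('Web Anonymous Users', 'Web Applications')
$contentRoot = Join-Path $env:SystemDrive 'inetpub\wwwroot'   # assumed content root

# Return the groups that do NOT have an explicit Deny ACE for $Right on $Path.
function Get-GroupsNotDenied {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Right
    )
    $acl = Get-Acl -Path $Path
    $denied = @()
    foreach ($ace in $acl.Access) {
        # IdentityReference is "MACHINE\Group"; keep only the group name
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($ace.AccessControlType -eq 'Deny' -and
            (($ace.FileSystemRights -band $Right) -eq $Right) -and
            ($groups -contains $name)) {
            $denied += $name
        }
    }
    $groups | Where-Object { $denied -notcontains $_ }
}

# 1. System utilities: every .exe/.com under %windir% should deny ExecuteFile.
Get-ChildItem -Path $env:windir -Recurse -Include *.exe, *.com -ErrorAction SilentlyContinue |
    ForEach-Object {
        $missing = Get-GroupsNotDenied -Path $_.FullName -Right ExecuteFile
        if ($missing) {
            "{0}: no Deny-Execute ACE for {1}" -f $_.FullName, ($missing -join ', ')
        }
    }

# 2. Content directories: every folder under the content root should deny Write.
if (Test-Path $contentRoot) {
    Get-ChildItem -Path $contentRoot -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $missing = Get-GroupsNotDenied -Path $_.FullName -Right Write
            if ($missing) {
                "{0}: no Deny-Write ACE for {1}" -f $_.FullName, ($missing -join ', ')
            }
        }
}

# 3. WebDAV: show the ACL on httpext.dll so you can confirm the ACE that keeps
#    inetinfo.exe from loading it.
$httpext = Join-Path $env:windir 'system32\inetsrv\httpext.dll'
if (Test-Path $httpext) {
    (Get-Acl -Path $httpext).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}
```

Run it from an elevated prompt after the lockdown; an empty report for sections 1 and 2 means every file or folder carries the expected Deny entries. The -Directory switch on Get-ChildItem requires PowerShell 3.0 or later; on older hosts filter with `Where-Object { $_.PSIsContainer }` instead.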
IIS Lockdown next asks whether you want to install URLScan. If you'd like to install a filter that prevents IIS from processing certain types of URLs that crackers commonly use as attack vectors, you can use URLScan as the front door (i.e., the filter). A future article in this newsletter will cover URLScan in depth. In the meantime, you can learn more about it at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp.
Before starting the modification process, IIS Lockdown displays a list of actions it will perform. You can stop IIS Lockdown or click Next to begin the lockdown process. After the lockdown begins, you can't stop it.
Depending on the changes IIS Lockdown makes, the tool might create in the \%windir%\system32\inetsrv folder several of the log and IIS metabase-backup files that Web Table 2 shows. I can't stress enough that you need to safeguard the IIS Lockdown log and metabase-backup files. Unless you want to reverse IIS Lockdown's actions manually or reinstall the OS, you need the log files to undo the IIS Lockdown operation. Copy the files to a disk or store them on a separate server in a directory associated with the modified server.
If you run IIS Lockdown on a production server, be sure to do so during scheduled downtime. IIS Lockdown stops the server's Web services when the tool starts applying changes, and you don't want to inconvenience users more than necessary.
Undo
If you attempt to run IIS Lockdown a second time, the only option that's available is to undo the previous operation. As long as IIS Lockdown can find the oblt-log.log file, it can perform an undo. If you want to apply a new IIS Lockdown configuration, you must first undo the previous operation, then restart IIS Lockdown and continue with the new configuration. If you chose to remove unnecessary IIS services during lockdown, you'll need to use the Control Panel Add/Remove Programs applet to reinstall them. Similarly, if you chose to install URLScan during lockdown, you must use the Add/Remove Programs applet to uninstall it.
Why should I use IIS Lockdown?
What specific vulnerabilities are there that IIS lockdown solves?
What environments/applications would best benefit from IIS Lockdown?
How would a small business (2-10 web servers) benefit from IIS Lockdown?
Thanks.
Phil Wyatt August 12, 2003