My company is using the Microsoft white paper "From Blueprint to Fortress: A Guide to Securing IIS 5.0" as a guide to help us secure our Web servers. After we applied the HiSecWeb security template, however, we began to experience problems. First, can we undo the security template? Second, could we have determined in advance what the effects of applying the security template would be?
The Microsoft article "IIS 5: HiSecWeb Potential Risks and the IIS Lockdown Tool" (Q316347,) states that "The possible effects and ramifications of security templates are vast and wide-ranging." Because you can't undo security templates, you now face a challenge.
The HiSecWeb security template disables some server functionality and, consequently, can cause problems. To remedy the situation, you can apply the default Basic template to return your server to a baseline state, but this template probably won't restore all functionality. Therefore, you might be better off reviewing all the changes in the security template and determining which ones you need to undo to get your server working again. This approach is also probably more secure because you then know which settings you've adjusted.
Because Microsoft widely recommends the HiSecWeb security template, anyone who considers applying the template will benefit from reviewing its contents. The template makes the following assumptions about an IIS server that's a candidate for the template:
- It isn't a domain controller (DC).
- It's a dedicated Web server.
- It's physically secure.
- It hasn't been upgraded from Windows NT 4.0.
- Its NTFS permissions and user rights haven't changed.
- Only administrators can log on to it locally.
- Administrators can't log on to it remotely.
- Its Administrator and Guest accounts haven't been renamed.
This information, which is provided at the top of the HiSecWeb security template file, gives you a starting point for determining which modifications you might want to make in the template. One glaring pair of assumptions the template makes is that administrators will log on at the server console and that they won't be able to log on over the network. These stipulations can interfere with remote administration.
In addition, the HiSecWeb security template disables these services: Alerter, Clipbook, Computer Browser, DHCP Client, Fax Services, Internet Connection Sharing, IrMon, Messenger, NetMeeting, NetMeeting Remote Desktop Sharing, Print Spooler, Remote Access Connection Manager, Remote Access Auto Connection Manager, Remote Registry Services, Telephony, and Terminal Services. You might want to reenable the Terminal Services service for remote administration and the Print Spooler service if you want to apply service packs. (The Print Spooler service must be running before you can apply service packs—strange but true.)
The HiSecWeb security template also disables 8.3-filename compatibility. In most cases, disabling this setting doesn't pose a problem. However, some software installation routines still use 16-bit software, which requires 8.3 filenames.
You can inspect the hisecweb.inf file in Notepad and in the Security and Configuration Analysis template in the Microsoft Management Console (MMC) Security Templates snap-in to view the exact changes the template makes when applied. From this analysis, you can make informed decisions about the template's suitability for your environment.
Because Microsoft hasn't updated the HiSecWeb security template in a few years, you might want to look at the newer baseline.inf and iisincremental.inf templates that are part of the "Security Operations Guide for Windows 2000 Server" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp. These templates are by far the best that Microsoft has produced to date. You can also check out the National Security Agency's (NSA's) IIS templates at http://nsa1.www.conxion.com and SystemExperts' IIS templates at http://www.systemexperts.com/win2k/HardenWin2K.zip.