Microsoft recently released a new security-related document that helps administrators better secure their Internet Information Server 5.0 systems. The document is entitled "Secure Internet Information Services 5 Checklist" and lists a dozen specific items that must be addressed in addition to a few tweaks to the underlying Windows 2000 operating system.
For Windows 2000, Microsoft recommends that users apply a provided security template (available on their Web site), configure an IPSec packet filter on the system, and ensure the TelnetClients group does not contain any unwanted members. In addition, users are urged to apply the latest hotfixes or Service Pack for both Windows 2000 and IIS 5.0.
To tighten IIS 5.0, Microsoft suggests users first inspect all virtual directories to ensure the Access Control Lists (ACLs) are set correctly. The checklist recommends that users establish seperate directories for each type of content. For example, the document recommends that administrator put images in one directory, ASP scripts in another directory, DLL files in yet a different directory, and so on. In addition, Microsoft recommends several other configuration checks which include the inspection of logging parameters and Certificate Authorities as well as the removal of specific unnecessary default components and file mappings. The checklist goes on to recommend that specific features be disabled to prevent the exposure of internal IP addresses and to prevent the use of use parent path syntax ("..\") within a URL.
The document, which was last updated on July 7, is of value to developers as well. The document offers example VBScript code that demonstrate how to strip out unwanted characters when parsing user input. By stripping out unwanted characters many potential security risks associated with Windows, IIS, and SQL Server can be avoided