September 17, 2001 12:00 AM

Hardening an IIS 4.0 Web Server

Windows IT Pro
InstantDoc ID #22282
Downloads
22282.zip

Run the Hisecweb.inf Hardening Script
The next step is to run hisecweb.inf, a slightly modified version of Microsoft's high-security Web server .inf file for NT 4.0 and IIS 4.0. Download hisecweb.zip from the Code Library on the IIS Administrator Web site (http://www.iisadministrator.com), and unzip the file to a Temp directory.

Web-exclusive Figure 1 summarizes the changes that hisecweb.inf makes to your server. For a detailed look at the changes, open the hisecweb.inf file in the Microsoft Management Console (MMC) Security Configuration Editor snap-in. To implement the hisecweb.inf changes, type the command

secedit /configure /cfg hisecweb.inf /db %temp%\secedit.sdb /verbose /log %temp%\seclog.txt

at the command prompt. Hisecweb.inf renames the Administrator account to root. Set a strong password on the Administrator account, then change root to a name that's unique in your environment.

Edit the Registry
Hisecweb.inf can't perform all the necessary registry edits; you must do some manually (e.g., you must delete some registry keys). So fire up regedt32, and start hacking away at the registry. (The standard disclaimers apply, of course; save each key you're about to delete with regedt32's Registry, Save Key command so that you can restore it if something breaks.) First, remove the OS/2 and POSIX subsystems. To do so, remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT registry subkey. Then remove the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath registry subkey. Finally, remove these registry subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2. Open Windows Explorer, and delete the C:\winnt\system32\os2 directory and all its subdirectories.

One of the most devastating IIS attacks of recent years is an exploit in which a cracker uses the MDAC Remote Data Services (RDS) Data Factory component to gain unauthorized access to an IIS machine. After Rain Forest Puppy discovered the vulnerability, crackers ran autoscripts that searched the Web for IIS servers that had the component installed. When the crackers found an exploitable copy of MDAC, they copied root kits that contained remote-access programs such as Virtual Network Computing (VNC) to the Web server or they defaced the server's Web sites. No level of hotfix or service pack can protect your server against MDAC attacks—you must remove the RDS Data Factory object. If you aren't using the Data Factory object—and chances are that you aren't on a bastion Web server—remove its functionality. To do so, delete these registry subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls. Then, reboot your server. You can read more about the MDAC vulnerability at http://www.wiretrip.net/rfp/p/doc.asp?id=5&iface=7.
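As an added check (example code written for this page, not part of the article, hisecweb.inf, or the 22282.zip download), the following Python script reads a REGEDIT4 export (regedit /e on NT 4.0) and reports which of the OS/2, POSIX and RDS Data Factory items named above are still present. Because NT stores the POSIX and OS/2 subsystem entries as values of the SubSystems key rather than as subkeys, each item is checked both as a key path and as a value name under its parent; the sample export is constructed.

```python
import re

# Items the article deletes, checked both as a key path and as a value name
# under the parent key (NT keeps the POSIX and OS/2 subsystem entries as
# values of the SubSystems key). Constructed list, not from hisecweb.inf.
MUST_BE_ABSENT = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls",
]

def parse_reg_export(text):
    """Map each [key] in a REGEDIT4 export to the set of its value names (lower-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, set())
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=', line)   # "name"=...
            if m:
                keys[current].add(m.group(1).lower())
    return keys

def check_hardening(export_text):
    """Return the MUST_BE_ABSENT items still present as a key or as a value."""
    keys, found = parse_reg_export(export_text), []
    for item in MUST_BE_ABSENT:
        low = item.lower()
        parent, _, name = low.rpartition("\\")
        if low in keys or name in keys.get(parent, set()):
            found.append(item)
    return found

# Constructed sample export: OS/2 removed, but POSIX and one RDS key remain.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\\system32\\csrss.exe"
"Posix"="%SystemRoot%\\system32\\psxss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory]
"""
```

Run check_hardening() over the text of a real export taken after the edits and the reboot; an empty list means every item in the article's list is gone.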

Remove Network Services
The next step is to remove unnecessary network services. In the Control Panel Network applet, click Services. Remove NetBIOS Interface, Computer Browser, Server, and Workstation. Keep RPC Configuration, and keep SNMP if necessary. Note that after you remove the Workstation service, you receive the message "Windows NT Networking is not installed. Do you want to install it now?" each time you open the Control Panel Network applet. Just click No in the message box when this happens.

Set Permissions
Now you can further lock down permissions to peel off another few layers of security vulnerability. First, secure the IUSR_computername account. Open User Manager. Under Username, rename the IUSR_computername account to an obscure name. Set a strong password, and ensure that the renamed IUSR_computername account is disabled.

Remove the renamed IUSR_computername account from the Guest group. Set permission for the renamed IUSR_computername account on all volumes to No Access. To let the Web server function properly, change the renamed IUSR_computername account permission to Read Only for the directories that Table 3 shows. (Don't use recursive permissions for these directories.)

I recommend that you also reset some user rights. In User Manager, select Policies, User Rights, then set the rights that Table 4 specifies.

Set the Firewall Access List
Even these steps aren't enough to ensure the security of your bastion server. You must also have a perimeter firewall that limits access to the box. You want to let HTTP in from anywhere and allow a few management protocols in from only a select few subnets. Web-exclusive Figure 2 shows a sample ACL for a router acting as a firewall that permits only HTTP (port 80), SSL (port 443), SSH, and SNMP. If you need to Web surf from the box, you must also add UDP port 53 (DNS) as an allowed port in the firewall.

Administer the Server with SSH
You've disabled all the normal methods for updating your Web server (i.e., Microsoft FrontPage Server Extensions, FTP, and file sharing), but you still need to be able to administer the box, and your Web developers need to be able to upload new content in a secure way. The best tool for securely updating and administering the server is SSH, which provides strong user authentication and end-to-end encryption. SSH encrypts all communication between client and server, unlike FTP, which passes data (including passwords) in plaintext.

I currently install a commercial version of SSH, SSH Secure Shell for Windows Servers, on my bastion-host Web servers, and I highly recommend that all commercial installations do the same. You can download SSH Secure Shell for Windows Servers (which comes with support updates and a graphical file-transfer program and costs $565) from http://www.ssh.com/products/ssh.

You can download free versions of SSH for Windows from various Web sites. For your convenience, I've included sshdnt.zip, an old SSH for NT port that I formerly used. You can download sshdnt.zip from the Code Library on the IIS Administrator Web site. Use this port with caution—if you have more than one user simultaneously accessing the server, one user could run code in another user's context, thereby elevating the first user's privilege level.

Download sshdnt.zip to a Temp directory on your bastion-host Web server, then decompress it. From the same directory, run install.bat, which creates a server key, installs SSH as a service, and starts the SSH service. Edit the Passwd file (in C:\etc) to add users in the format username:x:user ID:group ID:full name:home directory:. For example, you could add the user administrator:x:1:10:Local Administrator:/bin:.

To transfer files between computers running SSH, you use the Secure Copy (scp) command. For example, to push the net.txt file from a UNIX host named host.com to the \bin directory on an NT host with IP address 10.0.0.20, you log on to host.com and type

scp net.txt administrator@10.0.0.20:/bin

To pull the test.exe file from the same NT host to your user directory on host.com, log on to host.com and type

scp administrator@10.0.0.20:test.exe /home/user

You now have a secure, remotely manageable Web server. You might think that your quest for a secure Web server is over, but nothing could be further from the truth. You've made a good start, but you need to stay current with what's happening in both the NT and the security world and make sure that you implement a process for testing and deploying hotfixes and patches before a critical event occurs.
