The IIS Lockdown Wizard
Security guides consistently give the same advice for maintaining a secure environment: Turn off all unnecessary facilities that can introduce additional vulnerabilities. The IIS Lockdown Wizard has automated this process.
The IIS Lockdown Wizard works with Win2K and Windows NT 4.0 servers and lets you easily remove unnecessary IIS services. To install the tool, download the application from http://www.microsoft.com/downloads/release.asp?releaseid=33961. Install this tool in development environments until you verify that all aspects of your Web application function properly.
After you complete the introduction and End User License Agreement (EULA) windows, the Select Server Template window will appear, as Figure 1 shows. Select a role for the server you want to secure. The server role you select will define the default answers in subsequent wizard pages.
For most server roles, you can install URLScan, which screens all incoming requests and compares them with an administrator-defined rule set. Scanning and evaluating each incoming request helps IIS process only valid requests. This approach eliminates most attacks based on long URLs or alternate character sets. Choosing the server role that most closely matches your server's role will help specify a default rule set that's appropriate for your machine.
You can use the IIS Lockdown Tool to disable and remove unused IIS features, such as FTP, SMTP, or Network News Transfer Protocol (NNTP) services. You can disable unused script mappings (e.g., Index Server, server-side includes, Internet Database Connector (IDC), .htr scripting, Internet Printing). You can also remove the default virtual directories that IIS installs, disable WWW Distributed Authoring and Versioning (WebDAV), and restrict privileges for anonymous users. These options are user-configurable, so you can keep all the facilities your Web applications require.
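The screening that URLScan performs (compare each request line against an administrator-defined rule set before IIS handles it) and the script-mapping removal the lockdown performs amount to the same idea: decide, per request, whether the verb, URL length, character set and file extension are ones your application actually needs. The following Python is an added illustration of that decision logic, not URLScan's code or its default rule set; the POLICY values, the SAMPLE_REQUESTS and the function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed policy modelled on the kinds of rules the text describes:
# allowed verbs, blocked script-mapped extensions, a URL length limit and a
# character-set restriction. Values are illustrative, not URLScan's defaults.
POLICY = {
    "allowed_verbs": {"GET", "HEAD", "POST"},          # WebDAV verbs are not listed
    # extensions served by script mappings a locked-down server no longer needs
    "denied_extensions": {".ida", ".idq", ".idc", ".htr", ".printer",
                          ".shtml", ".shtm", ".stm"},
    "max_url_length": 260,
    "allow_high_bit_chars": False,                     # reject non-ASCII in the URL
    "allow_dot_in_path": False,                        # reject '.' in directory names
}

# Constructed request lines, the kind of thing a rule set is evaluated against.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /scripts/query.ida?x=" + "N" * 300 + " HTTP/1.0",   # over the length limit
    "GET /docs/%252e%252e/config.ini HTTP/1.0",              # double-encoded '.'
    "PROPFIND /docs/ HTTP/1.1",                              # WebDAV verb
    "GET /caf%C3%A9.htm HTTP/1.1",                           # high-bit characters
    "HEAD /printers/hp.printer HTTP/1.0",                    # disabled script mapping
    "POST /app/submit.asp HTTP/1.0",
]


def screen_request(request_line, policy=POLICY):
    """Return (accepted, reason) for one HTTP request line.

    Checks run in cheap-to-expensive order and stop at the first failure, so
    the reason names the single rule that rejected the request.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, raw_url, _version = parts
    if verb not in policy["allowed_verbs"]:
        return False, f"verb {verb} not allowed"
    if len(raw_url) > policy["max_url_length"]:
        return False, "url too long"
    path = raw_url.split("?", 1)[0]
    decoded = unquote(path)
    # If decoding a second time changes the string, the client sent an encoded
    # '%' sequence, which is how alternate encodings slip past naive filters.
    if unquote(decoded) != decoded:
        return False, "double-encoded url"
    if not policy["allow_high_bit_chars"] and any(ord(c) > 127 for c in decoded):
        return False, "high-bit characters in url"
    if ".." in decoded or "\\" in decoded:
        return False, "path traversal sequence"
    segments = decoded.split("/")
    if not policy["allow_dot_in_path"] and any("." in s for s in segments[:-1]):
        return False, "dot in directory name"
    ext = re.search(r"(\.[A-Za-z0-9]+)$", segments[-1])
    if ext and ext.group(1).lower() in policy["denied_extensions"]:
        return False, f"extension {ext.group(1).lower()} denied"
    return True, "ok"


def screen_all(lines=SAMPLE_REQUESTS, policy=POLICY):
    """Screen every request line; returns [(request_prefix, accepted, reason)]."""
    return [(line[:40], *screen_request(line, policy)) for line in lines]


if __name__ == "__main__":
    for prefix, accepted, reason in screen_all():
        print(f"{'ALLOW' if accepted else 'DENY ':5} {reason:32} {prefix}")
```

Running the block prints one ALLOW/DENY line per sample request. The decode check is the part worth studying: normalising the URL before matching extensions, and refusing anything that is still encoded after one pass, is what makes the extension and traversal rules hold against alternate character sets rather than only against the literal strings.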
After you perform the IIS lockdown and apply the hisecweb.inf template, test your application to ensure that the changes haven't modified your ability to successfully run the application. If you find that the new settings are too aggressive for your application, simply rerun the tool to roll back the changes.
Vulnerability Assessment Tools
Administrators (and intruders) use vulnerability assessment tools to identify a given system's vulnerabilities and generate a report that helps them determine which areas to address. As part of its Trustworthy Computing initiative, Microsoft has provided the Microsoft Baseline Security Analyzer (MBSA) tool, which is available as a free download from http://www.microsoft.com/technet/security/tools/tools/mbsahome.asp.
MBSA isn't as robust as other tools on the market (such as Internet Security Systems' (ISS's) Internet Scanner), but it's free. MBSA lets you scan the OS (English versions of Windows XP, Win2K, and NT 4.0), IIS, and Microsoft SQL Server, and includes password-strength checking and integration with the HFNetChk tool (see the next section) for investigating hotfix installations on a given machine.
MBSA supports a command-line interface that lets you run the tool en masse or on a schedule by using a remote task scheduler. (Figure 2, page 16, shows the interface for scanning a single computer.) The tool also lets you scan entire domains or IP address ranges. After it completes the scan, MBSA generates an enumerated report.
Ongoing Security
Applying hotfixes in a timely manner is a crucial part of maintaining the integrity of your computing environment. Microsoft's HFNetChk tool helps administrators determine which systems need which hotfixes and helps keep them up-to-date with hotfix announcements.
In addition, MBSA uses HFNetChk as an optional component for vulnerability analysis. In "Automating Hotfixes," April 2002, InstantDoc ID 24268, I discuss HFNetChk in detail and describe how you can use it as the basis for an automated hotfix deployment system.
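The core of what a hotfix checker does is compare each machine's installed hotfixes against the list required for the products it runs, while accounting for supersedence (a newer hotfix that replaces an older one satisfies the older requirement). The Python below is an added illustration of that comparison, not HFNetChk's code or its data format; the hotfix IDs, product names, host names and the REQUIRED and INVENTORY structures are constructed placeholders.

```python
# Constructed data: required hotfixes per product, each with an optional
# "superseded_by" link, and what each host reports as installed.
# Hotfix IDs are placeholders, not real Microsoft article numbers.
REQUIRED = {
    "IIS 5.0": [
        {"id": "Q000001", "superseded_by": "Q000003"},
        {"id": "Q000002", "superseded_by": None},
        {"id": "Q000003", "superseded_by": None},
    ],
    "SQL Server 2000": [
        {"id": "Q000010", "superseded_by": None},
    ],
}

INVENTORY = {
    "web01": {"products": ["IIS 5.0"], "installed": {"Q000003"}},
    "web02": {"products": ["IIS 5.0"], "installed": {"Q000001", "Q000002"}},
    "db01": {"products": ["SQL Server 2000"], "installed": set()},
}


def effective_requirements(product, required=REQUIRED):
    """Collapse supersedence chains to their heads.

    Only the newest hotfix in each chain must be present; a host that has
    an older, superseded fix installed still needs the one that replaced it.
    """
    entries = {e["id"]: e for e in required[product]}

    def head(hotfix_id):
        seen = set()
        while entries[hotfix_id]["superseded_by"]:
            seen.add(hotfix_id)
            hotfix_id = entries[hotfix_id]["superseded_by"]
            if hotfix_id in seen:
                raise ValueError(f"supersedence cycle at {hotfix_id}")
        return hotfix_id

    return {head(hotfix_id) for hotfix_id in entries}


def missing_hotfixes(inventory=INVENTORY, required=REQUIRED):
    """Return {host: sorted list of hotfix IDs the host still needs}."""
    report = {}
    for host, info in inventory.items():
        missing = set()
        for product in info["products"]:
            for hotfix_id in effective_requirements(product, required):
                if hotfix_id not in info["installed"]:
                    missing.add(hotfix_id)
        report[host] = sorted(missing)
    return report


if __name__ == "__main__":
    for host, needed in missing_hotfixes().items():
        print(f"{host}: {'up to date' if not needed else ', '.join(needed)}")
```

The supersedence handling is the part that matters in practice: web02 has the older Q000001 installed and would look patched to a naive set difference, but the report correctly lists Q000003 as still missing.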
Going the Distance
Microsoft's tools provide basic security for Web servers, but they don't automate security. The tools don't cover IP Security (IPSec) policies, address TCP/IP filtering, disable parent paths for IIS applications, or remove Remote Data Services (RDS). You must manually secure the file systems for your applications and drives that are beyond the system partition. The tools remove the default virtual directories but don't remove the default application files or let you do more than disable FTP, NNTP, or SMTP services.
To get a leg up on security, read the IIS security white papers on the Internet and keep up with the intruder community. Microsoft's tools don't transform machines into fortresses, but they can provide reasonable security that can help reduce the threat of worm attacks and casual intruders.