Basic IIS security precautions
www.tartoos.com
An insecure IIS box is a liability - just like any other insecure software. This article will set you on the path to a more secure installation.
IIS's default configuration is inherently insecure. I'm sorry to put it like this, but there you go - anonymous access is available to just about every resource IIS provides - Web, SMTP and FTP. When setting up a new box it's vitally important that these open gates get locked shut before someone takes advantage of them. Here are a few tips for securing your machine from intrusion. This article doesn't deal with holes in your source code - only with IIS - secure ASP coding is another thing again!
1. Disable anonymous FTP
You probably don't need an anonymous FTP server. If you leave it open, port-scanning warez kiddies will find it and use your machine to store their files, and these kids have a lot of files - your hard drive will be full in a matter of hours. If they don't use it for file storage they'll probably 'tag' it - meaning they create a directory with a specially formed path which can't be deleted by the usual means - you have to use the command line to get rid of these unsightly little nasties, and they are an obvious pointer to other users or intruders that your machine isn't well configured.
To disable anonymous access, head to the screen below in the FTP properties dialog.
(screenshot of the FTP properties dialog not reproduced)
If you're only going to be accessing this from certain IP addresses, you can use the screen below to allow only those addresses to access it.
(screenshot of the FTP IP address restrictions dialog not reproduced)
2. Enforce a security policy
Obviously some people need access and some people don't. The people that do should be subject to a decent security policy. Such steps as using non-obvious passwords (randomised like this is good), changing passwords regularly, creating temporary accounts which are removed when no longer required in place of permanent access accounts, and so on are all good steps. You should also make your users aware that they have a responsibility to keep the box safe just the same way as you do. If you can, enable auditing and check up occasionally.
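The policy points above (random passwords, regular changes, temporary accounts with a removal date) as an added example in Python. This is illustration code written for this page, not code from the article or from IIS; the 90-day maximum password age, the account records and the review date are constructed assumptions.

```python
"""Account-policy helpers for section 2: random passwords, a strength check,
and a review that flags stale passwords and temporary accounts that are past
their removal date. Added example, not the article's code; the account list
and review date are constructed."""
import secrets
import string
from datetime import date

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MAX_PASSWORD_AGE_DAYS = 90          # "changing passwords regularly" (assumed policy)
REVIEW_DATE = date(2001, 8, 1)      # constructed "today" for the sample run


def password_is_strong(pw, min_length=12):
    """Minimum length plus all four character classes."""
    if len(pw) < min_length:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    return all(any(ch in cls for ch in pw) for cls in classes)


def random_password(length=16):
    """Draw from the CSPRNG (secrets), retrying until every class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_is_strong(pw):
            return pw


def review_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (account, reason) pairs that need the administrator's attention.

    Each account is a dict with name, last_password_change (date),
    temporary (bool) and remove_after (date or None)."""
    findings = []
    for acct in accounts:
        age = (today - acct["last_password_change"]).days
        if age > max_age_days:
            findings.append((acct["name"], f"password is {age} days old"))
        if acct["temporary"]:
            if acct["remove_after"] is None:
                findings.append((acct["name"], "temporary account has no removal date"))
            elif today > acct["remove_after"]:
                findings.append((acct["name"], "temporary account past its removal date"))
    return findings


# Constructed sample: one permanent account and two temporary ones.
SAMPLE_ACCOUNTS = [
    {"name": "webadmin", "last_password_change": date(2001, 6, 15),
     "temporary": False, "remove_after": None},
    {"name": "contractor1", "last_password_change": date(2001, 4, 1),
     "temporary": True, "remove_after": date(2001, 7, 15)},
    {"name": "intern", "last_password_change": date(2001, 7, 20),
     "temporary": True, "remove_after": None},
]


def sample_findings():
    """Review the constructed accounts as of REVIEW_DATE."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    print("new password:", random_password())
    for name, reason in sample_findings():
        print(f"{name}: {reason}")
```

Run it as a scheduled job against an export of your real account list; the "temporary account has no removal date" finding is the one to watch, since a temporary account without a planned end date quietly becomes a permanent one.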
3. Keep the box locked
My webservers are remotely accessible using VNC. I find this utterly invaluable, but I take care to keep two layers of security in place for this access method. First of all I assign randomised passwords to the VNC service, and make sure they're different to the password for the box itself. Secondly I enable password protection on my screensaver, so that if I forget to lock the box manually it'll lock itself. It also has the benefit of preventing access should someone walk up to the actual machine and try to do something with it.
4. Employ some registry tweaks
This article shows some registry tweaks you can use to lock down your IIS box against intrusion. They're mainly NT issues rather than pure IIS issues, but they could be important.
5. Lock down your SMTP service
This article shows how to lock down your SMTP box against spammers. Do it now!
6. Disable unused script mappings
If your site only uses ASP scripts, you don't need script mappings for Index Server, printer services, Perl, HTCs or any other mappings. Get into application configuration and disable the ones you don't need. Code Red propagated through a vulnerability in Index Server across thousands of IIS machines on which Index Server wasn't even needed. The point is, the fewer potential vulnerabilities, the better. A truly secure server would have them all disabled, but you probably need at least some of them. ONLY use those you need.
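Two of the checks above can be run over IIS's own W3C extended logs rather than by clicking through dialogs: the FTP log shows whether anonymous logins, or logins from outside your allowed addresses (section 1), are still getting through, and the web log shows requests that hit script mappings an ASP-only site should have disabled (this section). The following is an added example, not code from the article or from Microsoft; the log lines, the default-mapping list, the "needed" list and the allowed network are all constructed, and the parser takes its field layout from the #Fields header rather than assuming any particular IIS version.

```python
"""Review constructed IIS W3C extended logs for the exposures discussed in
sections 1 and 6: FTP logins that are anonymous or come from outside the
allowed ranges, and web requests for script mappings the site does not use.
Added example, not the article's code; all sample data is constructed."""
import ipaddress
from os.path import splitext

# Mappings an ASP-only site actually needs (assumption for this example).
NEEDED_EXTENSIONS = {".asp", ".asa"}

# Mappings enabled out of the box on an IIS 4/5 install (constructed list,
# chosen to cover the Index Server, .printer and Perl mappings the text names).
DEFAULT_MAPPINGS = {".asp", ".asa", ".ida", ".idq", ".htw", ".idc", ".shtm",
                    ".shtml", ".stm", ".printer", ".htr", ".pl"}

# Networks that are permitted to log in to FTP (constructed).
ALLOWED_FTP_NETWORKS = ["192.0.2.0/24"]

# Constructed web log in W3C format; the #Fields line names the columns.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:15:01 203.0.113.7 GET /default.asp - 200
2001-07-19 10:15:09 198.51.100.23 GET /default.ida X 200
2001-07-19 10:16:44 198.51.100.23 GET /report.printer - 404
2001-07-19 10:17:02 203.0.113.7 GET /orders.asp id=5 200
"""

# Constructed FTP log; the username is logged as the argument of USER.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-07-19 11:02:10 203.0.113.7 - USER anonymous 331
2001-07-19 11:02:11 203.0.113.7 anonymous PASS guest@ 230
2001-07-19 11:05:40 192.0.2.15 - USER webadmin 331
2001-07-19 11:05:41 192.0.2.15 webadmin PASS - 230
2001-07-19 11:30:02 198.51.100.23 - USER webadmin 331
"""


def mappings_to_disable(configured, needed=NEEDED_EXTENSIONS):
    """Every configured mapping that is not on the needed list should go."""
    return sorted(set(configured) - set(needed))


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):   # skip malformed records
            yield dict(zip(fields, values))


def suspicious_web_requests(lines, unused_extensions):
    """(client, uri) for each request whose extension maps to an unneeded handler."""
    unused = {e.lower() for e in unused_extensions}
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        if splitext(uri)[1].lower() in unused:
            hits.append((rec["c-ip"], uri))
    return hits


def ftp_login_findings(lines, allowed_networks):
    """Flag anonymous USER commands and USER commands from outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method") != "USER":
            continue
        client = ipaddress.ip_address(rec["c-ip"])
        user = rec.get("cs-uri-stem", "")
        if user.lower() == "anonymous":
            findings.append((rec["c-ip"], "anonymous login attempt"))
        elif not any(client in net for net in nets):
            findings.append((rec["c-ip"], f"login as {user} from outside allowed ranges"))
    return findings


def review_logs():
    """Run all three checks over the constructed data."""
    unused = mappings_to_disable(DEFAULT_MAPPINGS)
    return {
        "disable": unused,
        "web": suspicious_web_requests(WEB_LOG.splitlines(), unused),
        "ftp": ftp_login_findings(FTP_LOG.splitlines(), ALLOWED_FTP_NETWORKS),
    }


if __name__ == "__main__":
    for key, value in review_logs().items():
        print(key, value)
```

A request for an extension you have already unmapped is worth a look even when it returns 404: it shows someone is probing for the handler, and a 200 on such a request means the mapping is still live and the change did not take.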
7. Don't allow write access in IIS
You probably don't need it, and if you discover you DO need it, you can always re-add it later. Turn it off!
8. Obscure your wwwroot
Some folks point their FTP server's root folder directly to their wwwroot. I don't. I use a virtual directory, usually with a non-obvious name, to gain access to my source code. Should someone get into your FTP root, this way they're less likely to get into your webroot and cause havoc.
9. ...and most important: PATCH OFTEN
This is the most important thing you can do. Check the MS site regularly for new patches and apply them. Whenever you make a configuration change or add new software, RE-apply them, in order. It's laborious but utterly essential that you do this. If it's too much hassle, then you really shouldn't be running IIS....