Securing NTFS Permissions for IIS Servers

Editor's Note: This article focuses exclusively on IIS 4.0 running on Windows NT. If you're securing IIS 5.0 on Windows 2000, take a look at the recently released Win2K/IIS 5.0 checklist (http://www.microsoft.com/technet/security/iis5chk.asp).www.tartoos.com

A key step in securing an IIS Web server is properly using NTFS permissions (also known as ACLs) to limit access to the server without sacrificing that server's functionality. Merely accepting the default permissions assigned during IIS installation results in a working Web server; however, left unchecked, the defaults can lead to trouble. Default installation permissions aren't secure and can benefit a malicious user exploiting other vulnerabilities in IIS, such as the Remote Data Factory exploit I mention later.www.tartoos.com

Before I get into the meat of ACLs, let me start with a disclaimer. These recommendations are intended for new IIS 4.0 installations. You can apply these settings to a production Web server, but please be forewarned that applications, drivers, and services that you installed afterward might not work correctly. Similarly, implementing these permissions changes on a new Web server installation can prevent you from installing software down the road. I often loosen the permissions just long enough to install what I need, then tighten them after the installation is complete. www.tartoos.com

I want to help you make your systems secure by keeping IIS permissions reduced to only what is necessary for properly serving content to your clients. In other words, reduce the permissions to the bare minimum necessary for making IIS work properly, which means changing several settings from their defaults. When you're finished, you'll be better able to thwart opportunistic users and derail malicious users from exploiting IIS to execute unauthorized commands.www.tartoos.com

Why You Need to Change Permissions
In the Microsoft article "Re-release: Unauthorized Access to IIS Servers Through ODBC Data Access with RDS" (http://www.microsoft.com/technet/iis/ iissadsi.asp), the company warns that users could exploit a particular DLL using Remote Data Factory, an object included with Microsoft Data Access Components (MDAC) and installed by default in many installations of Microsoft Windows NT 4.0 Option Pack. Malicious users could exploit this DLL through IIS 4.0 and run DOS shell commands with administrative privileges. This problem was exacerbated because the DLL had Everyone/Full Control permission. This vulnerability was widely published across the industry, including the mainstream media.

The vulnerability still exists in many Web servers. Developers use Remote Data Factory when they want to write pages that make ODBC connections to internal ODBC-compliant databases—a common practice today. Microsoft's recommendation to administrators who need this functionality is to upgrade MDAC and tighten permissions on a subdirectory rarely associated with IIS, \program filescommon files\msadc. Other administrators can merely delete the directory and disable the function within the Registry. Additional tightening of NTFS permissions beyond Microsoft's recommendation alleviates much of the Remote Data Factory concern and other similar but as-yet-undiscovered attacks.www.tartoos.com

The Log on Locally Account Right and the IUSR_server User Account
Part of the function of any Web server is the capability to let an Anonymous user retrieve content from the server. NT requires credentials for any user attempting to access resources on an NT server. For IIS to safely serve Web pages to an Anonymous user, IIS must impersonate a valid account on the local Web server. For that impersonation to work properly, the impersonated account must have the Log on Locally account right.www.tartoos.com

Anonymous Web requests often impersonate valid accounts by using an account called IUSR_server, where server represents your server's formal computer name. The IIS 4.0 installation process creates this account, adds it to the local Guests group, and gives it the Log on Locally account right. Any account that uses IIS Anonymous authentication to access content needs this right. Many security administrators have minor strokes when they learn that an Anonymous user has a right that they typically take away from more privileged users. Thus, most IIS servers fail the traditional audit process.www.tartoos.com

Recommendation: Limit the use of the Log on Locally right to the account using Anonymous authentication to access the Web server and log on to the local machine. Don't forget to leave at least one administrative group or account with this right.

I have a big problem with the IUSR_server account IIS 4.0 uses. I don't like using an account name that you can easily guess. When I install an IIS server that will be in a high-profile or risky situation, I rename that Anonymous user account. Good security administrators tend to set user accounts to lock out after a certain number of bad password attempts. Because the IUSR account is just like any other user account, a malicious user could easily lock up your account by looking for content that would otherwise require credentials. If the IUSR_server account is locked, your Web server comes to a screeching halt.

Recommendation: Change the IUSR account name to something that is harder to guess. Don't use underscores in usernames that Microsoft SQL Server will use. After you rename the account, update your IIS 4.0 server properties with the new name. (The name doesn't change automatically.) Afterward, make sure you can still use your Web site. www.tartoos.com

Users and Groupswww.tartoos.com
Common theory regarding the proper way to set NT permissions says that you must use groups when you assign permissions. While this theory should also hold true for IIS, in fact the default installation uses the single Anonymous Web User account to assign permissions.

I often create two local groups on a Web server—an Authenticated Web Administrators group and an Anonymous Web Users group. This method is similar to the one the Microsoft FrontPage Server Extensions configuration uses—create three local groups per Web (Administrators, Authors, and Browsers), each prefixed by its Web name. (I use two groups because I've never known content developers who would be happy not being administrators of their own sites.)www.tartoos.com

In our model, the Anonymous Web Users group likely has only one member—the Anonymous account that you renamed in the previous section. The Authenticated Web Administrators group has the additional file permissions, such as Write and Delete, in the Web server directories. This Authenticated Web Administrators group lets you add users who need the ability to directly update content in the directories without giving them administrative privileges. www.tartoos.com

I place the Anonymous IIS account (IUSR_server) in the Anonymous Web Users group as I change the file permissions on my Web server. As I browse my content directories, this group never receives any permissions other than Read and Execute. For any developers or content administrators who need access, I assign their usernames (or global group) to the Authenticated Web Administrators local group. This group usually receives Write and Delete permissions in addition to the Read and Execute permissions I give to the Anonymous users.

Using Host Headers for local development
 

Those of us who develop a lot of sites simultaneously go about it several different ways. Here's yet anotherwww.tartoos.com

As we've discussed before, you can host multiple development sites on an IIS Server, as I do with my trusty laptop. Recently I've been picking up several more sites, and the multiple port solution I usually use is starting to get annoying. I can't always remember what port I have a site running on, so I've now started using this technique.www.tartoos.com

What this technique involves is using Host Headers, but crucially, without a domain name. So how do you do that then? Well, there are a couple of ways. Since I'm just using the one machine, I can simply edit my HOSTS file to give myself 'virtual domain names'. Let's take, for example, SydneyPubGuide.net. The development site on my laptop can now be accessed with the name 'pubguide', and here's how.

Open up your HOSTS file, you'll find it in C:\WinNT\System32\drivers\etc on a Windows 2000 system like mine. You'll instantly see the format, one line per mapping, IP address first followed by alias. I added a line like this

127.0.0.1        pubguide

Now, as is, this line will allow me to type 'pubguide' into my browser, but this will just drop me into the default website. I don't actually want this, so I go to my IIS Service manager, find my pubguide site and add a new host header 'pubguide' to the site running on Port 80, as described in this article.

Perhaps, though, you use multiple machines. If so, you have a couple off options. You can either use a standardised HOSTS file on all machines, which would require updating everyone's hosts file each time you add a new site. In a small office this would be an option, but there's another option for you.www.tartoos.com

Windows 2000 DNS + Host Headers = neat LAN-based development options
 

Completing a series on local development options, Atrax runs you through using Windows 2000's DNS service to create simple, easy local site development optionswww.tartoos.com

We've covered two other methods of developing multiple websites in this series, using port-based solutions, using the HOSTS file, and now finally using Windows 2000's DNS.

If you're working as a development team and you're on a well-configured LAN, it's likely you have, or have the option of running, a Windows 2000 or NT Domain controller with local DNS. A competent network administrator will probably have a local DNS server set up to save network traffic out of your LAN on DNS requests, or possibly because it's just THERE on domain controllers, and you can leverage this service to make your multiple development sites easier to use. Let's take my local LAN as an example.

I'm currently running a local LAN with a single machine acting as my gateway to the world. My internal machines have local IP addresses, 10.0.0.9 for my NT4 box, 10.0.0.8 for My Windows 2000 Server (the Domain Controller, gateway and DNS machine) and, among others, 10.0.0.2 for my Win2k AS laptop. All these machines use 10.0.0.8 as their primary DNS machine. This site, RTFM, runs on the laptop, and has ben under a high port number (5146) for a while. I got fed up of this and decided to just set up a DNS record for it as RTFM.home.atrax.co.uk. Now, you won't be able to see this domain from the outside - because it's a local record set up on my DNS server. Here's how it's done.www.tartoos.com

Open the DNS administrator from Administrative Tools.

As you can see, my Domain is home.atrax.co.uk and it has a number of hosts on it already (you'll notice this is a slight cheat, the screenshot was taken after adding my new host)

Select your domain's forward lookup zone. Go to Action and choose 'Add Host'. You'll see this screen

Fill in the machine name.

Now, following the instructions in my previous Host Headers article, I add a new header for the RTFM site, rtfm.home.atrax.co.uk. Sometimes you need to restart the service for these to kick in, especially (it seems) on low spec machines where resources don't allow IIS to operate all that efficiently. If you need to, do so.

Now every machine on my network can see the site as rtfm.home.atrax.co.uk (note: folks outside your network won't see these domains - just inside your network - important if your devsites are confidential prior to launch as many of ours are).www.tartoos.com