Standards & Guidelines - Securing Microsoft IIS Web Server

- Physical Security
  - The server should be in a locked, controlled-access room
  - The console should be left locked or logged off unless in use
  - Control remote access to the console
  - Rename the Administrator account and use a very strong password
- Installation Overview - Requirements and Recommendations
  - Use a hardware RAID controller: install the OS on RAID 1 and data on RAID 5
  - While disconnected from the network, start clean: format an NTFS partition, install the OS, patch it (use hfnetchk.asp), and harden it (ACLs)
  - Install only the IIS components you need (not samples, documentation, FrontPage extensions, etc.)
  - Remove unneeded subsystems (POSIX, OS/2, Win16 (optional), DOS (optional))
- Configuring IIS
  - Delete the default web site, unused script/extension mappings, and samples
  - Locate the web content on a separate volume from the OS, on a single-purpose system
  - Shut off all unneeded ports and services
  - Get an SSL certificate if sensitive data is housed or access to web pages is authenticated
  - Consider IP filtering and URLScan
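The configuration steps above, carried out as one PowerShell script. This is an added example, not part of the original guideline, and it targets a newer IIS (7 or later, where the WebAdministration module exists) than the page's own steps; on that IIS, Request Filtering takes the place of deleting script mappings and of URLScan, and the IP and Domain Restrictions role service takes the place of the old IP filtering. The site name, content path, certificate subject and admin subnet are hypothetical values chosen for illustration.

```powershell
# Added example, not from the original guideline. Assumes IIS 7+ with the WebAdministration
# module and the "Request Filtering" and "IP and Domain Restrictions" role services installed.
# Site name, paths, certificate subject and admin subnet are hypothetical.
Import-Module WebAdministration

$SiteName    = 'Intranet'                      # hypothetical site
$SitePath    = 'D:\WebContent\Intranet'        # content on a volume other than the OS volume
$CertSubject = 'CN=intranet.example.com'       # hypothetical certificate already in the machine store
$AdminNet    = @{ ipAddress = '10.10.20.0'; subnetMask = '255.255.255.0' }  # hypothetical admin subnet

# 1. Delete the default web site so nothing is served from %SystemDrive%\inetpub\wwwroot.
if (Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue) {
    Remove-Website -Name 'Default Web Site'
}

# 2. Create the production site on the separate data volume.
if (-not (Test-Path $SitePath)) { New-Item -ItemType Directory -Path $SitePath | Out-Null }
if (-not (Get-Website -Name $SiteName -ErrorAction SilentlyContinue)) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -Port 80 | Out-Null
}

# 3. Deny request extensions the application never serves (the modern equivalent of
#    removing unused script mappings and of URLScan's DenyExtensions list), and cap
#    request sizes so oversized URLs, query strings and bodies are rejected early.
$SitePSPath = "IIS:\Sites\$SiteName"
$RfFilter   = 'system.webServer/security/requestFiltering'
foreach ($ext in '.ida', '.idq', '.htr', '.htw', '.printer', '.asa', '.cer', '.cdx', '.shtml', '.shtm', '.stm') {
    $already = Get-WebConfiguration -PSPath $SitePSPath -Filter "$RfFilter/fileExtensions/add[@fileExtension='$ext']"
    if (-not $already) {
        Add-WebConfigurationProperty -PSPath $SitePSPath -Filter "$RfFilter/fileExtensions" `
            -Name '.' -Value @{ fileExtension = $ext; allowed = $false }
    }
}
Set-WebConfigurationProperty -PSPath $SitePSPath -Filter $RfFilter -Name 'allowDoubleEscaping' -Value $false
Set-WebConfigurationProperty -PSPath $SitePSPath -Filter "$RfFilter/requestLimits" -Name 'maxAllowedContentLength' -Value 10485760
Set-WebConfigurationProperty -PSPath $SitePSPath -Filter "$RfFilter/requestLimits" -Name 'maxUrl' -Value 2048
Set-WebConfigurationProperty -PSPath $SitePSPath -Filter "$RfFilter/requestLimits" -Name 'maxQueryString' -Value 1024

# 4. HTTPS binding with the certificate from the LocalMachine\My store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if ($cert) {
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    }
    if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
        New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
    }
} else {
    Write-Warning "No certificate with subject $CertSubject and a private key; HTTPS binding skipped."
}

# 5. IP filtering: deny everything except the admin subnet. ipSecurity is locked at site
#    level by default, so the setting is written into applicationHost.config via -Location.
$IpFilter = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $IpFilter -Name 'allowUnlisted' -Value $false
$rule = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$IpFilter/add[@ipAddress='$($AdminNet.ipAddress)']"
if (-not $rule) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter $IpFilter -Name '.' -Value @{ ipAddress = $AdminNet.ipAddress; subnetMask = $AdminNet.subnetMask; allowed = $true }
}
```

The IP restriction in step 5 suits an intranet or administrative site; on a public site apply it only to the administrative virtual directory, or the allow-list will lock out the users the site exists for. Run the script once in a staging environment and diff the resulting applicationHost.config and site web.config against the originals before repeating it in production.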
- Testing the Security
  - Run a network security scan of the system from another host to check its status
  - Use the NBTSTAT and NETSTAT commands on the server to check NetBIOS name activity and active (listening) ports
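A local check that does what the NETSTAT and NBTSTAT step asks for, as an added example that is not part of the original guideline. It uses Get-NetTCPConnection and Get-NetUDPEndpoint, which assume Windows Server 2012 or later; the port allow-list is a hypothetical one for a server that exposes only the web site and RDP for administration.

```powershell
# Added example, not from the original guideline. Assumes Windows Server 2012+ (NetTCPIP module).
# The allow-list is hypothetical: keep only what this server is meant to expose.
$AllowedTcpPorts = @(80, 443, 3389)

# Returns every listening TCP socket whose port is not in $Allowed, with its owning process,
# so the output is a list of things to shut off (or to add to the list after a deliberate decision).
function Get-UnexpectedListeners {
    param([int[]] $Allowed)
    Get-NetTCPConnection -State Listen |
        Where-Object { $Allowed -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        } | Sort-Object LocalPort, LocalAddress
}

$unexpected = Get-UnexpectedListeners -Allowed $AllowedTcpPorts
if ($unexpected) {
    Write-Warning 'TCP listeners outside the allow-list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Only allow-listed TCP ports are listening.'
}

# NetBIOS over TCP/IP (the NBTSTAT step). A single-purpose web server normally has no business
# registering NetBIOS names; if TCP 139 or UDP 137/138 are open, disable NetBIOS over TCP/IP
# on the adapter and re-check.
$nbSession  = Get-NetTCPConnection -State Listen -LocalPort 139 -ErrorAction SilentlyContinue
$nbNameDgm  = Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue
if ($nbSession -or $nbNameDgm) {
    Write-Warning 'NetBIOS over TCP/IP is active (139/tcp or 137-138/udp); disable it on the adapter if not required.'
}
nbtstat -n   # local NetBIOS name table; an empty table means no names are registered
```

This is the view from inside the host; it does not replace the external scan in the first bullet, because a firewall or IPsec filter between the scanner and the server changes what is actually reachable. Run both and reconcile the two lists.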
- Logging, Monitoring, and Administering the System
  - Turn on event logging and size the logs so they roll over rarely or not at all
  - Move the IIS logs from the default location and copy them off the server frequently
  - Turn on selected security auditing as needed
  - Check out the free monitoring tools at sysinternals.com and foundstone.com
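The logging and auditing steps above as one PowerShell script. This is an added example, not part of the original guideline; it assumes IIS 7 or later (WebAdministration module), Windows PowerShell 5.1 (Limit-EventLog), and the auditpol and robocopy tools that ship with Windows. The site name, log directory and collection share are hypothetical.

```powershell
# Added example, not from the original guideline. Assumes IIS 7+ with the WebAdministration
# module and Windows PowerShell 5.1. Site name, log path and collection share are hypothetical.
Import-Module WebAdministration

$SiteName     = 'Intranet'
$LogRoot      = 'E:\IISLogs'                  # off the OS volume, away from %SystemDrive%\inetpub\logs
$CollectShare = '\\logcollector\iis$\web01'   # hypothetical central collection point

# 1. Move the site's logs and record the W3C fields an investigation needs
#    (client IP, method, URI, status/sub-status, bytes, time taken, user agent, referer).
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.directory -Value $LogRoot
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logFormat  -Value 'W3C'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logExtFileFlags -Value `
    'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,UserAgent,Referer'

# 2. Only SYSTEM (which writes the logs) and Administrators may touch the log directory,
#    so a compromised application identity cannot edit the record of what it did.
$acl = Get-Acl $LogRoot
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $LogRoot -AclObject $acl

# 3. Copy logs to the collector; schedule this line (e.g. every 15 minutes).
#    /E copies subfolders, /XO skips files already up to date, /R:1 /W:5 keeps retries short.
robocopy $LogRoot $CollectShare /E /XO /R:1 /W:5 /NP "/LOG+:$LogRoot\robocopy.log" | Out-Null
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit code $LASTEXITCODE)" }

# 4. Event logs: large enough not to roll over; the Security log never overwrites itself.
Limit-EventLog -LogName Security    -MaximumSize 512MB -OverflowAction DoNotOverwrite
Limit-EventLog -LogName System      -MaximumSize 256MB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Application -MaximumSize 256MB -OverflowAction OverwriteAsNeeded

# 5. Selected security auditing: who logs on, and any tampering with audit policy itself.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable
```

One caveat on step 4: with DoNotOverwrite, a full Security log stops recording rather than discarding old events, and an attacker who can generate enough audit events can exploit that to go unrecorded. Pair the setting with monitoring of the log's fill level (or with forwarding to the collector, after which the local copy may overwrite freely), and size it with headroom for the busiest day you expect.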
- Backup and Disaster Recovery
  - Back up your data, registry, and IIS metabase separately and frequently; keep an emergency repair disk and off-site copies of all backups
  - Keep a removable-disk copy of your SSL certificate (with its private key) and know the password that protects it
  - Develop recovery procedures and test them
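The backup steps above as one dated PowerShell job, an added example that is not part of the original guideline. It assumes IIS 7 or later, where Backup-WebConfiguration replaces the IIS 5/6 metabase backup, and Windows PowerShell 5.1 (Export-PfxCertificate, Compress-Archive, Get-FileHash). The backup paths, certificate subject and off-site target are hypothetical.

```powershell
# Added example, not from the original guideline. Assumes IIS 7+ (WebAdministration) and
# Windows PowerShell 5.1. Paths, certificate subject and the off-site target are hypothetical.
Import-Module WebAdministration

$Stamp       = Get-Date -Format 'yyyyMMdd-HHmm'
$BackupRoot  = "E:\Backups\$Stamp"
$OffSite     = '\\dr-site\backups$\web01'      # hypothetical off-site or removable target
$ContentDir  = 'D:\WebContent'
$CertSubject = 'CN=intranet.example.com'       # hypothetical certificate

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. IIS configuration (applicationHost.config and related files): the modern "metabase" backup.
#    Backup-WebConfiguration writes under %SystemRoot%\System32\inetsrv\backup\<name>.
Backup-WebConfiguration -Name "cfg-$Stamp" | Out-Null
Copy-Item "$env:SystemRoot\System32\inetsrv\backup\cfg-$Stamp" -Destination "$BackupRoot\iis-config" -Recurse

# 2. Registry keys IIS depends on, exported separately from the data.
reg export HKLM\SOFTWARE\Microsoft\InetStp                  "$BackupRoot\inetstp.reg" /y | Out-Null
reg export HKLM\SYSTEM\CurrentControlSet\Services\W3SVC     "$BackupRoot\w3svc.reg"   /y | Out-Null
reg export HKLM\SYSTEM\CurrentControlSet\Services\HTTP      "$BackupRoot\http.reg"    /y | Out-Null

# 3. Web content as a dated archive.
Compress-Archive -Path "$ContentDir\*" -DestinationPath "$BackupRoot\content.zip"

# 4. SSL certificate with its private key, password-protected. The password is the thing
#    you must "know" at restore time: keep it in the secrets vault, never next to the PFX.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if ($cert) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
    Export-PfxCertificate -Cert $cert -FilePath "$BackupRoot\$($cert.Thumbprint).pfx" -Password $pfxPassword | Out-Null
} else {
    Write-Warning "No certificate with subject $CertSubject and a private key; was the key marked exportable at enrolment?"
}

# 5. Off-site copy, then verify the copy against the local set before trusting it.
robocopy $BackupRoot "$OffSite\$Stamp" /E /R:1 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit code $LASTEXITCODE)" }

$localHashes  = Get-ChildItem $BackupRoot        -Recurse -File | Get-FileHash -Algorithm SHA256 | Select-Object -ExpandProperty Hash | Sort-Object
$remoteHashes = Get-ChildItem "$OffSite\$Stamp"  -Recurse -File | Get-FileHash -Algorithm SHA256 | Select-Object -ExpandProperty Hash | Sort-Object
if (($localHashes -join ',') -ne ($remoteHashes -join ',')) {
    Write-Warning 'Off-site copy differs from the local backup set'
} else {
    Write-Output "Backup $Stamp verified at $OffSite"
}
```

The last bullet, testing the recovery procedure, is the part most often skipped: restore the configuration on a scratch machine with Restore-WebConfiguration -Name "cfg-<stamp>", import the PFX, unpack the content and confirm the site answers over HTTPS before declaring the backup good.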
Need More Information?
The SANS Reading Room has a large collection of papers on Windows and Windows 2000 security.