6 - 1
Windows Security - SANS
©2001
1
Internet Information Server
(IIS) Security
Security Essentials
The SANS Institute
In this section we are going to cover some of the key aspects that need to be addressed in order to
have a secure web server using IIS. It is important to note that a system is only as secure as its
weakest link and therefore any web server must be built on a secure and hardened Windows 2000
system. Securing Windows 2000 is not covered in this section but has been covered in a previous
module. So before you install IIS make sure that you spend the time to properly harden your base
operating system. Once you have a secure operating system configured, you can then move ahead
with this module on securing IIS.
6 - 2
IIS Security - SANS
©2001
2
Are you or Aren’t you?
One lesson from
CodeRed is that many
users did not know if
they were, or were not
running IIS. Check
both installed
programs and then
use the task manager
to doublecheck.
Also, some people are beginning to upgrade their internal systems to XP Professional. While XP
appears to have some substantial improvements over the older Windows operating systems, don’t

tune out!! Before you think that everything’s OK, take a look at this slide! This is the Windows
Components installation wizard available through the Add/Remove Programs applet in the Control
Panel. The IIS engine has always been more or less available at the desktop level as a product called
“Personal Web Server” which was typically installed if a user installed FrontPage. The actual server
engine was a scaled down IIS engine. Now, however, we have a full IIS server available!! Good
Group Policy rules through your Active Directory will prevent users from activating the IIS engine
as will good installation controls. The key is to be aware of what’s happening on your systems, even
your user desktops!
6 - 3
IIS Security - SANS
©2001
3
If you are Running IIS
(and
know
you are running IIS)
• This document is relevant for the
implementation of an IIS 5.0 server
running on a Windows 2000 SP2 server
• Anything other than IIS 5.0 running on
Windows 2000 SP2 system will require
further customized hardening
• This document does not discuss
hardening the code used for the
particular web site
The information contained in this module applies only to IIS 5.0 Server running on a Windows 2000
SP2 server. If you are running your web server on a different operating system or using a different
version of the web server it will require further customization. Also, this module addresses the
known vulnerabilities and security issues that exist today. Since new vulnerabilities and exposures
are found on a daily basis, just because your system is secure today does not mean that it will be

secure tomorrow. Any system, especially one that is accessible from the Internet, will require
constant care and feeding to make sure that it stays secure.
Also, this module only looks at hardening the web server application itself, it does not look at
securing the web site or the actual web pages or code that the site is hosting. Writing secure web
applications is beyond the scope of this document but must be addressed in order to have a secure
site.
Finally, the steps outlined in this module should not be performed on a production system because
certain changes could have unexpected results. Therefore, the steps should be performed on a
development server and the development server should be backed up prior to making any changes.
Once everything has been tested, the changes should be made to the production server. The
production server should also be backed up before any changes are made.
6 - 4
IIS Security - SANS
©2001
4
Agenda
• This module will cover the security
concerns with the implementation
off IIS 5.0 and Windows 2000 SP2
on a clean formatted machine
• We will than cover:
– Installation
– Common security vulnerabilities
This module will assume that Windows 2000 has already been installed on a clean formatted system
and that it has been properly secured. Service Pack 2 (the most recent Service Pack as of this
writing) should also be applied prior to installing the web server. This module is not meant as a step-
by-step guide for installing and configuring a web server. It is meant to serve as a guide for
addressing some of the key security concerns with running an IIS server.
Before a web server goes into production, it should be tested from a security perspective and have a
vulnerability and security assessment performed to make sure all key issues have been addressed.

Once the system goes live it should be monitored on a regular basis because even though it is secure
today it might not be secure tomorrow.
6 - 5
IIS Security - SANS
©2001
5
OS/IIS Installation and Hardening
• Install the 2000 OS from a clean verified media
source
• Use a 4 GB NTFS partition for the OS
• Under component Services Installation Area
– Uncheck Indexing Services
– Check Terminal Services
– Uncheck Script Debugger
– Under Details for Accessories and Utilities, Uncheck Accessibility
Wizard, Communications, Games, and Multimedia
– Under Details for IIS Service, Uncheck FrontPage extensions,
documentation, and Internet Services Manager
– Select Remote Administration mode for Terminal Services
– Select that this computer is “Not a part of a domain”
– Change the CD-Rom drive letter to Z
When installing IIS you should always start with original CDs. If you download a copy or obtain a
copy from another source you increase your chances of having security issues because you cannot be
guaranteed that the software is clean and does not have any back doors.
The OS partition should be kept separate from the data and application partitions. This way problems
in one area have less of a chance of impacting the other. For example the operating system needs a
certain amount of hard drive space to operate properly. If all of the hard drive space is consumed, then
the system will crash. If the data, application and operating system are all on the same partition, an
attacker can write large amounts of data to the system, use up all of the disk space and crash the system.
The boot partition needs to be NTFS, so that security can be enabled on files and directories, and

auditing turned on. It is important to remember that with NTFS, you will be unable to boot to a DOS
prompt should the need arise. The use of applications such as ERDCommander should be purchased to
assist if such a need ever were to arise.
When installing the operating system and IIS, under components services installation area, the
following options should be selected or unselected.
Uncheck Indexing Services
Check Terminal Services
Uncheck Script Debugger
Under Details for Accessories and Utilities, Uncheck Accessibility Wizard, Communications,
Games, and Multimedia
Under Details for IIS Service, Uncheck FrontPage extensions, documentation, and Internet Services
Manager
Select Remote Administration mode for Terminal Services
Select that this computer is “Not a part of a domain”
Change the CD-Rom drive letter to Z
6 - 6
IIS Security - SANS
©2001
6
Right Click the C drive in
My Computer. Click on
Security > Remove the
Everyone Group > Add
both the Administrator
and System groups, give
full control to both
OS/IIS Installation and Hardening (2)
To change the security permissions on the system, select the C:\ drive under My Computer and right
click on it. From the Local Disk Properties dialog box, select the Security tab. The Everyone group
should be removed. The Everyone group includes literally everyone. It is a common misperception

that the Everyone group includes everyone in the specific domain. This is not the case. The
Everyone group does encompass anyone in the domain but also includes anyone in the world who
can get to the system, not just authenticated users. The Administrators and SYSTEM group should
be given access and in most cases should be given Full Control. Users or Authenticated Users can
then be added as a specific group, but remember to enforce a principle of least privilege. Users
should be given the minimal access they need to do their job and nothing else. If necessary,
additional groups should be created with fewer privileges and users should be added to those groups.
6 - 7
IIS Security - SANS
©2001
7
OS/IIS Installation and Hardening (3)
• Audit the following
– Create files/write data
– Create folders/Append
data
– Delete subfolders and files
– Delete change permissions
– Take ownership
When it comes to security, prevention is ideal but detection is a must. You will never be able to
prevent all attacks on your system, so in cases where you can not prevent an attack you must be able
to detect it in a timely manner. The only way that you can detect an attack and know what is
occurring on your system, is if you audit key events and review them on a regular basis. Therefore,
it is critical to have auditing turned on.
The key events that must be audited are:
Create files/write data
Create folders/Append data
Delete subfolders and files
Delete change permissions
Take ownership

You can turn on additional features but remember the more events that you audit could have a direct
impact on the performance of your system and resources that are available. Since there are many
vulnerabilities with Microsoft’s Indexing Service (including buffer overflows) and since this
machine will not be used for file services, Indexing is not needed and should be disabled and
therefore no associated auditing events are turned on.
After hitting Apply you will get a message stating that auditing is not turned on. That is ok, we will
be turning this feature on later in the module.
6 - 8
IIS Security - SANS
©2001
8
Encryption and OS Patch Setup
• Install the High Encryption Pack for
Windows 2000
• Do not reboot when complete
• Run KEYMIGRT.exe
• Set the system’s paging file’s
Minimum/Maximum size as equal
• Reboot
Remember when it comes to security there is no silver bullet. In order to have a secure system you
must use defense in depth. With defense in depth you have multiple mechanisms protecting your
system and one of those must be encryption. First, you should install the High Encryption Pack for
Windows 2000. Since you will be making other changes, do not reboot the system at this time.
Run KEYMIGRT.exe after installing the High Encryption Pack. It is necessary to run this utility to
upgrade the encryption of the private keys used by IIS SSL from 40-bit RC4 to 168-bit 3DES. The
upgraded key is the Master key which encrypts IIS’s private keys as well as the private keys of all
the services which use public/private keys on this server.
The system’s pagefile values for minimum and maximum should also be set to the same value. At
this point, the system needs to be rebooted so that the changes can take effect.
6 - 9

IIS Security - SANS
©2001
9
Encryption and OS Patch Setup (2)
• Install SP2 for 2000
• Install all of the latest hot fixes
–hfnetchk.exe can be used to
determine a list of required fixes
When Microsoft finds a vulnerability with a system they usually release a patch (hotfix) to fix the
problem. A hotfix will secure the system against that specific vulnerability. After several hotfixes
have been released, Microsoft will usually put out a Service Pack which fixes all of the
vulnerabilities and problems up to that point. You should stay up-to-date on the latest Service Packs
and hotfixes to make sure your system stays secure. Before installing a hotfix or a Service Pack it
should be run on a test system, and the production system should be backed up prior to installation.
Service Packs and hotfixes have both been known to cause problems or crash systems. At the time
of this writing, Service Pack 2 is the latest service pack for Windows 2000.
Once SP2 is installed, all of the current hotfixes should be applied. Microsoft’s Network Hot Fix
Checker (hfnetchk.exe) can be downloaded for free from Microsoft’s web site
( This command line utility will retrieve a
list of current hotfixes from Microsoft’s site as an XML file, compare the current list of hotfixes with
your system, and provide a list of fixes that should be installed. The specific hotfixes can then be
downloaded and applied.
6 - 10
IIS Security - SANS
©2001
10
Configuring Services
• Disable all network protocols
except for TCP/IP
– disable NetBIOS over TCP/IP

• Set a fixed IP Address for the
server
In order to have a secure system you must adhere to a principle of least privilege. This approach sets
up a system with the least amount of privileges needed for it to function properly and nothing else.
From a network protocol standpoint, any protocol that is not needed should be disabled. For most
networks only TCP/IP is needed and/or recommended. If you require another protocol such as SNA
or IPX/SPX, there are additional steps that must be taken from a configuration standpoint.
Note that a web server strictly uses TCP/IP protocols – HTTP/HTTPS, possibly FTP or SMTP. It
has no need for Microsoft’s NetBIOS protocol, used for file and print sharing and some Windows
networking functions. As NetBIOS has a number of vulnerabilities, you should disable NetBIOS
over TCP/IP on your web server. This may prevent any remote administration of the web server that
uses NetBIOS (i.e., connecting to a shared drive over the network), but the inconvenience of having
to administer the server from the console is far outweighed by the security advantages of turning off
NetBIOS.
Since the server will need to be accessible, it should be given a static IP address. If dynamic
addresses were used people could have difficulty connecting to the server because the address could
potentially change.
To provide additional levels of protection, TCP/IP filtering could also be used by an administrator to
prevent attackers from trying to gain access through other ports that are not secured.
6 - 11
IIS Security - SANS
©2001
11
Configuring Services
•Alerter
•DHCP Client
•DNS Client
• License Logging Agent
• Distributed Link Tracking Client
• Distributed Link Tracking Server

• Distributed Transaction
Coordinator
• Messenger
•Print Spooler
• Remote Registry Service
• Removable Storage
• Run as a Service
•Server
• SMTP
• Task Scheduler
•TCP/IP NetBIOS
• Telephony
Disable the following services in
Computer Management:
When Microsoft ships a version of the operating system including Windows 2000, it is installed with most of the
common features and functionality turned on. This might be needed for an enterprise server but a lot of these
services are not needed for a web server, especially one that is going to be accessed from the Internet. The fewer
services that are running on the system, the fewer potential points of compromise. Therefore the following
services should be disabled:
Alerter
DHCP Client
DNS Client
License Logging Agent
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
Messenger
Print Spooler
Remote Registry Service
Removable Storage

Run as a Service
Server
SMTP
Task Scheduler
TCP/IP NetBIOS Helper Service
Telephony
These services can be disabled using the Services section of the Computer Management MMC.
6 - 12
IIS Security - SANS
©2001
12
Configuring Terminal Services
• Under Terminal
Services
Configurations
– Right click RDP-TCP
and change the
encryption
level to high
The only way to have a secure system is by utilizing defense in depth or having multiple levels of
defenses protecting your system. Encryption is a key part in a company’s defense in depth strategy
and should also be configured and utilized by Terminal Services. To configure encryption for
Terminal Services, under the Terminal Services configuration, right click on RDP-TCP and change
the encryption level to high. This will allow all data that is being sent between the client and the
server to be protected by encryption, based on the server’s maximum key length. To provide proper
protection, a server should utilize the highest possible encryption for its keys. There is a trade off
however. The longer the keys the more resources will be needed and the bigger the strain on the
computer system. Therefore in some cases, if the server is suffering performance issues, a medium
or low level of encryption would be needed until the hardware can be upgraded to handle the proper
level.

6 - 13
IIS Security - SANS
©2001
13
IIS 5.0 Configuration
• Stop the default web site in ISM
These slides now cover some of the key things that need to be done to secure and configure an IIS
5.0 server. This portion does not discuss how to implement your web site or how to write or create
secure HTML. To start configuring IIS, you need to start the Internet System Manager (ISM). The
first thing you should do is stop the default web site which is included when you install IIS.
The ISM is used to perform a lot of the configuration and to see what IIS is doing and what it is
running.
6 - 14
IIS Security - SANS
©2001
14
z
Edit the Master properties
for the WWW Service
–Enable logging
–Use W3C Extended Log
File Format
–Change the New Log Time
Period to When the File
Reaches 50 MB
z
In Extended Properties
–Add checks for Cookies and
Referrer
IIS 5.0 Configuration (2)

To turn on logging and enable other security measures, you need to edit the master properties of the
WWW server. This is done by using the WWW Service master properties for the WWW Server
dialog box. To start configuration, click on the Web Site tab. In order to understand what is
occurring on your network and to be able to detect attacks in a timely manner, auditing must be
turned on. To do this, select the Enable Logging checkbox near the bottom of the dialog box. Under
Active log format, select W3C Extended log file format. Click Properties and change the New Log
Time period to when the file reaches 50 MB. Under Extended Properties, add checks for Cookies
and Referrer.
6 - 15
IIS Security - SANS
©2001
15
IIS 5.0 Configuration (3)
• Under Home Directory and
Configuration
– Remove all Unnecessary Application
mappings
– Note: It is best to remove all
mappings and add back the ones
needed for the final website
– .asa, .asp, .bat, .cdx, .cer, .htr,
.htw, .ida, .idc, .idq, .printer, .shtm,
.shtml, .stm
– Note: At a minimum .htr, .idc, and
.printer should be removed unless
absolutely required
Under Application Configuration, click on the App Mappings tab and remove all unnecessary
application mappings. By removing unneeded mappings, an administrator has taken the steps to
eliminate a large number of exploits present in IIS. One general recommendation is to remove all
mappings and add back the ones needed for the final website.

The general mappings are: .asa, .asp, .bat, .cdx, .cer, .htr, .htw, .ida, .idc, .idq, .printer, .shtm, .shtml,
and .stm. At a minimum, .htr, .idc, and .printer should be removed unless absolutely required as
these all have known buffer overflow exploits.
6 - 16
IIS Security - SANS
©2001
16
z
Create a new web site
under your computer
name
–Choose a drive that is Not
your system partition to be
the path to your home
directory
–Uncheck “Allow Anonymous
Access to this Website”
–Choose the minimum set of
permissions for your web
site
IIS 5.0 Configuration (4)
Create a new web site under your computer name using the Web Site Creation Wizard. The Web
Site Creation Wizard will walk you through the necessary steps needed to set up and configure a new
web site. When setting up a new web site you should choose a drive that is NOT your system
partition for the path to your home directory. You should also uncheck “Allow anonymous access to
this website.” Under Web Site Access Permissions you should choose the minimum set of
permissions required for your web site to function properly. In most cases, only Read access is
recommended. If additional access is granted, care should be given that you are not opening the door
to an attacker.
6 - 17

IIS Security - SANS
©2001
17
IIS 5.0 Configuration (5)
• Configure a separate directory for each
file type so that the proper ACLs can be
set
• Delete both the Default and the
Administrative Web Sites
• Remove all IIS Sample Directories
• Delete the printers virtual directory at
%systemroot%\web\printers
Whenever possible, a separate directory should be set up for each file type so that the proper access
control lists (ACLs) can be set. For example, the following could be the typical directory structure
based on the different file types on your system:
z
D:\ my_site \static (.html)
z
D:\ my_site \include (.inc)
z
D:\ my_site \script (.asp)
z
D:\ my_site \executable (.dll)
z
D:\my_site \images (.gif, .jpeg)
Both the default and administrative web sites should be deleted. Since this potential access on all IIS
web servers is installed by default, they are a common avenue that attackers could use to
compromise a system.
All IIS sample directories should be removed including the following:
–IIS %webroot%\iissamples

–IIS SDK %webroot%\iissamples\sdk
–Admin Scripts %webroot%\AdminScripts
–IIS HELP %systemroot%\help\iishelp
–IIS adpwd %systemroot%\system32\inetsrv\iisadmpwd
–Data Access C:\Program Files\Common files\System\msadc\Samples
Finally, the printers virtual directory should be deleted.
6 - 18
IIS Security - SANS
©2001
18
High Security Web Template
• Download and install the high security web
template from Microsoft
– />srv/SCM/1.0/NT5/EN-US/hisecweb.exe
– Copy the resulting .inf into the
%windir%\security\templates directory
Microsoft makes many resources available in order to provide a higher level of security. One of the
resources for IIS is the high security web template. This can be downloaded from Microsoft's
download web site. Once it is installed, you should copy the resulting .inf into the Security
Templates directory (%windir%\security\templates). This will be used to “lock down” and provide
additional protection to the web server.
6 - 19
IIS Security - SANS
©2001
19
z
In the MMC add:
–Security Configuration and
Analysis Tool
–Security Templates

z
In the Security
Configuration and Analysis
tool
–Choose Open Dbase and give
an appropriate name to it
–Load the hisecweb.inf
High Security Web Template (2)
To add the template, go to MMC and bring up the Add Standalone Snap-in dialog box. Under Snap-
ins, select Security Configuration and Analysis and Security Templates. Save the newly created
MMC. Run the MMC. Under the Security Configuration and Analysis, choose Open Database and
give the new database an appropriate name. Then load the corresponding hisecweb.inf file into the
database.
6 - 20
IIS Security - SANS
©2001
20
High Security Web Template (3)
• Choose analyze now
– This will allow you to browse the changes the
template will make
• Change anything that will have an adverse
effect
• Once complete, click Configure Computer
Now
Once the template is setup, you should review the existing state of the system. This is done by
choosing the “Analyze Now” option, which will compare the current system state to the security
settings in the database you just created. This will allow you to browse the changes that the template
will make before actually applying them. It also gives you a chance to do a final review before
making any changes that could have an adverse impact on your system. Once you are happy with

everything, you would select “Configure Computer Now” to apply the changes in the template to the
web server.
6 - 21
IIS Security - SANS
©2001
21
User Account and
ACL Modifications
• Under Local Users and Groups
– Rename the Internet guest account
– Delete the guest account
• Use delguest.exe
– Remove the renamed Internet Guest
account from the Guest Group
– Rename the Administrator Account
• Ensure a strong password
– Disable the IWAM_Machinename Account
User accounts provide a common way that attackers use to compromise a system. User accounts
(and their passwords) carefully control who has access to your system (who can get access, the
strength of the passwords, etc.) all which are very important. Just as important is what someone can
do once they gain access and this is controlled by access control lists (ACLs). Even after a legitimate
user gets access, they should only be allowed access to the minimal amount of information needed
for them to do their job. In order to make any changes to passwords, you will need to start the
Workstation Service. Once you are done you need to go back in and stop and disable the service
when complete.
Under local user and groups, you should rename the Internet guest account (IUSR_Machinename)
and remove this new account from the Guest group. You should delete the Guest account using the
delguest.exe program available from the Internet. The Administrator account should also be
renamed. All accounts left on the system should have strong passwords. Finally, you should disable
the IWAM_Machinename account. This account may be required on servers that make use of

certain web-based applications, but can safely be disabled on most servers, particularly if they are
only serving static content.
6 - 22
IIS Security - SANS
©2001
22
User Account and
ACL Modification (3)
• Set the permissions for the renamed Internet Guest
account on all Volumes to “No Access”
• IMPORTANT!! Click Advanced > Check Reset
Permissions on all Child Objects
• Change the permissions for the renamed IUSR account to
Read Only for the following:
– C:\winnt, D:\InetPub\wwwroot (the IIS Root)
• Uncheck “Allow Inheritable Permissions From Parent
Object to Propagate to This Object”
– Choose Copy
Once the accounts have been renamed, you need to set the permission for the renamed Internet Guest
account (IUSR_Machinename) on all volumes to “No Access.” It is important that these rights are
also set for all child objects. This is done by clicking on Advanced, then check Reset Permission on
All Child Objects. Otherwise the parent directory will be configured correctly and not the
underlying child directories.
The permissions for the renamed IUSR account should also be set to Read only for the IIS root and
on C:\winnt. The IIS root is \InetPub\wwwroot, where wwwroot is the path you named during the
installation of the web server.
Uncheck “Allow inheritable permissions from the parent object to propagate to this object.” This
will result in a security message warning you that you are about to prevent any inheritable
permissions from propagating to this object and asks what you want to do. The recommendation is
to copy the previously inherited permissions to this object.

6 - 23
IIS Security - SANS
©2001
23
Helpful Utilities
• Utilities to assist with Hotfix maintenance:
–Hfcheck
• www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
• Allows IIS 5.0 Administrators to ensure that their systems are
up-to-date on their security patches
–Qfecheck
• Command line tool from Microsoft that helps administrators
track and verify installed hotfixes
• www.microsoft.com/technet/support/kb.asp?ID=282784
–PatchWork
• Software tool that automates the discovery of local
vulnerabilities and identifies needed patches
• />To keep your system secure, it requires constant updating. Microsoft makes several tools available
to help with this process. These tools can be used to help an administrator keep an accurate count and
list of what hotfixes and Service Packs are installed on a system. These should be run on at least a
monthly basis, or as required by an organization. The following are some of the tools:
hfnetchk.exe
Allows IIS 5.0 administrators to ensure that their systems are up-to-date on their security patches
www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
Qfecheck
Command line tool from Microsoft that helps administrators track and verify installed hotfixes
www.microsoft.com/technet/support/kb.asp?ID=282784
PatchWork
Software tool that automates the discovery of local vulnerabilities and identifies needed patches
/>6 - 24

IIS Security - SANS
©2001
24
Hacking IIS
• You can’t plan a defense without
knowing the offense
– What tools are attackers using?
– What vulnerabilities exist on your
web server?
– What are you doing to mitigate risk?
IIS is a favorite target of attackers. Because of its widespread use on the Internet and its flexibility as
an application server (and because it is produced by Microsoft) IIS has received a great deal of
security scrutiny. Due to this scrutiny, IIS is much more secure today than with earlier versions of
IIS. Ironically, the best thing that ever happened for IIS security has been the rapid publication of its
holes and exploits, just as the best thing for Windows NT/2000 security has been the L0pht (formerly
www.l0pht.com, now defunct).
It is impossible to secure a product without knowing how to attack it. As a security administrator it
is your responsibility to learn how to think like an attacker.
6 - 25
IIS Security - SANS
©2001
25
Reconnaissance
• Finding and profiling IIS servers:
– Port scanning
– Script source code
– Filename extensions
– SSL-Telnet and Netcat
–NBTSTAT
– URL Scanners

– WebReaper
– Error messages
– Content-Location HTTP header
The URLs of public webservers are usually listed in search engines such as Yahoo and Lycos.
Hidden and non-public servers, such as intranet servers, can be located even if they are not
advertised.
Example. HTTP uses TCP port 80 and FTP uses ports 21 and 20. Port scanners can search a range
of IP addresses for systems with these signature ports. This scanning may even be undetectable with
advanced scanners such as Nmap ( Microsoft-compatible scanners
can be found by searching software archives (such as ) for "port scan".
Attackers can locate Microsoft computers, running IIS or not, by scanning for ports 137, 138, or 139.
Example. By examining the source code of CGI and other scripts from public webservers, the IP
addresses of other servers can be extracted. This is possible even if a firewall is blocking port
scanning.