![Page 1: Securing Windows Internet Servers 23.org / Covert Systems jon.miller@covertsystems.net Jon Miller Senior Security Engineer Covert Systems, Inc](https://reader035.vdocument.in/reader035/viewer/2022062421/56649da65503460f94a91c42/html5/thumbnails/1.jpg)
Securing Windows Internet Servers
23.org / Covert Systems
Jon Miller
Senior Security Engineer
Covert Systems, Inc.
Installation
Upgrading?
• Always try to use a fresh install and migrate existing data over
• Make sure to convert to NTFS
• Default security settings are not applied; you must apply them manually using MMC
Installation
Service Packs
• Always check Windows Update and TechNet to make sure you have the most current patches and SPs
• HFNETCHK
File Systems
NTFS or FAT
Services
• Always decide what services you require prior to installation
• Now is the time to decide what form of remote administration software, if any, you will use…
– Terminal Server
– Vshell SSH & SFTP (www.vandyke.com)
• Never install superfluous services
Services
COMPAQ INSTALLATION =
Network Configuration
• TCP/IP should be the only protocol
• Use TCP/IP Filtering (and IPSec when applicable)
• Nmap the server to make sure you don’t have any surprise ports open
• If it is an IIS box it can NEVER be on a domain
• Use a second Ethernet card for remote admin and have only the “Internet Service” on the primary interface
Using the MMC
• Customize your own security template and use it
• Establish standards within your template that apply to all servers from “PDCs” to desktops
Security Configuration
• Password Complexity / Length
– Always remember passwords so they cannot be reused
• Event Log Access
• Define Permissions for Services
• Rename Administrator Account
Common Sense
• Delete or rename files that may be used against you in the event of an attack
– Do you really use MS TFTP?
– Rename CMD.exe
• Create partitions or move directory structure to protect against directory traversal
• Remove OWA
– Do you really want an IIS server running on your company's mail server?
• Microsoft Security Alerts: microsoft.com/technet/security/notify.asp
IIS 4 / 5
Try to run only base services
• The services below are the only services required to run a functional IIS server:
– Event Log
– License Logging Service
– Windows NTLM Security Support Provider
– Remote Procedure Call (RPC) Service
– Windows NT Server or Windows NT Workstation
– IIS Admin Service
– MSDTC
– World Wide Web Publishing Service
– Protected Storage
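The list above can be checked against `sc query state= all` output collected from a server. The following added example (not part of the original slides) parses that output and reports running services that are not on the list, plus listed services that are not running. The mapping from the slide's display names to service key names and the sample output are assumptions constructed for illustration.

```python
import re

# Key names for the slide's services; display name -> key name is assumed here.
REQUIRED = {
    "eventlog": "Event Log",
    "licenseservice": "License Logging Service",
    "ntlmssp": "Windows NTLM Security Support Provider",
    "rpcss": "Remote Procedure Call (RPC) Service",
    "lanmanserver": "Windows NT Server",
    "lanmanworkstation": "Windows NT Workstation",
    "iisadmin": "IIS Admin Service",
    "msdtc": "MSDTC",
    "w3svc": "World Wide Web Publishing Service",
    "protectedstorage": "Protected Storage",
}
# The slide says Server "or" Workstation, so either one satisfies that entry.
EITHER = {"lanmanserver", "lanmanworkstation"}

def parse_sc_query(text):
    """Return {key name (lowercased): state} from `sc query state= all` output."""
    services, current = {}, None
    for line in text.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(.+?)\s*$", line)
        state = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if name:
            current = name.group(1).lower()
        elif state and current:
            services[current] = state.group(1)
    return services

def audit(text):
    """Return (running services not on the list, listed services not running)."""
    running = {n for n, s in parse_sc_query(text).items() if s == "RUNNING"}
    missing = set(REQUIRED) - running
    if missing & EITHER != EITHER:      # at least one of the pair is running
        missing -= EITHER
    return sorted(running - set(REQUIRED)), sorted(missing)

# Constructed sample, trimmed to the two fields the parser reads.
SAMPLE = "\n".join(
    f"SERVICE_NAME: {name}\n        STATE              : {code}  {state}"
    for name, code, state in [
        ("EventLog", 4, "RUNNING"), ("RpcSs", 4, "RUNNING"), ("LanmanServer", 4, "RUNNING"),
        ("IISADMIN", 4, "RUNNING"), ("W3SVC", 4, "RUNNING"), ("MSFTPSVC", 4, "RUNNING"),
        ("TlntSvr", 4, "RUNNING"), ("Spooler", 1, "STOPPED"), ("MSDTC", 1, "STOPPED"),
    ])

print(audit(SAMPLE))
```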
Stuff to Remove
• C:\inetpub - sample files
– c:\inetpub\iissamples
– c:\inetpub\iissamples\sdk
– c:\inetpub\AdminScripts
– c:\Program Files\Common Files\System\msadc\Samples *
• HTW Mapping
• IISADMPWD
• RDS (Remote Data Services)
Stuff to Remove
• Parent Paths? (Disallows “..” *be careful*)
– Web server | Properties | Home Directory | Configuration | App Options
• Script Mappings (.htr .idc .stm .shtml .shtm .printer .ida .idq .hta)
– Web server | Properties | Master Properties | WWW Service | Edit | Home Directory | Configuration
Misc.
• Restrict Anonymous
– HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
– Name: RestrictAnonymous
– Type: REG_DWORD
– Value: 1
Permissions
• Set your ACLs (next page)
• Make sure that the IIS log files are not publicly readable
– winnt\system32\LogFiles
Permissions
CGIs - (.exe, .dll, .cmd, .pl)
• Everyone (X)
• Administrators (Full Control)
• System (Full Control)
Permissions
Script Files - (.asp)
• Everyone (X)
• Administrators (Full Control)
• System (Full Control)
Permissions
Include Files - (.inc, .shtm, .shtml)
• Everyone (X)
• Administrators (Full Control)
• System (Full Control)
Permissions
Static Content - (.txt, .gif, .jpg, .html)
• Everyone (R)
• Administrators (Full Control)
• System (Full Control)
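The four Permissions slides amount to one ACL per file type. The following added example (not from the original deck) turns that table into `icacls` command lines for a list of files and reports files whose extension the slides do not cover. Using `icacls` as the applying tool and the sample paths are assumptions of the example.

```python
import ntpath

# ACEs from the four Permissions slides, written in icacls notation. Using
# icacls to apply them is this example's assumption; the slides name no tool.
ADMIN_ACES = ("Administrators:F", "SYSTEM:F")
CLASSES = {
    "cgi":     ((".exe", ".dll", ".cmd", ".pl"), "Everyone:(X)"),
    "script":  ((".asp",), "Everyone:(X)"),
    "include": ((".inc", ".shtm", ".shtml"), "Everyone:(X)"),
    "static":  ((".txt", ".gif", ".jpg", ".html"), "Everyone:R"),
}
EXT_TO_CLASS = {e: c for c, (exts, _) in CLASSES.items() for e in exts}

def classify(path):
    """Return the slide's content class for a file, or None if it lists none."""
    return EXT_TO_CLASS.get(ntpath.splitext(path)[1].lower())

def plan(paths):
    """Return (icacls commands, files that need a manual decision)."""
    commands, unclassified = [], []
    for path in paths:
        cls = classify(path)
        if cls is None:
            unclassified.append(path)   # not covered by the slides: review by hand
            continue
        grants = " ".join(f'"{ace}"' for ace in ADMIN_ACES + (CLASSES[cls][1],))
        # /inheritance:r drops inherited ACEs; /grant:r replaces earlier explicit
        # grants for the named principals only, so other explicit ACEs remain.
        commands.append(f'icacls "{path}" /inheritance:r /grant:r {grants}')
    return commands, unclassified

# Constructed sample paths under a hypothetical web root.
SAMPLE = [
    r"D:\wwwroot\default.asp",
    r"D:\wwwroot\cgi-bin\search.pl",
    r"D:\wwwroot\include\header.inc",
    r"D:\wwwroot\images\LOGO.GIF",
    r"D:\wwwroot\global.asa",
]

for line in plan(SAMPLE)[0]:
    print(line)
```

Files returned in the second list, such as `global.asa` here, fall outside the four classes on the slides and get no command.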
Exchange
• Exchange is one of the few servers that does outgoing mail authentication well. Take advantage of that and don’t have an open relay (5.5)
• Anti-Virus
• Use Encrypting File System (EFS) to protect data
• Internet Mail Connector
– Limit your outgoing size
• Relaying from DMZ server to Exchange
– Use sendmail to relay all mail to an internal Exchange server
– Or with another copy of Exchange: install Exchange, add the Internet Mail Connector, and add it to your existing site. No mailboxes or folders are required
Exchange
• Setup Exchange Administrators (2000)
• Not All Admins are Full Admins
– Exchange Administrator
– Exchange Full Administrator
– Exchange View Only Administrator
• Security Page
– HKCU\Software\Microsoft\Exchange\ExAdmin
– Value: ShowSecurityPage
– Data: 1 (REG_DWORD)
• Tracking Logs
– Remove Everyone Read
– \Exchsrvr\%COMPUTERNAME%.log
Outlook Web Access
• Lock Down IIS
• Use SSL
• Front End / Back End Mode
– http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp
Exchange Diagram
Tools
URL Scan (Microsoft)
Baseline Security Analyzer (Microsoft)
IIS Lockdown (Microsoft)
SecureIIS (eEye)
Tripwire for NT (Tripwire)
Anti-Virus (Symantec, McAfee)
http://www.23.org/~humperdink/
Hire a Security Company
Q & A
Y’all ask me stuff
http://www.23.org/~humperdink/
http://www.covertsystems.net