Tuesday, 6 May 2008

IIS Security

As much as I hate to say it, information technology is a young man’s sport, and while admitting to this I also admit that I am no longer as young as I once was; however, I am by no means an old man just yet. Still, you tend to notice the Grandpa Simpson syndrome among older IT managers and staff as they hark back to how it was in their heyday. These stories often have no relevance to your current predicament and do little other than waste your time if you bother to listen to them. These days, it must be said, when someone starts to talk about how things were 10 years ago I tend to cut them short by saying “well, since the advent of stun guns I’ve not needed to listen to stories about the dark ages”. When said with enough menace in the voice they tend to stop talking and leave me to work in peace.

Now that you understand what the Grandpa Simpson syndrome is, you’ll undoubtedly notice it around your workplace in the moments after reading this.

OK, now to get down to today’s lesson: Internet Information Server. If you have the need to run IIS and not Apache (more’s the shame, because it’s not as stable as Apache), here are some basic things you can do to improve its security.

First rule: don’t use the default web site for anything other than admin purposes. There is lots of information freely available on the web about removing virtual directories and other services from it, but personally I find these services useful, and so may you, so my recommendation is to switch the site to Windows authentication, restrict access to a web administrators group, and permit access only from a trusted IP range so that you can continue to use it safely.

Second rule: remove services that you’re not using, such as NNTP, FTP and SMTP, as you most likely will not use them on 70% of all sites; on those sites that do use them, make sure that you lock them down, for instance with the URL scanner available from Microsoft as part of the IIS Lockdown tool. With the FTP and SMTP services you need to look at how to secure them; with FTP this is most easily done with user isolation.

Note: the MetaBase is the repository for Internet Information Services configuration values. In IIS 6.0 it is contained in two files, MetaBase.xml and MBSchema.xml, in the systemroot\System32\Inetsrv folder; MetaBase.xml stores the IIS configuration information. Microsoft also provides tools such as MetaEdit and adsutil.vbs that can be used to view and edit settings directly.

To add isolated users to an FTP site using Active Directory mode, so that users are authenticated against Active Directory, set the following properties in the metabase:

1. Set UserIsolationMode to 2

2. Set ADConnectionsUserName to the user (Domain\UserName) who has permissions to read Active Directory properties

3. Set the DefaultLogonDomain

4. Set AccessFlags properties, for example: AccessFlags=AccessRead|AccessNoPhysicalDir
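The four metabase settings above, applied through the IIS ADSI provider from PowerShell and then read back, followed by the Domain Admins check the next paragraph asks for. This is an added example, not code from the original post; it assumes FTP site id 1 on the local server, placeholder account and domain names, and that it runs elevated on the IIS box.

```powershell
# Added example: configure FTP user isolation in Active Directory mode on IIS 6
# via the IIS ADSI provider, verify the write, and check the AD account's rights.
$FtpSitePath = "IIS://localhost/MSFTPSVC/1"      # assumption: FTP site id 1
$AdUser      = "EXAMPLE\ftp-ad-reader"           # placeholder read-only AD account
$LogonDomain = "EXAMPLE"                         # placeholder domain name
$AdPassword  = Read-Host "Password for $AdUser" -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AdPassword))

$ftp = [ADSI]$FtpSitePath
$ftp.Put("UserIsolationMode", 2)               # 2 = isolate users, Active Directory mode
$ftp.Put("ADConnectionsUserName", $AdUser)     # metabase schema spells it with an "s"
$ftp.Put("ADConnectionsPassword", $plain)
$ftp.Put("DefaultLogonDomain", $LogonDomain)
# AccessFlags = AccessRead | AccessNoPhysicalDir, written through the ADSI boolean views
$ftp.Put("AccessRead", $true)
$ftp.Put("AccessWrite", $false)
$ftp.Put("AccessNoPhysicalDir", $true)
$ftp.SetInfo()

# Read back what landed in the metabase
$ftp.RefreshCache()
"UserIsolationMode     = {0}" -f $ftp.Get("UserIsolationMode")
"ADConnectionsUserName = {0}" -f $ftp.Get("ADConnectionsUserName")
"DefaultLogonDomain    = {0}" -f $ftp.Get("DefaultLogonDomain")
"AccessRead/NoPhysicalDir = {0}/{1}" -f $ftp.Get("AccessRead"), $ftp.Get("AccessNoPhysicalDir")

# The account used to read AD must not be a Domain Admin (direct membership only;
# primary group and nested groups are not resolved by this simple check).
$sam      = $AdUser.Split('\')[-1]
$searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
$account  = $searcher.FindOne()
if ($account -eq $null) {
    Write-Warning "Account $AdUser was not found in Active Directory"
} elseif ($account.Properties["memberof"] -match '^CN=Domain Admins,') {
    Write-Warning "$AdUser is a member of Domain Admins; use a least-privilege account"
} else {
    "$AdUser is not a direct member of Domain Admins"
}
```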


This will make your FTP more secure, but remember to make sure the account you use does not have Domain Admin rights, or you’ll have just left the barn door open for the world to come in.

OK, let’s move on to securing SMTP. This involves requiring users to authenticate to the SMTP server before relaying messages, and permitting only specific computers to relay.

1. In the IIS Manager, right-click the SMTP virtual server and choose Properties.

2. Select the Access tab and under Access Control click Authentication.

3. Select the Integrated Windows Authentication checkbox.

To add relay restrictions to the SMTP virtual server, perform the following steps.

1. In the IIS Manager, on the Access tab, click Relay.

2. In the Relay Restrictions box choose Add.

3. To add a single computer, click Single computer, type the IP address of the computer to add, and then click OK. To add a group of computers (that is, a subnet), click Group; for a domain, click Domain and enter the name of the domain.

Note: TLS can also be used, but unless you are looking to use certificates as part of a site- or domain-wide policy I do not recommend going to the extra trouble of setting it up.

Third rule: I’d like to talk about web logs, as these are often overlooked by people who are new to web site administration, and there are some key points to remember. First of all, enable extended logging. Most people do not do this and find, when something is going wrong or needs investigation, that they can’t, because the events they want were not logged. On anonymous-access sites you may want to log only some simple things, but on SSL sites you may need to log everything due to the sensitive nature of the information. The last point about web logs that I’ll mention is the retention policy: you might need to keep these logs if you are a legal or financial business, and these log files can be over a gigabyte a day on busy sites, so storing one site’s log files for just one month might equal 32 gigabytes, and if you have to store them for 6 months or more you can begin to see how this becomes a space issue, as most web servers do not have large hard drives. So look at compressing this data; as an example, these text log files compress by as much as 90% using WinZip and other such programs. You can also make a scheduled task to delete or compress these files, or you can find some free third-party ones on the net, but remember that whatever you choose should be standardized in your setup.
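Both halves of the rule above in one script: the W3C extended logging fields are switched on for a site through the IIS ADSI provider, and the retention policy is applied to that site’s log folder as a compress-then-delete scheduled task body. This is an added example, not code from the original post; it assumes web site id 1, the default log folder, and PowerShell 5 or later for Compress-Archive (which did not exist on a 2003-era server).

```powershell
# Added example: enable every W3C extended log field on an IIS 6 web site, then
# compress logs older than $CompressAfterDays and delete archives older than $RetainDays.
$SitePath          = "IIS://localhost/W3SVC/1"   # assumption: web site id 1
$CompressAfterDays = 7
$RetainDays        = 180                         # roughly the 6 months the post mentions

$site   = [ADSI]$SitePath
$fields = "LogExtFileDate","LogExtFileTime","LogExtFileClientIp","LogExtFileUserName",
          "LogExtFileSiteName","LogExtFileComputerName","LogExtFileServerIp",
          "LogExtFileMethod","LogExtFileUriStem","LogExtFileUriQuery",
          "LogExtFileHttpStatus","LogExtFileHttpSubStatus","LogExtFileWin32Status",
          "LogExtFileBytesSent","LogExtFileBytesRecv","LogExtFileTimeTaken",
          "LogExtFileServerPort","LogExtFileUserAgent","LogExtFileCookie",
          "LogExtFileReferer","LogExtFileProtocolVersion","LogExtFileHost"
foreach ($f in $fields) { $site.Put($f, $true) }
$site.SetInfo()

# Report any field that is still off after the write
$site.RefreshCache()
$off = $fields | Where-Object { -not $site.Get($_) }
if ($off) { Write-Warning ("Fields still disabled: " + ($off -join ", ")) }

# Log folder is LogFileDirectory\W3SVC<siteid>; files are named exYYMMDD.log.
# Only files untouched for $CompressAfterDays are handled, so IIS's open current log is skipped.
$logDir = Join-Path ([Environment]::ExpandEnvironmentVariables($site.Get("LogFileDirectory"))) "W3SVC1"
$now = Get-Date
Get-ChildItem -Path $logDir -Filter "ex*.log" |
  Where-Object { $_.LastWriteTime -lt $now.AddDays(-$CompressAfterDays) } |
  ForEach-Object {
      $zip = Join-Path $logDir ($_.BaseName + ".zip")
      Compress-Archive -Path $_.FullName -DestinationPath $zip -Force -ErrorAction Stop
      Remove-Item $_.FullName      # original goes only after the archive was written
  }
# Archives age from the time they were created, so total retention is
# $CompressAfterDays + $RetainDays.
Get-ChildItem -Path $logDir -Filter "ex*.zip" |
  Where-Object { $_.LastWriteTime -lt $now.AddDays(-$RetainDays) } |
  Remove-Item
```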
