A Few Common Steps to Secure IIS 6.0 Web Servers

  1. Disable NetBIOS over TCP/IP in the TCP/IP properties of the external NIC.
  2. Uncheck "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" on the external NIC of the web server.
  3. Enable IPSec policies to restrict inbound traffic so that only connections to port 80 or 443 are accepted:
    1. Create a general IPSec rule that blocks access from Any IP to Any IP on Any port.
    2. Then create a specific IPSec rule that permits access from Any IP to My IP address on port 80, 443, or whichever specific port the site uses.
  4. Install the Security Configuration Wizard from Control Panel and create a new security policy. Run the wizard on the same web server you are securing, so that it can compare the current security settings with the recommended ones. This can be done remotely, but we recommend doing it locally. Select the "Web Server" role from the installed roles and deselect all others. Make the necessary changes to the services that are required. At the end, compare the current startup mode of each service with the policy-based startup mode, and correct the startup type of any service that appears wrong before applying the policy. Do this with care and with a lot of testing in a lab; once you are confident that everything works there, roll the same policy out to the production web servers.
  5. Rename the local Administrator account and disable the Guest account.
  6. Rename the IUSR_computername account to something else. Then open the IIS console, right-click the local computer, and click Properties. Select the "Enable Direct Metabase Edit" check box and apply the change. Now edit C:\Windows\system32\inetsrv\metabase.xml: locate "AnonymousUserName" with your text editor's Find feature and change its value to the new name you gave the IUSR_computername account.
  7. Move the IIS logs and the virtual directories to a non-system directory to protect against directory traversal attacks.
  8. Change the NTFS permissions so that only specific users are allowed on the parent directory that holds all the files of a website.
  9. Use SSL if possible
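Step 6 is in practice a search-and-replace over every metabase node that sets the anonymous account explicitly: the web service root, individual sites and virtual directories can each carry their own AnonymousUserName, and nodes without the attribute inherit from their parent, so a single Find may not be enough. The Python script below is an added example and not part of the original post or of IIS itself: it lists which metabase locations reference which anonymous account, rewrites only attribute values that exactly match the old name (case-insensitively, since Windows account names are), reports any location still pointing at the old name afterwards, and leaves the rest of the file byte-for-byte as IIS wrote it. The metabase fragment inside it is constructed for the example; the element names and the AnonymousUserName attribute are the real ones, while the host name, account names, paths and the password placeholder are invented. It assumes the real metabase.xml is UTF-8 and that "Enable Direct Metabase Edit" is on, as step 6 requires.

```python
import re
from pathlib import Path

# Constructed sample in the IIS 6.0 metabase layout. The element names and the
# AnonymousUserName attribute are real; the host name, paths, account names and
# the password placeholder are made up for this example.
SAMPLE_METABASE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01" AnonymousUserPass="(encrypted)" AppPoolId="DefaultAppPool"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="D:\\wwwroot" AnonymousUserName="IUSR_WEB01"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="D:\\legacy" AnonymousUserName="WEB01\\svc_legacy_anon"/>
</MBProperty>
</configuration>
"""

# One XML start tag (self-closing or not) and its attribute list.
ELEMENT_RE = re.compile(r"<(\w+)\b([^>]*?)/?>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def anonymous_user_references(metabase_text):
    """Map each metabase Location that sets AnonymousUserName explicitly to the
    account it names. Nodes without the attribute inherit from their parent, so
    only explicit settings appear; those are the ones step 6 has to change."""
    refs = {}
    for tag in ELEMENT_RE.finditer(metabase_text):
        attrs = dict(ATTR_RE.findall(tag.group(2)))
        if "AnonymousUserName" in attrs:
            refs[attrs.get("Location", tag.group(1))] = attrs["AnonymousUserName"]
    return refs


def rename_anonymous_user(metabase_text, old_name, new_name):
    """Return (updated_text, number_of_replacements).

    Works on the raw text rather than re-serialising the XML so that everything
    else (encrypted passwords, attribute order, whitespace) stays exactly as IIS
    wrote it. Windows account names are case-insensitive, so the comparison is
    too, but it is anchored to the whole attribute value: an account whose name
    merely contains old_name is never touched.
    """
    pattern = re.compile(r'(AnonymousUserName=")' + re.escape(old_name) + r'(")', re.IGNORECASE)
    # A function replacement avoids backslash processing in DOMAIN\user names.
    return pattern.subn(lambda m: m.group(1) + new_name + m.group(2), metabase_text)


def stale_references(metabase_text, old_name):
    """Locations that still point at old_name; should be empty after the rename."""
    return sorted(loc for loc, user in anonymous_user_references(metabase_text).items()
                  if user.lower() == old_name.lower())


def rename_in_file(path, old_name, new_name):
    """Apply the rename to a metabase.xml on disk, writing a .bak copy first.

    Assumes the file is UTF-8 (an assumption; check the XML declaration at the
    top of the real file) and that "Enable Direct Metabase Edit" is on, as
    step 6 requires, otherwise IIS will not pick the change up. Bytes are
    decoded and re-encoded rather than read in text mode so that CRLF line
    endings survive the round trip unchanged.
    """
    p = Path(path)
    original = p.read_bytes().decode("utf-8")
    updated, count = rename_anonymous_user(original, old_name, new_name)
    if count:
        p.with_name(p.name + ".bak").write_bytes(original.encode("utf-8"))
        p.write_bytes(updated.encode("utf-8"))
    return count


if __name__ == "__main__":
    print("before:", anonymous_user_references(SAMPLE_METABASE))
    updated, n = rename_anonymous_user(SAMPLE_METABASE, "IUSR_WEB01", "WEB01\\svc_web_anon")
    print("replaced:", n)
    print("after:", anonymous_user_references(updated))
    print("stale:", stale_references(updated, "IUSR_WEB01"))
```

Run it against a copy of the real file first with `anonymous_user_references` only; if a site or virtual directory shows up with a different account than the service root, it was deliberately configured that way and should be reviewed rather than blindly renamed, which is why the replacement only matches the exact old name.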
