IIS Security - PowerPoint PPT Presentation

About This Presentation
Title:

IIS Security

Description:

Easy to use, easy to hack ... Download: http://www.microsoft.com/technet/security/tools ... For Additional Security, download the security tools. References ... – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 32
Provided by: smav
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

Title: IIS Security


1
IIS Security
Sridurga Mavram
2
Contents
  • Introduction
  • Security Consideration
  • Creating a web page
  • Drawbacks
  • Security Tools
  • Conclusion
  • References

3
Introduction
  • What is IIS?
  • IIS, an acronym for Internet Information Services,
    is a web application server program that handles
    HTTP requests
  • The Internet Information Services is a suite of
    tools and services for creating, managing, and
    securing Web sites
  • Popular because IIS sites are so easy to
    implement.
  • Why should you Secure it?
  • Easy to use, easy to hack
  • The default installation (which comes with the OS)
    is massively vulnerable, and it is no wonder that
    attackers are finding IIS to be "the easiest
    pickings" of all Web servers.

4
Security Consideration
  • During Installation/Enabling
  • Post Installation

5
During Installation/Enabling
  • DO NOT install IIS together with services that
    are of key importance for LAN functionality or
    security.
  • Default / no-harm services:
    - Common Files
    - Documentation
    - Internet Information Services Snap-In
    - World Wide Web Server

  • Contd.

6
    - File Transfer Protocol (FTP) Server
    - NNTP Service
    - SMTP Service
  • Risky services:
    - FrontPage 2000 Server Extensions
    - Internet Service Manager (HTML)

7
(No Transcript)
8
Note
  • The first step in securing your server is to
    download the most recent Service Pack and the
    current IIS patches.
  • Don't forget to register so that you will
    automatically receive Microsoft security
    bulletins.

9
Post Installation
  • Before attempting to change settings, ensure
    that you make a backup copy of the metabase (i.e.
    the IIS configuration).
  • To do this, in the "Internet Services Manager"
    application, click on "Backup/Restore
    Configuration".
  • Give the backup a name and create it
  • Storage location:
    C:\WINNT\system32\inetsrv\MetaBack

10
(No Transcript)
11
(No Transcript)
12
  • Details of the Logs
  • Enable Logging
  • Change the log time period from daily
  • Use a dedicated drive (E:\LogFiles)
  • Extended Properties (Select all)
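The backup and logging steps above, expressed for IIS 7 and later with the WebAdministration PowerShell module, as an added example that is not part of the presentation. The slides work through the IIS 5 metabase and the Internet Services Manager GUI; the cmdlets and configuration paths below are their modern equivalents, so the example generalizes beyond the slide. The log directory E:\LogFiles is the slide's; the weekly rollover period and the backup name are assumptions.

```powershell
# Added example, not from the slides: backup-before-change and logging for IIS 7+.
# Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

# 1. Back up the server configuration before touching anything.
#    The backup lands under %windir%\system32\inetsrv\backup\<name>, the modern
#    counterpart of the MetaBack directory on the slide.
$backupName = "pre-hardening-" + (Get-Date -Format "yyyyMMdd-HHmmss")   # assumed naming
Backup-WebConfiguration -Name $backupName
Write-Host "Configuration backed up as '$backupName'"

# 2. Logging defaults inherited by every site.
$pspath    = "MACHINE/WEBROOT/APPHOST"
$logFilter = "system.applicationHost/sites/siteDefaults/logFile"

# Dedicated drive for logs (slide: E:\LogFiles): a volume that holds neither the
# OS nor web content, so a flood of requests cannot fill the system drive.
$logDir = "E:\LogFiles"
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

Set-WebConfigurationProperty -PSPath $pspath -Filter $logFilter -Name "enabled"   -Value $true
Set-WebConfigurationProperty -PSPath $pspath -Filter $logFilter -Name "directory" -Value $logDir

# Rollover period: Hourly, Daily, Weekly, Monthly or MaxSize. The slide only says
# "change from daily"; Weekly is an assumption here.
Set-WebConfigurationProperty -PSPath $pspath -Filter $logFilter -Name "period" -Value "Weekly"

# "Extended Properties (Select all)": enable every W3C field, so an investigation
# later has method, URI, query string, status, user agent, referer and so on.
$allFields = @(
    "Date", "Time", "ClientIP", "UserName", "SiteName", "ComputerName", "ServerIP",
    "Method", "UriStem", "UriQuery", "HttpStatus", "Win32Status", "BytesSent",
    "BytesRecv", "TimeTaken", "ServerPort", "UserAgent", "Cookie", "Referer",
    "ProtocolVersion", "Host", "HttpSubStatus"
) -join ","
Set-WebConfigurationProperty -PSPath $pspath -Filter $logFilter -Name "logExtFileFlags" -Value $allFields

# 3. Verify what was applied.
Get-WebConfiguration -PSPath $pspath -Filter $logFilter |
    Select-Object enabled, directory, period, logExtFileFlags | Format-List
```

Because the settings are written under `siteDefaults`, a site that already overrides its own `logFile` element keeps its own values; check such sites individually with `Get-WebConfiguration -PSPath "IIS:\Sites\<name>" -Filter system.applicationHost/sites/site/logFile`.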

13
(No Transcript)
14
  • Home Directory Configuration
  • Allows you to map files with specific extensions to
    the DLLs that generate dynamic WWW pages.
  • Example: C:\WINNT\System32\inetsrv\asp.dll,
    ism.dll, httpodbc.dll, ssinc.dll and
    C:\WINNT\System32\msw3prt.dll, idq.dll and
    webhits.dll
  • Remove all of these except asp.dll and ssinc.dll
    (security issues)
  • Reason: these DLLs were used in the past for
    breaking into IIS servers and infecting them with
    viruses
  • Example: the buffer overflow vulnerability in
    idq.dll

15
(No Transcript)
16
  • File Extension Mapping
  • To set up an extension mapping served by an ISAPI
    application, click the "Add" button and fill in
    the boxes:
  • Executable: C:\WINNT\System32\inetsrv\asp.dll
  • Extension: .inc
  • Limit to: POST, GET, and HEAD
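The ISAPI DLL clean-up on slide 14 and the verb-limited .inc mapping on slide 16, as one added PowerShell example for IIS 7 and later; it is not the presentation's own material (the slides use the IIS 5 property sheets), and it generalizes the slide's fixed list into an audit of every handler mapping. The handler name `ASPClassic-inc` and the assumption that the classic ASP feature is installed are mine.

```powershell
# Added example, not from the slides: remove mappings to legacy ISAPI DLLs and
# map *.inc to asp.dll for GET, HEAD and POST only (IIS 7+).
Import-Module WebAdministration
$pspath = "MACHINE/WEBROOT/APPHOST"   # server-level configuration (applicationHost.config)

# Slide 14: every DLL in the list except asp.dll and ssinc.dll goes.
$legacyDlls = @("ism.dll", "httpodbc.dll", "msw3prt.dll", "idq.dll", "webhits.dll")

# True when a script-processor path ends in one of the legacy DLLs
# (paths may contain %windir%, so only the file name is compared).
function Test-LegacyDll([string]$path) {
    if (-not $path) { return $false }
    $leaf = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    return $legacyDlls -contains $leaf
}

# 1. Handler mappings (the modern form of the "App Mappings" tab) that still
#    point at a legacy DLL are removed by name.
$risky = Get-WebConfiguration -PSPath $pspath -Filter "system.webServer/handlers/add" |
         Where-Object { Test-LegacyDll $_.scriptProcessor }
foreach ($h in $risky) {
    Write-Host ("Removing handler '{0}': {1} -> {2}" -f $h.name, $h.path, $h.scriptProcessor)
    Remove-WebConfigurationProperty -PSPath $pspath -Filter "system.webServer/handlers" `
        -Name "." -AtElement @{ name = $h.name }
}
if (-not $risky) { Write-Host "No handler mapping references a legacy DLL." }

# 2. The ISAPI and CGI Restrictions list: an entry with allowed="true" lets the
#    DLL be loaded even after its mapping is gone, so flip it to not allowed.
Get-WebConfiguration -PSPath $pspath -Filter "system.webServer/security/isapiCgiRestriction/add" |
    Where-Object { (Test-LegacyDll $_.path) -and $_.allowed } |
    ForEach-Object {
        Write-Host "Disallowing ISAPI restriction entry: $($_.path)"
        Set-WebConfigurationProperty -PSPath $pspath `
            -Filter "system.webServer/security/isapiCgiRestriction/add[@path='$($_.path)']" `
            -Name "allowed" -Value $false
    }

# 3. Slide 16: serve *.inc through asp.dll so include files are executed rather
#    than returned as source, and only for the three verbs on the slide.
$aspDll   = Join-Path $env:windir "system32\inetsrv\asp.dll"
$existing = Get-WebConfiguration -PSPath $pspath -Filter "system.webServer/handlers/add[@path='*.inc']"
if (-not $existing) {
    New-WebHandler -PSPath $pspath -Name "ASPClassic-inc" -Path "*.inc" -Verb "GET,HEAD,POST" `
        -Modules "IsapiModule" -ScriptProcessor $aspDll -ResourceType File
    Write-Host "Mapped *.inc to $aspDll (GET, HEAD, POST only)"
}

# 4. Show the resulting mappings for review.
Get-WebConfiguration -PSPath $pspath -Filter "system.webServer/handlers/add" |
    Select-Object name, path, verb, scriptProcessor | Format-Table -AutoSize
```

On a server that does not need classic ASP at all, the same goal (never returning .inc source to a client) is reached without loading asp.dll by denying the extension under `system.webServer/security/requestFiltering/fileExtensions`.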

17
(No Transcript)
18
  • Application Configuration
  • Clear "Enable Parent Paths"
  • Reason: restricts access to the application's
    directory
  • Clear "Session State"
  • Reason: it overloads the server's memory
  • Debugging
  • Enable "Send text error message to client"
  • Reason: prevents hackers from learning the error
    details

19
(No Transcript)
20
(No Transcript)
21
  • Directory Security
  • Commonly used pages: uncheck Integrated
  • Problem: the username/password is passed along the
    network.
  • Documents
  • Add default documents
  • Note: the Home Directory settings (Read, Write,
    Directory Browsing) should not be overlooked.
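The Application Configuration settings on slide 18 and the Directory Security and Documents items on slide 21, as one added PowerShell example for IIS 7 and later; it is not from the presentation (the slides use the IIS 5 GUI). The site name `Default Web Site`, the default document `default.asp` and the generic error text are assumptions.

```powershell
# Added example, not from the slides: ASP application settings, an authentication
# scheme report, and a default document for one site (IIS 7+).
Import-Module WebAdministration
$apphost  = "MACHINE/WEBROOT/APPHOST"
$siteName = "Default Web Site"   # assumed; use the site you are hardening

# The asp section is locked against web.config by default, so the settings are
# written to a <location path="..."> block in applicationHost.config instead.
$asp = "system.webServer/asp"

# --- Application Configuration (slide 18) ---
# "Clear Enable Parent Paths": with parent paths on, a page may use ".." in
# Server.MapPath or #include and reach files outside its application directory.
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $asp `
    -Name "enableParentPaths" -Value $false

# "Clear Session State": the slide's reason is server memory; only do this for
# applications that never use the Session object.
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter "$asp/session" `
    -Name "allowSessionState" -Value $false

# Debugging off, and a plain text error instead of the detailed ASP error
# (file name, line number, source fragment) that would otherwise reach the client.
foreach ($name in "appAllowDebugging", "appAllowClientDebug", "scriptErrorSentToBrowser") {
    Set-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $asp -Name $name -Value $false
}
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $asp -Name "scriptErrorMessage" `
    -Value "An error occurred on the server when processing the URL. Please contact the system administrator."

# --- Directory Security (slide 21): report which authentication schemes are on ---
# Only the scheme the site really needs should stay enabled, and a scheme that
# carries credentials on the wire belongs behind HTTPS.
$schemes = [ordered]@{
    "Anonymous" = "system.webServer/security/authentication/anonymousAuthentication"
    "Basic"     = "system.webServer/security/authentication/basicAuthentication"
    "Digest"    = "system.webServer/security/authentication/digestAuthentication"
    "Windows"   = "system.webServer/security/authentication/windowsAuthentication"
}
foreach ($name in $schemes.Keys) {
    $cfg = Get-WebConfiguration -PSPath $apphost -Location $siteName -Filter $schemes[$name]
    if ($cfg) {
        $state = if ($cfg.enabled) { "ENABLED" } else { "disabled" }
        Write-Host ("{0,-10} {1}" -f $name, $state)
    }
}

# --- Documents (slide 21): add a default document at the head of the list ---
$docsFilter = "system.webServer/defaultDocument/files"
$defaultDoc = "default.asp"   # assumed
$present = Get-WebConfiguration -PSPath $apphost -Location $siteName -Filter "$docsFilter/add" |
           Where-Object { $_.value -eq $defaultDoc }
if (-not $present) {
    Add-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $docsFilter `
        -Name "." -Value @{ value = $defaultDoc } -AtIndex 0
}
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter "system.webServer/defaultDocument" -Name "enabled" -Value $true

# Verify the ASP settings that were changed.
Get-WebConfiguration -PSPath $apphost -Location $siteName -Filter $asp |
    Select-Object enableParentPaths, appAllowDebugging, appAllowClientDebug, scriptErrorSentToBrowser |
    Format-List
```

The authentication part only reports; those sections are also locked at the server level, so a change would go through the same `-PSPath $apphost -Location $siteName` form once you have decided which scheme the site needs.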

22
(No Transcript)
23
(No Transcript)
24
Creating Webpage
  • Partition your Internet data on different disk
    drives.
  • Reason: limits what a hacker can reach.
  • Create a virtual directory and map it to the
    local directory
  • Enable only the needed permissions:
    - Administrators: Full Control
    - Authenticated Users: Read and Execute
    - SYSTEM: Full Control
  • Disable Directory Browsing
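The "Creating Webpage" steps above (data on its own volume, a virtual directory, the three permission grants, directory browsing off), as one added PowerShell example for IIS 7 and later. It is not part of the presentation, which works through the IIS 5 GUI and NTFS permission dialogs; the path E:\InetData and the names `Default Web Site` and `data` are assumptions.

```powershell
# Added example, not from the slides: a virtual directory on a separate data
# volume with exactly the NTFS grants the slide lists, and directory browsing off.
Import-Module WebAdministration
$siteName = "Default Web Site"      # assumed
$dataRoot = "E:\InetData"           # assumed: a volume other than the OS drive
$vdirName = "data"                  # assumed
$vdirPath = Join-Path $dataRoot $vdirName

if (-not (Test-Path $vdirPath)) { New-Item -ItemType Directory -Path $vdirPath | Out-Null }

# 1. NTFS permissions: drop inherited ACEs, then grant only what the slide lists.
#    (OI)(CI) = applies to files and subfolders; F = Full Control; RX = Read & Execute.
icacls $vdirPath /inheritance:r
icacls $vdirPath /grant "BUILTIN\Administrators:(OI)(CI)F"
icacls $vdirPath /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"
icacls $vdirPath /grant "NT AUTHORITY\Authenticated Users:(OI)(CI)RX"
# Note for IIS 7+: anonymous requests run as IUSR, which is not an Authenticated
# User, so a public (anonymous) directory would additionally need
#   icacls $vdirPath /grant "IUSR:(OI)(CI)RX"
# The slide's list assumes the content is for authenticated users only.

# 2. Create the virtual directory and map it to the local path.
if (-not (Get-WebVirtualDirectory -Site $siteName -Name $vdirName)) {
    New-WebVirtualDirectory -Site $siteName -Name $vdirName -PhysicalPath $vdirPath | Out-Null
    Write-Host "Created virtual directory /$vdirName -> $vdirPath"
}

# 3. Directory browsing off for this virtual directory.
$vdirPsPath = "IIS:\Sites\$siteName\$vdirName"
Set-WebConfigurationProperty -PSPath $vdirPsPath -Filter "system.webServer/directoryBrowse" `
    -Name "enabled" -Value $false

# 4. Verify: the effective ACL and the directory browsing state.
icacls $vdirPath
Get-WebConfigurationProperty -PSPath $vdirPsPath -Filter "system.webServer/directoryBrowse" -Name "enabled"
```

The `icacls` output at the end is the check worth keeping: it should show only the three principals above (plus IUSR if you added it), with no inherited `(I)` entries from the volume root.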

25
(No Transcript)
26
(No Transcript)
27
Drawbacks
  • Managing large IIS server configurations or
    multiple servers over the Internet can be slow
    and cumbersome.
  • A hacker can enter as guest and take over system
    privileges (due to insecure DLL isolation).
  • Tools that are produced outside of Microsoft do
    not alert you when you set a property that
    requires supporting properties.

28
Security Tools
  • IIS Lockdown tool
    - Installation guide:
      http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm
    - Download:
      http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
  • URLScan
    - Download:
      http://www.microsoft.com/technet/security/tools/URLscan.asp

29
Conclusion
  • Do not ignore the necessary security steps
  • Regularly update the server with the security
    patches
  • For additional security, download the security
    tools

30
References
  • Microsoft Windows Security Resource Toolkit, Ben
    Smith and Brian Komar
  • http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
  • http://www.serverwatch.com/news/article.php/1400491
  • http://www.informit.com/articles/article.asp?p=29310&seqNum=5&rl=1
  • http://www.eeye.com/html/Research/Advisories/AD20020410.html

31
Thank You