With the advent of Windows 2003 and IIS 6.0, the way hosting services are provided on the Windows platform has changed sharply compared with a few years ago. Today, web servers running Internet Information Services 6.0 (IIS 6.0) are very popular around the world, thanks to the .NET and AJAX revolution in web application design. Unfortunately, this popularity also makes IIS web servers a favourite target of hackers, and almost every day we read about new exploits being tracked and patched. This does not mean that Windows cannot be locked down the way Linux can. In fact, the large number of patches released for the Windows platform is a good sign: it shows that weak points are being identified and closed.
Many server administrators have trouble coping with patch management across multiple servers, which makes it easy for hackers to find vulnerable web servers on the Internet. One good way I have found to ensure that servers stay patched is to use Nagios to run an external script on each remote host, which in turn raises an alert on the big screen that a server needs a patch, or a reboot after a patch has been applied. In other words, it is not a difficult task for an intruder to gain access to a web server that is neither secured nor patched, and then to go further, to the point where the administrators have no option left but to perform a fresh operating system install and restore from backup.
Many tools are available on the Internet that allow an experienced hacker or a beginner to identify, exploit and gain access to a web server. The most common are:
IPP (Internet Printing Protocol) – exploits the IPP buffer overflow. The exploit sends a specially crafted request that overflows the stack and opens a window for executing custom shellcode. Because cmd.exe is bound to a specific port on the attacker's side, the hacker is provided with a command shell and access to the system.
UNICODE and CGI decoding – here a hacker uses a browser on his own machine to run malicious scripts on the target server. The script executes under the IUSR_ account, also called the "anonymous account" in IIS. Using this type of script, manual attacks can be carried out to gain access to the system.
Over the years I have seen this more than once: the attack on the IIS web server succeeded because of poor server management, lack of patch management, a configuration that is bad for security, and so on. It is not the operating system or the application that is to blame; the basic configuration of the server is the primary cause. Below is a checklist with an explanation of each item. If followed correctly, it will help prevent many Internet attacks on an IIS web server.
Secure operating system
The first step is to secure the operating system that runs the web server. Make sure that the Windows 2003 server is running the latest service pack, which includes a number of major security improvements.
Always use the NTFS file system
NTFS file system permissions give you fine-grained control over users and let you grant each user access only to what they need, down to an individual file or folder.
Remove unwanted applications and services
The more applications and services that run on the server, the larger the surface for a possible attack by intruders. For example, if you do not need file and printer sharing on a shared hosting platform, disable this service.
Use least-privileged accounts for services
Always start a service with the least-privileged account that will work. By default, Windows Server 2003 reduces the need for dedicated service accounts in many cases, but they are still necessary for some third-party applications. In that case use a local account on the server instead of a domain account: with a local account, a compromise is confined to a single server.
Disable the Guest account and rename the Administrator account
Make sure that the Guest account, which is disabled by default, stays disabled, even though it is a low-privileged account. The Administrator account is a favourite target for hackers, and most malicious scripts use it to exploit and compromise the server. Rename the Administrator account to something else, so that scripts or programs that have this account name hard-coded fail.
Disable NetBIOS over TCP/IP and SMB
NetBIOS is a broadcast-based, non-routable and insecure protocol, and it scales badly because it was designed with a flat namespace. Web servers and Domain Name System (DNS) servers do not require NetBIOS or Server Message Block (SMB). Disable both protocols to reduce the threat of user enumeration.
To disable NetBIOS over TCP/IP, right-click the network connection that faces the Internet and select Properties. Open the Advanced settings for TCP/IP and go to the WINS tab; the option to disable NetBIOS over TCP/IP is there.
To disable SMB, simply uncheck File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. A word of warning though: if you use a network share to store the content, skip this. Only do this if you are certain that your web server is a stand-alone server.
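The same NetBIOS change can be made and verified from the command line. The following PowerShell script is an added example and not part of the original article: it disables NetBIOS over TCP/IP on the adapter that carries a given Internet-facing address (the address shown is a placeholder) through the Win32_NetworkAdapterConfiguration WMI class, and then checks whether the SMB ports TCP 139 and 445 are still listening after File and Printer Sharing has been unbound. It assumes an elevated PowerShell session on the web server itself.

```powershell
# Added example (not from the original article): disable NetBIOS over TCP/IP on
# the Internet-facing adapter via WMI instead of the WINS tab, then confirm
# whether the SMB ports are still listening.
# $InternetFacingIp is a placeholder; use the address bound to your
# Internet-facing connection. Run in an elevated PowerShell session.
$InternetFacingIp = '203.0.113.10'

$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $adapters) {
    # TcpipNetbiosOptions: 0 = use DHCP/default setting, 1 = enabled, 2 = disabled
    "{0}: NetBIOS over TCP/IP setting = {1}" -f $nic.Description, $nic.TcpipNetbiosOptions

    if ($nic.IPAddress -contains $InternetFacingIp -and $nic.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios(2) disables NetBIOS; ReturnValue 0 = done, 1 = reboot required
        $r = $nic.SetTcpipNetbios(2)
        "  -> SetTcpipNetbios(2) returned {0}" -f $r.ReturnValue
    }
}

# Unbinding File and Printer Sharing / Client for Microsoft Networks is done in the
# connection's Properties dialog as described above; this check confirms the result.
$smb = netstat -an | Where-Object { $_ -match 'LISTENING' -and $_ -match ':(139|445)\s' }
if ($smb) {
    "TCP 139/445 still listening:"
    $smb
} else {
    "No listener on TCP 139/445."
}
```

The script only touches the adapter whose address list contains the placeholder IP, so a second adapter that still needs NetBIOS for an internal file share is left alone, which matches the warning above about content stored on a network share.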
Schedule patch management
Develop a patch management plan and stick to it. Subscribe to the Microsoft Security Notification Service (http://www.microsoft.com/technet/security/bulletin/notify.asp) to stay up to date on the latest patches and updates from Microsoft. If you want to review patches before installing them, configure Automatic Updates on your server to notify you when a new patch is available.
Run MBSA Scan
This is one of the best ways to learn about security issues on the server. Download the Microsoft Baseline Security Analyzer (MBSA) and run it on the server. It will give you details of security issues with user accounts, permissions, missing patches and updates, and much more.
That's it for securing the base operating system. There are further hardening steps that could be taken to secure the server even more, but they are beyond the scope of this article. Let's move on to securing the IIS web server.
IIS 6.0 is locked down in its default settings. This means that on a fresh installation of IIS, the web server is prevented from running scripts unless explicitly told otherwise. When first installed, IIS serves only static HTML pages and blocks all dynamic content by default, so the web server will not serve or parse dynamic pages such as ASP, ASP.NET, etc. Since a web server is normally meant to do exactly that, the default configuration has to be changed to allow these extensions. Here are some key points that will lead you to a more secure web server:
Latest patches and updates
Make sure that the latest patches and service packs for the .NET Framework are installed. These patches and updates fix many problems that affect the security of the web server.
Isolate web content from the operating system
Do not run your web sites from the default inetpub folder. If you have the option, partition your hard disk: use the C: drive for the operating system files and store all of your clients' web sites on another partition. Moving the web root and the virtual directories to a non-system partition helps protect against directory traversal attacks.
This tool has several benefits and some drawbacks, so use it carefully. If your web server interacts with other servers, test the security tool's configuration to make sure that you do not lose connectivity to back-end services.
Permissions for web content
Make sure that Script Source Access is not enabled on any of the web sites. If this option is enabled, users can access the source files: if Read is also selected they can read the source, and if Write is selected they can write to the source. To verify this, open IIS Manager, right-click the Web Sites folder and select Properties. Clear the check box if it is enabled, and apply the change to all child sites.
Enable only the web service extensions that are needed
By default, IIS 6.0 does not allow site content to be parsed dynamically. To allow a dynamic page to execute, you need to enable the relevant web service extension. Always make sure that "All Unknown CGI Extensions" and "All Unknown ISAPI Extensions" are prohibited at all times. If you do not require WebDAV and the Internet Data Connector, disable them as well.
Disable parent paths
This is the worst of all, but thanks to Microsoft it is disabled by default in IIS 6.0. The parent paths option allows a programmer to use ".." in function calls, permitting paths relative to the current directory using the ".." notation. Setting this property to True poses a security risk because it allows access to important or confidential files outside the application root directory. Since many programmers and off-the-shelf third-party applications use this notation, it is up to you to decide whether it should be enabled or disabled. The alternative to the parent paths option is to use Server.MapPath in the script.
Disable the default Web site
If it is not needed, stop the Default Web Site that is created when IIS 6.0 is installed, or change its properties so that it runs on a specific IP address together with a host header. Never keep it running on All Unassigned, because most ready-made hacking packages identify a vulnerable web server by IP address rather than by domain name. If the Default Web Site is running on All Unassigned, the content can be reached with an IP address in the URL instead of the domain name.
Use application isolation
I love this feature of IIS 6.0, which lets you isolate applications in application pools. By creating new application pools and assigning web sites and applications to them, you make your server more efficient and reliable, because it ensures that other applications or sites are not affected by a faulty application running in a different pool.
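The settings from the last four items (Script Source Access, parent paths, sites bound to All Unassigned, and application pool assignment) can be audited in one pass through the IIS 6.0 WMI provider rather than by opening each site's Properties dialog. The script below is an added example and not part of the original article; it assumes the root\MicrosoftIISv2 namespace is available on the server (the IIS 6.0 WMI provider) and that it is run in an elevated PowerShell session. It only reports; it changes nothing.

```powershell
# Added example (not from the original article): audit the IIS 6.0 metabase
# settings discussed above through the IIS WMI provider (root\MicrosoftIISv2).
# Assumes an elevated PowerShell session on the web server. Read-only.
$ns = 'root\MicrosoftIISv2'

# 1. Script Source Access and parent paths on every virtual directory / site root
$vdirs = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting
foreach ($vd in $vdirs) {
    if ($vd.AccessSource) {
        "WARNING {0}: Script Source Access is enabled (AccessSource = True)" -f $vd.Name
    }
    if ($vd.EnableParentPaths) {
        "WARNING {0}: parent paths are enabled (EnableParentPaths = True)" -f $vd.Name
    }
}

# 2. Sites bound to All Unassigned (empty IP) without a host header:
#    these answer to a bare IP address in the URL.
$sites = Get-WmiObject -Namespace $ns -Class IIsWebServerSetting
foreach ($site in $sites) {
    foreach ($b in $site.ServerBindings) {
        if ([string]::IsNullOrEmpty($b.IP) -and [string]::IsNullOrEmpty($b.Hostname)) {
            "WARNING {0} ({1}): bound to All Unassigned on port {2} with no host header" -f `
                $site.Name, $site.ServerComment, $b.Port
        }
    }
}

# 3. Application pool sharing: how many site roots run in each pool.
#    Several sites in one pool means a faulty application can affect them all.
"Site roots per application pool:"
$vdirs | Where-Object { $_.Name -match '^W3SVC/\d+/ROOT$' } |
    Group-Object -Property AppPoolId |
    ForEach-Object { "  {0}: {1} site root(s)" -f $_.Name, $_.Count }
```

Run it after each change in the checklist to confirm that the setting actually took effect on every child site, not only on the node whose Properties dialog you edited.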
All of these IIS tips use tools that are already available in Windows. Remember to apply them one at a time and test web access after each one. Applying everything at once can be disastrous: if you start having problems, you will be left wondering which change caused them.
A last tip: log on to your web server and run "netstat -an" (without the quotes) at the command line. Watch how many different IP addresses are trying to make contact with your machine, mostly on port 80. If you notice that one IP address is connecting to a large number of ports, you need to do a little investigating.
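Reading raw netstat output by eye gets hard once a server has a few hundred connections. The following PowerShell 2.0+ script is an added example, not part of the original article: it parses the netstat -an table, counts connections per remote address on port 80, and lists any remote address that has touched more than one local port, which is the pattern the tip above says to investigate. The sample lines are constructed for the example; replace $sample with the live output as noted in the comments.

```powershell
# Added example (not from the original article): summarise "netstat -an" per
# remote address. $sample holds constructed lines; on a real server use
#   $sample = netstat -an
# instead. Requires PowerShell 2.0 or later (-split, New-Object -Property).
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51202     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:51203     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:51204     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.44:40011     ESTABLISHED
  TCP    192.0.2.10:21          203.0.113.44:40012     SYN_RECEIVED
  TCP    192.0.2.10:25          203.0.113.44:40013     SYN_RECEIVED
  TCP    192.0.2.10:139         203.0.113.44:40014     SYN_RECEIVED
'@ -split "`r?`n"

$threshold = 2   # connections on port 80 from one address before it is reported

# Turn each TCP data row into an object with RemoteIp / LocalPort / State.
$rows = foreach ($line in $sample) {
    $f = $line.Trim() -split '\s+'          # Proto, Local, Foreign, State
    if ($f.Count -lt 4 -or $f[0] -ne 'TCP' -or $f[3] -eq 'LISTENING') { continue }
    New-Object PSObject -Property @{
        RemoteIp  = ($f[2] -split ':')[0]
        LocalPort = ($f[1] -split ':')[-1]
        State     = $f[3]
    }
}

"Remote addresses with more than $threshold connections on port 80:"
$rows | Where-Object { $_.LocalPort -eq '80' } |
    Group-Object RemoteIp |
    Where-Object { $_.Count -gt $threshold } |
    Sort-Object Count -Descending |
    ForEach-Object { "  {0,-16} {1} connections" -f $_.Name, $_.Count }

"Remote addresses touching more than one local port (worth a closer look):"
$rows | Group-Object RemoteIp |
    Where-Object { @($_.Group | ForEach-Object { $_.LocalPort } | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $ports = ($_.Group | ForEach-Object { $_.LocalPort } | Select-Object -Unique) -join ', '
        "  {0,-16} local ports {1}" -f $_.Name, $ports
    }
```

With the constructed sample, the first list reports 198.51.100.7 (three connections on port 80) and the second reports 203.0.113.44 (ports 80, 21, 25 and 139). A legitimate browser opens several connections to port 80 only, so the second list is the one that usually deserves follow-up.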