Important checks that are crucial for an IIS web server
All unknown CGI extensions must be -> Prohibited
All unknown ISAPI extensions must be -> Prohibited
Active Server Pages (unless your application requires them) must be -> Prohibited
Internet Data Connector must be -> Prohibited
Server Side Includes must be -> Prohibited
WebDAV must be -> Prohibited
Server header information must be -> DISABLED
Application pool running under its own user account must be -> ENABLED
Error disclosure must be -> DISABLED
Server OS information / physical path disclosure must be -> DISABLED
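One way to apply the checklist above on IIS 7 or later, written here as an added example (it is not part of the original post). It uses the WebAdministration and ServerManager modules from an elevated PowerShell session on the IIS host; the site name 'Default Web Site' is an assumption.

```powershell
# Added example (not from the original post): applying the checklist above on IIS 7+.
# Run from an elevated PowerShell session on the IIS host. Site name is an assumption.
Import-Module WebAdministration
Import-Module ServerManager

$site    = 'Default Web Site'         # assumed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'  # server-level applicationHost.config

# Unknown CGI / ISAPI extensions -> Prohibited: anything not on the restriction list is refused
$isapiCgi = 'system.webServer/security/isapiCgiRestriction'
Set-WebConfigurationProperty -PSPath $apphost -Filter $isapiCgi -Name notListedIsapisAllowed -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Filter $isapiCgi -Name notListedCgisAllowed  -Value $false

# ASP, Server Side Includes, WebDAV and CGI -> Prohibited: remove the role services instead of
# merely disabling them (a module that is not installed cannot be reached). Keep Web-ASP only
# if the application genuinely needs classic ASP.
Remove-WindowsFeature Web-ASP, Web-Includes, Web-DAV-Publishing, Web-CGI | Out-Null

# Internet Data Connector was an ISAPI DLL (httpodbc.dll) and is not shipped with IIS 7+; the
# ISAPI restriction above blocks any leftover mapping. Deny the extensions in request filtering
# as well so such requests are rejected before any handler is consulted.
$reqFilter = 'system.webServer/security/requestFiltering'
foreach ($ext in '.idc', '.shtml', '.shtm', '.stm') {
    $existing = Get-WebConfigurationProperty -PSPath $apphost `
        -Filter "$reqFilter/fileExtensions/add[@fileExtension='$ext']" -Name allowed
    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $apphost -Filter "$reqFilter/fileExtensions" `
            -Name . -Value @{ fileExtension = $ext; allowed = $false }
    }
}

# Server header -> DISABLED. removeServerHeader exists on IIS 10 (Windows Server 2016+);
# on older versions use URLScan with RemoveServerHeader=1 instead.
Set-WebConfigurationProperty -PSPath $apphost -Filter $reqFilter -Name removeServerHeader -Value $true
# Also drop the ASP.NET banners (X-Powered-By and X-AspNet-Version)
Remove-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name . -AtElement @{ name = 'X-Powered-By' }
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/httpRuntime' `
    -Name enableVersionHeader -Value $false

# Error disclosure and OS / physical path disclosure -> DISABLED: detailed errors (which carry
# stack traces and physical paths) only for requests from localhost, generic pages for everyone else
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/httpErrors' `
    -Name errorMode -Value DetailedLocalOnly
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/customErrors' `
    -Name mode -Value RemoteOnly
# Directory browsing would also reveal the physical layout; make sure it is off
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/directoryBrowse' `
    -Name enabled -Value $false
```

After running it, check the result from another machine: request a page that does not exist and confirm the response carries no Server, X-Powered-By or X-AspNet-Version header and shows a generic error page rather than a stack trace or a D:\ path.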
A really great and very useful post by Mr. Steve Schofield
Reference: http://forums.iis.net/t/1127617.aspx
1) Run as ApplicationPoolIdentity
2) Uninstall any modules that aren't used, especially authentication modules. Not having modules reduces the attack surface.
If you install additional modules, run at website level, don't load at server level,
use the web.config to load the modules in the <system.webServer> section.
3) Look at using Request Filtering or UrlScan to block SQL injections
4) You can use host headers to help reduce automated IP-based bot attacks.
5) Do not enable remote management; it's disabled by default
6) Don't install FTP, SMTP services.
7) Run each website in its own application pool
8) Lock down any delegated permissions or remove them altogether. OS, app suggestions
9) Run Security Config Wizard; this does OS-level changes. Definitely spin up a test VM or box to test SCW before applying at GPO level
http://weblogs.asp.net/steveschofield/archive/2008/10/26/how-to-use-security-configuration-wizard-in-windows-server-2008.aspx
10) Run Windows Firewall, block all but 3389, 80, 443, echo reply (for monitoring and pings).
11) Place data on a separate drive, remove default NTFS permissions.
12) Keep up on security patches, service packs.
13) Run ASP.NET apps in medium or partial trust if possible. Don't install DLLs in the GAC (global assembly cache)
14) Enable auditing in the local security policy (or GPO).
15) Run anti-virus software.
16) Enable custom errors so unhandled errors aren't displayed remotely
17) Most web applications need to be properly tested for hacking, unhandled exceptions, etc. IIS 7 itself is solid; the applications need to be both load tested and tested for how they handle such situations.
18) Run 64-bit version of W2K8 or R2.
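Points 1, 3, 4, 7, 10, 11 and 14 of the post above can be scripted; the following is an added example and not Steve Schofield's own code. The site name, host header and content path are assumptions for illustration, and it expects an elevated PowerShell session on an IIS 7.5 or later host with the WebAdministration module.

```powershell
# Added example (not Steve Schofield's code): scripting points 1, 3, 4, 7, 10, 11 and 14.
# Site name, host header and paths are assumptions. Run elevated on the IIS host.
Import-Module WebAdministration

$siteName   = 'shop.example.com'   # assumed
$hostHeader = 'shop.example.com'   # point 4: bind by host header so IP-only scanners get no site
$sitePath   = 'D:\Sites\shop'      # point 11: content on a data drive, not the system drive

# Points 1 and 7: one pool per site, running as its own virtual ApplicationPoolIdentity
if (-not (Test-Path "IIS:\AppPools\$siteName")) { New-WebAppPool -Name $siteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$siteName" -Name processModel.identityType -Value ApplicationPoolIdentity

if (-not (Test-Path $sitePath)) { New-Item -ItemType Directory -Path $sitePath | Out-Null }
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $siteName `
        -HostHeader $hostHeader -Port 80 | Out-Null
}

# Point 11: replace the inherited NTFS ACL with an explicit one. The pool's virtual account
# ("IIS AppPool\<pool name>") gets read/execute only; Administrators and SYSTEM keep full control.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl = Get-Acl -Path $sitePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance and discard inherited entries
foreach ($rule in @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = "IIS AppPool\$siteName";  Rights = 'ReadAndExecute' })) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule.Id, $rule.Rights, $inherit, 'None', 'Allow')))
}
Set-Acl -Path $sitePath -AclObject $acl

# Point 3: request filtering as a coarse first line of defence. It does not parse SQL; the
# application's parameterised queries do that job. These limits cut off the obvious noise.
$rf = 'system.webServer/security/requestFiltering'
$sitePs = "IIS:\Sites\$siteName"
Set-WebConfigurationProperty -PSPath $sitePs -Filter "$rf/requestLimits" -Name maxQueryString -Value 2048
Set-WebConfigurationProperty -PSPath $sitePs -Filter "$rf/requestLimits" -Name maxUrl -Value 4096
Set-WebConfigurationProperty -PSPath $sitePs -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 10485760
# Only the verbs the application actually uses; everything else is rejected
Set-WebConfigurationProperty -PSPath $sitePs -Filter "$rf/verbs" -Name allowUnlisted -Value $false
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-WebConfigurationProperty -PSPath $sitePs -Filter "$rf/verbs" -Name . -Value @{ verb = $verb; allowed = $true }
}
# Refuse path traversal sequences in the URL
Add-WebConfigurationProperty -PSPath $sitePs -Filter "$rf/denyUrlSequences" -Name . -Value @{ sequence = '..' }

# Point 10: default-deny inbound, then allow only RDP, HTTP, HTTPS and ICMP echo for monitoring
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name=AllowRDP   dir=in action=allow protocol=TCP localport=3389
netsh advfirewall firewall add rule name=AllowHTTP  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name=AllowHTTPS dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name=AllowICMPv4Echo dir=in action=allow protocol=icmpv4:8,any

# Point 14: audit logon success and failure so brute-force attempts leave a trace in the Security log
auditpol /set /subcategory:Logon /success:enable /failure:enable
auditpol /set /subcategory:Logoff /success:enable
```

The Add-WebConfigurationProperty calls are not idempotent; running the script twice on the same site will complain that the verb and URL-sequence entries already exist, so treat it as a build-time script rather than something to re-run on a live host. Restrict the RDP rule to your management network with a remoteip= parameter before using it in production.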
It's great.