S 4.282 Secure configuration of the IIS base components under Windows Server 2003
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The Internet Information Services (IIS) 6.0 are an important component of Windows Server 2003, and many important functions of the operating system are not available or are only available in limited form without IIS. New technologies have been added to IIS since Version 5, and it has been modularised and separated from the core of the operating system for the most part. This new system design makes the IIS more robust and the operating system more stable. IIS is integrated into Windows Server 2003 in the context of an application server for web-based applications. Correspondingly, this component is referred to as the Application Server component in Windows Server 2003. IIS is a subcomponent of the application server. The Application Server component is completely disabled in a standard installation of the operating system.
The recommendations described in the following do not go into the details of a secure application server or Intranet/Internet server installation (see module S 5.10 Internet Information Server for more information on this subject). Instead, it should always be applied when another Windows Server 2003 component or another application requires installation of the IIS as an auxiliary service. This safeguard points out individual aspects you must take into account for a secure configuration of the IIS base component. Specific settings implementing the information presented here can be found in the Resources for IT-Grundschutz (see Securing the IIS base component under Windows Server 2003 in the Resources for Windows Server 2003).
Which components can be installed?
Only COM+ network access and the Internet Information Services (IIS) should be enabled on the server. The latter should only be enabled for the Common Files, Information Service Manager, and WWW service; the only other service that may be used as an option is Internet printing.
Other IIS services in addition to the HTTP server
The widely used SMTP, NNTP, and FTP protocols as well as the Message Queuing service are listed under Application Server. Some tools and server applications require them to be installed. The use of these protocols and services entails additional threats so that additional safeguards need to be implemented in addition to the recommendations stated here (see also S 5.131 Protection of IP protocols under Windows Server 2003).
On a domain controller for Active Directory, only the IIS services and protocols needed should be installed.
Securing the basic configuration
The installation routine for IIS creates the C:\Inetpub and C:\Inetpub\wwwroot directories in the root directory of the system drive. Both folders should be renamed. The Users security group is to be removed from the security settings in C:\Inetpub\wwwroot and all folders below this directory. The AdminScripts folder should be moved to a user-defined directory. In general, no sample or test scripts should be stored on the productive server regardless of whether they were written in-house, downloaded from the Internet, or taken from software development packages.
The same precautions also apply to the following folders, provided that they exist:
- C:\inetpub\ftproot (FTP server)
- C:\inetpub\mailroot (SMTP server)
- C:\inetpub\nntpfile (NNTP server)
All default virtual servers, the default web site, and the default FTP site are to be terminated if they are not needed. It is recommended to disable the default web site as a rule and only add new web sites for clearly defined purposes, e.g. for WebDAV shares.
Many virtual directories in the Internet Information Service Manager refer to functions of the operating system, for example Internet printing or certificate services. Therefore, the base directories are usually assigned to system folders belonging to the operating system. For this reason, the Users security group should be removed as a rule from the security settings of the particular base directories. If certain resources should also be available to users, for example Internet printing or IIS-based changing of the user password, then a corresponding authorisation concept must be planned and implemented. General information on authorisations in web servers are described in S 4.360 Secure configuration of a web server.
Handling dynamic content
The certificate services and other Windows components sometimes contain graphic user interfaces that operate using ASP. For this reason, it is not always possible to disable ASP. In Windows Server 2003, the ability of ASP to influence the operating system is highly restricted by default (IISLockdown is enabled). It is therefore possible to operate this component securely under controlled conditions with little effort. In particular, this means that ASP should only be enabled for administrative and infrastructural purposes. Furthermore, a suitable administration concept and a corresponding security policy must exist. Access at the user level must be restricted, logged, and checked. Otherwise, additional risks are posed that must be counteracted by implementing the corresponding safeguards (see module 5.10 Internet Information Server). To execute dynamic content, IIS starts stand-alone processes. Multiple applications should be isolated from each other during operation using a suitable process management.
Securing and restricting access
Access to the virtual server and directories is not restricted by default even though the IIS services are only requested by the local computer or by certain clients in the network. In addition, the transmission of passwords in plain text is not prevented. For this reason, settings that are more restrictive than the basic settings should be specified.
Authentication methods
In the LAN, Integrated Windows Authentication is the most secure and easiest authentication method available. It works with the most common browsers, e.g. with the Internet Explorer and Firefox. If part of the LAN is located behind a security gateway, then support for integrated Windows Authentication must be provided.
If the security policy permits it and the threats (see T 5.133 Unauthorized use of web-based administration tools) have been adequately taken into account, digest authentication (sends the login information according to RFC 2617 in encrypted form using domain controllers) can be used as an alternative in certain areas. If this is impossible, then the entire connection must be established over an encrypted channel (see below).
The requirements for digest authentication are:
- active Directory with the Windows Server 2003 scheme extension
- windows Server 2003 on all domain controllers of the local Active Directory site
- HTTP 1.1 support on the clients (e.g. MS Internet Explorer Version 5 or higher)
- HTTP-1.1 support on the security gateways
In Windows Server 2003, the digest is integrated as a Security Service Provider Interface (SSPI) (this is referred to as advanced digest authentication). A prerequisite is that both IIS and the domain controller run under Windows Server 2003. On the server with IIS, SSPI must be forced to operate with the digest with the help of a script since Windows Server 2003 switches back to the older digest module from Windows 2000 or authentication fails completely as soon as the Windows domain configuration is not uniform everywhere.
The command line call is:
cscript adsutil.vbs SET W3SVC/UseDigestSSP true
The configuration script adsutil.vbs is located in the AdminScripts directory. Information on the use of scripts can be found in S 2.367 Use of commands and scripts under Windows Server 2003 and higher.
Encryption in a secure channel (SSL/TLS)
A secure channel is often the only way to transmit passwords in encrypted form when using administration tools from third party manufacturers.
Every web site, referred to in the following as virtual servers, must be equipped with a valid certificate and permit encrypted communication over a secure channel.
For servers with high or very high protection requirements, clients can be required to provide certificates. With the help of additional systems such as chip cards, it then becomes possible to implement a two-factor authentication procedure.
Surveillance
On all virtual servers and web sites, logging must be enabled in the Properties dialogue window. The default setting of one log file per day should be left unchanged provided that the security policy for the server does not require the log file to extend over several days. In Windows Server 2003 with Service Pack 1 and higher, metabase monitoring should also be enabled. The configuration script iiscnfg.vbs is used for this purpose.
The command line call
iiscnfg.vbs /enableaudit W3SVC/<identifier>/ROOT
activates monitoring for the web site configuration and the virtual directories. The <identifier> is the virtual server number. This is documented in the Internet Information Service Manager under the Web sites node next to the list of web sites. Finally, the group policy for object monitoring must be enabled or in effect on the server (see also S 2.365 Planning of system monitoring under Windows Server 2003).
Documentation
At a minimum, it should be documented which server serves as an access point for which administrative tools, which authentication methods are set up for this purpose, and which additional resources the tool needs to access (if any). Deviations from the basic settings or installation standard mentioned should be documented, and reasons must be provided for the deviations.
Review questions:
- Are only the required IIS services protocols installed on all Windows servers?
- Was the basic configuration of the IIS basic components under Windows Server 2003 secured, and was the access to the virtual servers and directories limited?
- Was logging under Windows Server 2003 activated on all virtual servers and web pages?
- Is the configuration of the IIS base components under Windows Server 2003 documented?