IIS 5/6 Install and Lockdown v3

This was a training document on how to install and lockdown IIS 5 or 6 (Windows Server 2000 or 2003). It was originally designed for Act! CRM resellers new to web technologies. I hope to get the time to do a new version based on current OS servers.


CONSULTANTS INFO PACK
For GL Computing resellers and clients

IIS5 - Installation and lockdown for ACT! Consultants, including Networking Basics.
Volume 1
DEVELOPER: MIKE LAZARUS, GL COMPUTING

THIS DOCUMENT IS A SUPPORT DOCUMENT FOR GL COMPUTING RESELLERS TO ASSIST THEM IN RESELLING GL COMPUTING SUPPORTED PRODUCTS INCLUDING ACT! PREMIUM FOR WEB. IT IS NOT TO BE COPIED, REPRODUCED OR DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF GL COMPUTING.

WHILE THE AUTHOR HAS TAKEN GREAT CARE TO ENSURE THE ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENT, ALL MATERIALS ARE PROVIDED WITHOUT WARRANTY WHATSOEVER - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

ACT! AND ACT! FOR WEB ARE REGISTERED TRADEMARKS OF INTERACT COMMERCE CORPORATION, BEST SOFTWARE OR SAGE SOFTWARE IN VARIOUS COUNTRIES. WINDOWS IS A TRADEMARK OF MICROSOFT CORPORATION. ALL OTHER PRODUCT NAMES ARE TRADEMARKS OR REGISTERED TRADEMARKS OF THEIR RESPECTIVE COMPANIES.

A GL Computing support initiative. © GL Computing, 2004. PO Box 161, Paddington 2021. Phone 02-9361-6766. http://www.GLComputing.com.au
GL Computing, 6/8/2004

Table of Contents
Chapter 1: Server and Networking Basics
Chapter 2: IIS – What is it?
Chapter 3: Installing IIS
Chapter 4: Protect against What?
Chapter 5: Configuring and Securing IIS
Appendix: More tips for the sensibly paranoid
Chapter 1
Server and Networking Basics

It is essential for your comfort in consulting to IIS clients and their IT staff that you have a good understanding of the core terms and protocols in use on an IIS server. This includes terms that will occur later in this document as well as terms that you may need to address in on-going support. For this reason, we have put what would normally be in a glossary at the beginning of this document.

IIS is the Microsoft Internet Information Server. As such, some of the terms have specific definitions that may not be as accurate for other Internet servers.
Server vs Workstation
ACT! for Web supports NT4 (SP6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later supports Windows 2003). So what are the basic differences between the Workstation/Professional and the Server versions of the operating systems? First, the Server versions are pre-set and biased to processing background tasks over foreground, which can make IIS operate faster, but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions can only support 10 concurrent connections. Considering the hits from other random internet traffic, this can limit you to 6-8 concurrent users accessing your ACT! database on the internet. So, if you are looking for reliable connections for more than 5 users, you will need to use the Server versions.

NTFS (New Technology File System)
This file system has many improvements over the FAT16/32 file systems. To begin with, it is transaction-based, i.e. it uses a transaction log to assist in maintaining data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs. This capability stems from the use of the transaction log to roll back outstanding disk writes the next time Windows is booted. It also uses this log to check the disk for errors instead of scanning each file allocation table entry as the FAT file system does. It also adds a security model that we will be using to protect our servers. This document will assume you are running Windows 2000 with an NTFS file system.

NTFS Security
The NTFS file system includes the capability to assign access control entries (ACEs) to an access control list (ACL). Each ACE names a user or group (by its security identifier) together with the access it allows or denies, and the ACL is the container that holds one or more ACEs; the ACL is stored in the file's security descriptor. The access can include such capabilities as read, write, delete, execute or even ownership. What this means to you is that we can determine, through NTFS security, which users and groups can access files and folders on your server and what access they have. You cannot do this with FAT16 or FAT32 file systems, which have no per-file permissions at all.
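The following Python model is an added illustration, not part of the GL Computing document, of how Windows evaluates an ACL of the kind described above: explicit Deny ACEs are ordered before Allow ACEs, the entries are walked in that order, and evaluation stops as soon as any requested right is denied or every requested right has been granted. The account names, group memberships and the folder ACL are constructed for the example, and the access-mask bits are a simplification of the Win32 rights.

```python
"""Simplified model of NTFS ACL evaluation (added illustration; the names,
groups and mask bits are constructed, not taken from the document)."""
from dataclasses import dataclass, field
from typing import List, Set

# Simplified access-mask bits (the real Win32 masks are wider than this)
READ, WRITE, EXECUTE, DELETE, TAKE_OWNERSHIP = 0x01, 0x02, 0x04, 0x08, 0x10
FULL = READ | WRITE | EXECUTE | DELETE | TAKE_OWNERSHIP


@dataclass(frozen=True)
class ACE:
    trustee: str   # user or group the entry applies to
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    mask: int      # rights the entry grants or denies


@dataclass
class Principal:
    name: str
    groups: Set[str] = field(default_factory=set)

    def identities(self) -> Set[str]:
        # Every account is implicitly a member of Everyone (on Windows 2000
        # that includes the anonymous web account IUSR_<machine>).
        return {self.name, "Everyone"} | self.groups


def canonical_order(acl: List[ACE]) -> List[ACE]:
    """Explicit Deny ACEs are evaluated before explicit Allow ACEs."""
    return [a for a in acl if not a.allow] + [a for a in acl if a.allow]


def check_access(acl: List[ACE], who: Principal, requested: int) -> bool:
    """True if `who` is granted every bit of `requested` by `acl`.

    A matching Deny for any requested right ends evaluation with a refusal;
    Allow entries accumulate rights until all requested bits are granted.
    Rights that no ACE mentions are never granted (default deny)."""
    ids = who.identities()
    granted = 0
    for ace in canonical_order(acl):
        if ace.trustee not in ids:
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed ACL for an Inetpub\wwwroot-style folder: administrators get full
# control, the anonymous web account can only read and run content, and the
# Guests group (which IUSR belongs to) is explicitly denied write and delete.
WWWROOT_ACL = [
    ACE("Administrators", True, FULL),
    ACE("IUSR_WEB01", True, READ | EXECUTE),
    ACE("Guests", False, WRITE | DELETE),
]

ADMIN = Principal("alice", {"Administrators", "Users"})
IUSR = Principal("IUSR_WEB01", {"Guests"})
STAFF = Principal("bob", {"Users"})

# A Deny on Everyone beats an Allow on Administrators: the Deny is seen first.
LOCKED_ACL = [
    ACE("Everyone", False, WRITE),
    ACE("Administrators", True, FULL),
]


def describe(acl: List[ACE], who: Principal) -> str:
    """Human-readable list of the individual rights `who` holds under `acl`."""
    names = {READ: "read", WRITE: "write", EXECUTE: "execute",
             DELETE: "delete", TAKE_OWNERSHIP: "take-ownership"}
    held = [n for bit, n in names.items() if check_access(acl, who, bit)]
    return f"{who.name}: {', '.join(held) or 'no access'}"


if __name__ == "__main__":
    for p in (ADMIN, IUSR, STAFF):
        print("wwwroot", describe(WWWROOT_ACL, p))
    print("locked ", describe(LOCKED_ACL, ADMIN))
```

The two ACLs show the practical consequences: the anonymous web account can read and execute but never write, even though nothing grants it write; and a Deny placed on Everyone removes write access from administrators too, which is why Deny entries on broad groups need care.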
Multithreading
A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that, while IIS is inherently multithreaded, ACT! itself (and most importantly its SDK) is not "thread aware". This means that it can only handle one call at a time and needs to complete processing it before the next call is made. What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate a stand-alone ACT! for Web environment.

Workgroups vs Domains
A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong. All security in a workgroup is based on the local (the one sharing the resource) computer. This is a serious administrative chore because it requires that all workgroup computers have the same user accounts defined if you want to allow other computer users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.

A domain is similar to a workgroup because it provides the same grouping capability as a workgroup, but with one major difference. A domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier, as nearly all the users are the same from any machine on the domain. It is very important to note that the IUSR_<machinename> account that IIS uses for anonymous access is, even on a domain, still a local account on the web server (a member of the local Guests group, and so also covered by the Everyone group). Because it is local, its rights can be restricted on the web server alone, which makes it easier to control than creating a specific domain account.
Domain Controllers
The Domain Controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition to this, your DC is used to authenticate your users when they log on to the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains and Server Manager for Domains (on NT4; Active Directory Users and Computers on Windows 2000/2003), the DHCP server, the WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes. In NT, there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to PDC by an Administrator. In Windows 2000, this is no longer an issue, as DCs in Windows 2000 and 2003 are peers.

Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests, so running IIS on the DC will decrease performance. More importantly, any attack that succeeds against the web server then lands on the DC, and with it on every account in the domain, rendering the entire network non-secure.

Client/Server
Client/server technology is where the server (IIS, SQL Server, etc.) houses the data and most of the intensive data-processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth used on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database-intensive processing and just sends back the results.

TCP/IP (Transmission Control Protocol / Internet Protocol)
These are the core protocols that the entire Internet is based on. Their origins are in the ARPANET work funded by the US Department of Defense from the late 1960s, with universities doing much of the development, and TCP/IP itself was designed in the 1970s. It is the most popular protocol for connecting heterogeneous systems (i.e. computers that are not of the same type). TCP/IP provides communications across interconnected networks of computers with diverse hardware architectures and various operating systems, and includes standards for how computers communicate and conventions for connecting networks and routing traffic.

URL (Uniform Resource Locator)
A URL is the full internet address including the access protocol (http, ftp, nntp, https, etc.), the domain internet address (IP or name) and optionally a path and/or file, user and password. The IP can be in decimal or standard dotted form. A full URL can be of the form:

protocol://user:pass@domain:port/path/filename.ext

Microsoft Internet Explorer has since dropped support for the user:pass@ part of HTTP and HTTPS URLs, as per http://support.microsoft.com/default.aspx?kbid=834489, because the part before the @ was being used to disguise the real host of a link. This can affect sites that use Windows login as opposed to Anonymous access.
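As an added example, not from the GL Computing document, the Python below splits a URL into the parts listed in the glossary entry and shows the host-spoofing trick that led to the change described in KB 834489: everything before the @ is user information, and the browser connects to whatever follows it. The URLs are constructed for the illustration.

```python
"""Added example (not from the GL Computing document): how the optional
user:pass@ part of a URL is interpreted, and why a link with a host-like
user name is a decoy. The sample URLs are constructed."""
from typing import Optional
from urllib.parse import urlsplit


def parse_url(url: str) -> dict:
    """Break a URL into the parts listed in the glossary:
    protocol://user:pass@domain:port/path/filename.ext"""
    u = urlsplit(url)
    return {
        "protocol": u.scheme,
        "user": u.username,        # None when no userinfo is present
        "password": u.password,
        "host": u.hostname,        # the part AFTER the last @ in the authority
        "port": u.port,            # None when the scheme default is implied
        "path": u.path,
    }


def looks_like_host_spoof(url: str) -> Optional[str]:
    """Return the decoy name if the userinfo looks like a host name.

    A link such as http://www.trusted.example@203.0.113.5/ shows the trusted
    name first, but the browser connects to 203.0.113.5; everything before
    the @ is sent (if at all) as the user name. Returns None if nothing is odd."""
    u = urlsplit(url)
    if u.username and "." in u.username:
        return u.username
    return None


# Constructed sample links a consultant might be asked to check
SAMPLES = [
    "http://www.example.com/actweb/default.htm",
    "https://user:pass@www.example.com:8443/actweb/default.htm",
    "http://www.example.com@203.0.113.5/actweb/default.htm",
]

if __name__ == "__main__":
    for link in SAMPLES:
        parts = parse_url(link)
        decoy = looks_like_host_spoof(link)
        print(f"{link}\n  connects to host={parts['host']!r} port={parts['port']}"
              f" as user={parts['user']!r}"
              + (f"\n  WARNING: '{decoy}' is a decoy, not the host" if decoy else ""))
```

The third sample is the case the Microsoft article addresses: a user reading the link sees www.example.com, but the request goes to 203.0.113.5. A check like looks_like_host_spoof is a reasonable thing to run over links in e-mail or web pages before trusting them.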
DHCP (Dynamic Host Configuration Protocol)
DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine. A server should be assigned a permanent static IP rather than a dynamic one if possible.

DNS (Domain Name System)
The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating host names (domain names) into IP addresses; e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. Full global propagation of a change to an IP can take 24-48 hours, depending on the time-to-live set on the record. The name resolution client can be configured to search for host information in a set order: on Unix, first the local /etc/hosts file, second NIS (Network Information Service) and third DNS; on Windows the equivalent local file is %SystemRoot%\system32\drivers\etc\hosts. This sequencing of naming services is sometimes called "name service switching".

WINS (Windows Internet Naming Service)
The WINS service resolves NetBIOS names to their IP address in a similar fashion to the way DNS resolves host names to IP addresses.

NAT (Network Address Translation)
The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one, and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being reachable from the 'net. Private IP addresses are of the form 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x (where x is 0-255). Note that NAT only hides addresses; any port you forward inward is exposed exactly as if that machine sat on the public address, so it is not a substitute for a firewall.
MDAC (Microsoft Data Access Components)
The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common interface to access all of them, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT! for Web are often due to incorrect versions of MDAC. V2.5 is usually recommended. It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7, you will need to also install the FoxPro and Jet drivers separately for ACT! for Web. ACT! for Web 1.2 and later also supports MDAC 2.8 for Windows Server 2003 support.

If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (note: this involves using RegEdit and should only be done by an experienced computer user):
  • Press Start and select Run.
  • Type REGEDIT into the command line and press Enter.
  • Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
  • Look for a value named "Version". This value contains the current version of MDAC installed on your computer.

Microsoft also has a utility called the Component Checker which can be used to diagnose your current MDAC version, as well as find problems in your MDAC installation. The Component Checker can be downloaded from: http://msdn2.microsoft.com/en-us/data/aa937730.aspx

DCOM (Distributed Component Object Model)
The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called "Network OLE", DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX components through its use of the Component Object Model (COM). DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT! for Web: http://itdomino.act.com/act.nsf/docid/13988
Firewalls
A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT as above, through port filtering, IP filtering and other traffic-inspection methods. They can include threat monitoring, call-back and activity pattern testing. A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to an attacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the traffic that it needs to handle. We will discuss more about firewalls later in the security section.

Hubs vs Switches
These connect devices on the same LAN. When data is sent to one port on a hub, it is copied to all ports on the hub, so all segments of the LAN will see the data (which also means any machine on the hub can capture the traffic of every other). A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port. In this way, the connection between the ports and devices can deliver the full bandwidth available without risk of collisions. A hub will also be restricted to the speed of the slowest device on the LAN segment.

Routers vs Bridges
Routers and bridges allow you to connect different networks, e.g. your LAN to your ISP's network. Routers (OSI Layer 3, network) and bridges (OSI Layer 2, data link) operate at different levels of the OSI reference model (Open Systems Interconnect, the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT! for Web implementation.

Commands

Ping
Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time to reach it and return. Note that a firewall that drops ICMP will make a running server appear to be down.

Tracert
If you can't ping a system (and you think it should be running), you might try TRACERT. This will probe each router between you and the remote system, usually allowing you to determine where the failure or bottleneck is.

IPCONFIG
IPCONFIG is a command that displays the TCP/IP network configuration values, and can be used to refresh the DHCP and DNS settings (ipconfig /release, /renew and /flushdns). Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you. For older operating systems (Win 9X/ME) use WINIPCFG.

NSLOOKUP
NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS – What is it?

IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing as well as various other Internet services. It includes various development tools and software development kits. IIS, like all web applications, is a client/server application, in that it does nothing without a client such as a web browser or FTP client software.

The information below is in two areas: the Servers and the Application Development platforms. In both areas, only one is really relevant to ACT! for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.

The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information. The Application Development platforms allow the WWW Server to run programs and scripts.

A plain HTML document that the web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time, so that it can output dynamic information. For example, let's say that you wanted to "hook up" your database to the World Wide Web, to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS, we recommend looking at:
http://www.Microsoft.com/IIS
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp

Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html

Let's have a look at the functions of IIS that we need to know about in a little more detail:

WWW Server
The WWW server uses the Hypertext Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphic images, animated graphic images, 3-D worlds and audio/video files. It can also be used to access databases such as ACT! for Web via various development tools.

FTP
The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service and is used primarily as a data repository. It is usually on port 21. Be aware that FTP sends user names and passwords in clear text.

SMTP
The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25. An SMTP service that is left running and configured to relay is a common target for spammers.

NNTP
The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups similar to the ACC news server. NNTP servers default to port 119.
CGI
The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.

ISAPI
The Internet Server Application Programming Interface was Microsoft's proprietary programming interface developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI DLL (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it. There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, an errant ISAPI application could crash the WWW Publishing Server as well, and a vulnerability in an ISAPI DLL gives an attacker the privileges of the server process itself.

ASP
Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP. ACT! for Web is written using ASP, so add-on development for ACT! for Web would require a good knowledge of ASP. To gain some knowledge of ASP development, you might try looking at www.asp101.com. Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net.

ActiveX
ActiveX controls are components that use the Microsoft COM technologies (Component Object Model, an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the Object Broker). They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system, which is why a browser that runs controls from untrusted sites is at risk.

XML
Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data, but self-describing information about the data. Office 2003 can also use XML.

SOAP
The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS

It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT! database to the 'net via ACT! for Web. The server could also serve the database locally as a LAN server to ACT! clients in a "hybrid" implementation.

This document will assume that you have performed a "clean" install of Windows 2000 Server to your machine, but NOT installed any IIS components (Windows 2000 Server setup installs IIS by default, so you need to untick it during setup). In the Lockdown area, we will discuss the differences if you are locking down a server that already has IIS installed by someone else with more components than we will be installing in this section.

It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.

Installing IIS is quite simple:
  • Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
  • Then click Add/Remove Windows Components.
  • The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
  • In this area, the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT! for Web). We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation, you can always access the Microsoft web site and search their Knowledge Base, TechNet or MSDN.
  • None of the other subcomponents belonging to IIS are necessary, and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server, and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
  • Click "OK" and IIS will be installed.

Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?

In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.

Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from:

Script Kiddie
This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers, so that they can take control of them and use them to attack others. Typically, they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.

Valuable Data
This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards, etc. in your database, you will need to be very careful about your security and liability. We do not recommend keeping this type of data in an ACT! database.

Prestige Site
This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT! for Web installation.
Enemy Attack
This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.

Internal Attack
This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes, the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.

Typically, the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks and are typically more skilled. We will attempt to keep your server secure from both known and unknown attacks.

Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans. A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary, including damaging your data, providing access for others to see your data or using itself to launch attacks on other systems. There are two main ways to prevent these:
  • One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
  • The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they usually listen on specific ports, this provides pretty good security against most known attacks (a Trojan that makes its own outbound connection will get past an inbound-only filter, which is one reason to filter outbound traffic from the server as well).

Many attacks like Nimda, SQL Slammer and others used exploits that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all their servers that were available from the Internet. Consequently, many millions of dollars in damaged data and system down-time were caused. You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are made using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates
from the Microsoft site: http://windowsupdate.microsoft.com

Unknown Attacks
It may seem unusual to talk about preventing an "unknown attack", but that is exactly what is necessary to provide adequate defence: preventing, as much as possible, attacks that use previously undiscovered exploits. Essentially, this means reducing the "surface area" of attack, that is, reducing the entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run. Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now, we'll discuss reducing the entry points that are available.

Port Blocking
By entry points, we usually mean the ports that are open to your server and the IPs that can connect to it. There are two main transport-layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Each of these has 65,536 channels of communication, or "ports" (numbered 0-65535), used to connect to specific applications on the server machine. So, the simple rule to start with is to permit only those ports that you know you need to be allowed through to your server, and to deny everything else by default.

The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to reduce the noise from automated scans that only look at port 80, but it means the user will need to put the port number in their URL, and it is not a security control in itself: a port scan will still find the service, so the lockdown steps are still required. The most complete list of registered port numbers can be obtained from: http://www.iana.org/assignments/port-numbers

The following ports should nearly always be blocked at the firewall, outbound from the server as well as inbound from the Internet: 135, 137, 138, 139 and 593 (RPC and NetBIOS), and 443 unless you are using SSL.

IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
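The following Python is an added example, not part of the GL Computing document, of the Port Blocking and IP Blocking rules above expressed as a first-match packet filter with a default deny: the RPC/NetBIOS ports are denied from anywhere, port 443 is denied unless SSL is in use, and the web port is allowed only from the client's known address ranges. The client ranges and the sample connection attempts are constructed for the illustration.

```python
"""Added example (not from the GL Computing document): a minimal first-match
packet-filter model applying the chapter's two rules, permit only the ports
you know you need and only the client IP ranges you know, with deny as the
default. The rule set and the sample connection attempts are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp" or "udp"
    port: Optional[int]      # destination port, None = any port
    src: IPNet               # source range the rule applies to


ANY = ipaddress.ip_network("0.0.0.0/0")

# RPC and NetBIOS ports the chapter says should nearly always be blocked
BLOCKED_PORTS = (135, 137, 138, 139, 593)

# Constructed: the office ranges from which ACT! for Web users connect
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]


def build_policy(web_port: int = 80, use_ssl: bool = False) -> List[Rule]:
    """Deny rules first, then the allows; anything unmatched is denied."""
    rules = [Rule("deny", proto, p, ANY)
             for p in BLOCKED_PORTS for proto in ("tcp", "udp")]
    if not use_ssl:
        rules.append(Rule("deny", "tcp", 443, ANY))
    for net in ALLOWED_CLIENTS:
        rules.append(Rule("allow", "tcp", web_port, net))
        if use_ssl:
            rules.append(Rule("allow", "tcp", 443, net))
    return rules


def decide(rules: List[Rule], proto: str, src_ip: str, dst_port: int) -> str:
    """First matching rule wins; no match means "deny"."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != proto:
            continue
        if r.port is not None and r.port != dst_port:
            continue
        if src not in r.src:       # an IPv6 source simply matches no IPv4 rule
            continue
        return r.action
    return "deny"


# Constructed connection attempts: (proto, source IP, destination port)
ATTEMPTS: List[Tuple[str, str, int]] = [
    ("tcp", "203.0.113.10", 80),    # known client, web port
    ("tcp", "192.0.2.44", 80),      # unknown source, web port
    ("tcp", "203.0.113.10", 139),   # known client, NetBIOS session port
    ("udp", "192.0.2.44", 137),     # NetBIOS name service from the Internet
    ("tcp", "203.0.113.10", 443),   # HTTPS when SSL is not in use
    ("tcp", "203.0.113.10", 21),    # FTP: no rule, so default deny
]


def evaluate(rules: List[Rule], attempts=ATTEMPTS) -> List[str]:
    """Verdict for each attempt, in order."""
    return [decide(rules, *a) for a in attempts]


if __name__ == "__main__":
    policy = build_policy()
    for attempt, verdict in zip(ATTEMPTS, evaluate(policy)):
        print(f"{attempt[0]} {attempt[1]:>15} -> :{attempt[2]:<4} {verdict}")
    # Moving the site to a non-standard port changes the allow rule, not the
    # posture: port 80 is then denied, and a scan still finds 8080.
    alt = build_policy(web_port=8080)
    print("8080 from known client:", decide(alt, "tcp", "203.0.113.10", 8080))
    print("80 from known client:  ", decide(alt, "tcp", "203.0.113.10", 80))
```

The order of the rules matters: the NetBIOS denies sit before the client allows, so a known office address still cannot reach port 139, and the final fall-through is a deny rather than an allow. Real firewalls and the IIS "IP Address and Domain Name Restrictions" dialog apply the same first-match, default-deny logic.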
Chapter 5
Configuring and Securing IIS

Once again, it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT! database, either solely for ACT! for Web or in a hybrid with local LAN users. We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.

It is also important to note that security can never be guaranteed on the internet, and so you must be careful, as Consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either:

Start | Programs | Administrative Tools | Computer Management

or by selecting Manage from the right-click menu on My Computer. This will bring up the Computer Management Console. It is important that you become familiar with this interface and its operation. Another method of accessing the IIS settings is:

Start | Programs | Administrative Tools | Internet Services Manager
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are being used. Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to stop the service from accepting requests and then check with the administrator. This should be done on the Administration web site and on the FTP and SMTP services, unless you are sure they are being used on the server.

In the Default Web Site (which may have been renamed), delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC (Remote Data Services) and the _vti_ folders (FrontPage Server Extensions). They all contain ASP pages, scripts or ISAPI DLLs in which vulnerabilities may be found, and they are most likely not used or needed on the server. If no other application is being run on the IIS server, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation, which reduces the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.

Next open the Default Web Site properties (right-click, then Properties).
On the Documents tab, remove all the items there and add web.gif, or some other small GIF that you have placed in the default folder defined on the Home Directory tab (usually C:\Inetpub\wwwroot). This means that any potential hacker just looking for a site will see something small that gives nothing away about the content of the site. If the web site is also used for another application, you may need to leave the default document that application uses.

You may want to point the Printers virtual folder at this GIF file as well, because it sometimes re-appears (it belongs to the Internet Printing feature, which re-creates it unless web-based printing is turned off in Group Policy), and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.

Note: you will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT! for Web. To do this, right-click on the ActWeb virtual folder, select Properties, then the Documents tab, and add "Default.htm".
Next, on the Home Directory tab, click the Configuration button. Remove all the application mappings except for .asa and .asp (which are required for ACT! for Web to operate). On a default IIS 5 installation this removes .cdx, .cer, .htr, .htw, .ida, .idc, .idq, .printer, .shtm, .shtml and .stm, so requests for those extensions are no longer handed to their ISAPI DLLs. This prevents holes in components you are not using from being used to infiltrate your site.

Next, remove (or rename, if you are not sure whether they may be needed later) the folders on disk that belonged to the virtual folders you removed earlier.
Remove Internet Guest Account (IUSR_machine_name) access to cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida (where present) by adding the account on each file's Security properties and selecting Deny. Apply the Deny to IUSR only; a Deny on Everyone would also lock out administrators and the system. Do the same for the IWAM_machine_name account, which out-of-process web applications run under. You may need to search the hard disk to get all copies of these files (the dllcache folder holds a second copy of each system file). This prevents an attacker pointing a request at those files and having IIS execute them, which has been a common hacking exploit: a request that escapes the web root and reaches cmd.exe finds nothing it is allowed to run.
If you want increased security, you can remove Anonymous access and use Integrated Windows Authentication. The user must then pass a Windows (local or domain) logon before they reach the ACT! login. Note: different versions of Windows may differ slightly.

1. Right-click the My Computer icon, and then click Manage on the shortcut menu. The Computer Management window appears.

2. Expand Services and Applications, then Internet Information Services, and then select Default Web Site so that you can see your ActWeb virtual directory in the right pane. (This is the standard installation location; your ActWeb virtual directory may be elsewhere.)

3. Right-click the ActWeb virtual directory, and then click Properties on the shortcut menu. The ActWeb Properties dialog appears.

4. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box, and verify that the Integrated Windows authentication check box is selected. The other check boxes depend on your specific security requirements and are not related to ACT! for Web's configuration; do not enable Basic authentication unless the site uses SSL, because Basic sends the password in clear text. Note: Digest authentication is available on IIS 5.0 or later and requires the accounts to be in an Active Directory domain.

6. Click OK on these two windows.

Your ACT! for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt. Be aware that Integrated Windows authentication does not pass through many HTTP proxies, so users connecting from behind one may be unable to log on.

IMPORTANT NOTE: The IUSR_[machinename] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG, and in the security properties of the folder containing your ACT! database as well as the installation folder for ACT! for Web (default: "C:\websites"). For more information on how to do this, please read: http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult to find for potential hackers. Two simple ways to do this are:

1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You will need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the traffic across the Internet; the URL then uses the https protocol instead of http. Remember that a changed port only hides the site from casual browsing; a port scan will still find it.

2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or another search engine for the phrase "ACT! for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing web sites, they may have already begun to take steps to interact with the spiders that crawl them. Visit the following links for more information about meta tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors' sites or search engines, and that robots.txt is a request that well-behaved spiders honour, not an access control. However, these methods are generally accepted by the popular search engines.

http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix

More tips for the paranoid

Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question:

 Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming only defeats guesses at the name; the account keeps its well-known relative ID (500), so a determined attacker can still identify it. The built-in Everyone group is a well-known identity and cannot be renamed; where the server's applications allow, replace it with Authenticated Users in permissions instead.

 Do not use the server to browse the Internet, and do not browse the Internet from an account that is a member of the Administrators group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.

 Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.

 Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com/ and also keep your anti-virus up to date.

 Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert

 Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: MBSA reports on many of the settings below; it does not change them, so you still need to apply them.

 Start | Run, syskey.exe, select Encryption Enabled, then select OK. Note that on Windows 2000 the account database is already encrypted with a locally stored system key by default; the additional protection comes from choosing Update and then either a startup password or storing the key on a floppy, which means the server will no longer boot unattended. For more information on this (read it before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
 Your server should now be reasonably secure. For more information, also read: http://itdomino.act.com/act.nsf/docid/20033410728

 Some more suggested registry changes. BACK UP THE REGISTRY FIRST:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or the site owner
  Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
  Removing these two protocol entries stops the server making RPC calls over TCP and UDP to other machines (DCOM, remote administration tools, domain operations), so apply them only on a stand-alone server and test afterwards.

 Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
  Set the display list to 10 seconds
  Check "Automatically reboot"
  Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history: 8 passwords remembered
  Minimum password length: 8 characters
  Maximum password age: 30 days
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration: 10 minutes
  Account lockout threshold: 5 invalid logon attempts
  Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events: Success, Failure
  Audit account management: Success, Failure
  Audit directory service access: Success, Failure
  Audit logon events: Success, Failure
  Audit policy change: Success, Failure
  Audit privilege use: Success, Failure
  Audit process tracking: Success, Failure
  Audit system events: Success, Failure
  Auditing process tracking and privilege use on Success produces a large volume of events, so raise the Security log's maximum size and retention in Event Viewer accordingly, or the log will wrap before anyone reads it.
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow system to be shut down without having to log on: Disabled
  Audit use of Backup and Restore privilege: Enabled
  Clear virtual memory pagefile when system shuts down: Enabled
  Disable CTRL+ALT+DEL requirement for logon: Disabled
  Do not display last user name in logon screen: Enabled
  Message text for users attempting to log on: "Unauthorized use prohibited"
  Message title for users attempting to log on: company or site owner's name
  Prevent users from installing printer drivers: Enabled
  Recovery Console: Allow automatic administrative logon: Disabled
  Restrict CD-ROM access to locally logged-on user only: Enabled
  Restrict floppy access to locally logged-on user only: Enabled
  Unsigned driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
  Unsigned non-driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
  Additional restrictions for anonymous connections: No access without explicit anonymous permissions (NOTE: this can break trusts with Windows NT 4.0 domains and services that enumerate accounts anonymously; confirm with the administrator)
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)". This removes File and Printer Sharing and Client for Microsoft Networks from the Internet-facing connection; keep them bound only to an internal connection if LAN users need shares.
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. It is often better to do this from an external firewall, but doing it in both places protects you against breaches of the firewall. Note that TCP/IP filtering is an inbound allow-list of ports only; it cannot filter by source address, so IP blocking still has to be done at the firewall or in IIS.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab: User cannot change password
  Guest account | General tab: Password never expires
  Guest account | General tab: Account is disabled
  Guest account | Dial-in tab: Remote Access Permission: Deny access
 Services
o Configure the following Windows services to start automatically:
  DNS Client
  Event Log
  Logical Disk Manager
  IPSEC Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service
  RunAs
  Security Accounts Manager
  Task Scheduler
o Configure the following Windows services to start manually:
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service
  Internet Connection Sharing
  Net Logon
  NetMeeting Remote Desktop Sharing
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions
o Disable the following Windows services if they are not being used:
  Intersite Messaging
  Kerberos Key Distribution Center
  Routing and Remote Access
  Terminal Services
  Print Spooler
  Simple Mail Transfer Protocol (SMTP)
  DHCP Client
  Messenger
  Telephony
  Telnet
  Windows Time
  Note: if the server is a domain member, Net Logon must stay Automatic and Windows Time should stay running, because Kerberos authentication requires the clock to be within tolerance of the domain controllers. Remote Registry Service is listed as Automatic because remote management tools (including MBSA scans from another machine) depend on it; if nothing on the network uses it, Disabled is the safer setting.
 Other general changes
o For the Everyone group:
  C drive, Documents and Settings folder: Read & Execute, List Folder Contents, Read
  C drive, WINNT folder: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe (and any others not needed)
  Removing Everyone from these does not affect administrators, who hold their access through the Administrators group; it removes the rights an anonymous web request would otherwise inherit.
o Display Properties
  Set the screen saver to "Logon Screen Saver"
  Set the screen saver wait to 5 minutes
  Check "Password protected"
o Check the anti-virus program
  Enable the "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the "audible alert" option
  Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, defaults to "ask me what to do", which on an unattended server leaves the infection in place until someone answers the prompt)
  Enable scan of master boot records
  Enable scan of boot records
  Scan all inbound file types
o Vulnerability scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no known vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.

NOTE: Other security steps may be required based on your system, architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs, together with the IIS logs under %SystemRoot%\system32\LogFiles, need to be reviewed daily to track activity and intrusion attempts.
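The Account Policies, Audit Policy and Security Options in this appendix can be verified without clicking through every dialog: secedit /export /cfg C:\policy.inf writes the effective local policy to an INI-style file. The following added example (mine, not from the original document) parses such a file and lists every setting that falls short of the values recommended above. The INF text is constructed to resemble a Windows 2000 default export; the two registry-backed Security Options shown (Do not display last user name, Clear virtual memory pagefile) use the key paths secedit writes for them, and the audit values are the bit flags it uses (1 Success, 2 Failure, 3 both).

```python
r"""Compare a 'secedit /export /cfg <file>' dump against the Local Security
Policy values recommended in this appendix.

Added example, not part of the original document. SAMPLE_INF is constructed
to resemble a Windows 2000 default export; a real export is UTF-16 text, so
read it with open(path, encoding="utf-16").
"""

# [Event Audit] keys for the eight audit categories above. Values are bit
# flags: 1 = Success, 2 = Failure, 3 = Success and Failure.
AUDIT_KEYS = (
    "AuditAccountLogon", "AuditAccountManage", "AuditDSAccess",
    "AuditLogonEvents", "AuditPolicyChange", "AuditPrivilegeUse",
    "AuditProcessTracking", "AuditSystemEvents",
)
# Registry-backed Security Options; secedit writes them as "<type>,<value>"
# where type 4 is REG_DWORD.
DONT_DISPLAY_LAST_USER = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
                          r"\Policies\System\DontDisplayLastUserName")
CLEAR_PAGEFILE = (r"MACHINE\System\CurrentControlSet\Control\Session Manager"
                  r"\Memory Management\ClearPageFileAtShutdown")
# (section, key, operator, expected). "range" is inclusive; "ge_or_forever"
# also accepts -1, which secedit uses for "until an administrator unlocks".
BASELINE = [
    ("System Access", "PasswordHistorySize", "ge", 8),
    ("System Access", "MinimumPasswordLength", "ge", 8),
    ("System Access", "MaximumPasswordAge", "range", (1, 30)),  # -1 = never expires
    ("System Access", "LockoutBadCount", "range", (1, 5)),      # 0 = lockout off
    ("System Access", "LockoutDuration", "ge_or_forever", 10),
    ("System Access", "ResetLockoutCount", "ge", 10),
    ("Registry Values", DONT_DISPLAY_LAST_USER, "eq", "4,1"),
    ("Registry Values", CLEAR_PAGEFILE, "eq", "4,1"),
] + [("Event Audit", key, "eq", 3) for key in AUDIT_KEYS]

# Constructed sample of an untouched export. Lockout is off, so secedit
# omits LockoutDuration and ResetLockoutCount entirely.
SAMPLE_INF = r"""
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
"""


def parse_inf(text):
    """Parse the INI-style export into {section: {key: value}}; integer
    values become int, anything else (for example "4,1") stays a string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        try:
            value = int(value)
        except ValueError:
            pass
        sections[current][key.strip()] = value
    return sections


def meets(op, expected, actual):
    if op == "ge":
        return actual >= expected
    if op == "eq":
        return actual == expected
    if op == "range":
        return expected[0] <= actual <= expected[1]
    if op == "ge_or_forever":
        return actual == -1 or actual >= expected
    raise ValueError("unknown operator %r" % op)


def check_baseline(sections, baseline=BASELINE):
    """Return (section, key, op, expected, actual) for every setting that is
    missing from the export or fails its check; an empty list is compliant."""
    findings = []
    for section, key, op, expected in baseline:
        actual = sections.get(section, {}).get(key)
        if actual is None:
            findings.append((section, key, op, expected, "not set"))
            continue
        try:
            ok = meets(op, expected, actual)
        except TypeError:  # a string where the baseline expects a number
            ok = False
        if not ok:
            findings.append((section, key, op, expected, actual))
    return findings


if __name__ == "__main__":
    for finding in check_baseline(parse_inf(SAMPLE_INF)):
        print("%s / %s: want %s %r, have %r" % finding)
```

Run it against the export after applying the settings and again whenever the server is patched or a Group Policy change is pushed; a clean result is quicker to confirm than re-checking each dialog by hand.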
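The note above calls for daily log review. Here is an added example (mine, not from the original document) that scans an IIS W3C extended log, the ex*.log files under %SystemRoot%\system32\LogFiles\W3SVC1, for requests aimed at the components Chapter 5 removes: the deleted virtual folders, the removed script mappings and the executables IUSR is denied. It also counts hits per client address, which is the input you need for the IP blocking discussed earlier. The log lines are constructed; the request shapes are the classic probes those components attracted.

```python
r"""Scan an IIS 5/6 W3C extended log for requests aimed at the components this
chapter removes and count them per client address.

Added example, not part of the original document. SAMPLE_LOG is constructed to
resemble %SystemRoot%\system32\LogFiles\W3SVC1\ex*.log; the request shapes are
the classic probes the removed components attracted.
"""
from collections import Counter
from urllib.parse import unquote

# Application mappings the chapter removes (everything but .asa and .asp).
REMOVED_MAPPINGS = {".cdx", ".cer", ".htr", ".htw", ".ida", ".idc", ".idq",
                    ".printer", ".shtm", ".shtml", ".stm"}
# Virtual folders the chapter deletes, plus /scripts/, the IIS 4/5 default.
REMOVED_VDIRS = ("/iishelp/", "/iisadmin/", "/iissamples/", "/msadc/",
                 "/_vti_bin/", "/_vti_pvt/", "/printers/", "/scripts/")
# Files the chapter denies to IUSR.
DENIED_FILES = ("cmd.exe", "command.com", "tftp.exe", "httpodbc.dll")

# Constructed sample. IIS replaces spaces inside fields with '+' and writes
# '-' for an empty field, so every record has exactly as many tokens as #Fields.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-08 00:00:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-06-08 00:00:01 10.0.0.5 - 192.168.1.10 80 GET /actweb/default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2004-06-08 00:00:07 203.0.113.9 - 192.168.1.10 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404 -
2004-06-08 00:00:09 203.0.113.9 - 192.168.1.10 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2004-06-08 00:00:12 203.0.113.9 - 192.168.1.10 80 GET /msadc/msadcs.dll - 404 -
2004-06-08 00:00:15 203.0.113.9 - 192.168.1.10 80 GET /NULL.printer - 404 -
2004-06-08 00:00:20 198.51.100.7 - 192.168.1.10 80 GET /_vti_bin/shtml.dll - 404 -
2004-06-08 00:00:30 10.0.0.5 - 192.168.1.10 80 POST /actweb/login.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields
    directive; IIS's '-' placeholder becomes None."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated lines rather than misalign columns
        yield {k: (None if v == "-" else v) for k, v in zip(fields, parts)}


def classify(stem):
    """Return the reasons a URI stem looks like a probe of something this
    chapter removed; an empty list means the request is unremarkable."""
    raw = stem or ""
    # Decode twice so double-encoded separators such as %255c ('\\') are seen,
    # then normalise backslashes so traversal is checked one way.
    decoded = unquote(unquote(raw)).lower().replace("\\", "/")
    name = decoded.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    if ext in REMOVED_MAPPINGS:
        reasons.append("removed script mapping " + ext)
    if decoded.startswith(REMOVED_VDIRS):
        reasons.append("removed virtual directory")
    if any(f in name for f in DENIED_FILES):
        reasons.append("denied executable " + name)
    # '..%' catches encodings Python cannot decode, such as the %c0%af form.
    if "/../" in decoded or "..%" in raw.lower():
        reasons.append("directory traversal")
    return reasons


def scan_log(text):
    """Return (findings, per_ip): findings is a list of
    (time, client_ip, stem, reasons); per_ip counts findings per client."""
    findings, per_ip = [], Counter()
    for rec in parse_w3c(text):
        reasons = classify(rec.get("cs-uri-stem"))
        if reasons:
            findings.append((rec.get("time"), rec.get("c-ip"),
                             rec.get("cs-uri-stem"), reasons))
            per_ip[rec.get("c-ip")] += 1
    return findings, per_ip


if __name__ == "__main__":
    hits, by_client = scan_log(SAMPLE_LOG)
    for time, ip, stem, reasons in hits:
        print("%s %-14s %-45s %s" % (time, ip, stem, "; ".join(reasons)))
    print("clients to consider blocking:", by_client.most_common())
```

A 404 on these requests is the expected result once the chapter's lockdown is in place; a 200 or 500 against any of them means a component was missed and should be investigated the same day.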
