This was a training document on how to install and lockdown IIS 5 or 6 (Windows Server 2000 or 2003). It was originally designed for Act! CRM resellers new to web technologies. I hope to get the time to do a new version based on current OS servers.
CONSULTANTS INFO PACK
For GL Computing resellers and clients
IIS5 – Installation and lockdown for ACT! Consultants, Including Networking Basics.
Volume 1
DEVELOPER: MIKE LAZARUS, GL COMPUTING
THIS DOCUMENT IS A SUPPORT DOCUMENT FOR GL COMPUTING RESELLERS TO ASSIST THEM IN RESELLING GL COMPUTING SUPPORTED PRODUCTS INCLUDING ACT! PREMIUM FOR WEB.
IT IS NOT TO BE COPIED, REPRODUCED OR DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF GL COMPUTING.
WHILE THE AUTHOR HAS TAKEN GREAT CARE TO ENSURE THE ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENT, ALL MATERIALS ARE PROVIDED WITHOUT WARRANTY WHATSOEVER - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
ACT! AND ACT! FOR WEB ARE REGISTERED TRADEMARKS OF INTERACT COMMERCE CORPORATION, BEST SOFTWARE OR SAGE SOFTWARE IN VARIOUS COUNTRIES. WINDOWS IS A TRADEMARK OF MICROSOFT CORPORATION. ALL OTHER PRODUCT NAMES ARE TRADEMARKS OR REGISTERED TRADEMARKS OF THEIR RESPECTIVE COMPANIES.
A GL Computing support initiative
GL Computing, 2004
PO Box 161, Paddington 2021
Phone 02-9361-6766
http://www.GLComputing.com.au
3. GL Computing Page 3 6/8/2004
Table of Contents
CHAPTER 1 Server and Networking Basics
CHAPTER 2 IIS – What is it?
CHAPTER 3 Installing IIS
CHAPTER 4 Protect against What?
CHAPTER 5 Configuring and Securing IIS
APPENDIX More tips for the sensibly paranoid
Chapter 1
Server and Networking Basics
It is essential for your comfort in consulting to IIS clients and their IT staff that you have a good understanding of the core terms and protocols in use on an IIS server. This includes terms that will occur later in this document as well as terms that you may need to address in on-going support. For this reason, we have put what would normally be in a glossary at the beginning of this document.
IIS is the Microsoft Internet Information Server. As such, some of the terms have specific definitions that may not be as accurate for other Internet servers.
Term Definition

Server vs Workstation
ACT! for Web supports NT4 (sp6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later supports Windows 2003). So what are the basic differences between Workstation/Professional and the Server versions of the operating systems? First, the Server versions are pre-set and biased to processing background tasks over foreground, which can make IIS operate faster, but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions can only support 10 concurrent users. Considering the hits from other random internet traffic, this can limit you to 6-8 concurrent users accessing your ACT! database on the internet. So, if looking for reliable connections for more than 5 users, you will need to use the Server versions.

NTFS
New Technology File System
This file system has many improvements over the FAT16/32 file systems. To begin with, it is transaction-based, i.e. it uses a transaction log to assist in maintaining data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs. This capability stems from the use of the transaction log to roll back outstanding disk writes the next time Windows is booted. It also uses this log to check the disk for errors instead of scanning each file allocation table entry as does the FAT file system. It also adds a security model that we will be using to protect our servers. This document will assume you are running Windows 2000 with an NTFS file system.

NTFS Security
The NTFS file system includes the capability to assign access control entries (ACEs) to an access control list (ACL). The ACE contains a group identifier or a user identifier encapsulated in a security descriptor, which can be used to limit access to a particular directory or file. This access can include such capabilities as read, write, delete, execute, or even ownership. An ACL, on the other hand, is the container that encapsulates one or more ACE entries.
What this means to you is that we can determine, through NTFS security, which users and groups can access files and folders on your server and what access they have. You cannot do this with FAT16 or FAT32 file systems.
Multithreading
A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that, while IIS is inherently multithreaded, ACT! itself (and most importantly its SDK) is not “thread aware”. This means that it can only handle one call at a time and needs to complete processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate for a stand-alone ACT! For Web environment.

Workgroups vs Domains
A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong.
All security in a workgroup is based on the local (the one sharing the resource) computer. This is a serious administrative chore because it requires that all workgroup computers have the same user accounts defined if you want to allow other computer users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.
A domain is similar to a workgroup because it provides the same grouping capability as a workgroup, but with one major difference. A domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier as nearly all the users are the same from any machine on the Domain.
It is very important to note that the IUSR guest account, even on a domain, is still a local-only account and is also not part of any group including EVERYONE. This means it can be better controlled than creating a specific account.
Domain Controllers
The Domain controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts, and computer accounts. In addition to this, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains, Server Manager for Domains, DHCP server, WINS server, and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT, there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to the PDC by an Administrator. In Windows 2000, this is no longer an issue as DCs in Windows 2000 and 2003 are peers.
Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests. Running IIS on the PDC will decrease performance. It could also expose the DC to attacks that render the entire network as non-secure.
Client/Server
Client server technology is where the server (IIS, SQL Server, etc) houses the data and most of the intensive data processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth on the network, much lower requirements for client hardware, and usually much less administration - as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database intensive processing and just sends back the results.

TCP/IP
Transmission Control Protocol / Internet Protocol
These are the core protocols that the entire Internet is based on. Created by US Universities in the 60s, and later expanded by the US Department of Defence, it is the most popular protocol for connecting non-heterogeneous systems (ie computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.

URL
Universal Resource Locator
A URL is the full internet address including the access protocol (http, ftp, nntp, https, etc), the domain internet address (IP or name) and optionally a path and/or file, user and password. The IP can be in decimal or standard-dot form.
A full URL can be of the form:
protocol://user:pass@domain:port/path/filename.ext
This has since been changed for HTTP/HTTPS by Microsoft Internet Explorer as per: http://support.microsoft.com/default.aspx?kbid=834489 – this can affect sites if using Windows login as opposed to Anonymous.
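As an added example (not from the original document), the Python below splits a URL of the form shown above into its parts, converts a decimal IP host to standard dotted form so it can be compared with allow-lists and logs, and flags embedded user:pass credentials in HTTP/HTTPS links, which Internet Explorer no longer accepts per the KB article above. The sample URLs and host names are constructed.

```python
"""Decompose a full URL (protocol://user:pass@domain:port/path/filename.ext)
and flag the cases a consultant should review. Added example; uses only the
Python standard library."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Default ports for the protocols named in this document.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "nntp": 119, "smtp": 25}


@dataclass
class FullUrl:
    protocol: str
    user: Optional[str]
    password: Optional[str]
    host: str                 # hostname, or dotted-decimal IP after normalisation
    port: int
    path: str
    warnings: list = field(default_factory=list)


def normalise_host(host: str) -> str:
    """A bare decimal host (e.g. 3232235777) is the same address as its
    standard dotted form (192.168.1.1); return the dotted form so that
    allow-lists and log entries compare like with like."""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def parse_full_url(url: str) -> FullUrl:
    """Split a full URL into protocol, user, password, host, port and path."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not a full URL: {url!r}")
    protocol = parts.scheme.lower()
    if protocol not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {protocol!r} in {url!r}")
    # urlsplit returns None for a missing port; fall back to the protocol default.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[protocol]
    result = FullUrl(protocol, parts.username, parts.password,
                     normalise_host(parts.hostname), port, parts.path or "/")

    if parts.username is not None and protocol in ("http", "https"):
        # Internet Explorer dropped support for user:pass@ in HTTP/HTTPS URLs
        # (KB 834489): such links fail, and the password also sits in plain
        # text in the address bar, bookmarks and proxy logs.
        result.warnings.append("embedded credentials in HTTP(S) URL")
    if port != DEFAULT_PORTS[protocol]:
        # A non-standard port is allowed, but users must type it into the URL.
        result.warnings.append(f"non-standard port {port} for {protocol}")
    return result


def has_embedded_credentials(url: str) -> bool:
    """True when the URL carries a user name (and possibly a password)."""
    return parse_full_url(url).user is not None


if __name__ == "__main__":
    # Constructed sample URLs for illustration only.
    for sample in ("http://bob:secret@www.GLComputing.com.au:8080/act/login.asp",
                   "https://3232235777/"):
        print(parse_full_url(sample))
```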
DHCP
Dynamic Host Configuration Protocol
DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.

DNS
Domain Name System
The DNS is a general-purpose, hierarchical, distributed, replicated, data query service (database) used mainly for translating hostnames (domain names) into IP addresses – eg when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours.
The name resolution client can be configured to search for host information in the following order: first in the local /etc/hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of Naming Services is sometimes called "name service switching".

WINS
Windows Internet Naming Service
The WINS service resolves Netbios names to their IP address in a similar fashion to the way DNS resolves Hostnames to IP addresses.

NAT
Network Address Translation
The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one, and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the ‘net.
Private IP addresses are of the form: 192.168.x.x or 10.x.x.x (where x is 0-255)
MDAC
The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common user interface to access all of them – often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC, and others. Problems referencing ODBC drivers in ACT! for Web are often due to incorrect versions of MDAC. V2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7, you will need to also install the FoxPro and Jet drivers separately for ACT! for Web. ACT! for Web 1.2 and later now also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system you can find out by following these steps (Note: This involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run.
Type "REGEDIT" into the command line (omit the quotes)
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named "Version". This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the ComponentChecker which can be used to diagnose your current MDAC version, as well as find problems in your MDAC installation. The ComponentChecker can be downloaded from:
http://msdn2.microsoft.com/en-us/data/aa937730.aspx

DCOM
Distributed Component Object Model
The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure, and efficient manner. Previously called "Network OLE," DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT! For Web: http://itdomino.act.com/act.nsf/docid/13988
Device Definition
Firewalls
A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security as above, through port filtering, IP filtering and other data determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned “behind” the firewall, thereby reducing the “surface area” available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit that data that it needs to handle.
We will discuss more about Firewalls later in the security section.

Hubs vs Switches
These connect devices on the same LAN. When data is sent to one port on the hub, it is copied to all ports on the hub so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port. In this way, the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.

Routers vs Bridges
Routers and Bridges allow you to connect different networks – eg your LAN to your ISP’s network. Routers (OSI Layer 3 – network) and Bridges (OSI Layer 2 – Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect – the model for network architecture and protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that Routers and Bridges accomplish a similar task in different ways and you as ACCs can treat them the same way for the purpose of an ACT! For Web implementation.

Command Description

Ping
Ping is the simplest command to tell if a remote system is running and available. It verifies the IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time to reach it and return.

Tracert
If you can’t ping a system (and you think it should be running), you might try TRACERT – this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.

IPCONFIG
IPCONFIG is a command that displays the TCP/IP network configuration values, and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you – for older operating systems (Win 9X/ME) use WINIPCFG.

NSLOOKUP
NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client’s server.
Chapter 2
IIS – What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft’s set of services that support web site configuration, management and publishing as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application – in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: The Servers and the Application Development platforms. In both areas, only one is really relevant to ACT! for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the ‘net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the Web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real-time, so that it can output dynamic information. For example, let's say that you wanted to "hook up" your database to the World Wide Web, to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, and receive the results back again and display them to the client.
For full information on IIS, we recommend looking at: http://www.Microsoft.com/IIS
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let’s have a look at the functions of IIS that we need to know about in a little more detail:
Server Description

WWW Server
The WWW server uses the HyperText Transmission Protocol (HTTP) to communicate with its client application (a web browser). Typically on Port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphics images, animated graphics images, 3-D worlds, and audio/video files. It can also be used to access databases such as ACT! for Web via various development tools.

FTP
FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on Port 21.

SMTP
The SMTP service uses the Simple Mail Transfer Protocol to send email across the ‘net. POP3 (the Post Office Protocol - the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is Port 25.

NNTP
The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups similar to the ACC news server. NNTP servers should default to Port 119.
Dev Tool Description

CGI
The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It’s a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.

ISAPI
ISAPI – The Internet Server Application Programming Interface was Microsoft’s proprietary programming interface developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes less resources. Instead of running each application as a separate process (as in CGI), the ISAPI .dll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.

ASP
Because of the risks writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and support for applications written to use ASP.
ACT! for Web is written using ASP, so add-on development for ACT! for Web would require a good knowledge of ASP. To gain some knowledge of ASP development, you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net

ActiveX
ActiveX controls are components that use the Microsoft COM technologies (Component Object Model – an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.

XML
Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data, but self-describing information about the data. Office 2003 can also use XML.

SOAP
The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT! database to the ‘net via ACT! for Web. The server could also serve the database locally as a LAN server to ACT! clients in a “hybrid” implementation.
This document will assume that you have performed a “clean” install of Windows 2000 Server to your machine, but NOT installed any IIS components. In the Lockdown area, we will discuss the differences if you are locking down a server that already has IIS installed by someone else with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple:
Open the Control Panel (Start | Settings | Control Panel) and go to: Add/Remove Programs.
Then click Add/Remove Windows Components:
The only option that you need to have ticked in this dialog box is: Internet Information Services (IIS). We should take this further by clicking on the “Details” button:
In this area, the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT! for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don’t want the documentation, you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary, and as such should NOT be installed unless you know you will require them for some other task. Other options increase the “surface area” available for attack on the server, and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click “OK” and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this Chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let’s start by categorising the types of attackers you may need to protect your systems from:
Attacker Description

Script Kiddie
This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy to hack servers, so that they can take control of them and use them to attack others.
Typically, they will use Trojans (which your anti-virus should have detected and removed), or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.

Valuable Data
This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have Credit Card numbers (or similar data) on your system. If you are planning to keep Credit Cards, etc in your database, you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT! database.

Prestige Site
This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT! for Web installation.
Enemy Attack
This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee that feels they have been wronged and knows the security of your system.

Internal Attack
This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes, the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files and make sure users only have access to the parts of the system that they need access to.

Typically, the “Script Kiddie” will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and “un-known” attacks and are typically more skilled.
We will attempt to keep your server secure from both known and un-known attacks.
Known Attacks
The first defence is to make sure you are protected against the “known” attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary – including damaging your data, providing access for others to see your data or using itself to launch attacks on other systems.
There are two main ways to prevent these:
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it’s on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda, SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier – and yet many administrators (including Microsoft’s own) had not patched all their servers that were available from the Internet against these. Consequently, many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is a good practice to regularly check for updates from the Microsoft site: http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an “Unknown Attack”, but that is exactly what is necessary to provide adequate defence – preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially, this means reducing the “Surface Area” of attack – that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now, we’ll discuss reducing the entry points that are available.
Port Blocking
By entry points, we usually mean the ports that are open to your server and the IPs that can connect to it.
There are two main transport layer protocols used on the ‘net – TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communications or “ports” to connect to specific applications on the server machine.
So, the simple rule to start with is only to permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from:
http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions:
135, 137, 138, 139, 443 (unless using SSL), 593
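Before writing firewall rules it helps to know what the server actually listens on. The following added example (not part of the original document) applies the rule above, "only permit the ports you know you need", to a constructed listing in the layout of Windows `netstat -an`: it keeps only TCP sockets in LISTENING state and bound UDP sockets, reports any outside the allow-list, and separately marks those on the document's block list. The netstat text and addresses are constructed, and the allow-list of just port 80 is an assumption for a server hosting only ACT! for Web.

```python
"""Audit the ports a Windows server listens on against an allow-list.
Added example; the netstat output below is constructed, not from a real server."""
import re
from typing import Dict, List, Set, Tuple

# Ports this document says should nearly always be blocked at the firewall
# (443 is listed only for servers that do not use SSL).
DOCUMENT_BLOCK_LIST = {135, 137, 138, 139, 443, 593}

# Constructed sample in the layout of "netstat -an" on Windows 2000/2003.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:4311       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    127.0.0.1:1029         *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_ip, port) for every TCP socket in LISTENING state
    and every bound UDP socket. Established connections are not entry points
    and are skipped; header and blank lines do not match the pattern."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, local_ip, int(port)))
    return found


def audit_ports(netstat_text: str, allowed_tcp: Set[int],
                allowed_udp: Set[int] = frozenset()) -> Dict[str, list]:
    """Compare listeners with what the server is meant to offer.
    'unexpected' lists listeners outside the allow-list (review or firewall
    them); 'blocklisted' is the subset on the document's block list."""
    report: Dict[str, list] = {"unexpected": [], "blocklisted": []}
    for proto, ip, port in listening_sockets(netstat_text):
        allowed = allowed_tcp if proto == "TCP" else allowed_udp
        if port in allowed:
            continue
        entry = (proto, ip, port)
        report["unexpected"].append(entry)
        if port in DOCUMENT_BLOCK_LIST:
            report["blocklisted"].append(entry)
    return report


if __name__ == "__main__":
    # A dedicated ACT! for Web server needs only HTTP on port 80 (assumption).
    result = audit_ports(SAMPLE_NETSTAT, allowed_tcp={80})
    for kind, entries in result.items():
        print(kind)
        for proto, ip, port in entries:
            print(f"  {proto} {ip}:{port}")
```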
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall, or the IIS server, to only permit those IPs that belong to your users to access the server. We’ll show how to do this on the IIS server in the next chapter.
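Before switching on IP restrictions it is worth confirming, from the server's own logs, which addresses actually connect and which would be cut off. The following added example (not from the original document) reads constructed IIS log lines in the W3C extended format, using the #Fields directive to find the client-IP and URI columns, and reports every request from outside the allowed ranges. The log lines, addresses and the two allowed ranges (an office range and the LAN) are constructed assumptions.

```python
"""Find requests from clients outside the IP ranges your users are known to use.
Added example; log lines are constructed in the W3C extended format IIS writes."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample log: fictional office range 203.0.113.0/24 and LAN 192.168.1.0/24.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-08 10:15:20
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-06-08 10:15:22 203.0.113.5 GET /act/login.asp 200
2004-06-08 10:15:23 203.0.113.5 GET /act/web.gif 200
2004-06-08 10:16:01 198.51.100.77 GET /act/login.asp 200
2004-06-08 10:16:09 198.51.100.77 GET /samples/default.asp 404
2004-06-08 10:17:40 192.168.1.23 GET /act/login.asp 200
"""

# Assumed allow-list: the ranges the client's users connect from.
ALLOWED_RANGES = ("203.0.113.0/24", "192.168.1.0/24")


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, naming columns from the #Fields directive."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                     # other directives and blank lines
        elif fields is None:
            raise ValueError("log data appears before the #Fields directive")
        else:
            values = line.split()
            if len(values) != len(fields):
                continue                 # skip a malformed line rather than misalign columns
            rows.append(dict(zip(fields, values)))
    return rows


def audit_clients(log_text: str, allowed_cidrs) -> Dict[str, object]:
    """Classify each client address against the allowed ranges.
    'counts' maps client IP -> {'allowed': bool, 'requests': n};
    'denied' lists (ip, uri, status) for requests that IP restrictions would block."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    counts: Dict[str, Dict[str, object]] = {}
    denied: List[Tuple[str, str, int]] = []
    for row in parse_w3c(log_text):
        try:
            ip = ipaddress.ip_address(row["c-ip"])
        except ValueError:
            continue                     # unparsable address: ignore, do not guess
        ok = any(ip in n for n in nets)
        entry = counts.setdefault(str(ip), {"allowed": ok, "requests": 0})
        entry["requests"] += 1
        if not ok:
            denied.append((str(ip), row["cs-uri-stem"], int(row["sc-status"])))
    return {"counts": counts, "denied": denied}


if __name__ == "__main__":
    report = audit_clients(SAMPLE_LOG, ALLOWED_RANGES)
    for ip, info in report["counts"].items():
        print(f"{ip:16} allowed={info['allowed']} requests={info['requests']}")
    for ip, uri, status in report["denied"]:
        print(f"would be denied: {ip} {uri} {status}")
```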
Chapter 5
Configuring and Securing IIS
Once again, it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT! database – either solely for ACT! for Web, or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful, as Consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in at
either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console:
It is important that you become familiar with this interface and its operation.
Another method to access this is by:
Start | Programs | Administrative Tools | Internet Services Manager
If you are setting up on a server that is already installed, you might find services or virtual
folders already there that are being used.
Removing them would not be a good idea if your client is using them for another purpose. If
you do not have access to the system administrator, or they are not sure, select “Stop” to
simply stop the service from accepting requests and check with the administrator.
This should be done on the Administration sites, FTP and SMTP services, unless you are sure
they are being used on the server.
In the Default Web Site (which could be re-named), you should delete the virtual folders: IIS Help,
IIS Admin, samples, MSADC (MS Active Directory Connector), vti (FrontPage). They all
include ASP and Java scripts that may have vulnerabilities found in them and are most likely
not used or needed on the server. If no other application is being run on the IIS server at the
time, you can remove any of the virtual folders in the web site. The idea is that we remove
anything not specifically required for our implementation; this helps reduce the available
“surface area” for an attacker. It is advisable to check with the system administrator. Once you
know you can remove them, right-click on the item and select Delete.
Next open the Default Web Site properties (by right-click, then Properties), which should
look something like:
On the Documents tab, remove all the items there and add web.gif or some other small gif
that you have loaded in the default folder defined in the Home Directory tab (usually the
C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives
nothing away as to the content of the site.
If the server is being used for another site, you may need to leave another default document that
is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes
re-appears and the idea is to leave nothing pointing at an application where vulnerabilities may be
discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have
installed ACT! for Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and Add
“Default.htm”.
Next, on the Home Directory tab click on the Configuration button. Remove all the
Mappings except for ASA and ASP (which are required for ACT! for Web to operate). It will
then look something like:
This is to prevent any holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders that you
removed the virtual folders for earlier:
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe,
command.com, tftp.exe, httpodbc.dll, and default.ida – by adding the account in the Security properties
and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all
the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a
common hacking exploit.
If you want increased security, you can remove Anonymous access and use Windows
Integrated Authentication. This enables you to use the additional Windows and domain
logins prior to the ACT! login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon, and then click Manage from the shortcut menu.
The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet
Information Services option, and then select the Default Web Site option so that
you can see your ActWeb virtual directory in the right pane. (This is the standard
installation location; your ActWeb virtual directory location may differ.)
3. Right-click the ActWeb virtual directory, and then click Properties from the shortcut
menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication
control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box, and verify that the Integrated Windows
authentication check box is enabled. The other check boxes are dependent on your
specific security requirements and are not related to ACT! for Web's configuration.
Note: Digest authentication for Windows domain servers is an option on IIS 5.1
or later.
6. Click OK on these two windows. Your ACT! for Web site is now protected by
Integrated Windows authentication. You may need to close your browser and re-open
it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machinename] account will no longer be used by IIS
with this configuration. You will need to make sure the user account you attempt to log in with has
proper permissions set for it in DCOMCNFG, and in the security properties of the folder
containing your ACT! database as well as the installation folder for ACT! for Web (default:
"C:\websites").
For more information on how to do this, please read:
http://itdomino.act.com/act.nsf/docid/200391584653.
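The virtual-folder, script-mapping, default-document and authentication steps above are all clicked through the MMC in this chapter. On Windows Server 2003 (IIS 6) the same settings are exposed by the IIS WMI provider, which lets you audit a server before you touch it and then apply the changes in one pass. The script below is an added example, not part of the original document or of ACT! for Web; the metabase paths (`W3SVC/1` for the Default Web Site, `ActWeb` for the ACT! folder) and the virtual-directory names are assumptions, and IIS 5 on Windows 2000 has no WMI provider, so this does not apply there.

```powershell
# Added example (not from the original document): audit and optionally apply
# the IIS lock-down described in this chapter via the IIS 6 WMI provider
# (root\MicrosoftIISv2, Windows Server 2003).  Without -Apply nothing changes.
# Metabase names below are assumptions; check them in the IIS MMC first.
param(
    [string]$SiteRoot = 'W3SVC/1/ROOT',                      # Default Web Site root
    [string]$ActWeb   = 'W3SVC/1/ROOT/ActWeb',               # ACT! for Web virtual folder
    [string[]]$KeepExtensions = @('.asp', '.asa'),           # required by ACT! for Web
    [string[]]$RemoveVDirs = @('IISHelp', 'IISAdmin', 'IISSamples', 'MSADC', '_vti_bin'),
    [string]$DefaultDoc = 'web.gif',                         # harmless image from the Documents step
    [switch]$Apply
)
$ns = 'root\MicrosoftIISv2'

# 1. Unwanted virtual directories directly under the site root
Get-WmiObject -Namespace $ns -Class IIsWebVirtualDir |
    Where-Object { $_.Name -like "$SiteRoot/*" -and $RemoveVDirs -contains $_.Name.Split('/')[-1] } |
    ForEach-Object {
        "Virtual directory to remove: $($_.Name)"
        if ($Apply) { $_.Delete() }
    }

# 2. Script mappings other than ASP/ASA hand requests to ISAPI code the site does not need
$root  = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting -Filter "Name='$SiteRoot'"
$extra = @($root.ScriptMaps | Where-Object { $KeepExtensions -notcontains $_.Extensions })
$extra | ForEach-Object { "Extra script map: $($_.Extensions) -> $($_.ScriptProcessor)" }
if ($Apply -and $extra.Count -gt 0) {
    $root.ScriptMaps = @($root.ScriptMaps | Where-Object { $KeepExtensions -contains $_.Extensions })
}

# 3. One default document that reveals nothing about the site
"Default documents on ${SiteRoot}: $($root.DefaultDoc)"
if ($Apply) { $root.DefaultDoc = $DefaultDoc }
if ($Apply) { $root.Put() | Out-Null }

# 4. ActWeb: anonymous access off, Integrated Windows authentication on, Default.htm kept
$aw = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting -Filter "Name='$ActWeb'"
if ($null -eq $aw) {
    "ActWeb virtual directory not found at $ActWeb (ACT! for Web not installed yet?)"
} else {
    "ActWeb: Anonymous=$($aw.AuthAnonymous) IntegratedWindows=$($aw.AuthNTLM) DefaultDoc=$($aw.DefaultDoc)"
    if ($Apply) {
        $aw.AuthAnonymous = $false
        $aw.AuthNTLM      = $true
        if ($aw.DefaultDoc -notmatch 'Default\.htm') { $aw.DefaultDoc = 'Default.htm' }
        $aw.Put() | Out-Null
    }
}
```

Run it once without `-Apply` and compare the report with what the client’s administrator expects to be on the server; the script only removes the virtual directories you name in `-RemoveVDirs`, so a folder that is in use for another application is left alone unless you list it.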
Additional security can be achieved by making your website more difficult to find by potential
hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not
to use any of the other common ports that you may wish to use later. You’ll need to
state the port when logging in, eg: http://domain.com:port/actweb. Using SSL
(Secure Sockets Layer) on port 443 will also add to the security of your data by
adding encryption to the flow across the internet. This will use the https protocol
instead of http when entering the URL into your browser.
2. Search engines send out “spiders” to obtain information on sites available on the web.
This means that searching google.com or other search engines for the phrase "ACT!
for Web Login" (in quotes) may point to your site (good for public web sites, less
good for your corporate database). If you would like to prevent a site from being
catalogued in a search engine's database, you can take steps to address this. Keep in
mind that if you have existing websites, they may have already begun to take the steps
to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file.
Keep in mind that it is impossible to prevent any directly accessible resource on a site
from being linked to by external sites, be it by their partner sites, competitive sites or
search engines. However, these methods are generally accepted by the popular search
engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
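Both of the steps above can be scripted on an IIS 6 server. The PowerShell below is an added example, not part of the original document: it rewrites the site’s bindings to a non-standard port through the IIS WMI provider and writes a robots.txt that asks crawlers to stay out of the login folder. The port number, web-root path and metabase site id are constructed values for the example.

```powershell
# Added example (not from the original document): move the Default Web Site to
# a non-standard port (IIS 6 WMI provider) and publish a robots.txt that keeps
# well-behaved search engine spiders away from the ACT! login folder.
# Port, paths and metabase ids are assumptions for the example.
param(
    [int]$Port = 8443,                       # constructed value; choose an unused port
    [string]$SiteId = 'W3SVC/1',             # Default Web Site
    [string]$WebRoot = 'C:\Inetpub\wwwroot',
    [string]$LoginFolder = '/actweb/'
)
$ns = 'root\MicrosoftIISv2'

# 1. ServerBindings is a list of IP:Port:Host triples; keep IP and host, swap the port
$site = Get-WmiObject -Namespace $ns -Class IIsWebServerSetting -Filter "Name='$SiteId'"
if ($null -eq $site) { throw "Site $SiteId not found in the metabase" }
$newBindings = foreach ($b in $site.ServerBindings) {
    $nb = ([wmiclass]"${ns}:ServerBinding").CreateInstance()
    $nb.IP       = $b.IP
    $nb.Hostname = $b.Hostname
    $nb.Port     = "$Port"                   # the Port property is a string in the metabase
    $nb
}
$site.ServerBindings = @($newBindings)
$site.Put() | Out-Null
"Site $SiteId now listens on port $Port; users log in at http://<host>:$Port$LoginFolder"

# 2. robots.txt: advisory only.  Spiders that honour the standard will not index
#    the folder; it does nothing to stop a direct request for the URL.
@"
User-agent: *
Disallow: $LoginFolder
"@ | Set-Content -Path (Join-Path $WebRoot 'robots.txt') -Encoding ASCII
"robots.txt written to $WebRoot"
```

Remember to open the new port on the firewall (and close 80 if nothing else needs it) before telling users the new URL. Note also that robots.txt is itself a public file, so the path it lists is visible to anyone who reads it; as the text above says, it reduces what search engines catalogue but does not hide a directly accessible resource.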
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server – as
before, these need to be discussed with the administrator of the server you are
implementing on, as some may affect other operations on the server in question:
Rename the Administrator account or disable it after creating another named account
with administrator access. Renaming the “Everyone” group to a different name can
also be useful.
Do not use the server to browse the internet; also do not browse the internet from an
account that is a member of the Admin group. Any web attacks would then have
complete access to install software and access your system in potentially undesired
ways.
Run minimal services on the server. Run only those services that are necessary for
your purposes. Each additional service that you run presents a potential entry point
for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server
with the critical updates from http://windowsupdate.microsoft.com/ and also keep
your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as
discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp.
Select the applicable type of server configuration. Note: This product
will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select Ok. For more
information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information, also read:
http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes – BACKUP THE REGISTRY FIRST:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the LegalNoticeCaption value to your company name or site owner
Change the LegalNoticeText value to “Unauthorized Use”
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
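The registry list above starts with “backup first”, and the items under SubSystems and ClientProtocols are registry values rather than subkeys, which matters for how you remove them. The script below is an added example, not part of the original document: it exports every key it is about to touch with reg.exe, refuses to continue if an export fails, and then applies the changes so that it can be re-run safely. The backup folder and the banner caption are constructed placeholders.

```powershell
# Added example (not from the original document): export the affected keys with
# reg.exe, then apply the registry changes listed above.  Run from an elevated
# PowerShell on the server; -WhatIf reports what would change without changing it.
param(
    [string]$BackupDir = 'C:\RegBackup',   # constructed location; change to suit
    [string]$Caption   = 'Example Pty Ltd', # constructed; use the company or site owner name
    [switch]$WhatIf
)

$keys = @{
    Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    SubSys    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    RpcClient = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'
}

# 1. Backup: one .reg export per key, time-stamped; abort on any failure
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($name in $keys.Keys) {
    $native = $keys[$name] -replace '^HKLM:\\', 'HKLM\'     # reg.exe wants HKLM\..., not HKLM:\...
    $file   = Join-Path $BackupDir ("$name-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $native failed; stopping before any change." }
    "Backed up $native to $file"
}

# 2. Logon banner values under Winlogon (Windows 2000/2003)
$text = 'Unauthorized Use'
if ($WhatIf) {
    "Would set LegalNoticeCaption='$Caption' and LegalNoticeText='$text'"
} else {
    Set-ItemProperty -Path $keys.Winlogon -Name LegalNoticeCaption -Value $Caption
    Set-ItemProperty -Path $keys.Winlogon -Name LegalNoticeText    -Value $text
}

# 3. The OS/2 and POSIX subsystem entries and the RPC client protocols are
#    *values* under their keys; check each before removing so re-runs are harmless
$removals = @(
    @{ Path = $keys.SubSys;    Name = 'Os2' },
    @{ Path = $keys.SubSys;    Name = 'Posix' },
    @{ Path = $keys.SubSys;    Name = 'Optional' },
    @{ Path = $keys.RpcClient; Name = 'ncacn_ip_tcp' },
    @{ Path = $keys.RpcClient; Name = 'ncadg_ip_udp' }
)
foreach ($r in $removals) {
    $present = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $present) { "Already absent: $($r.Path)\$($r.Name)"; continue }
    if ($WhatIf) { "Would delete value $($r.Path)\$($r.Name)" }
    else { Remove-ItemProperty -Path $r.Path -Name $r.Name; "Deleted $($r.Path)\$($r.Name)" }
}
```

If a change needs to be reversed, double-clicking the matching .reg file in the backup folder (or `reg.exe import`) restores the key as it was; as the text says, agree these changes with the server’s administrator first, since the RPC client protocol entries in particular are used by other software on the machine.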
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
Set display list to 10 seconds.
Check “Automatic Reboot”
Set Write Debugging Information to “none”
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success, Failure
Audit account management to Success, Failure
Audit directory service access to Success, Failure
Audit logon events to Success, Failure
Audit policy change to Success, Failure
Audit privilege use to Success, Failure
Audit process tracking to Success, Failure
Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security
Options
Allow System to Be Shut Down Without Having to Log On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirement for Logon to Disabled
Do Not Display Last User Name in Logon Screen to Enabled
Message Text for Users Attempting to Log On to “Unauthorized use prohibited”
Message Title for Users Attempting to Log On to the company or site owner’s name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console: Allow Automatic Administrative Logon to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On User to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE: May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General
Deselect all components except “Internet Protocol (TCP/IP)”
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General,
select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General,
select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP, and IP ports as needed – although it is often better to
do this from an external firewall, doing it through both assists in protecting you against
breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and
Groups | Users
Guest account | General tab | Cannot change password
Guest account | General tab | Password never expires
Guest account | General tab | Account disabled
Guest account | Dial-in tab | Remote Access Permission | Deny access
Services
o Configure the following Windows Services to start automatically:
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
Other General Changes
o For the Everyone group (that may have been renamed)
C drive: Documents and Settings folder rights: Read & Execute, List Folder Contents,
Read
C drive: WinNT folder rights: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from the following C:\winnt\system32 files, in addition to the ones mentioned
above:
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe,
rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com,
regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe,
ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
(And any others not needed)
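The file-permission step in Chapter 5 (a Deny entry for IUSR on cmd.exe, command.com, tftp.exe and httpodbc.dll) and the list just above (remove Everyone and IUSR rights from the system32 tools) are the same operation on different files, so one script serves both. It is an added example, not part of the original document: it adds an explicit Deny for the IIS anonymous account, removes explicit Allow entries for Everyone, reports (rather than silently changes) files whose Everyone entry is inherited from the parent folder, and looks in more than one folder because, as the text says, there is usually more than one copy of these files. The folder list and the account names are assumptions; default.ida is not a file and is handled by the script-mapping step instead.

```powershell
# Added example (not from the original document): deny the IIS anonymous
# account and strip Everyone's explicit rights on the executables listed above.
# Run from an elevated PowerShell on the server.  Files not found are skipped.
$machine = $env:COMPUTERNAME
$iusr    = "$machine\IUSR_$machine"      # rename here if the site uses a different anonymous account
$everyone = 'Everyone'                   # rename here if the group has been renamed as suggested
$files = @('arp.exe', 'ipconfig.exe', 'netstat.exe', 'at.exe', 'net.exe', 'ping.exe', 'cacls.exe',
           'nslookup.exe', 'rdisk.exe', 'cmd.exe', 'posix.exe', 'regedt32.exe', 'debug.exe', 'rcp.exe',
           'route.exe', 'edit.com', 'regedit.exe', 'runonce.exe', 'edlin.exe', 'rexec.exe', 'syskey.exe',
           'finger.exe', 'rsh.exe', 'tracert.exe', 'ftp.exe', 'telnet.exe', 'command.com', 'xcopy.exe',
           'nbtstat.exe', 'tftp.exe', 'httpodbc.dll')
# Assumed places copies live: system32, the IIS folder, the WFP cache and the Windows folder itself
$roots = @("$env:SystemRoot\system32", "$env:SystemRoot\system32\inetsrv",
           "$env:SystemRoot\system32\dllcache", $env:SystemRoot)

function Add-DenyAce {
    # Explicit Deny of Read & Execute for one account; returns $true if the ACL changed
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    $already = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -ieq $Identity -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    }
    if ($already) { return $false }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $true
}

function Remove-ExplicitAllow {
    # Removes explicit Allow entries for one account; inherited ones are reported, not changed,
    # because they must be handled at the folder they come from
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -LiteralPath $Path
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Identity })
    if ($hits.Count -eq 0) { return $false }
    $inherited = @($hits | Where-Object { $_.IsInherited })
    if ($inherited.Count -gt 0) { "  note: $Identity rights on $Path are inherited from the parent folder" }
    $who = New-Object System.Security.Principal.NTAccount($Identity)
    $acl.PurgeAccessRules($who)               # removes the explicit entries for this account
    Set-Acl -LiteralPath $Path -AclObject $acl
    return ($hits.Count -gt $inherited.Count)
}

foreach ($root in $roots) {
    foreach ($f in $files) {
        $p = Join-Path $root $f
        if (-not (Test-Path -LiteralPath $p)) { continue }
        if (Add-DenyAce -Path $p -Identity $iusr)              { "Denied $iusr on $p" }
        if (Remove-ExplicitAllow -Path $p -Identity $everyone) { "Removed $everyone rights on $p" }
    }
}
```

A Deny entry always wins over an Allow, which is why the script denies only the anonymous account and merely removes Everyone’s Allow entries: a Deny for Everyone would also lock administrators (who are members of Everyone) out of cmd.exe. After running it, log on as a normal user and confirm that the ACT! for Web site still works, since the IIS anonymous account needs no access to any of these files when the site is configured as described above.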
o Display Properties
Set screen saver to “Logon Screen Saver”
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable “start program on Windows startup” option
Turn on all activity logs (detection, quarantine, etc)
Disable “audible alert” option
Check that “how to respond when a virus is found” is set for an automatic solution.
(Norton, for example, uses a default of “ask me what to do”.)
Enable scan of “master boot records”
Enable scan of “boot records”
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning service to verify your site is secure and no
vulnerabilities exist. A web search for the term “vulnerability scanner” will yield numerous
companies to select from.
NOTE: Other security steps may be required based on your system, architecture, and specific needs!
Site and server security requires daily procedures to ensure a proper defence. Security patches must be
applied upon release, and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts.