IT Governance, Compliance, Security and Audit from the Pros: IIS


Windows NT Server IIS


In this, my first column, I am going to step out on a limb and talk about two topics often in the news—Microsoft and the Web. Why Microsoft and the Web? With Windows NT Server 4.0, Microsoft has bundled the Internet Information Server, so we should start to see plenty of it.

Like most operating systems and application software, there are "gotchas" with Windows NT Server and Internet Information Server security. For instance, you could leave a NetBIOS share wide open, and anyone with Windows 95 could gain access.

Unfortunately, vanilla Windows NT probably isn't secure enough to survive in the hostile environment of the Internet. As NT increasingly finds itself operating in the wild, its administrators need to master techniques that UNIX administrators have known for decades.

Here, then, are some preliminary thoughts for making an NT Web site less vulnerable.

  • Use NTFS on Internet-connected Windows NT machines, since it supports resource level and share level security for files and directories.

  • Set an account lockout policy using User Manager to foil brute-force password-guessing attacks.

  • Rename the Administrator account. That way, a password-guesser must first guess the account's name. To rename the administrative account, select the User | Rename menu choice in User Manager.

  • Disable the Guest account and remove or restrict all other user accounts. A machine dedicated to providing public Internet services does not need, and should not have, user accounts other than for its administration.

  • Enable event-auditing using Start | Administrative Tools (Common) | User Manager | Policies | Audit. You can audit both successes and failures of various operations. Obviously, there are some failures you'll want to log, but you also may want to capture successes for infrequent operations—such as Security Policy Changes—that might indicate unauthorized activity.

  • Enable logging for the IIS service on the Logging Properties sheet from the WWW Service Properties dialog panel.

  • Review the event logs to understand what records NT writes under normal conditions.

  • Ensure you guard the audit logs, because attackers typically try to cover their tracks after a break-in.

  • Make frequent backups of your Web site. Should someone bring down your system, you can restore the system quickly.

  • In the Bindings dialog box in the Networks control panel, disable any or all of the bindings between NetBIOS-based services and TCP/IP.

  • Revoke the "Access from Network" right from the group Everyone.

  • Keep Common Gateway Interface (CGI) scripts in one place, and set restrictive permissions for that directory.

  • Create a customized greeting message.

  • Be wary of offering WINS service over the Internet.

  • Review all trust relationships.

  • Use the multi-homing feature very carefully to route packets and support virtual Web servers. Allegedly, you can have 254 addresses per adapter. It is a good fault tolerance feature, but it can get out of control.

  • Use the Secure Sockets Layer (SSL).

  • Review server performance with the Performance Monitor.

  • Remove sample executables and IDC scripts from the tools directory from any IIS Web site, or at least remove the IUSR_computername access to execute the tools.
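Two of the items above (enable IIS logging; remove the sample executables and IDC scripts) pay off only if someone actually reads the logs. The following is an added example, not code from the original column, that parses a few constructed lines in the comma-separated "Microsoft IIS Log Format" (an assumed field layout: client IP, user, date, time, service, server, server IP, time taken, bytes received, bytes sent, HTTP status, Win32 status, method, target, parameters) and flags requests for sample/tool paths and clients that rack up repeated 401 failures, which is what a password-guesser against a protected directory looks like from the Web server's side.

```python
from collections import Counter

# Constructed sample log (Microsoft IIS Log Format layout is an assumption);
# the hosts, paths and timestamps are made up, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5, -, 03/20/97, 07:55:20, W3SVC, WEBSRV, 192.0.2.10, 120, 163, 3223, 200, 0, GET, /default.htm, -,
10.0.0.5, -, 03/20/97, 07:55:21, W3SVC, WEBSRV, 192.0.2.10, 90, 150, 210, 200, 0, GET, /scripts/tools/sample.exe, -,
10.0.0.7, -, 03/20/97, 07:56:02, W3SVC, WEBSRV, 192.0.2.10, 80, 140, 180, 200, 0, GET, /samples/dbsamp/query.idc, -,
10.0.0.9, -, 03/20/97, 08:01:10, W3SVC, WEBSRV, 192.0.2.10, 10, 130, 0, 401, 5, GET, /private/admin.htm, -,
10.0.0.9, -, 03/20/97, 08:01:11, W3SVC, WEBSRV, 192.0.2.10, 10, 130, 0, 401, 5, GET, /private/admin.htm, -,
10.0.0.9, -, 03/20/97, 08:01:12, W3SVC, WEBSRV, 192.0.2.10, 10, 130, 0, 401, 5, GET, /private/admin.htm, -,
10.0.0.9, -, 03/20/97, 08:01:13, W3SVC, WEBSRV, 192.0.2.10, 10, 130, 0, 401, 5, GET, /private/admin.htm, -,
"""

# Directories the checklist says should not exist on a public server (assumed
# default locations of the IIS samples and tools; adjust to your install).
SAMPLE_DIRS = ("/scripts/tools/", "/samples/")
GUESS_THRESHOLD = 3  # 401s from one client before we call it password guessing

def parse_line(line):
    """Split one log line into the fields we care about; None if malformed."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 14 or not fields[10].isdigit():
        return None
    return {"client": fields[0], "user": fields[1], "status": int(fields[10]),
            "method": fields[12], "target": fields[13]}

def find_sample_requests(log_text):
    """(client, target) pairs for requests aimed at sample/tool paths or .idc files."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"].lower()
        if target.startswith(SAMPLE_DIRS) or target.endswith(".idc"):
            hits.append((rec["client"], rec["target"]))
    return hits

def find_password_guessers(log_text, threshold=GUESS_THRESHOLD):
    """Clients with at least `threshold` 401 (authentication failed) responses."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["status"] == 401:
            failures[rec["client"]] += 1
    return {client: n for client, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print("sample/tool requests:", find_sample_requests(SAMPLE_LOG))
    print("repeated 401 clients:", find_password_guessers(SAMPLE_LOG))
```

Any hit from the first function means a sample script is still reachable and the removal step was skipped; hits from the second are the cases the account lockout policy is meant to stop.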

Most of the defenses outlined here are simple, but they require effort and diligence. Out of the box, NT configures itself for a trusting environment. When you put an NT server on the Internet, the governing principle must be distrust, not trust.

Diligence also requires you to keep up-to-date with Windows NT Server and IIS security issues. As you begin to work on securing your Web site, you will discover that the Internet itself is a great resource. Start by checking out the WWW Security FAQ. In addition, check out the USENET newsgroups starting with comp.os.ms-windows.nt. Microsoft also offers a wealth of information.
