Web services are one of the most vulnerable points in any network. Chances are that you have the highly popular Web server, Microsoft's Internet Information Server (IIS), running in your environment. While the latest IIS 6.0 release tightens security, it's not a security panacea. There are five simple actions you can take with version 6.0 to make your server more secure.
- Only enable IIS components needed to meet business requirements.
One of the best changes in 6.0 is a philosophical shift toward only enabling by default those services that are absolutely necessary for the operation of IIS with static Web pages. Be careful to maintain this philosophy and only permit those services you truly need.
- Strictly limit the access rights assigned to the IUSR_systemname account.
The IUSR (Internet user) account is used by many applications running on the server to interact with the system on behalf of unauthenticated Web users. It's essential that you limit the access privileges granted to this account to those absolutely necessary for the operation of your server.
- Use automatic updates to keep current on security patches.
While the new version sports significant security improvements over previous ones, if history repeats itself (as it always seems to do for Microsoft), the release of 6.0 will soon be followed by one or more hotfixes for new security issues. Enable automatic updates to ensure that you receive
- these patches as soon as possible.
- Utilize Rapid-Fail Protection.
One of the greatest new version features that you can enable is Rapid-Fail Protection. This will protect your server from the performance and security issues associated with a process that fails too many times within a short period, possibly indicating a malfunction or malicious attack. When such a condition occurs, the Web administration service disables the application pool, preventing future failures and making the application unavailable until the administrator intervenes.
- Place strict limits on remote administration.
It's great to be able to administer your server from anywhere, but you want to make sure that only authorized users can do so. You should require that all remote administrators log in from static IP addresses and that logins are restricted to predetermined "safe" IP addresses. You should also implement strong authentication.
While this isn't a complete list of the actions you should perform, these five simple measures can immediately improve the security posture of your IIS server. For more information on IIS security, visit Microsoft's IIS Security Center.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.
This was first published in September 2004