Securing IIS Server Checklists

Abstract

This paper is designed to demonstrate the common IIS web server security specifications in the form of a checklist that aids web masters or penetration testers to implement a secure web server infrastructure swiftly. It is mandatory for a web application to be duly full proof from vicious attacks and for stopping damage which could be in any form. Security professionals and penetration testers are typically part of a web project to ensure the website is protected from various attacks by detecting loopholes which might be exploited later. But such a critical task is typically not followed in a proper manner, and web applications go live into the production environment with inherent vulnerabilities, or even without complying to security guidelines. It is so because developers and organizations are often in a hurry to launch the software into the production environment due to various unnamed pressures.

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

See Courses

Unfortunately, there is no single tool available which can claim comprehensive security of an application, because attacks can come in any form, in fact the horizon is so extensive that it is beyond assumption. So such summarized checklist snapshots have proven to be truly a savior for hardening or to improve our deployment workstation security precipitously.

Virtual Directory

Machine Configuration File

Security Specifications

Status

Ensure DEBUG is turned off in WEB.CONFIG file

Ensure TRACE is set to false or disabled

Ensure unnecessary HTTP Modules are removed

Secure Communication

Security Specifications

Status

Ensure HTTP requests are filtered or categorized

Ensure HTTPS is enabled, in case your website deals with sensitive data

Ensure Server Certificates are updated and issued by a trusted organization

Ensure Certificates have not withdrawn

In case of remote administration, ensure proper time-outs and encryption are configured

Ensure communication happens through only port 80 or 443

Ensure that IPSec is formed in the network for secure communication

Logging and Audit

Security Specifications

Status

Ensure Failed Logon Attempts are regularly inspected

Ensure Log files are properly maintained and audited

Confirm W3C extended format is enabled for auditing

IIS Metabase and Filters

Security Specifications

Status

Ensure Banner grabbing is disabled

Ensure File (%systemroot%system32inetsrvmetabase.bin)

access is restricted

Ensure unused extensions (.shtml, .hta, .htw, .stm) are removed

Ensure unemployed ISAPI filters are disabled or removed.

Ensure 'Forbidden Handler' is mapped to unemployed ASP.NET files extension

Server Accounts

Security Specifications

Status

Ensure anonymous logon is disabled

Ensure unused IUSR_MACHINE account is disabled

Ensure a solitary administrator account only

Ensure administrator account is properly hardened by strong password scheme

Ensure GUEST account is disabled

Ensure remote logon is disabled

Ensure ASP.NET process account is configured to least access

Ensure anyone couldn't login locally except administrator

Code Access Security

Security Specifications

Status

Confirm CAS is enabled

Confirm source code is obfuscated

Confirm custom error page is installed on server

Confirm permissions removed from Internet and Intranet zone

System Configuration

Security Specifications

Status

Confirm ASP .NET state service is disabled

Confirm Remote Registry Administration is disabled

Confirm WebDAW service is disabled

Confirm FTP and SMTP services are disabled

Confirm SMB service is disabled

Confirm All Redundant share's (C$, D$,..) is removed

Confirm Remote Administration by TELNET is disabled

Confirm only essential System Services are given least privileges

Confirm redundant system services are stopped

Ensure IIS is not installed on domain controller

Ensure IDS is installed in the network perimeter

Ensure that IIS server is configured inside DMZ

Server Updates

Security Specifications

Status

Ensure Windows Operating System is updated

Ensure .NET Framework is Updated

Ensure IIS web server is duly patched

Ensure MBSA is configured and running regularly

Ensure EMET is installed on server and enabled

Ensure Microsoft Notification Service is Enabled

Ensure effective Anti-virus is installed and running

Final Note

In this article, we have seen how to harden the IIS web server to protect ASP.NET websites. This article in fact didn't explain various attacks and their countermeasure. Instead, it is pinpointing major security guidelines in the form of checklists which can be applied swiftly over a web server, so that a developer can ensure himself that a particular security mechanism is applied and it is enabled. Because some critical bugs go unnoticed and remain in the final version of the software, which could get the application into trouble. Hence, such a synopsis reference eases the undertaking of developers or security professionals in terms of not overlooking or forgetting critical security configurations on the web server.