Harden Windows Server 2003 IIS Server


Overview

This module describes the steps required to harden the IIS servers in your environment. To provide comprehensive security for Web servers and applications on your organization's corporate intranet, you should protect each Microsoft Internet Information Services (IIS) server, and each Web site and application running on it, from the client computers that connect to it. In addition, the Web sites and applications on each IIS server should be protected from Web sites and applications running on other IIS servers in the corporate intranet.

To make it harder for malicious users and attackers to gain a foothold, IIS is not installed by default on the Windows Server 2003 family of products. When it is installed, IIS starts in a highly secure "locked down" mode: by default it serves only static content. Features such as Active Server Pages (ASP), ASP.NET, Server Side Includes (SSI), Web Distributed Authoring and Versioning (WebDAV) publishing, and Microsoft FrontPage Server Extensions work only after an administrator has enabled them. These features and services are enabled or prohibited through the Web Service Extensions node in Internet Information Services Manager (IIS Manager).
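The locked-down default above is only useful if it stays that way. The following script, added here as an example and not part of the original guide, reads the Web Service Extensions list from the IIS 6 WMI provider (namespace root\MicrosoftIISv2, class IIsWebServiceSetting) and flags anything that is enabled but not on an explicit allow list. The allow list containing only "ASP" is an assumption for a static-content intranet server that also needs ASP; replace it with the groups your site actually requires.

```powershell
# Added example, not part of the original guide: audit the Web Service
# Extensions list on an IIS 6 server through the IIS WMI provider and flag
# anything enabled that is not on an explicit allow list. Run on the IIS
# server in an elevated PowerShell.
# ASSUMPTION: only ASP is approved on this server; adjust to your site.
$allowedGroups = @('ASP')

$svc = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class 'IIsWebServiceSetting' `
                     -Filter "Name='W3SVC'"

# Each WebSvcExtRestrictionList entry has the IIS 6 metabase layout
#   "Access,Path,UIDeletable,GroupID,Description"
# where Access is 1 (Allowed) or 0 (Prohibited). The two wildcard entries
# "*.dll" and "*.exe" govern every ISAPI extension and CGI executable that
# is not listed explicitly ("Unknown ISAPI/CGI Extensions" in IIS Manager).
$wildcards = @('*.dll', '*.exe')
$entries = foreach ($raw in $svc.WebSvcExtRestrictionList) {
    $f = $raw -split ',', 5
    $group = $f[1]
    $desc  = ''
    if ($f.Count -gt 3) { $group = $f[3] }
    if ($f.Count -gt 4) { $desc  = $f[4] }
    New-Object PSObject -Property @{
        Allowed     = ($f[0] -eq '1')
        Path        = $f[1]
        GroupID     = $group
        Description = $desc
    }
}

# Show the current state the way IIS Manager would
$entries | Sort-Object GroupID | Format-Table Allowed, GroupID, Path -AutoSize

# Check 1: unlisted ISAPI/CGI code must stay prohibited.
foreach ($w in ($entries | Where-Object { $wildcards -contains $_.Path })) {
    if ($w.Allowed) {
        Write-Warning "Wildcard entry $($w.Path) is ALLOWED: any unlisted extension can run"
    }
}

# Check 2: every allowed, explicitly listed extension must be approved.
$unexpected = $entries | Where-Object {
    $_.Allowed -and ($wildcards -notcontains $_.Path) -and ($allowedGroups -notcontains $_.GroupID)
}
foreach ($u in $unexpected) {
    Write-Warning ("Enabled but not approved: {0} ({1})" -f $u.GroupID, $u.Path)
    # Prohibit an extension with the IIS 6 admin script that ships with
    # Windows Server 2003, for example:
    #   cscript %SystemRoot%\system32\iisext.vbs /DisExt ASP
}
```

Because the check keys on the GroupID rather than the file path, it still works when an extension such as ASP.NET registers more than one file under one group; the wildcard check is kept separate because those two entries are the ones that matter most, and a warning there means arbitrary ISAPI or CGI code placed on the server can execute.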

IIS Manager provides a graphical user interface (GUI) for managing IIS. It includes file and directory management, the ability to configure application pools, and many security, performance, and reliability features.

The following sections of this chapter detail the security hardening settings that can be enforced to improve the security of an IIS server that hosts HTML content on the corporate intranet. However, to ensure that the IIS server remains in a secure state, you should also carry out security monitoring, detection, and response procedures.

Audit Policy Settings

In the three environments defined in this guide, the audit policy settings for IIS servers are configured through the Member Server Baseline Policy (MSBP). For more information about the MSBP, see the module Creating a Member Server Baseline for Windows Server 2003 Servers. The MSBP settings ensure that all relevant security audit information is logged on every IIS server.

User Rights Assignment

Most user rights assignments for IIS servers in the three environments defined in this guide are configured through the MSBP. For more information about the MSBP, see the module Creating a Member Server Baseline for Windows Server 2003 Servers. The one setting in which the incremental IIS Group Policy differs from the MSBP is explained in the next section.

Deny access to this computer over the network

Table: "Deny access to this computer over the network" setting for IIS servers

Member Server Default: SUPPORT_388945a0

Legacy Client: ANONYMOUS LOGON; built-in Administrator account; Support_388945a0; Guest; all non-operating-system service accounts

Enterprise Client: ANONYMOUS LOGON; built-in Administrator account; Support_388945a0; Guest; all non-operating-system service accounts

High Security: ANONYMOUS LOGON; built-in Administrator account; Support_388945a0; Guest; all non-operating-system service accounts

Note: ANONYMOUS LOGON, the built-in Administrator account, Support_388945a0, Guest, and the non-operating-system service accounts are not included in the security template, because these accounts and groups have security identifiers (SIDs) that are unique to each domain in the organization. You must therefore add them manually.

The "Deny access to this computer over the network" setting determines which users are prevented from accessing the computer over the network. It blocks network logons for a number of protocols, including Server Message Block (SMB), Network Basic Input/Output System (NetBIOS), Common Internet File System (CIFS), Hypertext Transfer Protocol (HTTP), and Component Object Model Plus (COM+). When a user account is subject to both policies, this setting overrides the "Access this computer from the network" setting. Assigning this user right to additional groups can prevent users from performing delegated administrative tasks in your environment, so extend the list with care.

In the module Creating a Member Server Baseline for Windows Server 2003 Servers, this guide recommends including the Guests group among the users and groups assigned this right, to provide the greatest possible security. However, the IUSR account that IIS uses for anonymous access (IUSR_computername) is a member of the Guests group by default, so denying Guests network logon on an IIS server would also block anonymous Web requests. This guide therefore recommends removing the Guests group from the list in the incremental IIS Group Policy, so that anonymous access to the IIS server can still be configured when it is needed. In all three environments defined in this guide, the "Deny access to this computer over the network" setting for IIS servers is configured to include: ANONYMOUS LOGON, the built-in Administrator account, Support_388945a0, Guest, and all non-operating-system service accounts.
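Because the accounts above must be added to the policy by hand, it is worth verifying the result on the server rather than trusting the template. The script below is an added example, not part of the original guide: it exports the effective local security policy with secedit, reads SeDenyNetworkLogonRight (the internal name of "Deny access to this computer over the network"), resolves the SIDs, and checks that every account from the table is present while BUILTIN\Guests is absent. The service-account name svc-webapp is an assumption standing in for your own non-operating-system service accounts.

```powershell
# Added example, not part of the original guide. Checks the effective
# "Deny access to this computer over the network" right on an IIS server:
#   1. every principal from the guide's table must be present, and
#   2. BUILTIN\Guests must NOT be present, because the IIS anonymous
#      account (IUSR_computername) is a Guests member by default.
# Run in an elevated PowerShell on the IIS server.
# ASSUMPTION: the non-OS service account list below; replace with yours.
$serviceAccounts = @("$env:USERDOMAIN\svc-webapp")

function Get-DenyNetworkLogonPrincipals {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & "$env:SystemRoot\system32\secedit.exe" /export /cfg $cfg | Out-Null
    # secedit writes a Unicode INF; the right is one line in [Privilege Rights]:
    #   SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546,Support_388945a0
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -replace '^SeDenyNetworkLogonRight\s*=\s*', '') -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            # "*S-1-..." entries are SIDs; resolve them to DOMAIN\name
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $v   # orphaned SID (deleted account): keep it so it shows in the report
            }
        } else {
            $v
        }
    }
}

$denied = @(Get-DenyNetworkLogonPrincipals)
"Principals currently denied network logon:"
$denied | ForEach-Object { "  $_" }

# The guide's accounts. On a member server the built-in Administrator,
# Support_388945a0 and Guest are local accounts, so they resolve as
# COMPUTERNAME\name; ANONYMOUS LOGON is the well-known SID S-1-5-7.
$expected = @('NT AUTHORITY\ANONYMOUS LOGON',
              "$env:COMPUTERNAME\Administrator",
              "$env:COMPUTERNAME\SUPPORT_388945a0",
              "$env:COMPUTERNAME\Guest") + $serviceAccounts

foreach ($e in $expected) {
    if (-not ($denied | Where-Object { $_ -ieq $e })) {
        Write-Warning "Not denied network logon (add it to the policy): $e"
    }
}

# The IIS-specific deviation from the Member Server Baseline.
if ($denied | Where-Object { $_ -ieq 'BUILTIN\Guests' }) {
    $anon = (Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class 'IIsWebServiceSetting' `
                           -Filter "Name='W3SVC'").AnonymousUserName
    Write-Warning "BUILTIN\Guests is denied network logon; anonymous access as $anon will fail."
}
```

The last check reads the configured anonymous user name from the IIS metabase so the warning names the account that would actually break. If a different account than IUSR_computername has been configured for anonymous access, confirm separately that it is not a Guests member before assuming the Guests exclusion is still needed.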

Security Options

In the three environments defined in this guide, the security option settings for IIS servers are configured through the MSBP. For more information about the MSBP, see the module Creating a Member Server Baseline for Windows Server 2003 Servers. The MSBP settings ensure that the relevant security options are configured uniformly on all of the corporate IIS servers.

Copyright © Windows knowledge All Rights Reserved