iis security sridurga mavram. contents -introduction -security consideration -creating a web page...
TRANSCRIPT
![Page 1: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/1.jpg)
IIS Security
Sridurga Mavram
![Page 2: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/2.jpg)
Contents
-Introduction
-Security Consideration
-Creating a web page
-Drawbacks
-Security Tools
-Conclusion
-References
![Page 3: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/3.jpg)
- What is IIS?
IIS, an acronym for Internet Information Services is a web application server program that handles HTTP requests
The Internet Information Services is a suite of tools and services for creating, managing, and securing Web sites
Popular because IIS sites are so easy to implement.
- Why should you Secure it?
Easy to use, easy to hack
Default installation(comes with OS) is massively vulnerable and it is no wonder that attackers are finding IIS to be "the easiest pickings" of all Web servers.
Introduction
![Page 4: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/4.jpg)
Security Consideration
- During Installation/Enabling
- Post Installation
![Page 5: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/5.jpg)
During Installation/Enabling
DO NOT install IIS together with services that are of key importance for LAN functionality or security.
Default/No Harm Services:
•Common Files
•Documentation
•Internet Information Services Snap-In
•World Wide Web Server
Contd..
![Page 6: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/6.jpg)
•File Transfer Protocol (FTP) Server
•NNTP Service
•SMTP Service
Risky:
•FrontPage 2000 Server Extensions
•Internet Service Manager (HTML)
![Page 7: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/7.jpg)
![Page 8: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/8.jpg)
-The first step in securing your server is to download the most updated Service Pack and current IIS patches.
- Don't forget to register so that you will automatically receive Microsoft security bulletins
Piece of Note
![Page 9: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/9.jpg)
Post Installation
Before attempting to change settings, ensure that you make a backup copy of the metabase (i.e. the IIS configuration).
To do this, in the "Internet Services Manager" application, click on "Backup/Restore Configuration".
Give a name and create a backup
Location of Storing :
C:\WINNT\system32\inetsrv\MetaBack directory
![Page 10: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/10.jpg)
![Page 11: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/11.jpg)
![Page 12: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/12.jpg)
Details of the Logs
“Enable Logging”
Change the log time period from daily
Put a dedicated drive(E:/LogFiles)
Extended Properties (Select all)
![Page 13: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/13.jpg)
![Page 14: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/14.jpg)
Home Directory Configuration
Allows you to set up dynamic WWW pages(dlls) that are files with specific extensions.
Example: C:\WINNT\System32\inetsrv\asp.dll, ism.dll, httpodbc.dll, ssinc.dll and C:\WINNT\System32\msw3prt.dll, idq.dll and webhits.dll
Remove all these except asp.dll and ssinc.dll (Security Issues)
Reason: These were used in the past for breaking into the IIS servers and infecting them with viruses
Example : buffer overflow vulnerability contained in the idq.dll
![Page 15: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/15.jpg)
![Page 16: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/16.jpg)
File Extension Mapping
In order to setup the extension service via ISAPI applications, click on the "Add" button and then fill in the boxes:
Executable:C:\WINNT\System32\inetsrv\asp.dll
Extension: .inc
Limit to: POST, GET, and HEAD
![Page 17: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/17.jpg)
![Page 18: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/18.jpg)
Application Configuration
Clear “Enable Parent Paths”
Reason: Restrict the access to the Application’s Directory
Clear “Session State”
Reason: Overloads Server’s Memory
Debugging
Enable "Send text error message to client"
Reason: Prevents Hackers from knowing the detail
![Page 19: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/19.jpg)
![Page 20: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/20.jpg)
![Page 21: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/21.jpg)
Directory Security
Commonly used pages – Uncheck Integrated
Problem : username/password passed along the network.
Documents
Add default documents
Note: Home Directory settings - Read, Write, Directory Browsing should not be overlooked.
![Page 22: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/22.jpg)
![Page 23: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/23.jpg)
![Page 24: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/24.jpg)
Creating Webpage
-Partition your Internet data on different disk drives.
Reason: Escaping from Hackers.
-Create a virtual Directory and map it to the Local Directory
-Enable only needed permissions
For Administrators: Full Control,
For Authenticated Users: Read and Execute
For SYSTEM: Full Control
-Disable Directory Browsing
![Page 25: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/25.jpg)
![Page 26: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/26.jpg)
![Page 27: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/27.jpg)
Drawbacks
-Managing large IIS server configurations or multiple servers over the Internet can be slow and cumbersome.
-Hacker can enter as guest and take over the system privileges (due to insecure dll isolation).
- Tools that are produced outside of Microsoft do not alert you when you set a property that requires supporting properties.
![Page 28: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/28.jpg)
Security Tools
IIS Lockdown tool
Installation Guide:
http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm
Download:
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
URLScan
Download:
http://www.microsoft.com/technet/security/tools/URLscan.asp
![Page 29: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/29.jpg)
Conclusion
-Do not ignore making some necessary security tips
-Regularly update the server with the security patches
-For Additional Security, download the security tools
![Page 30: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/30.jpg)
References
-Microsoft Windows Security Resourse Toolkit – Ben Smith and Brian Komar
-http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
-http://www.serverwatch.com/news/article.php/1400491
-http://www.informit.com/articles/article.asp?p=29310&seqNum=5&rl=1
-http://www.eeye.com/html/Research/Advisories/AD20020410.html
![Page 31: IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f175503460f94c2dad9/html5/thumbnails/31.jpg)
Thank You