With the sharp increase of hacking attacks over the last couple of years, and the introduction of a number of regulatory compliance guidelines to follow, web application security has become a key concern for many online businesses, and also a common expense in a company’s budget. Although many businesses are focusing on securing their web applications, unfortunately they are not looking at the whole picture. A vital part of securing a business’s whole web infrastructure also includes having a secure web server configuration. Securing a web server’s configuration is as important as securing the web application itself.
A brief introduction to Microsoft IIS
Microsoft Internet Information Services, better known as IIS, is Microsoft’s set of internet based services for servers, which runs on Microsoft Windows operating systems. The internet services provided with IIS are a SMTP (simple mail transport protocol) Server, FTP (file transfer protocol) Server, NNTP (network news transfer protocol) server and WWW (World Wide Web) server. Until version 5.1 (~ year 2000), IIS was hit with a number of vulnerabilities, which also lead to a number of infamous worms on the internet, such as the Code Red Worm. Most of such incidents happened because both the design of the application itself and the permissions it used to run were flawed. An out of the box installation of IIS version 5.1 published on the internet in 2000, could get hacked in a matter of minutes. From version 6 onwards, when internet hacking was causing a huge financial problem to major online businesses, Microsoft re-designed IIS. The way IIS 6 and more recent versions work and use resources, are more secure, and help in reducing the attack surface. Microsoft also removed the SMTP server and the NNTP server in more recent versions of IIS. Still, an out of the box IIS installation, with a default configuration may still lead to a number of problems.
Securing your Microsoft IIS web server
1. To start off with, all web related documents, such as web application files and other files which are typically shared over the internet, should be stored in a different drive from the operating system drive. Because of vulnerability, a malicious user can gain access to the web root directory, and then escalate his permissions and gain access to the whole drive where the web root is. If the malicious user gains access to the whole drive, at least he cannot tamper your operating system installation, thus making it easier to trace his activity.
2. When creating a new web root directory, where all the files to be shared on the web will be stored, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content. Ideally, deny write access to any file or directory in the web root directory to the anonymous user. If need be, create a new user to be used as an anonymous user and grant the appropriate permissions, and disable the built-in IIS anonymous user. Always avoid giving write NTFS permissions to the anonymous user.
3. If a database server, such as Microsoft SQL Server is to be used as a backend database, install it on a separate server. If the budget permits, other network services should be installed on separate servers. If one of such network services is compromised, it makes it more difficult for a malicious user to gain access over the other servers, thus compromising the whole web farm infrastructure. Also, if possible, avoid mapping virtual directories between two different servers, or over a network.
4. If IIS FTP service is needed, do not install the FTP service shipped with latest windows editions. Apart from not being a very practical FTP server, its configuration has to be accessed from a IIS 6 management console. Microsoft released a new FTP server which integrates better with IIS 7 and its configuration, and is more practical. It can be downloaded from the following URL (IIS Official website); http://learn.iis.net/page.aspx/310/what-is-new-for-microsoft-and-ftp-75/. One should also follow good FTP server configuration practices, such as to always isolate the ftp user in his home directory, use secure FTP (over SSL), and also allow the least possible privileges to the users. Even though FTP user permissions can be controlled from the IIS 7 MMC, make sure that such permissions are also enforced via NTFS permissions. If port scanning is enabled in Acunetix WVS, it will also check your FTP server configuration, and will launch a number of security checks against the FTP server.
5. Monitor servers, web applications and network services activity frequently. By analysing the log files, you can determine if a web server or network service is being attacked. Studying such activity, you can also learn what type of attacks your server is undergoing, thus helping you understand the attacker and will also help you adapt to such attacks and increase the level of security of the whole web farm infrastructure.
6. Like every other software vendor, Microsoft periodically releases a number of software updates and security patches. These patches should be applied at the earliest possible to reduce the risk of someone finding the security hole before it is patched. Once vulnerabilities are made public, within a couple of hours, malicious users would already have automated scripts and scanners that crawl the internet and identify vulnerable server. Once a new security patch or software update is applied, you should also thoroughly test the web applications’ functionalities, to confirm they were not affected by such security patch or software update.
7. Microsoft provides a number of tools to help you secure your web server. It is imperative to invest time in learning how to use such tools, since in the long run they can save you from a more time consuming activity, such as restoring a server after it was hacked, or tracing a malicious user’s activity. Such tools are; IIS Security “What if” tool, which helps you troubleshoot security issues with IIS, IIS Security Planning Tool which helps you deploy IIS with security that is appropriate for the server’s role, and IIS Lockdown tool, which provides built-in secure IIS configuration templates. There are many other tools provided from Microsoft for free, which can be downloaded from their website. Also, Microsoft frequently publishes documents and security guidelines on how to secure your web server, which one should follow. After using such tools, or applying changes which you’ve learnt about from Microsoft’s documentation, test the web application’s functionality, to confirm that such changes did not affect or block any of the web application’s functionality. Ideally you should also use other third party security tools, such as Acunetix WVS to confirm that such tools are properly securing your web server.