From: Patrick S. Harper (patrick@internetsecurityguru.com)
Date: Thu Aug 16 2001 - 10:45:21 CDT
Subject: RE: Properly securing IIS (Was: Accessing mail from the web)


    I have learned this from both experience and lots of reading; mix that
    with good administrative practices and you have a fairly secure system.
    One of the basics to me is that if you are not using it, remove it. If
    there is a mapping in IIS that is not and will never be relevant to your
    content, get rid of it. I find servers all the time that still have .htr
    vulnerabilities. I use it to look at their global.asa, and half the time
    they have an administrative account referenced in it. I don't know anyone
    who is allowing passwords to be changed from a live web server (this is
    what .htr is used for). I have scripted out the most relevant parts of
    the IIS checklist from Microsoft
    (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
    for IIS 5 and
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp
    for IIS 4). I never use default installation locations for anything, and
    I choose custom install for everything and remove unneeded components.

    Hope this has helped.

    Also I like these, even though it is funny that they came from Microsoft:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/10imlaws.asp

    > -----Original Message-----
    > From: Andrew Langton [mailto:andrew.langton@BabcockBrown.com]
    > Sent: Thursday, August 16, 2001 9:27 AM
    > To: 'patrick@internetsecurityguru.com';
    > security-basics@securityfocus.com; focus-ms@securityfocus.com
    > Subject: RE: Properly securing IIS (Was: Accessing mail from the web)
    >
    >
    > So is this all documented somewhere, or have you learnt all this by
    > experience? Or both? ;)
    >
    > > -----Original Message-----
    > > From: Patrick S. Harper [mailto:patrick@internetsecurityguru.com]
    > > Sent: Thursday, August 16, 2001 6:24 AM
    > > To: Andrew Langton; 'Frank Knobbe'; security-basics@securityfocus.com;
    > > focus-ms@securityfocus.com
    > > Subject: RE: Accessing mail from the web
    > >
    > >
    > > My IIS systems were also not affected by Code Red, and I did not need to
    > > apply the patch. I simply removed the .ida mapping, unregistered the DLL
    > > and then renamed it. If I had anything running Index Server I would have
    > > used the patch.
    > >
    > > > -----Original Message-----
    > > > From: Andrew Langton [mailto:andrew.langton@BabcockBrown.com]
    > > > Sent: Wednesday, August 15, 2001 11:58 PM
    > > > To: 'Frank Knobbe'; security-basics@securityfocus.com;
    > > > focus-ms@securityfocus.com
    > > > Subject: RE: Accessing mail from the web
    > > >
    > > >
    > > > So how did you avoid the Code Red worms? The way I understand it, they
    > > > worked by utilising the .ida vulnerability - that works over port 80.
    > > >
    > > > > -----Original Message-----
    > > > > From: Frank Knobbe [mailto:FKnobbe@KnobbeITS.com]
    > > > > Sent: Wednesday, August 15, 2001 9:59 AM
    > > > > To: 'Andrew Langton'; 'RH'; security-basics@securityfocus.com;
    > > > > focus-ms@securityfocus.com
    > > > > Subject: RE: Accessing mail from the web
    > > > >
    > > > >
    > > > > -----BEGIN PGP SIGNED MESSAGE-----
    > > > > Hash: SHA1
    > > > >
    > > > > > -----Original Message-----
    > > > > > From: Andrew Langton [mailto:andrew.langton@BabcockBrown.com]
    > > > > > Sent: Tuesday, August 14, 2001 5:16 PM
    > > > > >
    > > > > > Therein lies the problem.... we don't really have the resources to
    > > > > > put into constantly patching both Windows and IIS if the servers are
    > > > > > exposed. Our aim is to make the system as unexposed as possible.
    > > > >
    > > > > Andrew,
    > > > >
    > > > > you need to get used to the fact that you HAVE to accept a certain
    > > > > risk level. If you want to play it bullet-proof and 100% safe, then you
    > > > > need to keep the box disconnected from the network.
    > > > >
    > > > > If the system is properly hardened in the beginning and configured
    > > > > well, you don't have to put every patch on it. I had systems (of my
    > > > > own and client systems) that were not patched against Code Red.
    > > > > However, they were not vulnerable because the systems were set up
    > > > > properly in the beginning (remove stuff, incl. IIS mappings, that
    > > > > aren't needed; correctly configured firewall; properly hardened
    > > > > system; etc.)
    > > > >
    > > > > A web server for OWA, that accesses an Exchange server on a different
    > > > > box, can be slimmed and hardened quite well. I see your reaction as a
    > > > > fear of the unknown. I suggest you review a couple of NT hardening
    > > > > guides and build the machine while repeating the lines "I will remove
    > > > > what I don't need, I will remove...".
    > > > >
    > > > > Again, if the system is properly set up, you don't need to have a lot
    > > > > of resources babysitting that box.
    > > > >
    > > > > Regards,
    > > > > Frank
    > > > >
    > > > >
    > > > >
    > > > > -----BEGIN PGP SIGNATURE-----
    > > > > Version: PGP Personal Privacy 6.5.8
    > > > > Comment: PGP or S/MIME encrypted email preferred.
    > > > >
    > > > > iQA/AwUBO3qqR5ytSsEygtEFEQIA8QCeN36Zm8iAfKSCWQQXRZCVX3+gAmoAn2Gf
    > > > > omTFhptWiRqZAKTA8RxNagyO
    > > > > =LjG9
    > > > > -----END PGP SIGNATURE-----
    > > > >
    > > >
    > > >
    > > >
    > > > This email message may contain information that is confidential and
    > > > proprietary to Babcock & Brown or a third party. If you are not the
    > > > intended recipient, please contact the sender and destroy the original
    > > > and any copies of the original message. Babcock & Brown takes measures
    > > > to protect the content of its communications. However, Babcock & Brown
    > > > cannot guarantee that email messages will not be intercepted by third
    > > > parties or that email messages will be free of errors or viruses.
    > >
    >
    >
    >


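The thread's recurring advice (remove every IIS application mapping the content does not need, then unregister and rename the DLLs that nothing maps to any more, as was done for .ida and idq.dll against Code Red) can be turned into an audit. The script below is an added example written for this archive page, not code from any of the posters. It models the IIS 4/5 metabase ScriptMaps property (one comma-separated entry per mapping), keeps only an allowlist of extensions the site actually serves, and reports which ISAPI DLLs are left with no mapping and can therefore be unregistered and renamed. The sample mapping list is constructed to resemble a default IIS 5 install; the DLL paths, flag values and verb lists are illustrative. Applying the result is still a manual step in the IIS snap-in (site properties, Home Directory, Configuration, App Mappings) or with adsutil.vbs.

```python
"""Audit IIS 4/5 application mappings against what the site actually serves.

Added example for this thread, not code from the original posts. It models
the IIS metabase ScriptMaps property (IIS://localhost/W3SVC/1/Root), where
each application mapping is one comma-separated string:

    .ext,<ISAPI dll path>,<flags>[,<verb>,<verb>,...]

SAMPLE_SCRIPTMAPS is constructed to resemble a default IIS 5 install; the
paths, flag values and verb lists are illustrative assumptions.
"""
from dataclasses import dataclass
from ntpath import basename  # handles backslash paths on any host


@dataclass(frozen=True)
class ScriptMap:
    ext: str      # ".htr"
    dll: str      # path of the ISAPI extension that handles it
    flags: int    # metabase flag bits (1 = script engine); value illustrative
    verbs: tuple  # allowed HTTP verbs; empty tuple means all verbs


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one ScriptMaps entry; reject anything not ext,dll,flags[,verbs]."""
    parts = entry.split(",")
    if len(parts) < 3 or not parts[0].strip().startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    verbs = tuple(v.strip().upper() for v in parts[3:] if v.strip())
    return ScriptMap(parts[0].strip().lower(), parts[1].strip(), int(parts[2]), verbs)


def audit_scriptmaps(entries, needed_exts):
    """Split mappings into (keep, remove) using an allowlist.

    The rule from the thread is "if you are not using it, remove it", so the
    allowlist is the only input: a mapping survives because the content
    needs it, never because nobody has published a bug for it yet.
    """
    needed = {e.lower() for e in needed_exts}
    keep, remove = [], []
    for raw in entries:
        sm = parse_scriptmap(raw)
        (keep if sm.ext in needed else remove).append(sm)
    return keep, remove


def retirable_dlls(keep, remove):
    """DLLs referenced only by removed mappings.

    These can be unregistered and renamed as well (the second step in the
    Code Red message). A DLL still backing a kept mapping, e.g. asp.dll when
    .asp stays but .cer and .cdx go, must be left alone.
    """
    still_used = {basename(sm.dll).lower() for sm in keep}
    return {basename(sm.dll).lower() for sm in remove} - still_used


def hardened_scriptmaps(entries, needed_exts):
    """Serialize the surviving mappings back into metabase ScriptMaps format."""
    keep, _ = audit_scriptmaps(entries, needed_exts)
    out = []
    for sm in keep:
        line = f"{sm.ext},{sm.dll},{sm.flags}"
        if sm.verbs:
            line += "," + ",".join(sm.verbs)
        out.append(line)
    return out


# Constructed sample resembling IIS 5 defaults (paths, flags, verbs illustrative).
INETSRV = r"C:\WINNT\System32\inetsrv"
SAMPLE_SCRIPTMAPS = [
    rf".asa,{INETSRV}\asp.dll,1,GET,HEAD,POST,TRACE",
    rf".asp,{INETSRV}\asp.dll,1,GET,HEAD,POST,TRACE",
    rf".cdx,{INETSRV}\asp.dll,1,GET,HEAD,POST,TRACE",
    rf".cer,{INETSRV}\asp.dll,1,GET,HEAD,POST,TRACE",
    rf".htr,{INETSRV}\ism.dll,1,GET,POST",
    rf".ida,{INETSRV}\idq.dll,1,GET,HEAD",
    rf".idq,{INETSRV}\idq.dll,1,GET,HEAD",
    rf".idc,{INETSRV}\httpodbc.dll,1,GET,POST",
    rf".shtm,{INETSRV}\ssinc.dll,1,GET,POST",
    rf".shtml,{INETSRV}\ssinc.dll,1,GET,POST",
    rf".stm,{INETSRV}\ssinc.dll,1,GET,POST",
    rf".printer,{INETSRV}\msw3prt.dll,1,GET,POST",
    rf".htw,{INETSRV}\webhits.dll,1,GET,POST",
]

if __name__ == "__main__":
    # An ASP-only site: .asp for pages, .asa so global.asa is never served as text.
    keep, remove = audit_scriptmaps(SAMPLE_SCRIPTMAPS, [".asp", ".asa"])
    print("keep:   ", [sm.ext for sm in keep])
    print("remove: ", [sm.ext for sm in remove])
    print("unregister and rename:", sorted(retirable_dlls(keep, remove)))
```

Keeping .asa on an ASP site is deliberate: with the mapping in place a request for global.asa goes to asp.dll and fails, whereas with no mapping the file is static content. The allowlist approach also means the audit does not need to know which extensions are currently "bad"; the next .ida-style surprise is already gone if nothing on the site uses it.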