If you're installing a new Web server under Windows NT and you want it to be secure, don't rely on the default Windows NT installation. Follow these 10 steps to make sure that your system remains secure:
- Install the latest service packs and hot fixes—Apply them before the server goes into production so you have time to test. Many security holes are fixed only in hot fixes, so they should be in place before rollout.
- Remove all net shares—List the current shares from the command line with Net Share, then delete each one with Net Share sharename /d. You should also prevent the administrative shares (C$, D$, ADMIN$) from being recreated at boot by setting the following Registry value to 0:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
- Disable the guest account—The guest account is a well known and easily attacked account. Disabling it will eliminate one more hole.
- Rename the administrator account—It is another well known account, and renaming it will remove it as a target. Consider creating a "honey pot" Administrator account that you can monitor to detect attacks early.
- Set a very strong password for the Admin account—The password should be at least nine characters long and include some punctuation or non-alphabetic characters within the first seven characters, because the LAN Manager hash stores the password as two separate seven-character halves.
- Unbind NetBIOS from TCP/IP—This will help prevent unauthorized access to machine information, which can be gained with tools like NBTSTAT.
- Configure TCP/IP filtering—Most Web servers need to be reachable on only one or two ports: 80 and/or 443. Block all other unused ports to reduce the server's exposed attack surface.
- Disable the default Web site—IIS ships with a number of sample applications that can be subverted to gain access to your box. In addition, many administration utilities are installed under the default Web site. You are better off disabling the default site and starting from scratch with a new one.
- Remove unused script mappings—IIS supports many filename-extension mappings that hand requests to various programs, and most sites don't use them. Disable .htr (Web-based password reset), .idc (Internet database connector), and .shtm, .stm, .shtml (server-side includes).
- Disable RDS Support—When incorrectly configured, Remote Data Services can make a server vulnerable to denial-of-service and arbitrary code-execution attacks. You should remove this capability.
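The share-removal, AutoShareServer and guest-account steps above can be scripted from cmd.exe on a Windows NT 4.0 server. The batch file below is an added example, not the article's own; it assumes the shares to delete are C$, D$ and ADMIN$ and that the Registry change is imported with regedit /s from a REGEDIT4-format file (the path under %TEMP% is an assumption).

```batch
@echo off
rem Added example (not from the original article): applies the
rem "remove net shares", AutoShareServer and "disable guest" steps on
rem Windows NT 4.0. Run from an Administrator command prompt; reboot
rem for the AutoShareServer change to take effect.

rem --- Remove the administrative shares that are currently exported.
rem     "net share" with no arguments lists everything shared; delete
rem     each entry the Web server does not need.
net share C$ /delete
net share D$ /delete
net share ADMIN$ /delete
rem IPC$ is intentionally left alone: it carries the named-pipe logons
rem that local administration tools depend on.

rem --- Stop NT from recreating the administrative shares at boot.
rem     Build a REGEDIT4 file (assumed path under %TEMP%) and import it
rem     silently; the value is a REG_DWORD of 0.
> %TEMP%\harden.reg echo REGEDIT4
>> %TEMP%\harden.reg echo.
>> %TEMP%\harden.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
>> %TEMP%\harden.reg echo "AutoShareServer"=dword:00000000
regedit /s %TEMP%\harden.reg
del %TEMP%\harden.reg

rem --- Disable the Guest account rather than just giving it a password.
net user guest /active:no

rem --- Verify: the share list should show only IPC$, and the Guest
rem     account should report "Account active   No".
net share
net user guest
```

Renaming the Administrator account and configuring TCP/IP port filtering are done through User Manager and the Network control panel respectively, so they are not covered by this script.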
Chris Kinsman is Vice President of Technology for DevX.com. He is a regular speaker at VBITS conference events.