
IIS 5.0 Security Checklist

This section outlines some of the steps you should take to secure a Windows 2000 Server that is running IIS 5.0 on the Internet. Note that this document does not take into consideration firewalls or proxy servers. It also assumes the company has a security policy in place.

You will notice that this list is quite small, because most of the work is performed by the Security Configuration and Analysis snap-in when you apply the Secure Configuration Templates in Step 3.

Step 1: General Information

  Server Name: _____
  Manufacturer: _____
  Asset #: _____
  Location: _____
  Setup Date: _____
  Set up by: _____

Step 2: Background Work

  Read your corporate security policy.
  Configure hardware to meet security policy.
  Read the IIS 5.0 Resource Guide “Security” section.
  Check http://www.microsoft.com/security.

Step 3: Windows 2000 Server Settings

  Apply the latest Service Pack and hot-fixes from ftp.microsoft.com.
  Format hard disk(s) to NTFS.
  Review appropriate Secure Configuration Template settings.
  Apply appropriate Secure Configuration Template settings.
  Turn off NTFS 8.3 name generation.
  Set appropriate NTFS DACLs.
  Set the system start (boot menu) timeout to zero seconds.
  Set domain controller type to: _____.
  Remove the OS/2 subsystem.
  Remove the POSIX subsystem.
  Remove all net shares.
  Disable the Guest account.
  Check user accounts, group membership, and privileges.
  Set a very strong password for the Administrator account (at least nine characters).
  Unbind NetBIOS from TCP/IP.
  Disable IP routing.
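
Several Step 3 items (8.3 name generation, IP routing, the OS/2 and POSIX subsystems) are single registry settings, so they can be audited from a registry export without touching the live server. The script below is an added example, not Microsoft's tooling and not part of the original checklist: it parses a regedit export (the `.reg` text format that `regedit /e` produces) and reports which of those items the export satisfies. The registry key and value names are the documented Windows 2000 locations but are assumed here; the sample export is constructed for the example.

```python
"""Audit a Windows 2000 registry export (.reg) against the registry-backed
items of Step 3. Added example, not Microsoft's code.
Produce the export on the server with:  regedit /e export.reg HKEY_LOCAL_MACHINE\\SYSTEM
"""
import re

# Registry locations assumed for each checklist item (documented Windows 2000
# locations; verify against your own build before relying on them).
VALUE_CHECKS = [
    # (label, key, value name, expected DWORD)
    ("NTFS 8.3 name generation turned off",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem",
     "NtfsDisable8dot3NameCreation", 1),
    ("IP routing disabled",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "IPEnableRouter", 0),
]
ABSENT_CHECKS = [
    # (label, key, value name that must no longer exist)
    ("OS/2 subsystem removed",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems",
     "Os2"),
    ("POSIX subsystem removed",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems",
     "Posix"),
]

_KEY_LINE = re.compile(r"^\[(.+)\]$")


def parse_reg_export(text):
    """Parse regedit export text into {key_lower: {value_name_lower: data}}.

    DWORDs become ints and quoted strings become str. hex(...) blobs are kept
    as raw text because only their presence matters here; their backslash
    continuation lines contain no '=' and are skipped.
    """
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"').lower()
        if data.startswith("dword:"):
            reg[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            reg[current][name] = data[1:-1]
        else:
            reg[current][name] = data
    return reg


def audit(reg):
    """Return {checklist label: True if the export satisfies it}."""
    results = {}
    for label, key, name, expected in VALUE_CHECKS:
        results[label] = reg.get(key.lower(), {}).get(name.lower()) == expected
    for label, key, name in ABSENT_CHECKS:
        results[label] = name.lower() not in reg.get(key.lower(), {})
    return results


# Constructed sample export: 8.3 generation is off and POSIX is gone, but IP
# routing is still enabled and the OS/2 subsystem value is still present.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IPEnableRouter"=dword:00000001
"Hostname"="webserver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Os2"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,00,00
"""

if __name__ == "__main__":
    for label, ok in audit(parse_reg_export(SAMPLE_EXPORT)).items():
        print("PASS" if ok else "FAIL", label)
```

Run it against a real export taken after hardening; every FAIL line is a Step 3 item that still needs attention. Items that are not registry-backed (NTFS DACLs, shares, account settings) need their own checks.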

Step 4: IIS 5.0 Settings

  Install only the minimal Internet services required.
  Set appropriate authentication methods.
  Set appropriate virtual directory permissions and partition Web application space.
  Place executable content in an Execute (X)-only location.
  Set IP address/DNS address restrictions.
  Validate executable content for trustworthiness.
  Set up SSL if appropriate.
  Enable logging.
  Map client authentication certificates to Windows accounts if appropriate.
  Set Indexing Service to index only documentation.
  Lock down the Microsoft Certificate Services ASP enrollment pages with DACLs.
  Disable or remove all sample applications.
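
Once logging is enabled, the log itself is the easiest way to confirm that the sample applications were really removed: a request for a sample directory that still gets a 2xx response means the content is still being served. The script below is an added example, not Microsoft's code and not part of the original checklist: it parses the IIS 5.0 W3C Extended log format, driving the column layout from the `#Fields:` directive so it follows whatever fields were enabled, and reports sample-directory requests that were served plus any 5xx responses. The sample-directory prefixes (IISSamples and IISHelp, IIS 5.0's default sample and documentation virtual directories) and the log excerpt are assumptions constructed for the example.

```python
"""Review an IIS 5.0 W3C Extended log to confirm Step 4 holds: logging is on
and the sample/documentation virtual directories no longer answer.
Added example, not Microsoft's code. The default log location is assumed to be
%SystemRoot%\\system32\\LogFiles\\W3SVC1\\exYYMMDD.log.
"""

# Virtual directories this example treats as sample content (assumption:
# IISSamples and IISHelp are the IIS 5.0 defaults; adjust to your install).
SAMPLE_PREFIXES = ("/iissamples", "/iishelp")


def parse_w3c_log(text):
    """Return one dict per request, keyed by the names in the #Fields line.

    The #Fields directive defines the column order, so the parser adapts to
    the fields enabled in the site's logging properties. IIS writes '+' in
    place of spaces inside values such as cs(User-Agent), so a plain split
    on single spaces is safe.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, parts)))
    return records


def review(records, sample_prefixes=SAMPLE_PREFIXES):
    """Return the requests that contradict the checklist.

    'sample_content_served': requests under a sample directory answered with
    a 2xx status, i.e. the content was not actually removed or disabled.
    'server_errors': 5xx responses, which deserve a look regardless.
    """
    served, errors = [], []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        status = r.get("sc-status", "")
        if stem.startswith(sample_prefixes) and status.startswith("2"):
            served.append(r)
        if status.startswith("5"):
            errors.append(r)
    return {"sample_content_served": served, "server_errors": errors}


# Constructed log excerpt in the IIS 5.0 W3C Extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-06-01 00:00:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-06-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0+(compatible)
2000-06-01 00:00:07 192.0.2.10 - 198.51.100.5 80 GET /iissamples/default.asp - 200 Mozilla/4.0+(compatible)
2000-06-01 00:00:09 192.0.2.11 - 198.51.100.5 80 GET /iishelp/iis/misc/default.asp - 404 Mozilla/4.0+(compatible)
2000-06-01 00:00:12 192.0.2.12 - 198.51.100.5 80 GET /orders/submit.asp - 500 Mozilla/4.0+(compatible)
"""

if __name__ == "__main__":
    findings = review(parse_w3c_log(SAMPLE_LOG))
    for r in findings["sample_content_served"]:
        print("sample content still served:", r["cs-uri-stem"], r["sc-status"])
    for r in findings["server_errors"]:
        print("server error:", r["cs-uri-stem"], r["sc-status"])
```

In the constructed excerpt the IISHelp request correctly gets a 404 and is not reported, while the IISSamples request returning 200 shows that directory is still live. Point the parser at the current day's log after making the Step 4 changes and look for an empty `sample_content_served` list.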

Step 5: Install Scanner/Intrusion Software

Regularly run a security scanner on your Web server, using software from one of the companies listed at http://backoffice.microsoft.com/securitypartners/.

Step 6: Update the Emergency Repair Disk (ERD)

You should regularly update the ERD.

To update the ERD

  1. Run the Backup tool by clicking Start, Run, and then typing ntbackup.
  2. Select the Tools menu.
  3. Select Create an Emergency Repair Disk.

© 1997-1999 Microsoft Corporation. All rights reserved.