Abstract
This paper addresses the common IIS web server security specification in the form of a checklist that aids the web master or penetration tester to implement a secure web server infrastructure swiftly.
It is mandatory for a web application to be duly foolproof from vicious attacks for preventing damage that could be in any form indeed. Security professionals and penetration testers are typically part of a web project to ensure the website protection from various attacks by detecting loopholes that might be exploited later. But such critical task is typically not followed in a proper manner and web applications become live into the production environment with inherent vulnerabilities, or even without complying with security guidelines. That is because developers and organizations are often in a hurry to launch the software into the production environment due to various unnamed pressures. Unfortunately, there is not a single tool available that can claim the comprehensive security of an application because attacks could come in any form, in fact the its horizon is so extensive that, it is beyond the assumption. So such summarized checklist snapshots proved to be a truly savior for hardening or to improve our deployment workstation security precipitously.
Virtual Directory
| Security Specifications |
Status |
| Ensure restriction is enabled to those directories that allows anonymous access |
|
| Ensure IISAdmin, IISHelp, IISamples directory are removed |
|
| Confirm PARENT PATH configuration is disabled |
|
| Ensure unused Front pages extension is removed |
|
| Ensure website directories are dislocated from the system partition drive |
|
| Ensure directory traversing is disabled (uncheck write permission) |
|
| Ensure other unused utilities such resource kit, SDK are detached |
|
Machine Configuration File
|
Security Specifications |
Status |
| Ensure DEBUG is turned-off in WEB.CONFIG file |
|
| Ensure TRACE is set to false or disabled |
|
| Ensure unnecessary HTTP Modules are removed |
|
Secure Communication
| Security Specifications |
Status |
| Ensure HTTP requests are filtered or categorized |
|
| Ensure HTTPs is enable, in case if your website deals with sensitive data |
|
| Ensure Server Certificates is updated and issued by trusted organization |
|
| Ensure Certificates has not withdrawn |
|
| In case of Remote administration, ensure proper time-outs and encryption is configured |
|
| Ensure communication is happens using only port 80 or 443 |
|
| Ensure that IPSec is formed in the network for secure communication |
|
Logging and Audit
| Security Specifications |
Status |
| Ensure Failed Logon Attempts are regularly inspected |
|
| Ensure Log files are properly maintained and audited |
|
| Confirm W3C extended format is enabled for auditing |
|
IIS Metabase and Filters
| Security Specifications |
Status |
| Ensure Banner grabbing is disabled |
|
| Ensure File (%systemroot%\system32\inetsrv\metabase.bin) access is restricted |
|
| Ensure unused extensions (.shtml, .hta, .htw, .stm,,) are removed |
|
| Ensure unemployed ISAPI filters are disabled or removed. |
|
| Ensure "Forbidden Handler" is mapped to unemployed ASP.NET files extension |
|
Server Accounts
| Security Specifications |
Status |
| Ensure anonymous logon is disabled |
|
| Ensure unused IUSR_MACHINE account is disabled |
|
| Ensure a solitary administrator account only |
|
| Ensure administrator account is properly hardened by strong password scheme |
|
| Ensure GUEST account is disabled |
|
| Ensure remote logon is disabled |
|
| Ensure ASP.NET process account is configured to least access |
|
| Ensure anyone couldn't login locally except administrator |
|
Code Access Security
| Security Specifications |
Status |
| Confirm CAS is enabled |
|
| Confirm source code is obfuscated |
|
| Confirm custom error page is installed on server |
|
| Confirm permissions removed from Internet and Intranet zone |
|
System Configuration
| Security Specifications |
Status |
| Confirm ASP.NET state service is disabled |
|
| Confirm Remote Registry Administration is disabled |
|
| Confirm WebDAW service is disabled |
|
| Confirm FTP and SMTP services are disabled |
|
| Confirm SMB service is disabled |
|
| Confirm All Redundant share's (C$, D$,..) is removed |
|
| Confirm Remote Administration by TELNET is disabled |
|
| Confirm only essential System Services given least privilege |
|
| Confirm redundant system services are stop |
|
| Ensure IIS is not installed on domain controller |
|
| Ensure IDS is installed in the network perimeter |
|
| Ensure that IIS server is configured inside DMZ |
|
Server Updates
| Security Specifications |
Status |
| Ensure Windows Operating System is updated |
|
| Ensure .NET Framework is Updated |
|
| Ensure IIS web server is duly patched |
|
| Ensure MBSA is configured and running regularly |
|
| Ensure EMET is installed on server and enabled |
|
| Ensure Microsoft Notification Service is Enabled |
|
| Ensure effective Anti-virus is installed and running |
|
Final Note
In this article, we have seen how to harden an IIS web server to protect ASP.NET websites. This article, in fact didn't explain various attacks and their countermeasures. Instead, it is pinpointing major security guidelines in the form of checklists that can be applied swiftly over the web server, so that a developer can ensure himself that a specific security mechanism is applied and it is enabled. Because some critical bugs remain unnoticed and remains in the final version of the software that could get the application into danger. Hence, such synopsis reference eases the undertaking of developers or security professional in terms of not overlooking or forgetting critical security configuration at the web server.