Abstract
This paper is designed to demonstrate the common IIS web server security specifications in the form of a checklist that aids web masters or penetration testers to implement a secure web server infrastructure swiftly. It is mandatory for a web application to be duly full proof from vicious attacks and for stopping damage which could be in any form. Security professionals and penetration testers are typically part of a web project to ensure the website is protected from various attacks by detecting loopholes which might be exploited later. But such a critical task is typically not followed in a proper manner, and web applications go live into the production environment with inherent vulnerabilities, or even without complying to security guidelines. It is so because developers and organizations are often in a hurry to launch the software into the production environment due to various unnamed pressures.
Unfortunately, there is no single tool available which can claim comprehensive security of an application, because attacks can come in any form, in fact the horizon is so extensive that it is beyond assumption. So such summarized checklist snapshots have proven to be truly a savior for hardening or to improve our deployment workstation security precipitously.
Virtual Directory
Security Specifications |
|
Status
Ensure restriction is enabled to those directories that allow anonymous access |
|
Ensure IISAdmin, IISHelp, IISamples directory are removed |
|
Confirm PARENT PATH configuration is disabled |
|
Ensure unused Front pages extension is removed |
|
Ensure website directories are dislocated from the system partition drive |
|
Ensure directory traversing is disabled (uncheck write permission) |
|
Ensure other unused utilities such resource kit, SDK are detached |
|
Machine Configuration File
|
Security Specifications
|
Status
Ensure DEBUG is turned off in WEB.CONFIG file |
|
Ensure TRACE is set to false or disabled |
|
Ensure unnecessary HTTP Modules are removed |
|
Secure Communication
Security Specifications |
|
Status
Ensure HTTP requests are filtered or categorized |
|
Ensure HTTPS is enabled, in case your website deals with sensitive data |
|
Ensure Server Certificates are updated and issued by a trusted organization |
|
Ensure Certificates have not withdrawn |
|
In case of remote administration, ensure proper time-outs and encryption are configured |
|
Ensure communication happens through only port 80 or 443 |
|
Ensure that IPSec is formed in the network for secure communication |
|
Logging and Audit
|
Security Specifications
|
Status
Ensure Failed Logon Attempts are regularly inspected |
|
Ensure Log files are properly maintained and audited |
|
Confirm W3C extended format is enabled for auditing |
|
IIS Metabase and Filters
|
Security Specifications
|
Status
Ensure Banner grabbing is disabled |
|
Ensure File (%systemroot%system32inetsrvmetabase.bin)
|
access is restricted
|
Ensure unused extensions (.shtml, .hta, .htw, .stm) are removed |
|
Ensure unemployed ISAPI filters are disabled or removed. |
|
Ensure 'Forbidden Handler' is mapped to unemployed ASP.NET files extension |
|
Server Accounts
Security Specifications |
|
Status
Ensure anonymous logon is disabled |
|
Ensure unused IUSR_MACHINE account is disabled |
|
Ensure a solitary administrator account only |
|
Ensure administrator account is properly hardened by strong password scheme |
|
Ensure GUEST account is disabled |
|
Ensure remote logon is disabled |
|
Ensure ASP.NET process account is configured to least access |
|
Ensure anyone couldn't login locally except administrator |
|
Code Access Security
|
Security Specifications
|
Status
Confirm CAS is enabled |
|
Confirm source code is obfuscated |
|
Confirm custom error page is installed on server |
|
Confirm permissions removed from Internet and Intranet zone |
|
System Configuration
Security Specifications |
|
Status
Confirm ASP .NET state service is disabled |
|
Confirm Remote Registry Administration is disabled |
|
Confirm WebDAW service is disabled |
|
Confirm FTP and SMTP services are disabled |
|
Confirm SMB service is disabled |
|
Confirm All Redundant share's (C$, D$,..) is removed |
|
Confirm Remote Administration by TELNET is disabled |
|
Confirm only essential System Services are given least privileges |
|
Confirm redundant system services are stopped |
|
Ensure IIS is not installed on domain controller |
|
Ensure IDS is installed in the network perimeter |
|
Ensure that IIS server is configured inside DMZ |
|
Server Updates
Security Specifications |
|
Status
Ensure Windows Operating System is updated |
|
Ensure .NET Framework is Updated |
|
Ensure IIS web server is duly patched |
|
Ensure MBSA is configured and running regularly |
|
Ensure EMET is installed on server and enabled |
|
Ensure Microsoft Notification Service is Enabled |
|
Ensure effective Anti-virus is installed and running |
|
Final Note
11 courses, 8+ hours of training
Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."
In this article, we have seen how to harden the IIS web server to protect ASP.NET websites. This article in fact didn't explain various attacks and their countermeasure. Instead, it is pinpointing major security guidelines in the form of checklists which can be applied swiftly over a web server, so that a developer can ensure himself that a particular security mechanism is applied and it is enabled. Because some critical bugs go unnoticed and remain in the final version of the software, which could get the application into trouble. Hence, such a synopsis reference eases the undertaking of developers or security professionals in terms of not overlooking or forgetting critical security configurations on the web server.