Hardening Windows 2003 Web Servers
© Ezenta A/S 2005
Agenda
- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening
General
General - Who should take this course
- System Consultants
- Security Consultants
- System Architects
- Anyone who is responsible for the configuration and/or the administration of a Windows 2003 environment
General - Strategy: Creating a secure environment
Secure current and/or new implementations of the Windows 2003 operating system
General - Strategy: Maintaining a secure environment
Maintain a secure environment by staying on top of security issues that are relevant to your installation
This is a proactive process!!
General - Scope of this course
This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0
General - Prerequisites
- Experience with IT security
- Experience with MMC
- Experience deploying web applications in enterprise environments
- Some web application development knowledge will be useful but is not mandatory
General - What happens if I don’t harden my web server?
- Most systems can be compromised within 72 hours
- Corporate humiliation
- You won’t know whether your system has been, or is being, attacked
- Money wasted on repairs and downtime
- Company data/secrets could be stolen
- Some web sites are fed with data that comes from the same database as other internal systems
Hardening one step at a time
Chart (from the slide image): number of weaknesses plotted against each hardening step: Physical Security, OS Installation, Account Policies, Local Policies, Services, User Accounts, IP Policies, Permissions, Hardening IIS, Additional Hardening.
Prerequisites - What should
Install ALL necessary software/services before you begin, and make sure that they ALL work. Why?
If a piece of software or a service doesn’t work afterwards: Is it because of the hardening? Did it work before we started?
These are time-wasting situations.
Let’s begin.
Physical Security
We assume that physical security is in place.
OS Installation
- No system upgrades. Why? Too many grey areas. ONLY clean installations.
- Two partitions (we shall be using one): 01 system files, 02 web applications
- Strong administrative passwords: rainbow table attacks make 8-character passwords trivial to break
- Only install necessary components
OS Installation (cont.)
- Use a static IP instead of DHCP if possible (one less service)
- If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.
Proof of concept scan
Proof of concept scan - Windows 2003 v. Windows 2000
Why bother using Windows 2003? It is more secure by default.
Can Windows 2000 be made as secure? Yes, but it requires work.
Proof of concept scan - Windows 2003 v. Windows 2000 (cont.)
We will use standard tools to inspect a default Windows 2003 installation.
Tools to use: Nmap and NStealth. Scans to perform (xx.xx.xx.xx is the address of the Windows 2003 host):
    nmap -sS -P0 -O -p 1-65535 xx.xx.xx.xx
    nmap -sS -P0 -O -g 53 -p 1-65535 xx.xx.xx.xx
    nmap -sT -P0 -O -p 1-65535 xx.xx.xx.xx
Windows 2003: xx.xx.xx.xx
Local Security Settings
Policies - Account Policies
- Never use dictionary words.
- Never reuse old passwords by altering only one digit.
- Never choose passwords based on pets, habits, likes or dislikes. One must never be able to identify a password by looking at the things on your desk.
- Use upper- and lowercase with symbols and numbers.
- Choose passwords based on phrases, for example:
    Th15 comput€r i5 prot€cted by a str0ng p@ssword
Policies - Account Policies: Password Policy
- Enforce Password History: 24
- Maximum Password Age: 42 days
- Minimum Password Age: 2 days
- Minimum Password Length: 14
- Complexity requirements: Enabled
- Use Reversible Encryption: Disabled
Policies - Account Policies: Account Lockout Policy
- Account Lockout Duration: 15 minutes
- Account Lockout Threshold: 10 invalid attempts
- Reset Lockout Counter: 15 minutes
Services
- What services does a web server need? Are you sure they are needed?
- YES: secure them. NO: remove them.
- This is the hardest part to get right.
Or…
System Settings - Isn’t there a quicker way to change system settings?
Yes. Meet the “Security Configuration and Analysis” snap-in.
System Settings - Security Configuration and Analysis
1. Run mmc
2. File > Add/Remove Snap-in > Add > Security Configuration and Analysis > Add
3. Right-click on Security Configuration and Analysis > Open Database
4. Choose a file name > Open
5. Navigate to “High Security Baseline.inf” > Open
6. Right-click on Security Configuration and Analysis > Analyze Computer Now…
7. Save the log to your desktop
User Accounts
User Accounts - Securing well-known user accounts
- Rename all built-in accounts: Administrator, Guest
- Why? Everyone knows the names of these two Windows accounts, so 50% of what a brute-force attack needs (the user name) is already common knowledge.
- The account descriptions should also be altered.
User Accounts - Securing well-known user accounts (cont.)
- Assign strong passwords to these accounts, for example: Th15 1s @ v€ry st0ng p@s5word don’t y0u th1nk?
- Disable default guest accounts (if not already done by default)
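To check a server against the password policy, lockout policy and built-in account settings from the slides above without clicking through the snap-ins, here is an added example in Python (not part of the Ezenta course material): it parses a `secedit /export` file and reports every deviation from those values. The export text is constructed for the demonstration; the `[System Access]` key names are the ones secedit writes.

```python
"""Audit a secedit export against the password, lockout and built-in
account settings from the course.  Constructed example, not part of the
Ezenta course material; the [System Access] key names are the real ones
secedit writes.  Export from a server with:
    secedit /export /cfg C:\\current.inf
then read that file with open(..., encoding="utf-16") and pass the text
to audit()."""

# Required values from the Password Policy / Account Lockout Policy slides.
BASELINE = {
    "PasswordHistorySize":   ("==", 24),
    "MaximumPasswordAge":    ("<=", 42),
    "MinimumPasswordAge":    (">=", 2),
    "MinimumPasswordLength": (">=", 14),
    "PasswordComplexity":    ("==", 1),
    "ClearTextPassword":     ("==", 0),   # "Use Reversible Encryption: Disabled"
    "LockoutDuration":       (">=", 15),
    "LockoutBadCount":       ("<=", 10),
    "ResetLockoutCount":     (">=", 15),
    "EnableGuestAccount":    ("==", 0),   # "Disable default guest accounts"
}
OPS = {"==": lambda a, b: a == b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def parse_secedit_inf(text):
    """Return {key: value} for the [System Access] section of a secedit export.
    Hand-rolled because other sections contain lines without '=' that
    configparser rejects."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit(text):
    """Return a list of (key, finding) tuples; an empty list means compliant."""
    sa = parse_secedit_inf(text)
    findings = []
    for key, (op, want) in BASELINE.items():
        if key not in sa:
            findings.append((key, "not present in export (setting not defined)"))
            continue
        try:
            have = int(sa[key])
        except ValueError:
            findings.append((key, f"unparseable value {sa[key]!r}"))
            continue
        # Sentinel values secedit uses, which a plain comparison would misjudge.
        if key == "MaximumPasswordAge" and have == -1:
            findings.append((key, "passwords never expire"))
        elif key == "LockoutBadCount" and have == 0:
            findings.append((key, "account lockout is disabled"))
        elif key == "LockoutDuration" and have == -1:
            continue  # locked until an administrator unlocks: stricter than 15 min
        elif not OPS[op](have, want):
            findings.append((key, f"is {have}, baseline requires {op} {want}"))
    # "Rename all built-in accounts" (User Accounts slide).
    for key, default in (("NewAdministratorName", "Administrator"),
                         ("NewGuestName", "Guest")):
        name = sa.get(key, "").strip().strip('"')
        if not name or name.lower() == default.lower():
            findings.append((key, f"built-in {default} account not renamed"))
    return findings


# Constructed export of a not-yet-hardened server (not real output).
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for key, finding in audit(SAMPLE_EXPORT):
        print(f"{key}: {finding}")
```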
IP Policies
IP Policies - Structure
IP filter advice: give your rules good names. Examples might look like this: <POLICY> <DIRECTION> <SERVICE>
- Permit INBOUND HTTP(S)
- Permit OUTBOUND SSH
- Permit OUTBOUND DNS
- Permit OUTBOUND HTTP(S)
- Deny BIDIRECTIONAL ALL
IP Policies - Example scenario
A web server might look similar to this:
- Permit INBOUND: HTTP, HTTPS?, TS?
- Permit OUTBOUND: HTTP, HTTPS, DNS
IP Policies - Let’s get started
1. Create IP Security Policy…
2. Name: Secure Web
3. Uncheck “Activate the default response rule”
4. Check “Edit Properties”
5. Uncheck “Use Add Wizard”
IP Policies - Basic rules
Create 4 rules:
- Deny BIDIRECTIONAL ALL
- Permit INBOUND HTTP(S)
- Permit OUTBOUND HTTP(S)
- Permit OUTBOUND DNS
When you’re done, assign your new policy.
IP Policies - Let’s look at the results
Tools needed: Nmap
Exercise: in groups of two or three, choose which computer will perform the scan. Un-assign the IP policy on the scanning computer, as it also blocks outbound traffic. Perform the following port scans (<target> is the hardened server’s address):
    nmap -sS -P0 -O -p 1-65535 <target>
    nmap -sS -P0 -O -g 53 -p 1-65535 <target>
    nmap -sT -P0 -O -p 1-65535 <target>
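To predict what the “Secure Web” policy will let through before it is assigned and scanned, here is an added example in Python (not course material) that models how Windows IPsec picks a filter for a packet. It keeps two properties of the real engine, stateless filters and most-specific-filter-wins; treating every filter as mirrored, letting deny win ties, the resolver and scanner addresses, and the pinned-DNS variant of the rule set are assumptions added here.

```python
"""Simplified model of Windows IPsec filter matching, used to predict what
the course's "Secure Web" policy lets through before it is assigned and
scanned.  Constructed example, not course material.  Two properties of
the real filter engine are kept: filters are stateless, and the most
specific matching filter wins.  Treating every filter as mirrored and
letting deny win ties are assumptions of this model."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for protocol, port or remote address


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (any -> me) or "out" (me -> any)
    proto: str          # "tcp" or "udp"
    local_port: int     # port on this server
    remote_port: int    # port on the other host
    remote_ip: str


@dataclass(frozen=True)
class Filter:
    name: str
    action: str         # "permit" or "deny"
    proto: Optional[str] = ANY
    local_port: Optional[int] = ANY
    remote_port: Optional[int] = ANY
    remote_ip: Optional[str] = ANY

    def matches(self, p: Packet) -> bool:
        # A mirrored filter ignores direction: the reply to an outbound packet
        # carries the same local/remote ports with the direction flipped, and
        # so does an unsolicited inbound packet that copies those ports.
        return all(want in (ANY, have) for want, have in (
            (self.proto, p.proto), (self.local_port, p.local_port),
            (self.remote_port, p.remote_port), (self.remote_ip, p.remote_ip)))

    def specificity(self) -> int:
        return sum(f is not ANY for f in
                   (self.proto, self.local_port, self.remote_port, self.remote_ip))


def decide(policy, packet):
    """Return (action, filter name) for the most specific matching filter."""
    hits = [f for f in policy if f.matches(packet)]
    if not hits:
        return "permit", "no filter matched (IPsec passes unfiltered traffic)"
    best = max(hits, key=lambda f: (f.specificity(), f.action == "deny"))
    return best.action, best.name


# The four "Basic rules" from the course.  DNS is listed for both transports
# because DNS uses TCP as well as UDP.
SECURE_WEB = [
    Filter("Deny BIDIRECTIONAL ALL", "deny"),
    Filter("Permit INBOUND HTTP", "permit", proto="tcp", local_port=80),
    Filter("Permit INBOUND HTTPS", "permit", proto="tcp", local_port=443),
    Filter("Permit OUTBOUND HTTP", "permit", proto="tcp", remote_port=80),
    Filter("Permit OUTBOUND HTTPS", "permit", proto="tcp", remote_port=443),
    Filter("Permit OUTBOUND DNS/UDP", "permit", proto="udp", remote_port=53),
    Filter("Permit OUTBOUND DNS/TCP", "permit", proto="tcp", remote_port=53),
]

# Hardened variant: the DNS filters are pinned to the resolver's address
# (constructed), so their mirrors only admit packets from that one host.
RESOLVER, SCANNER = "10.0.0.53", "192.0.2.10"
PINNED_DNS = [f for f in SECURE_WEB if "DNS" not in f.name] + [
    Filter("Permit OUTBOUND DNS/UDP", "permit", "udp", remote_port=53, remote_ip=RESOLVER),
    Filter("Permit OUTBOUND DNS/TCP", "permit", "tcp", remote_port=53, remote_ip=RESOLVER),
]

# Packets the course's scans and normal operation produce (addresses constructed).
PROBES = {
    "SYN to 80":                Packet("in", "tcp", 80, 40000, SCANNER),
    "SYN to 3389":              Packet("in", "tcp", 3389, 40000, SCANNER),
    "SYN from port 53 to 3389": Packet("in", "tcp", 3389, 53, SCANNER),  # nmap -g 53
    "DNS reply from resolver":  Packet("in", "udp", 40001, 53, RESOLVER),
}

if __name__ == "__main__":
    for label, pkt in PROBES.items():
        print(f"{label:26} basic={decide(SECURE_WEB, pkt)[0]:6} pinned={decide(PINNED_DNS, pkt)[0]}")
```

The third probe is why the course includes the `-g 53` scan: a stateless mirror of “Permit OUTBOUND DNS” is more specific than “Deny ALL”, so restricting that filter to the resolver’s address is the fix to verify.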
File Permissions
Permissions - Assigning correct NTFS permissions
- CGI files (.EXE, .DLL, .CMD, .PL): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read & Execute, Read
- Script files (.ASPX, .ASP, .PHP): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read & Execute, Read
- Include files (.INC, .SHTML, .SHTM): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read & Execute, Read
Permissions - Assigning correct NTFS permissions (cont.)
- Static files (.HTML, .HTM, .TXT, .GIF, .JPG): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read
- Data files (.MDB): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read, Write, Read & Execute, Modify
Hardening IIS
- Web server extensions
- Application debugging
- Custom errors
- HTTP verbs
- URL Scan
- Logging
Web server extensions - Predefined Web Service Extensions
Everything is turned off by default. A default IIS 6.0 installation will only serve sites with static pages (.HTML, .HTM).
Web server extensions - Predefined Web Service Extensions (cont.)
- Active Server Pages
- ASP.NET version 1.1.4322
- FrontPage Server Extensions 2002
- Internet Data Connector
- Server-Side Includes
- WebDAV
Application Debugging - Stop IIS from sending error messages to clients
Stop applications from sending debugging details to clients:
1. Right-click on your web site in the IIS manager
2. Home Directory > Configuration > App Debugging
3. Check “Send text error to client” and leave the text box blank
Custom Errors - Redirect to a custom error page when an error occurs
Send custom error pages to clients for HTTP 500 and 404 errors:
1. Right-click on your web site in the IIS manager
2. Custom Errors > double-click on 500
3. Message Type: URL
4. URL: /<LOCATION OF CUSTOM PAGE>
Make certain that error 500 messages don’t get sent to the browser!
HTTP Verbs - Limit access to HTTP verbs
Remove all un-needed HTTP verbs from each application. Generally required: GET, HEAD, POST.
URL Scan - URL filtering
What is URL Scan? What can it do?
- Enable/disable HTTP verbs
- Disable HTTP headers
- Enable/disable specific file extensions
- Disable character sequences
- Remove/alter the server header
- Restrict header lengths
Questions concerning URL Scan?
URL Scan - URL filtering (cont.)
How does it work:
- Configuration file
- Installation
- Fine tuning
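To see whether the verb restriction, URL Scan filtering and custom error pages above are actually in effect, here is an added example in Python (not course material) that reviews an IIS 6.0 W3C extended log for verbs outside GET/HEAD/POST, URL sequences URL Scan should deny, extensions outside the served set, and HTTP 500 responses reaching clients. The log lines are constructed, and the allowed-extension set and denied sequences are assumptions modelled on URLScan-style configuration, not a copy of its shipped defaults.

```python
"""Review an IIS 6.0 W3C extended log for requests the course's IIS hardening
should reject, or that show it is not yet in place.  Constructed example,
not course material.  ALLOWED_EXTENSIONS and DENIED_SEQUENCES are assumed
URLScan-style settings, not URLScan's shipped defaults."""
from urllib.parse import unquote
import posixpath

ALLOWED_VERBS = {"GET", "HEAD", "POST"}            # "Generally required"
ALLOWED_EXTENSIONS = {"", ".htm", ".html", ".aspx", ".asp", ".css",
                      ".gif", ".jpg", ".txt"}      # assumed served set
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%")    # assumed, URLScan-style


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields
    directive (IIS writes a new #Fields line whenever the field set changes)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or mangled line: skip rather than misattribute
        yield dict(zip(fields, parts))


def review(text):
    """Return a list of (reason, c-ip, method, uri-stem) findings."""
    findings = []
    for r in parse_iis_log(text):
        method, stem = r.get("cs-method", ""), r.get("cs-uri-stem", "")
        where = (r.get("c-ip", "?"), method, stem)
        if method not in ALLOWED_VERBS:
            findings.append(("verb not in GET/HEAD/POST",) + where)
        # Decode once so %2e%2e is seen as ".." and a leftover "%" reveals
        # double encoding; URLScan checks the normalised URL the same way.
        decoded = unquote(stem)
        if any(seq in decoded for seq in DENIED_SEQUENCES):
            findings.append(("denied URL sequence",) + where)
        if posixpath.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
            findings.append(("extension not served",) + where)
        if r.get("sc-status") == "500":
            findings.append(("HTTP 500 reached client",) + where)
    return findings


# Constructed log excerpt in the IIS 6.0 default W3C field layout.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-06-01 00:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2005-06-01 00:00:02 10.0.0.5 OPTIONS / - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2005-06-01 00:00:03 10.0.0.5 PROPFIND /docs/ - 80 - 192.0.2.11 WebDAV-Client 404 0 0
2005-06-01 00:00:04 10.0.0.5 GET /static/..%2f..%2fglobal.asa - 80 - 192.0.2.12 - 404 0 0
2005-06-01 00:00:05 10.0.0.5 GET /data/orders.mdb - 80 - 192.0.2.12 - 200 0 0
2005-06-01 00:00:06 10.0.0.5 POST /app/order.aspx id=1 80 - 192.0.2.13 Mozilla/4.0 500 0 0
"""

if __name__ == "__main__":
    for reason, ip, method, stem in review(SAMPLE_LOG):
        print(f"{reason:26} {ip:12} {method} {stem}")
```

A 200 on the `.mdb` request shows why the data files the permissions slide places under the web root also need URL Scan’s extension filtering, and the 500 on `order.aspx` means the custom error page is not yet configured.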
Logging - Configuring logging
- Create separate logs for each site
- Log folder permissions: Administrators: Full Control; System: Full Control; IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute
Additional Hardening
- Uninstallable components
- Special binaries
Uninstallable Components
1. Load “%systemroot%\inf\sysoc.inf” into Notepad
2. Replace “hide” with “” (an empty string)
3. Run Add/Remove Applications
4. Remove any unwanted/unneeded components (be careful!)
Special Binaries
Several executables that exist on a standard Windows 2000 installation could become rather useful to an attacker.
Special access rights need to be set on all of these executables.
Special Binaries (cont.)
1. Uncheck “Allow inheritable permissions from parent to propagate to this object”.
2. Remove all users from the name list, including SYSTEM.
3. Assign “Full Control” to a user that is to be used to access these files (an administrator).
Special Binaries (cont.)
rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe
What have we learned today?
- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening