Securing IIS 6.0 Web Server

10 Aug

Web Server

Hacking a Web Server

With the development of Windows 2003 and also IIS 6.0 there was a dogleg in the way organizing solutions were being offered on Windows platform couple of years back. Today, web servers working in Internet Information Services 6.0 (IIS 6.0) are highly popular around the world – thanks to the.NET and AJAX revolution for designing web applications. However, this likewise makes IIS internet servers a prominent target among hacking teams as well as practically everyday we checked out the brand-new exploits being mapped out as well as covered. That does not imply that Windows is not as safeguarded as Linux. Actually, it’s good that we see a lot of patches being launched for Windows platform as it plainly shows that the vulnerabilities have actually been recognized and also blocked.

Numerous web server administrators have a tough time dealing up with spot management on several web servers, therefore, making it easy for hackers to find a phone web server online. One excellent way I have actually located to make certain servers are patched is to make use of Nagios to run an exterior script on a remote host, then informing on the huge screen which web servers need patches as well as a reboot after the patch has been applied. Simply puts, it is not an uphill struggle for a burglar to access to an at risk server if the web server is not safeguarded and then compromise it further to an extent that there is no alternative left for the manager yet to do a fresh OS install and also recover from backups.
Several tools are available on the Internet which enables a seasoned or a novice cyberpunk to determine a make use of and also gain access to a web server. The most common of them are:

IPP (Internet Printing Protocol) – makings use the IPP barrier overflow. The hacking application sends a real string that overflows the pile and opens up a home window to implement personalized covering code. It attaches the CMD.EXE file to a specified port on the enemy’s side and also the hacker is offered with a command covering as well as system accessibility.

UNICODE and CGI-Decode – where the cyberpunk makes use of the web browser on his/her computer to run harmful manuscripts on the targeted web server. The script is implemented utilizing the IUSR _ account likewise called the “anonymous account” in IIS. Using this kind of manuscripts a directory site transversal attack could be carried out to acquire further access to the system.

Over these years, I’ve seen that most of the time, strikes on a IIS internet server result due to poor web server administration, lack of spot monitoring, negative setup of safety, and so on. It is not the OS or the application to blame however the basic setup of the server is the primary culprit. I’ve laid out listed below a list with an explanation per item. These if followed correctly would help stop great deal of internet strikes on an IIS web server.

Secure the Operating System
The first action is to safeguard the operating system which runs the internet server. Make certain that the Windows 2003 Server is running the most current service pack which consists of a variety of key safety improvements.

Constantly utilize NTFS File System
NTFS documents system supplies granular control over individual permissions and also allows you offer individuals just accessibility to what they absolutely need on a file or inside a folder.

Remove Unwanted Applications and Services
The more applications as well as solutions that you run on a server, the bigger the assault surface area for a potential intruder. As an example, if you do not require File and also Printer sharing abilities on your common organizing platform, disable that solution.

Use Least Privileged Accounts for Service
Constantly utilize the neighborhood system make up starting services. By default Windows Server 2003 has decreased the need for service accounts in numerous instances, yet they are still required for some third-party applications. Use local system accounts in this case instead of using a domain account. Using a neighborhood system account implies you are consisting of a breach to a solitary web server.

Rename Administrator as well as Disable Guest
Make sure that the default account called Guest is handicapped even though this is a much less privileged account. Furthermore, the Administrator account is the favorite targets for hackers and also a lot of the destructive manuscripts available utilize this to exploit and at risk web server. Rename the administrator account to another thing so that the manuscripts or programs that have a check for these accounts hard-coded fail.

Disable NetBIOS over TCP/IP as well as SMB
NetBIOS is a broadcast-based, non-routable and unconfident method, and also it ranges poorly mostly because it was created with a flat namespace. Web web servers and also Domain Name System (DNS) servers do not need NetBIOS as well as Server Message Block (SMB). This method ought to be impaired to minimize the danger of user list.

To disable NetBIOS over TCP/IP, right click the network link encountering the Internet and also choose Properties. Open the Advanced TCP/IP settings and also most likely to the WINS tab. The choice for disabling NetBIOS TCP/IP ought to be noticeable now.

To disable SMB, merely uncheck the File as well as Print Sharing for Microsoft Networks and also Client for Microsoft Networks. A word of caution though – if you are making use of network shares to save material miss this. Only do this if you make sure that your Web Server is a stand-alone server.

Schedule Patch Management
Make a strategy for patch management and stay with it. Register for Microsoft Security Notification Service ( to remain upgraded on the current release of spots as well as updates from Microsoft. Configure your web server’s Automatic Update to notify you on availability of new spots if you want to review them prior to installment.

Run MBSA Scan
This is among the finest means to identify safety problems on your servers. Download and install the Microsoft Base Line Security device and run it on the server. It will offer you details of security problems with individual accounts, approvals, missing out on patches and updates and a lot more.

That’s it to the basic of protecting the os. There are extra fixes which can be carried out for additional protecting the server yet they are beyond the range of this write-up. Allow’s currently proceed to safeguarding the IIS web server.

IIS 6.0 when configuration is secured by default. When we claim this, it implies that when a fresh installation of IIS is done, it prevents scripts from running on the internet server unless specified. When IIS was initially set up, it offers just HTML web pages, and all dynamic web content is obstructed by default. This indicates that the internet server will certainly not serve or analyze vibrant pages like ASP, ASP.NET, and so on. Because that is not just what a web server is implied to do, the default configuration is changed to enable these extensions. Below are some standard points that assist you to safeguarding the internet server even more:

Newest Patches as well as Updates
Make sure that the most recent patches, updates and service packs have been set up for.NET Framework. These spots and also updates take care of great deal of problems which boosts the security of the internet server.

Separate Operating System
Do not run your internet server from the default InetPub folder. If you have the option to partition your hard drives then make use of the C: drive for Operating System data and also shop all your customer website on one more dividers. Transfer internet root directories and virtual directory sites to a non-system dividers in order to help protect against directory site traversal strikes.

IISLockDown Tool
There are some benefits to this tool and there are some disadvantages, however, so utilize it very carefully. If your web server communicates with other web servers, test the lockdown tool making sure it is set up so that connectivity to backend services is not shed.

Permissions for Web Content
Make sure that Script Source Access is never ever enabled under an internet site’s residential or commercial property. If this alternative is allowed, users can access resource data. If Read is chosen, source can be reviewed; if Write is selected, resource can be contacted. To guarantee that it is impaired, open IIS, appropriate click the Websites folder and pick Properties. Clear the check box if it is enabled as well as circulate it to all kid websites.

Enable Only Required Web Server Extensions
IIS 6.0 by default does not enable any vibrant content to be parsed. To enable a vibrant web page to be carried out, you require to enable the pertinent extension from the Web Service Extensions property web page. Constantly ensure that “All Unknown CGI Extensions” and also “All Unknown ISAPI Extensions” are handicapped constantly. If WebDAV as well as Internet Data Connector are not needed, disable that as well.Image result for web scripts

Disable Parent Paths
This is the most awful of all and also thanks to Microsoft, it is disabled in IIS 6.0 by default. The Parent Paths option permits developers to utilize “.” in phone calls to features by permitting courses that are about the present directory making use of the. symbols. Establishing this property to True could comprise a security risk since a consist of path can access critical or confidential documents outside the origin directory of the application. Given that many of the programmers as well as third-party readymade applications utilize this notation, I leave it up to you to make a decision if this should be enabled or disabled. The workaround to Parent Paths is to make use of the Server.MapPath alternative in your dynamic manuscripts.

Disable Default Web Site
Otherwise required, stop the Default Web Site which is produced when IIS 6.0 is installed or alter the property of Default Web Site to work on a details IP address along with a Host Header. Never maintain it running on All Unassigned as many of the prefabricated hacking plans determine an at risk web server from IP address instead of a domain. If your Default Web Site is operating on All Unassigned, it implies that it can serve content over an IP address in the URL as opposed to the domain name.

Use Application Isolation
I like this function in IIS 6.0 which enables you to separate applications in application swimming pools. By producing new application swimming pools as well as designating website and also applications to them, you can make your web server a lot more reliable and reliable as it guarantees that applications or websites do not obtain influenced as a result of a damaged application running under that swimming pool.

All of the previously mentioned IIS suggestions and also tools are natively readily available in Windows. Always remember to attempt just individually before you check your Web availability. It might be devastating if all of these were executed at the same time making you wonder what is creating a problem in case you begin having concerns.

Final tip: Go to your Web web server as well as Run “net start -an” (without quotes) at the command line. Observe just how several various IP addresses are attempting to get connection to your machine, mostly using port 80. If you see that you have actually IP addresses developed at a variety of higher ports, then you’ve already got a bit of exploring to do.

Posted in Web

Leave a Reply

Your email address will not be published. Required fields are marked *