IIS Port 80
Results 1 to 10 of 10

Thread: IIS Port 80

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    3

    IIS Port 80

    Hey, I'd really like some help securing my simple web page running on IIS/win2k prof. I know a fw isn't enough, but I have limited ability to change the security settings because it isn't win2k server. I don't want to expose the other pcs on the LAN, or get the host destroyed...well at least I want to slow them down as much as possible. I'm using a fw appliance with the host IP open to HTTP from anywhere.

    thanks!

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Well, there are lots of issues with securing IIS. First concern, make sure your box is FULLY patched. Also, you want to pay carefull attention to how you set the permissions(NTFS and settings inside IIS itself). Also, microsoft has 2 tools that may help you out. One is called IIS Lockdown, and the other is called URLScan. both should be available from the downloads section of microsoft.com, I dont know if they run on windows 2000 pro or not.

    Microsoft has a decent technet document for securing your IIS server here.

    http://www.microsoft.com/technet/tre...g/securiis.asp

    Some of it is obviously not applicable, as it talks about active directory and other stuff, but, alot of it should help you out.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Your correct in your assumption that a Firewall is not adequate when it comes to webserver security.

    IchNiSan has given you some good comments, and I suggest that you follow IchNiSans suggestions to a tea.

    You may also want to dig up some doco on the web on hardening a Win2k machine. If you are not familiar with the term hardening, basically it is locking down the OS and running only the services that are essential in running the webserver.

    You should be able to find a whole heap of stuff in the forums on hardening or securing a Win2K server.

    Good luck!!!
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  4. #4
    Also you might want to log everything, logs are a admins best friend.. =)
    only bummer is my iis logs are around 1gb pr month... heh but its well worth it...
    Missing em ol BBS' days!
    Virtus - Splashgame.org

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    first thing to do is make your IIS appear as and apache sever, this will fool at lot of people! I'm not sure how it is done but try google for it.

    The second point is is the web site you are putting on the server secure. If it's plan HTML then there no problem, if you have written it in ASP or something simular then there might be problems. So what is the web site written in?

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I suggest not using frontpage. Remove all front page extentions from your computer and all the ms default and example stuff from the directory. Have only what you intend to use in the www folder and don’t allow browsing the directory.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    first thing to do is make your IIS appear as and apache sever
    I disagree entirely. This is effectively trying to practise "security by obscurity". You might fool a few people, but viruses/worms (and presumably skiddie tools too) are so stupid they'll attack your server regardless of its signature.

    Hiding the signature of a server does not help security, contrary to popular belief. Someone can work out what the server is running anyway by fingerprinting rather than reading the banner.

    Also the signature of IIS cannot be hidden by "official" means so you will have to install some dodgey third party piece of software, which is a risk in itself.

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    sorry I should have made it a bit clearer, the masking of the server should also be done with other security measures, it patching, and the correct configuration of the server. Slarty you are right on it's own it is no good.

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    Install the service pack before you put it on your network! Due to a miscommunication we put a w2k server live on our network (unpatched). It only took 8 minutes for the server to be infected with nimda.

  10. #10
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    There is also one tool called MS Securty Baseline.. it basically scans your box for any MS Security flaws... especially for IIS.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides