-
December 11th, 2002, 12:29 AM
#1
Junior Member
IIS Port 80
Hey, I'd really like some help securing my simple web page running on IIS/win2k prof. I know a fw isn't enough, but I have limited ability to change the security settings because it isn't win2k server. I don't want to expose the other pcs on the LAN, or get the host destroyed...well at least I want to slow them down as much as possible. I'm using a fw appliance with the host IP open to HTTP from anywhere.
thanks!
-
December 11th, 2002, 01:04 AM
#2
Well, there are lots of issues with securing IIS. First concern, make sure your box is FULLY patched. Also, you want to pay careful attention to how you set the permissions (NTFS and settings inside IIS itself). Also, Microsoft has 2 tools that may help you out. One is called IIS Lockdown, and the other is called URLScan. Both should be available from the downloads section of microsoft.com; I don't know if they run on Windows 2000 Pro or not.
Microsoft has a decent technet document for securing your IIS server here.
http://www.microsoft.com/technet/tre...g/securiis.asp
Some of it is obviously not applicable, as it talks about Active Directory and other stuff, but a lot of it should help you out.
-
December 11th, 2002, 02:12 AM
#3
You're correct in your assumption that a firewall is not adequate when it comes to webserver security.
IchNiSan has given you some good comments, and I suggest that you follow IchNiSan's suggestions to a tee.
You may also want to dig up some doco on the web on hardening a Win2k machine. If you are not familiar with the term hardening, basically it is locking down the OS and running only the services that are essential in running the webserver.
You should be able to find a whole heap of stuff in the forums on hardening or securing a Win2K server.
Good luck!!!
SoggyBottom.
"There were so many fewer questions when the stars were still just the holes to heaven" - JJ
"I sure could use a vacation from this bull$hit, three ringed circus side show of freaks." - Tool
-
December 12th, 2002, 10:50 AM
#4
Member
Also, you might want to log everything; logs are an admin's best friend.. =)
Only bummer is my IIS logs are around 1 GB per month... heh, but it's well worth it...
-
December 12th, 2002, 05:19 PM
#5
First thing to do is make your IIS appear as an Apache server; this will fool a lot of people! I'm not sure how it is done, but try Google for it.
The second point is: is the web site you are putting on the server secure? If it's plain HTML then there's no problem; if you have written it in ASP or something similar then there might be problems. So what is the web site written in?
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
December 12th, 2002, 05:43 PM
#6
I suggest not using FrontPage. Remove all FrontPage extensions from your computer and all the MS default and example stuff from the directory. Have only what you intend to use in the www folder and don't allow browsing the directory.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
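Posts #4 and #6 above suggest logging everything and removing the IIS default/sample directories. The script below is an added example, not code from this thread or from any of the posters: it parses IIS W3C extended log lines using the `#Fields:` directive for column names, then flags clients that request the default virtual directories (which should no longer exist after cleanup), send path-traversal sequences (decoded twice, so `%255c` style double encoding is caught), or rack up many 404s. The log lines, IP addresses and threshold are constructed for the example.

```python
"""Scan IIS W3C extended log lines for signs of probing (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the W3C extended format IIS writes; IPs are from
# documentation ranges, and the probing client is invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-12 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-12 00:00:01 192.0.2.10 GET /index.htm - 200
2002-12-12 00:00:02 192.0.2.10 GET /images/logo.gif - 200
2002-12-12 00:00:05 198.51.100.7 GET /scripts/..%5c../winnt/ - 404
2002-12-12 00:00:06 198.51.100.7 GET /msadc/ - 404
2002-12-12 00:00:07 198.51.100.7 GET /_vti_bin/ - 404
2002-12-12 00:00:09 203.0.113.5 GET /about.htm - 200
"""

# Default IIS 4/5 virtual directories that IIS Lockdown removes. Once they
# are gone, any request for them is reconnaissance, not a real visitor.
DEFAULT_DIRS = ("/scripts/", "/msadc/", "/iissamples/", "/iisadmpwd/", "/_vti_bin/")
TRAVERSAL = re.compile(r"\.\.[\\/]")  # "../" or "..\" after decoding


def parse_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no entries
        if fields is None:
            raise ValueError("log entry appears before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated entry, e.g. the log was rotated mid-write
        yield dict(zip(fields, values))


def classify(entry):
    """Return the reasons an entry looks like probing (empty list if clean)."""
    reasons = []
    stem = entry.get("cs-uri-stem", "")
    decoded = unquote(unquote(stem))  # double-decode: %255c -> %5c -> backslash
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if any(decoded.lower().startswith(d) for d in DEFAULT_DIRS):
        reasons.append("default-dir")
    return reasons


def scan(text, not_found_threshold=3):
    """Summarise per client IP: request count, 404 count and flagged reasons."""
    report = defaultdict(lambda: {"requests": 0, "not_found": 0, "reasons": set()})
    for entry in parse_w3c(text):
        client = report[entry["c-ip"]]
        client["requests"] += 1
        if entry.get("sc-status") == "404":
            client["not_found"] += 1
        client["reasons"].update(classify(entry))
    for client in report.values():
        if client["not_found"] >= not_found_threshold:
            client["reasons"].add("404-burst")
    return dict(report)


if __name__ == "__main__":
    for ip, info in sorted(scan(SAMPLE_LOG).items()):
        flags = ", ".join(sorted(info["reasons"])) or "clean"
        print(f"{ip:15} requests={info['requests']} 404s={info['not_found']} {flags}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `#Fields:` handling matters because IIS lets you choose which columns are logged, so hard-coding column positions breaks as soon as the logging settings change. The 404 threshold is deliberately low for the short sample and should be raised for a busy site.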
-
December 12th, 2002, 07:52 PM
#7
First thing to do is make your IIS appear as an Apache server
I disagree entirely. This is effectively trying to practise "security by obscurity". You might fool a few people, but viruses/worms (and presumably skiddie tools too) are so stupid they'll attack your server regardless of its signature.
Hiding the signature of a server does not help security, contrary to popular belief. Someone can work out what the server is running anyway by fingerprinting rather than reading the banner.
Also, the signature of IIS cannot be hidden by "official" means, so you will have to install some dodgy third party piece of software, which is a risk in itself.
-
December 13th, 2002, 12:36 AM
#8
Sorry, I should have made it a bit clearer: the masking of the server should also be done with other security measures, i.e. patching and the correct configuration of the server. Slarty, you are right, on its own it is no good.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
December 13th, 2002, 03:58 AM
#9
Install the service pack before you put it on your network! Due to a miscommunication we put a W2K server live on our network (unpatched). It only took 8 minutes for the server to be infected with Nimda.
-
December 13th, 2002, 01:46 PM
#10
There is also one tool called MS Security Baseline.. it basically scans your box for any MS security flaws... especially for IIS.