
Thread: IIS Port 80

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    3

    IIS Port 80

    Hey, I'd really like some help securing my simple web page running on IIS/Win2k Prof. I know a FW isn't enough, but I have limited ability to change the security settings because it isn't Win2k Server. I don't want to expose the other PCs on the LAN, or get the host destroyed...well at least I want to slow them down as much as possible. I'm using a FW appliance with the host IP open to HTTP from anywhere.

    thanks!

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Well, there are lots of issues with securing IIS. First concern, make sure your box is FULLY patched. Also, you want to pay careful attention to how you set the permissions (NTFS and settings inside IIS itself). Also, Microsoft has 2 tools that may help you out. One is called IIS Lockdown, and the other is called URLScan. Both should be available from the downloads section of microsoft.com; I don't know if they run on Windows 2000 Pro or not.

    Microsoft has a decent technet document for securing your IIS server here.

    http://www.microsoft.com/technet/tre...g/securiis.asp

    Some of it is obviously not applicable, as it talks about Active Directory and other stuff, but a lot of it should help you out.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    You're correct in your assumption that a firewall is not adequate when it comes to webserver security.

    IchNiSan has given you some good comments, and I suggest that you follow IchNiSan's suggestions to a tee.

    You may also want to dig up some docs on the web on hardening a Win2k machine. If you are not familiar with the term hardening, basically it is locking down the OS and running only the services that are essential to running the webserver.

    You should be able to find a whole heap of stuff in the forums on hardening or securing a Win2K server.

    Good luck!!!
    SoggyBottom.

    "There were so many fewer questions when the stars were still just the holes to heaven" - JJ
    "I sure could use a vacation from this bull$hit, three ringed circus side show of freaks." - Tool

  4. #4
    Also you might want to log everything; logs are an admin's best friend.. =)
    The only bummer is my IIS logs are around 1 GB per month... heh, but it's well worth it...
    Missing 'em ol' BBS days!
    Virtus - Splashgame.org
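To show what "log everything" buys you in practice, here is an added example (not code from the thread or from any poster) that parses IIS W3C Extended log records and flags the kind of worm-style probing the thread is worried about: requests for cmd.exe or root.exe, directory traversal (including double-encoded forms like %255c), and clients that rack up a burst of 404s. The log lines are constructed for the example; the field list, file layout and threshold are assumptions, so adjust them to the fields your own IIS logging is configured to write.

```python
"""Scan IIS W3C Extended log records for worm-style probing (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the IIS 5.0 W3C Extended format; not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-10 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-12-10 00:00:01 10.0.0.5 GET /index.html - 200 Mozilla/4.0
2002-12-10 00:00:02 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0
2002-12-10 00:01:10 192.0.2.44 GET /scripts/root.exe /c+dir 404 -
2002-12-10 00:01:10 192.0.2.44 GET /MSADC/root.exe /c+dir 404 -
2002-12-10 00:01:11 192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2002-12-10 00:01:11 192.0.2.44 GET /_vti_bin/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-12-10 00:01:12 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2002-12-10 00:02:00 10.0.0.7 GET /about.html - 200 Mozilla/4.0
"""

# Path patterns that legitimate requests to a static site never contain:
# a shell binary name or a parent-directory step.
SUSPICIOUS_STEM = re.compile(r"(cmd\.exe|root\.exe|\.\./|\.\.\\)", re.IGNORECASE)


def decode_uri(uri, rounds=3):
    """Percent-decode repeatedly so double encoding (%255c -> %5c -> \\) is unwrapped.

    The round limit keeps a deliberately deep encoding from looping forever.
    """
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may emit a new #Fields: line mid-file
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log record seen before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or partially written record; skip rather than misalign
        yield dict(zip(fields, values))


def scan_log(text, not_found_threshold=3):
    """Return suspicious requests and clients with >= threshold 404s."""
    hits = []
    not_found = Counter()
    for rec in parse_w3c(text):
        stem = decode_uri(rec.get("cs-uri-stem", ""))
        if SUSPICIOUS_STEM.search(stem):
            hits.append({"c-ip": rec["c-ip"], "uri": rec["cs-uri-stem"], "decoded": stem})
        if rec.get("sc-status") == "404":
            not_found[rec["c-ip"]] += 1
    noisy = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    return {"hits": hits, "noisy_clients": noisy}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for hit in report["hits"]:
        print(f"suspicious: {hit['c-ip']} -> {hit['uri']}")
    for ip, count in report["noisy_clients"].items():
        print(f"noisy client: {ip} ({count} x 404)")
```

Two design points matter here. Decoding the path before matching is what catches the double-encoded traversal; matching the raw cs-uri-stem would miss it. And the 404 counter is a second, pattern-free signal: a scanner guessing paths on a small static site produces a burst of 404s from one address even when its requests match none of the known strings, so the two rules together give you coverage of both the worm you know and the one you do not.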

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    First thing to do is make your IIS appear as an Apache server; this will fool a lot of people! I'm not sure how it is done, but try Google for it.

    The second point is: is the web site you are putting on the server secure? If it's plain HTML then there's no problem; if you have written it in ASP or something similar then there might be problems. So what is the web site written in?

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I suggest not using FrontPage. Remove all FrontPage extensions from your computer and all the MS default and example stuff from the directory. Have only what you intend to use in the www folder and don't allow browsing the directory.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    "First thing to do is make your IIS appear as an Apache server"
    I disagree entirely. This is effectively trying to practice "security by obscurity". You might fool a few people, but viruses/worms (and presumably skiddie tools too) are so stupid they'll attack your server regardless of its signature.

    Hiding the signature of a server does not help security, contrary to popular belief. Someone can work out what the server is running anyway by fingerprinting rather than reading the banner.

    Also, the signature of IIS cannot be hidden by "official" means, so you will have to install some dodgy third-party piece of software, which is a risk in itself.

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    Sorry, I should have made it a bit clearer: the masking of the server should also be done with other security measures, i.e. patching and the correct configuration of the server. Slarty, you are right; on its own it is no good.

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    Install the service pack before you put it on your network! Due to a miscommunication we put a W2k server live on our network (unpatched). It only took 8 minutes for the server to be infected with Nimda.

  10. #10
    s0nIc (Fastest Thing Alive)
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    There is also one tool called MS Security Baseline.. it basically scans your box for any MS security flaws... especially for IIS.
