Thread: IIS 5.1 on Windows XP

  1. #1 ShagDevil
    IIS 5.1 on Windows XP

    I don't know how many of you guys are running IIS 5.1 on Windows XP to host sites, but I figured I'd run a couple of things by you guys who are.
    For starters, I'm running an Intranet website using IIS 5.1 on XP. We have two 2003 Server DCs, but it's not good practice to set up your IIS on your DCs (simply because you don't want to chance exposing your DCs any more than you have to). So we took an old XP box and set it up there.
    It works fine, but I learned a few tricks along the way that I'm not sure you guys may know of. My guess is that you already know about the IIS Lockdown tool (if not, go here). Also, by default, IIS 5.1 (which comes with XP) is defaulted to only allow 10 connections (other users will get an error if they attempt to connect past that limit). If you download MetaEdit 2.2, you can edit the metabase key MaxConnections for W3SVC and set it to anything less than 40.
    As I keep learning more tips and/or tricks, I'll let you guys know.

    I almost forgot to mention that SnapFiles has some IIS add-ons. One I was interested in was IIS Password, but after reading the EULA, it seemed that it came bundled with adware. Check it out and see what you think: SnapFiles IIS Add-Ons
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
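The MaxConnections change described in the post above can be scripted instead of clicked through in MetaEdit. The following is an added example and not code from the post; it assumes PowerShell is installed on the XP box, that it runs as a local administrator, and that the IIS ADSI provider (installed with IIS 5.1) is available. The hostname `localhost` and the new limit of 40 are example values.

```powershell
# Added example (not from the original post): read and raise the W3SVC
# MaxConnections metabase property through the IIS ADSI provider, then
# verify the value stuck. Assumes: local administrator, IIS 5.1 with its
# ADSI provider present, PowerShell installed on the XP host.

$NewLimit = 40   # the post advises staying at or below 40; IIS 5.1 on XP does not honour larger values

# W3SVC is the metabase node that carries MaxConnections
$w3svc = [ADSI]"IIS://localhost/W3SVC"

$current = $w3svc.MaxConnections
Write-Host "Current MaxConnections: $current"

if ($NewLimit -gt 40) {
    throw "IIS 5.1 on Windows XP will not honour MaxConnections above 40"
}

# Write the new value and commit it to the metabase
$w3svc.Put("MaxConnections", $NewLimit)
$w3svc.SetInfo()

# Re-read from the metabase rather than trusting the cached object
$w3svc.RefreshCache()
$after = $w3svc.MaxConnections
if ([int]$after -ne $NewLimit) {
    throw "MaxConnections did not change (still $after); check permissions and that IIS Admin is running"
}
Write-Host "MaxConnections is now: $after"

# Restart the web service so the new ceiling applies to new connections
iisreset /restart
```

Run it once and keep the output with your change records; the read-back after `SetInfo()` is the part that matters, because a silently ignored write leaves you at the default 10 connections with no error.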

  2. #2 Computernerd22
    Quote (ShagDevil): "As I keep learning more tips and/or tricks, I'll let you guys know."
    What applications are you running? FTP, SMTP, HTTP?
    I know a few tricks myself, security-wise, that is:

    Scan your IIS 5.1 SERVER with IIS Lockdown Wizard 2.1

    IIS Lockdown Wizard is a free tool that works by turning off unnecessary IIS features, thereby reducing the attack surface available to attackers.
    Also, UrlScan 2.5:

    UrlScan version 2.5 is a free security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process.
    The last thing you want the culprit seeing is this:

    The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
    are HTTP methods which are used to debug web server connections.

    It has been shown that servers supporting this method are subject to
    cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
    used in conjunction with various weaknesses in browsers.

    An attacker may use this flaw to trick your legitimate web users to give
    him their credentials.
    More tools can be found here: http://www.download.com/3120-20_4-0....t=IIS&tag=srch

    IIS logging is very important for several obvious reasons; check it daily.

  3. #3 Senior Member
    Hey Hey,

    CN22,

    I find it odd that you mention IIS Lockdown 2.1 and then also mention URLScan... URLScan is included in IIS Lockdown 2.1... no need to obtain it separately... Also, the download link is http://www.microsoft.com/technet/sec.../locktool.mspx



    One of the more important things is updates... but that's true of anything... There are a lot of canned exploits in existence for IIS.... not only that.. but updates for any web apps it's running... These are key... web apps are a common area of entrance for malicious people... If you're running custom apps on it.. make sure you have a proper code audit done...

    I also highly recommend disabling WebDav... IISLockdown can assist with that.

    Peace,
    HT
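Both the TRACE/TRACK scanner finding quoted in post #2 and the WebDAV advice in post #3 come down to which HTTP verbs the server still answers. The following is an added example, not code from either post, that sends raw requests for those verbs and reports whether the server reflected the request (the actual XST tell) or served WebDAV. It assumes you are authorised to probe the host, and the hostname `intranet.example.local` and the marker header `X-Xst-Probe` are made-up values for the example.

```powershell
# Added example (not from the original posts): probe an IIS host for the
# TRACE/TRACK (cross-site tracing) and WebDAV verbs the thread says to disable.
# Assumes: you own or are authorised to test the target; PowerShell with .NET
# sockets available. Target name and marker header are example values.

function Send-RawHttpRequest {
    param([string]$Target, [int]$Port, [string]$Method, [string]$Path = '/')

    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000

    # HTTP/1.0 so the server closes the connection and ReadToEnd() returns.
    # The marker header is what a TRACE/TRACK response echoes back if enabled.
    $request = "$Method $Path HTTP/1.0`r`nHost: $Target`r`nX-Xst-Probe: marker-12345`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
    $stream.Write($bytes, 0, $bytes.Length)

    $reader = New-Object System.IO.StreamReader($stream)
    $response = $reader.ReadToEnd()
    $reader.Close()
    $client.Close()
    return $response
}

function Test-HttpVerb {
    param([string]$Target, [int]$Port, [string]$Method)

    $response = Send-RawHttpRequest -Target $Target -Port $Port -Method $Method
    $statusLine = $response.Split("`n")[0].TrimEnd("`r")
    $status = 0
    if ($statusLine -match '^HTTP/\d\.\d (\d{3})') { $status = [int]$matches[1] }

    # Reflection of our own header in the body = the server echoes requests (XST risk).
    $reflected = $response.IndexOf("X-Xst-Probe: marker-12345") -ge 0

    $finding = 'ok'
    switch ($Method) {
        'TRACE'    { if ($reflected) { $finding = 'TRACE echoes requests: XST exposure' } }
        'TRACK'    { if ($reflected) { $finding = 'TRACK echoes requests: XST exposure' } }
        'PROPFIND' { if ($status -eq 207 -or $status -eq 401) { $finding = 'WebDAV answered: disable it' } }
    }

    New-Object PSObject -Property @{
        Method    = $Method
        Status    = $status
        Reflected = $reflected
        Finding   = $finding
    }
}

# Example run against the XP intranet box (hostname is an assumed value)
$target = 'intranet.example.local'
foreach ($verb in 'TRACE', 'TRACK', 'PROPFIND') {
    Test-HttpVerb -Target $target -Port 80 -Method $verb | Format-List Method, Status, Reflected, Finding
}
```

A 404 on TRACE and TRACK is what UrlScan produces once `UseAllowVerbs=1` is set in urlscan.ini and only GET, HEAD and POST appear under `[AllowVerbs]`; PROPFIND (and the other WebDAV verbs) fall out of the allow list the same way, which is how IISLockdown's "disable WebDAV" option is enforced at the request-filtering layer. Re-run the probe after applying the lockdown so the before/after status lines end up in your records, not just the scanner's word for it.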

  4. #4 ShagDevil
    Computernerd22,
    I'm only running HTTP for my IIS. I didn't install the FTP/SMTP options because I don't need those services. The Intranet this box is hosting is simply for referencing files on the LAN and/or specific site links. I already ran the IIS Lockdown tool because it's highly recommended (I do believe I had mentioned the IIS Lockdown tool and provided a link for it in my previous post, and like HTRegz said, URLScan does indeed come with the IIS Lockdown tool). In any event, should you find anything else, let me know, as I will share anything I find as well.
