ตอน นี้ศึกษาเรื่อง Security อย่างเต็มรูปแบบไปเจอ Check list ของ Microsoft เอาไว้ติดตั้ง IIS Web Serverจำเป็นต้องตรวจสอบว่าตอนนี้Server เรามีช่องทางที่จะโดนhackได้ทางไหนบ้าง เข้าทำนองที่ว่ากันไว้ดีกว่าแก้
How to Use This Checklist
This checklist is a companion to Chapter 16, “Securing Your Web Server.” Use it to help implement a secure Web server, or as a quick evaluation snapshot of the corresponding chapter.
This checklist should evolve with steps that you discover to secure your Web server.
Patches and Updates
| Check |
Description |
 |
MBSA is run on a regular interval to check for latest operating system and components updates. |
|
The latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.) |
|
Subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp. |
IISLockdown
| Check |
Description |
|
IISLockdown has been run on the server. |
|
URLScan is installed and configured. |
Services
| Check |
Description |
|
Unnecessary Windows services are disabled. |
|
Services are running with least-privileged accounts. |
|
FTP, SMTP, and NNTP services are disabled if they are not required. |
|
Telnet service is disabled. |
|
ASP .NET state service is disabled and is not used by your applications. |
Protocols
| Check |
Description |
|
WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, “How To: Create a Secure WebDAV Publishing Directory.” |
|
TCP/IP stack is hardened. |
|
NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445). |
Accounts
| Check |
Description |
|
Unused accounts are removed from the server. |
|
Windows Guest account is disabled. |
|
Administrator account is renamed and has a strong password.. |
|
IUSR_MACHINE account is disabled if it is not used by the application. |
|
If your applications require anonymous access, a custom least-privileged anonymous account is created. |
|
The anonymous account does not have write access to Web content directories and cannot execute command-line tools. |
|
ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.) |
|
Strong account and password policies are enforced for the server. |
|
Remote logons are restricted. (The “Access this computer from the network” user-right is removed from the Everyone group.) |
|
Accounts are not shared among administrators. |
|
Null sessions (anonymous logons) are disabled. |
|
Approval is required for account delegation. |
|
Users and administrators do not share accounts. |
|
No more than two accounts exist in the Administrators group. |
|
Administrators are required to log on locally OR the remote administration solution is secure. |
Files and Directories
| Check |
Description |
|
Files and directories are contained on NTFS volumes. |
|
Web site content is located on a non-system NTFS volume. |
|
Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides. |
|
The Everyone group is restricted (no access to WINNTsystem32 or Web directories). |
|
Web site root directory has deny write ACE for anonymous Internet accounts. |
|
Content directories have deny write ACE for anonymous Internet accounts. |
|
Remote IIS administration application is removed (WINNTSystem32InetsrvIISAdmin). |
|
Resource kit tools, utilities, and SDKs are removed. |
|
Sample applications are removed (WINNTHelpIISHelp, InetpubIISSamples). |
Shares
| Check |
Description |
|
All unnecessary shares are removed (including default administration shares). |
|
Access to required shares is restricted (the Everyone group does not have access). |
|
Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares). |
Ports
| Check |
Description |
|
Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used). |
|
Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure. |
Registry
| Check |
Description |
|
Remote registry access is restricted. |
|
SAM is secured (HKLMSystemCurrentControlSetControlLSANoLMHash). This applies only to standalone servers. |
Auditing and Logging
| Check |
Description |
|
Failed logon attempts are audited. |
|
IIS log files are relocated and secured. |
|
Log files are configured with an appropriate size depending on the application security requirement. |
|
Log files are regularly archived and analyzed. |
|
Access to the Metabase.bin file is audited. |
|
IIS is configured for W3C Extended log file format auditing. |
Sites and Virtual Directories
| Check |
Description |
|
Web sites are located on a non-system partition. |
|
“Parent paths” setting is disabled. |
|
Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed. |
|
MSADC virtual directory (RDS) is removed or secured. |
|
Include directories do not have Read Web permission. |
|
Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account. |
|
There is script source access only on folders that support content authoring. |
|
There is write access only on folders that support content authoring and these folder are configured for authentication (and SSL encryption, if required). |
|
FrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted. |
Script Mappings
| Check |
Description |
|
Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, idc, .htr, .printer). |
|
Unnecessary ASP.NET file type extensions are mapped to “HttpForbiddenHandler” in Machine.config. |
ISAPI Filters
| Check |
Description |
|
Unnecessary or unused ISAPI filters are removed from the server. |
IIS Metabase
| Check |
Description |
|
Access to the metabase is restricted by using NTFS permissions (%systemroot%system32inetsrvmetabase.bin). |
|
IIS banner information is restricted (IP address in content location disabled). |
Server Certificates
| Check |
Description |
|
Certificate date ranges are valid. |
|
Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail). |
|
The certificate’s public key is valid, all the way to a trusted root authority. |
|
The certificate has not been revoked. |
Machine.config
| Check |
Description |
|
Protected resources are mapped to HttpForbiddenHandler. |
|
Unused HttpModules are removed. |
|
Tracing is disabled <trace enable=”false”/> |
|
Debug compiles are turned off.
<compilation debug="false" explicit="true" defaultLanguage="vb">
|
Code Access Security
| Check |
Description |
|
Code access security is enabled on the server. |
|
All permissions have been removed from the local intranet zone. |
|
All permissions have been removed from the Internet zone. |
Other Check Points
| Check |
Description |
|
IISLockdown tool has been run on the server. |
|
HTTP requests are filtered. URLScan is installed and configured. |
|
Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts. |
reference site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_SecWebs.asp
