The following steps may be followed to install and secure an NT IIS 4.0 Server:
The information below addresses the installation of a basic IIS Web Server. It does not cover every potential
configuration of IIS and its related services. Be sure to read Microsoft's latest version of the IIS 4.0
Security Checklist for additional recommendations. When you're finished reading it, read it again.
Install NT from original installation media (via CD or network share)
Install NT as a standalone server. Where possible, do not make it a domain controller or a member of a domain. Make sure the server is not directly connected to the Internet during install.
Install NT 4.0 Operating System on an NTFS partition
Installing the OS on an NTFS partition will allow us to further secure critical files and directories using Access Control Lists (ACLs). NT can be installed on a FAT partition and this partition can later be "converted" to NTFS; however, the default ACLs are not applied during the conversion process. If this is the case, the scripts discussed below can assist in setting proper file and directory permissions.
DO NOT use the default installation paths.
If at all possible, install your system files to a partition other than C: and a folder other than WINNT.
Place your Inetpub folder on a separate partition from your system folder.
DO NOT set a password for the administrator account during installation
This will be set later.

Install necessary protocols
If you don't need NetBEUI or IPX/SPX, don't install them.

Configure network cards and video adapters as needed
(Many video drivers must be installed after updating the system with Service Pack 3 or above.)
Install Service Pack 6a (SP6a) and related Hotfixes
See NT6a Patches. This page contains detailed information on Service Pack 6a and its related hotfixes. Then apply the Post-SP6a Security Rollup. Next, apply any hotfixes not included in the Post-SP6a Security Rollup.

Install Internet Explorer 4.01 SP2
The Option Pack includes IE 4.01 SP1; however, it is recommended to install SP2, available here. DO NOT install IE5. DO NOT install Active Desktop. Reboot as needed.

Install the NT Option Pack
Choose custom installation. DO NOT install the sample applications and directories. REPEAT: DO NOT install sample applications and directories. Reboot as needed.

Re-apply Service Pack 6a and Hotfixes
Reboot.

Install MDAC 2.1 SP2
Available here. Reboot.
Disable / remove all sample applications and directories
if you installed them above (and didn't heed the warnings!)

| Item | Location |
| --- | --- |
| IIS | ?\inetpub\iissamples |
| IIS SDK | ?\inetpub\iissamples\sdk |
| Admin Scripts | ?\inetpub\AdminScripts |
| Data access | ?\Program Files\Common Files\System\msadc\Samples |
Apply the following additional Registry Keys (all values are REG_DWORD):

| Key | Value name | Data |
| --- | --- | --- |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem | NtfsDisable8dot3NameCreation | 1 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | SSIEnableCmdDirective | 0 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters | DynamicBacklogGrowthDelta | 10 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters | EnableDynamicBacklog | 1 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters | MinimumDynamicBacklog | 20 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters | MaximumDynamicBacklog | not to exceed 5000 for each 32MB RAM |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | EnableDeadGWDetect | 0 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | EnableICMPRedirect | 0 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | EnablePMTUDiscovery | 0 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | KeepAliveTime | 300000 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | IGMPLEVEL | 0 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\Parameters | MaxClientRequestBuffer | 16384 |
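Once the keys are set, it is worth verifying them against an export rather than eyeballing Regedit. The script below is an added example, not part of the original checklist or any Microsoft tool: it parses a REGEDIT4-format export (the format `regedit /e` produces on NT 4.0) and reports every checklist value that is missing or differs, and it applies the RAM-dependent ceiling for MaximumDynamicBacklog. The `ram_mb` argument, the finding labels and the embedded sample export are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
FS_KEY = HKLM + r"\Control\FileSystem"
W3SVC_KEY = HKLM + r"\Services\W3SVC\Parameters"
AFD_KEY = HKLM + r"\Services\AFD\Parameters"
TCPIP_KEY = HKLM + r"\Services\Tcpip\Parameters"

# Fixed DWORD values from the checklist above. MaximumDynamicBacklog is not
# listed here because the checklist gives it a RAM-dependent ceiling, not a value.
CHECKLIST: Dict[Tuple[str, str], int] = {
    (FS_KEY, "NtfsDisable8dot3NameCreation"): 1,
    (W3SVC_KEY, "SSIEnableCmdDirective"): 0,
    (AFD_KEY, "DynamicBacklogGrowthDelta"): 10,
    (AFD_KEY, "EnableDynamicBacklog"): 1,
    (AFD_KEY, "MinimumDynamicBacklog"): 20,
    (TCPIP_KEY, "EnableDeadGWDetect"): 0,
    (TCPIP_KEY, "EnableICMPRedirect"): 0,
    (TCPIP_KEY, "EnablePMTUDiscovery"): 0,
    (TCPIP_KEY, "KeepAliveTime"): 300000,
    (TCPIP_KEY, "IGMPLEVEL"): 0,
    (W3SVC_KEY, "MaxClientRequestBuffer"): 16384,
}
MAX_BACKLOG_PER_32MB = 5000  # "not to exceed 5000 for each 32MB RAM"

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """Parse a REGEDIT4-format export into {(key, name): value}.

    Only dword values are collected. Key paths and value names are lowercased
    because the registry is case-insensitive (the checklist writes both
    W3SVC and w3svc).
    """
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = DWORD_LINE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(values: Dict[Tuple[str, str], int], ram_mb: int) -> List[str]:
    """Return one finding per checklist item that is missing, wrong or over its cap."""
    findings: List[str] = []
    for (key, name), wanted in CHECKLIST.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append(f"MISSING  {key}\\{name} (want {wanted})")
        elif actual != wanted:
            findings.append(f"MISMATCH {key}\\{name} = {actual} (want {wanted})")
    # RAM-dependent ceiling: 5000 per full 32MB of RAM.
    cap = MAX_BACKLOG_PER_32MB * (ram_mb // 32)
    backlog = values.get((AFD_KEY.lower(), "maximumdynamicbacklog"))
    if backlog is None:
        findings.append(f"MISSING  {AFD_KEY}\\MaximumDynamicBacklog (cap {cap} for {ram_mb}MB)")
    elif backlog > cap:
        findings.append(f"EXCEEDS  {AFD_KEY}\\MaximumDynamicBacklog = {backlog} (cap {cap} for {ram_mb}MB)")
    return findings


# Constructed sample export: SSIEnableCmdDirective left on, KeepAliveTime
# never set, and MaximumDynamicBacklog (0x4e20 = 20000) too high for a 64MB box.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"SSIEnableCmdDirective"=dword:00000001
"MaxClientRequestBuffer"=dword:00004000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DynamicBacklogGrowthDelta"=dword:0000000a
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:00000014
"MaximumDynamicBacklog"=dword:00004e20

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableDeadGWDetect"=dword:00000000
"EnableICMPRedirect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000000
"IGMPLevel"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT), ram_mb=64):
        print(finding)
```

On a real server, export the four keys with `regedit /e`, concatenate the files, and pass the text to `parse_reg_export`; `audit` then prints only what still needs attention.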
Rename the Administrator account and Set a Password
Create a strong seven or fourteen character password for the administrator account.
Unbind NetBIOS from TCP/IP
on the Internet connected NIC.
- Go to Control Panel | Network | Bindings.
- Choose to View Bindings for "All Adapters".
- Expand each adapter.
- Highlight "WINS Client(TCP/IP)" for the Internet connected interface and select 'Disable'.
Disable Unnecessary Services
Disable the following services in Control Panel | Services:
- Alerter
- ClipBook Server
- Computer Browser
- DHCP Client
- Messenger
- NetBIOS Interface
- NetLogon
- Network DDE & Network DDE DSDM
- Scheduler
- Server Service
- Simple TCP/IP Services
- Spooler
- TCP/IP NetBIOS Helper
- WINS Client (TCP/IP)
- Workstation Service
Choose appropriate authentication methods
- Anonymous
- Basic
- Windows NT Challenge/Response
- Client Certificates
Refer to Microsoft Knowledge Base Article Q229694 for further details.
Set virtual directory permissions
per Microsoft's Securing IIS document:

| Content type | Extensions | ACL |
| --- | --- | --- |
| CGI etc. | .EXE, .DLL, .CMD, .PL | Everyone (X); Administrators (Full Control); System (Full Control) |
| Script files | .ASP etc. | Everyone (X); Administrators (Full Control); System (Full Control) |
| Include files | .INC, .SHTML, .SHTM | Everyone (X); Administrators (Full Control); System (Full Control) |
| Static content | .HTML, .GIF, .JPEG | Everyone (R); Administrators (Full Control); System (Full Control) |
Set IIS Log File ACLs
per Microsoft's Securing IIS document:

| Content type | Extensions | ACL |
| --- | --- | --- |
| Log files | .LOG | Administrators (Full Control); System (Full Control) |

Disable unused ISAPI handlers
Apply the Post SP5 IIS 4.0 Patch Rollup
Q301625i.exe

Run HFNetChk on your server
Apply any missing patches.

Copyright 2006, SecurityFocus