Hardening of the Web Server and Operating System
Windows 2003 and later server editions are highly recommended because of enhanced security and stability over Windows 2000 server. Follow the guidelines from Microsoft to harden the web server and the base operating system. The IISLockdown tool available from Microsoft’s download site can be used to automate several security steps in order to reduce the vulnerability of the Windows 2000 web server. General recommendations from Microsoft include:
Apply the latest patches to the operating system and Internet Information Services. Use the Microsoft Baseline Security Analyzer (MBSA) to detect patches and updates that may be missing from the current installation.
Do not install IIS as part of the operating system installation. Rather, install it later, after you have updated and patched the base operating system. Then install IIS, apply patches, and harden the IIS configuration.
When installing IIS, do not install File Transfer Protocol (FTP Server), Microsoft FrontPage 2000 Server Extensions, Internet Service Manager (HTML), NNTP Service, or Visual InterDev RAD Remote Deployment Support. However, SMTP needs to be installed to support the email capability of Web Plus.
Disable unnecessary protocols: Disable NetBIOS and SMB on the Internet-facing network interface card (NIC); remove Web Distributed Authoring and Versioning (WebDAV).
Delete or disable unused accounts: Rename the Administrator account, disable the Guest account, disable the IUSR account, create a custom anonymous Web account, enforce strong password policies, restrict remote logons, and disable Null sessions. The custom anonymous account created to replace the IUSR account should have the least privilege. If you run IISLockdown, add your custom user to the Web Anonymous Users group that it creates. IISLockdown denies the Web Anonymous Users group access to system utilities and the ability to write to Web content directories.
Use strong access controls to protect sensitive files and directories. Set access at the directory level whenever possible.
Ensure that only the .NET Framework Redistributable package is installed on the server and that no SDK utilities are installed. Do not install Visual Studio .NET on production servers. Debugging tools should not be available on the web server. Ensure that access to powerful system tools and utilities, such as those contained in the \Program Files directory, is restricted. Remove all the sample files.
Relocate Web roots and virtual directories to a non-system partition to protect against directory traversal attacks.
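The following PowerShell audit script is an added example, not part of the original guideline and not Microsoft's tooling; it checks several of the items above on the local web server through WMI and the registry and reports PASS/FAIL per check. The custom anonymous account name, the web root path and the IIS sample directory are placeholders or assumed defaults that you adjust for your server.

```powershell
# Added audit script (not part of the original guideline). Checks a subset of the
# hardening items above on the local web server via WMI and the registry and
# reports PASS/FAIL per check. Assumes it runs in a local administrator session.
$CustomAnonymousAccount = 'WebAnonUser'   # placeholder: your replacement for IUSR
$WebRoot                = 'D:\WebSites'   # placeholder: relocated web root

$script:results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

# Services: FTP and NNTP must not be installed; SMTP is required by Web Plus.
$services = Get-WmiObject Win32_Service | ForEach-Object { $_.Name }
foreach ($svc in 'MSFTPSVC', 'NntpSvc') {
    Add-Result "Service $svc not installed" (-not ($services -contains $svc)) 'Win32_Service'
}
Add-Result 'Service SMTPSVC installed' ($services -contains 'SMTPSVC') 'needed for Web Plus email'

# Accounts: Administrator and Guest are located by their well-known RIDs (500, 501),
# so a renamed Administrator is still found and verified as renamed.
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = TRUE"
$admin = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
$guest = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
Add-Result 'Administrator account renamed' ($admin.Name -ne 'Administrator') $admin.Name
Add-Result 'Guest account disabled' ([bool]$guest.Disabled) $guest.Name
foreach ($a in ($accounts | Where-Object { $_.Name -like 'IUSR_*' })) {
    Add-Result "IUSR account $($a.Name) disabled" ([bool]$a.Disabled) $a.Name
}
$custom = $accounts | Where-Object { $_.Name -eq $CustomAnonymousAccount }
Add-Result "Custom anonymous account $CustomAnonymousAccount exists" ($null -ne $custom) ''

# Null sessions: RestrictAnonymous under the LSA key must be set (1 on Windows 2003).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Result 'Null sessions restricted' ($lsa.RestrictAnonymous -ge 1) "RestrictAnonymous=$($lsa.RestrictAnonymous)"

# Web root must live on a partition other than the system partition.
$webDrive = (Split-Path -Qualifier $WebRoot).TrimEnd(':')
Add-Result 'Web root on non-system partition' ($webDrive -ne $env:SystemDrive.TrimEnd(':')) $WebRoot

# Sample content: the default IIS sample directory (assumed default path) should be gone.
$samples = Join-Path $env:SystemDrive 'Inetpub\iissamples'
Add-Result 'IIS sample files removed' (-not (Test-Path $samples)) $samples

$script:results | Select-Object Check, Result, Detail | Format-Table -AutoSize
```

Any FAIL row maps directly to one of the recommendations above; the script only reads configuration and changes nothing, so it can be re-run after each hardening step.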