IIS and NTS 4.0 Hardening Guide

Contents
Overview
Instructions
Table 1: Install & Setup
Table 2: Configuration
Table 3: Hardening
Table 4: Registry Edits
Table 5: Securing Permissions
Table 6: Firewall ACL
Table 7: SSHD
Additional Resources
 

Overview

This document is applicable ONLY to NTS 4.0 running IIS 4.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality.

Instructions

Follow the steps in Tables 1 - 3 to install, setup, configure and harden your NT server. Registry edit instructions are found in Table 4, and special hardening instructions in Tables 5 - 7 for Securing Permissions, Firewall Access Control Lists, and SSHD.

 

Support Tables

 
Table 1: NT Server Installation and Setup
Step
Action
1. Install NT 4.0 Server and Service Pack 6a:
  • NTFS Format ALL partitions.
  • Standalone server, not a PDC.
  • Member of a workgroup, not a domain.
2. Install IE 4.0 SP2 (browser-only install):
  • No active desktop.
3.

Install Option Pack:

Choose custom install and select the following items ONLY:

Internet Information Server
     • Internet Service Manager
     • World Wide Web Server
Microsoft Data Access Components 1.5
     • Data Sources
     • MDAC: ADO, ODBC, and OLE DB
     • Remote Data Service 1.5
          – RDS Core Files
Microsoft Management Console
NT Option Pack Common Files
Transaction Server
     • Transaction Server Core Components

 

4.

Install the latest applicable SP and Hotfixes (as of 07/20/2001):

SP6a Service Pack 6a for Win NT
q241041 Enabling NetBT to Open IP Ports Exclusively
q243404 WINOBJ.EXE May Let You View Securable Objects Created/Opened by JET500.DLL
q243405 Device Drivers Create their Corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN Device Characteristics
q244599 Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6a. Windows NT Appears to Hang When You Log Off After Installing Service Pack 6.
q188806 NTFS Alternate Data Stream Name of a File May Return Source
MS99-039 Domain Resolution and FTP Download Vulnerabilities
MS99-053 Windows Multithreaded SSL ISAPI Filter Vulnerability
MS99-058 Virtual Directory Naming Vulnerability
MS99-061 Escape Character Parsing Vulnerability
MS00-006 Malformed Hit-Highlighting Argument Vulnerability
MS00-018 Chunked Encoding Post Vulnerability
MS00-019 Virtualized UNC Share Vulnerability
MS00-023 Myriad Escaped Characters Vulnerability
MS00-030 Malformed Extension Data in URL Vulnerability
MS00-031 Undelimited .HTR Request and File Fragment Reading via .HTR Vulnerabilities
MS00-057 File Permission Canonicalization Vulnerability
MS00-060 IIS Cross-Site Scripting Vulnerabilities
MS00-063 "Invalid URL" Vulnerability
MS00-080 Session ID Cookie Marking Vulnerability
MS00-086 Web Server File Request Parsing Vulnerability
MS00-100 Malformed Web Form Submission Vulnerability
MS01-004 Malformed .HTR Request Allows Reading of File Fragments
MS01-025 Index Server Search Function Contains Unchecked Buffer
MS01-026 Superfluous Decoding Operation Could Allow Command Execution via IIS
MS01-033 Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise


5.

Install WWW site on separate partition or disk from the operating system.

Choose the Default Local Administration for Transaction Server.

6.

Install the latest compatible version of MDAC (2.6 RTM as of 10/30/00).
 

Table 2: Configuration of the NT Server

Step
Action
7.

Set Permissions:

Use File Manager to recursively set permissions on the root directory of all partitions to:

  • Administrators: FULL CONTROL
  • System: FULL CONTROL
8.

Set Screen Saver:

To protect the console of the server, set up the screen saver for the administrator's profile:

  • Go to Display > Screen Saver > Logon Screen Saver and select Enable Password Protect. Click OK.
9.

Configure Services:

A. Disable the following services:

  • Alerter
  • ClipBook Server
  • Computer Browser
  • DHCP Client
  • Directory Replicator
  • FTP publishing service
  • License Logging Service
  • Messenger
  • Netlogon
  • Network DDE
  • Network DDE DSDM
  • Network Monitor
  • Plug and Play (disable after all hardware configuration)
  • Remote Access Server
  • Remote Procedure Call (RPC) Locator
  • Schedule
  • Server
  • Simple Services
  • Spooler
  • TCP/IP NetBIOS Helper
  • Telephony Service
B. Disable the following optional services, if desired:
  • SNMP service
  • SNMP trap
  • UPS
C. Set the following services to automatic:
  • Eventlog ( required )
  • NT LM Security Provider (required)
  • RPC service (required)
  • WWW (required)
  • Workstation (leave service on: will be disabled later in the document)
  • MSDTC (required)
  • Protected Storage (required)
10.

Set SNMP Properties and Change Community Strings (if SNMP Service installed):

Go to Network Control Panel > Services > Properties > Security > Accepted Community Names. Select Public community name and click on Edit.

Enter [YOUR COMMUNITY STRING]

Note: Set Strong password

Click [OK] to accept changes. Click [OK] to close the MS SNMP Properties.

11.

Remove all IIS Sample directories:

Sample          Default location
IIS             d:\inetpub\iissamples
Admin Scripts   d:\inetpub\scripts
Admin Samples   c:\winnt\system32\inetsrv\adminsamples
IISADMPWD       c:\winnt\system32\inetsrv\iisadmpwd
IISADMIN        c:\winnt\system32\inetsrv\iisadmin
Data access     c:\Program Files\Common Files\System\msadc\Samples
12.
Remove the following directories from Internet Services Manager (ISM):
  • IISSamples
  • Scripts
  • IISAdmin
  • IISHelp
  • IISADMPWD (This directory allows you to reset Windows NT passwords on an intranet)
13.

Choose Home Directory > Configuration:

Remove any unnecessary Application Mappings, as below.

NOTE: Remove them all and add back in as needed!

Extension              File type
.asa                   ASP files that declare objects with session or application scope
.asp                   Active Server Pages
.bat                   Batch files
.cdx                   Scripts to create Channel Definition files
.cer                   Scripts for digital certificates
.htr                   Scripts for remote password change
.htw                   Index Server hit highlighting
.ida                   Index Server performance monitoring
.idc                   Internet Database Connector
.idq                   Index Server query definition
.printer               Internet Printing
.shtm, .shtml, .stm    Server Side Includes

14.

Remove all unless you explicitly need one for a specific known purpose!

For the remaining extensions, consider limiting the HTTP verbs the extension will accept. Instead of using all the verbs (DELETE, GET, HEAD, PUT, and TRACE), use only GET for static Web pages and PUT if you have forms on your site; this way we explicitly allow only the minimum actions needed per extension.

Click OK to get out of edit mode.

15.
Disable the default website:

In ISM: Right-click on the "Default Web Site" and select Stop.

Note: Do not use the default website and disable/delete the administrative one.

16.

Disable Parent paths:

Go to Properties on the Web Site > Home Directory > Configuration > App Options.

Uncheck Enable Parent Paths.

17.

Enable network lockout of admin account:

Use the NT Resource Kit's passprop utility to run the following command:

passprop /adminlockout /complex

18.

Allow only necessary ports on the host:

Go to Network Control Panel > Protocols > TCP/IP Protocol > Properties > Advanced.

Select Enable Security and click Configure.

Change Permit All to Permit Only Explicitly Needed Ports:

TCP Ports      UDP Ports      IP Protocols
80   HTTP      161  SNMP      6
443  SSL       162  SNMP      8
22   SSH
19.
Ensure that TCP/IP is the only protocol installed:

In the Network Control Panel under the Protocols tab, remove all except for TCP.

20.

Disable NetBIOS:

In the Network Control Panel under the Bindings tab, right-click on "NetBIOS Interface" and choose Disable.

21.

Move and ACL Critical Files:

Remove the following files from the system32 directory and copy them to an admin-created directory, AND ACL the files so only administrators have full access to these files:

Create a directory called c:\utils and place the following files in the directory:

xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, tftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe, atsvc.exe, qbasic.exe, runonce.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe, command.com

Table 3: Run bastion.inf Hardening Script
Step
Action
22.

Download bastioninf.zip and run the following command:

secedit /configure /cfg bastion.inf /db %temp%\secedit.sdb /verbose /log %temp%\seclog.txt

23.

Note: The changes that will be made by this script are as follows:

Password policy:

Enforce password uniqueness by remembering last passwords: 6

Minimum password age: 2

Maximum password age: 42

Minimum password length: 10

Complex passwords (passfilt.dll): Enabled

User must logon to change password: Enabled

Account lockout policy:

Account lockout count: 5

Lockout duration: forever

Reset lockout count after: 720 minutes

24.

Audit policy:

Audit account management: Success, Failure

Audit logon events: Success, Failure

Audit object access: Failure

Audit policy change: Success, Failure

Audit privilege use: Failure

Audit process tracking: No auditing

Audit system events: Success, Failure

25.

User rights assignment:

SeAssignPrimaryTokenPrivilege: No one

SeAuditPrivilege: No one

SeBackupPrivilege: Administrators

SeCreatePagefilePrivilege: Administrators

SeCreatePermanentPrivilege: No one

SeCreateTokenPrivilege: No one

SeDebugPrivilege: No one

SeIncreaseBasePriorityPrivilege: Administrators

SeIncreaseQuotaPrivilege: Administrators

SeInteractiveLogonRight: Administrators

SeLoadDriverPrivilege: Administrators

SeLockMemoryPrivilege: No one

SeNetworkLogonRight: No one

SeProfileSingleProcessPrivilege: Administrators

SeRemoteShutdownPrivilege: No one

SeRestorePrivilege: Administrators

SeSecurityPrivilege: Administrators

SeShutdownPrivilege: Administrators

SeSystemEnvironmentPrivilege: Administrators

SeSystemProfilePrivilege: Administrators

SeSystemTimePrivilege: Administrators

SeTakeOwnershipPrivilege: Administrators

SeTcbPrivilege: No one

SeMachineAccountPrivilege: No one

SeChangeNotifyPrivilege: Everyone

SeBatchLogonRight: No one

SeServiceLogonRight: No one

26.

Event log settings:

The Application, System and Security logs are configured to be up to 100MB each. They will overwrite events as needed, but only entries older than 30 days.

Anonymous access to the logs is disabled.

27.

Registry Values:

The policy will also apply the following changes to the registry:

Key   Type   Value

MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\HandlerRequired   REG_DWORD   1
MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation   REG_DWORD   1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms   REG_SZ   1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects   REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl   REG_DWORD   0
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword   REG_DWORD   0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect   REG_DWORD   15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks   REG_DWORD   0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer   REG_DWORD   0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel   REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous   REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode   REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel   REG_DWORD   2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText   REG_SZ   This is a private system. Unauthorized use is prohibited.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption   REG_SZ   CISD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName   REG_SZ   1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail   REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown   REG_DWORD   1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount   REG_SZ   0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies   REG_SZ   1
MACHINE\Software\Microsoft\Windows NT\Current
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing   REG_BINARY   1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon   REG_SZ   1

Note: CrashOnAuditFail = 1 halts the system if the Security log can no longer record events, so the log size and overwrite settings in step 26 matter; a full Security log on this configuration means an outage rather than lost audit records.
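To confirm that the values in this table actually took effect after running secedit, the following added example (not part of this guide and not code from bastion.inf) parses a REGEDIT4-format registry export, as produced by NT 4's regedit with /e, and reports every expected value that is missing or different. The expected set is a constructed subset of the table above (secedit's MACHINE\ prefix corresponds to HKEY_LOCAL_MACHINE), and the sample export is constructed as well.

```python
import re

# Expected values taken from the bastion.inf registry table above (a subset; extend as needed).
# secedit's "MACHINE\" prefix is HKEY_LOCAL_MACHINE in a REGEDIT4 export.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": 1,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": 2,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail": 1,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword": 0,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer": 0,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": 1,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount": "0",
}

def parse_regedit4(text):
    """Parse a REGEDIT4 export into {full key path + value name: value}; dword -> int, quoted -> str."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # new key section
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue                        # blank, REGEDIT4 header, @=default or continuation line
        name, data = m.groups()
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1]
        else:
            value = data                    # hex:/binary data is kept raw
        values[(current + "\\" + name).lower()] = value   # registry names are case-insensitive
    return values

def audit(export_text, expected=EXPECTED):
    """Return (key, expected, actual) for every expected value that is missing (actual None) or differs."""
    actual = parse_regedit4(export_text)
    return [(k, want, actual.get(k.lower())) for k, want in expected.items()
            if actual.get(k.lower()) != want]

# Constructed sample export, not taken from a real host: two values deviate and one is absent.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LmCompatibilityLevel"=dword:00000000
"CrashOnAuditFail"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters]
"EnablePlainTextPassword"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
"""
```

Running audit() on SAMPLE_EXPORT reports LmCompatibilityLevel (expected 2, found 0), AutoShareServer (expected 0, found 1) and RequireSecuritySignature (missing); an empty list means the checked subset matches the policy.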

28.

File system and Registry Access Control Lists:

The ACLs applied to the file system and the registry are identical to what Microsoft ships as the "Highly secure workstation" template in SCE. For details, open the bastion.inf file with the SCE snap-in in MMC.

29.

Administrator Account:

The bastion.inf policy renames the Administrator account to "root".

Set a strong password on the admin account and rename the account to something unique for your environment.
 
Table 4: Additional Registry Edits
Step
Action
30.

Remove OS/2 and POSIX subsystems:

Remove any keys in this directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT

Remove Os2LibPath key by removing the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\Environment\Os2LibPath

Remove Optional, Posix and OS/2 keys by removing the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\SubSystems\Optional

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\SubSystems\Posix

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\SubSystems\Os2

Delete the following directory and all subdirectories.

c:\winnt\system32\os2

31.

Remove RDS vulnerability:

Delete the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

32.

Remove unnecessary services from Network services:

Remove: NetBIOS, Computer Browser, Server, Workstation
Leave: RPC Configuration, SNMP (if necessary).

Note: When you remove the Workstation service, you will get a message every time you start the Network application in Control Panel: "Windows NT Networking is not installed. Do you want to install it now?" Ignore this question by answering NO.

 
Table 5: Securing Permissions
Step
Action
33.

Secure the Internet Guest User account:

In User Manager:
  • Under Local users and groups rename Internet Guest Account to an obscure name. Set a STRONG PASSWORD.
  • Ensure guest account is disabled.
  • Remove the renamed Internet Guest Account from the guest group.
Permissions:
  • Set permissions for the renamed Internet Guest Account on all volumes to "No Access".
  • Change the renamed Internet Guest Account permissions to "Read Only" for a few specific directories in order to allow the web server to function properly:

Default path          Environment variable
c:\                   %SystemDrive%
c:\winnt              %SystemRoot%
d:\InetPub\wwwroot    wherever your IIS root is

Note: Do not recurse permissions for the above directories!
34.

Modify User Rights:

In User Manager, Select [Policies] and "User Rights":

Right                                  Grant to
Access this computer from network      Administrators
Log on locally                         Administrators, renamed Internet Guest Account, and Users
Shut down the system                   Administrators
Force shutdown from a remote system    No one
Change system time                     Administrators
35.

Lock down "Users":

Recursively set permissions for the built-in NT group "Users" to "No Access" for all volumes:
  • Since a newly created user is automatically added to the “Users” group, new users, by default, will not have access to any information on any of the volumes.
 

Table 6: Firewall ACL

This hardening alone is not enough to ensure security. The box must be placed behind a firewall or router.

Step
Action
36.

Example ACL for router to permit only HTTP, SSH, SSL, and SNMP (replace yourwebserver and the SSH client / SNMP server networks with your own addresses):

access-list 150 permit tcp any host yourwebserver eq 80
access-list 150 permit tcp any host yourwebserver eq 443
access-list 150 permit tcp <SSH client networks> host yourwebserver eq 22
access-list 150 permit udp <SNMP server networks> host yourwebserver eq 161
access-list 150 permit udp <SNMP server networks> host yourwebserver eq 162

Everything not listed is dropped by the implicit deny at the end of the access list.

 
Table 7: SSHD for NT Remote Management

OK. Now you need to be able to access this machine remotely. Here are the current ports of SSHD for NT we are using. NOTE: There are issues with the cygwin.dll and separating simultaneous user space. Use with caution! I highly recommend you buy the commercial SSH2 version from SSH.COM.

Step
Action
37.

Download and unzip sshdnt.zip

38.

Run install.bat

This batch file should do the following:
  1. Create a server key.
  2. Install SSHD as a service.
  3. Start the sshd service.
Note: Check to make sure SSHD is installed as a service and running. If it is not, refer to "sshd_install.txt" for instructions on how to create a server key and install SSHD as a service.
39.

Edit the passwd file (in c:\etc) to add additional users in this format:

<Username>:x:<User ID>:<Group ID>:<Full Name>:<home directory>:

Example:

administrator:x:1:10:Local Administrator:/bin:

40.

Using scp

SCP use on NT DMZ host

 

  1. Move the file you need to a Unix box running sshd (e.g. host.com)
  2. Use srt or terra to connect to the NT host running sshd
  3. Type scp.exe <username>@<hostname with file>:<filename> <path to place file>
Examples:
  • To move the file "net.txt" from a Unix host (e.g. host.com) to the directory /bin on an NT host running sshd (with IP address 10.0.0.20) do the following:
    1. Login to host.com
    2. scp net.txt administrator@10.0.0.20:/bin

  • To pull test.exe from an NT host running sshd (with IP address 10.0.0.20) to my user directory on host.com do the following:
    1. Login to host.com
    2. scp administrator@10.0.0.20:test.exe /home/user
 

 

Additional Resources
 
V1.2 July/27/2001 
Note: For information/questions, please contact:
Gavin Reid, gavreid@cisco.com,
2AE4 4564 2239 F93F E52A AE25 D635 8397 03AA E562