"Deep in the sea are riches beyond compare. But if you seek safety, it is on the shore."
Securing IIS
The following steps may be used to install and configure a Microsoft Internet Information Services 5 server.
The information below addresses the installation
of a basic IIS Web Server. It does not cover every potential configuration
of IIS and its related services.
Install Windows 2000 from the original installation media (via CD)
Install Windows 2000 as a standalone server. Whenever possible, do not make it a Domain Controller or a member of a domain.
Make sure the server does not have an Internet connection during
install.
Install the operating system on an NTFS partition
Installing the OS on an NTFS partition will allow us to further secure critical files and directories using Access Control Lists (ACLs). NT can be installed on a FAT partition and this partition can later be "converted" to NTFS; however, the default ACLs are not applied during the conversion process.
DO NOT use the default installation paths.
If at all possible, install your system files to a partition other than C: and a folder other than WINNT. Place your Inetpub folder on a separate partition from your system folder.
DO NOT set a password for the administrator account during installation
This will be set later.
Install only necessary protocols
Avoid installing NetBEUI and IPX/SPX if at all possible.
Configure network cards and video adapters as needed.
Cards that are not auto-detected will need to have drivers manually installed.
Install Service Pack 2 for Windows 2000
Install the Service Pack and any other hotfixes.
Remove or disable all sample applications and directories
Item                Location
IIS                 ?\Inetpub\iissamples
Admin Scripts       ?\Inetpub\AdminScripts
IIS Documentation   %systemroot%\help\iishelp
Data Access         ?\Program Files\common files\system\msadc
Secure the Telnet server
Create a local TelnetClients group. Add users allowed to access the Telnet server to this group. When this group is created, only members of this group can access the Telnet server. If you don't need Telnet, disable the service.
Set appropriate ACLs
The Microsoft recommended ACLs are:
File Type                                   ACL
CGI (.exe, .dll, .cmd, .pl)                 Everyone (X); Administrators (Full Control); System (Full Control)
Script Files (.asp)                         Everyone (X); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)         Everyone (X); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .html)    Everyone (R); Administrators (Full Control); System (Full Control)
Check ftproot and mailroot ACLs
By default the ACLs on these folders are set to Everyone (Full Control). More restrictive settings are recommended, but they will vary according to needs. If there is no need for these folders on the web server, remove them and disable the corresponding services.
Set IIS log file ACLs
The Microsoft recommended ACLs for %systemroot%\system32\logfiles are:
Administrators (Full Control)
System (Full Control)
Everyone (RWC)
Remove dangerous script mappings
If you don't use the following script types, remove their mappings:
Script Type                   Mapping
Web-based password reset      .htr
Internet Database Connector   .idc
Server-Side Includes          .stm .shtml .shtm
Internet Printing             .printer
Index Server                  .ida .idq .hta
It is important to note that most of these script mappings have been used to exploit IIS in the past. If you must use these script mappings, ensure you are up to date on all Service Packs and Hotfixes.
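The mapping check above can be run as an offline audit against an exported ScriptMaps list. The following is an added example, not part of the original page; it assumes the metabase entry format ".ext,handler_path,flags,verbs" as printed by adsutil.vbs, and the sample list and handler paths it contains are constructed.

```python
# Added example (not from the original page): audit an IIS 5 ScriptMaps
# list for the extensions this page says to remove. Entries use the metabase
# format ".ext,handler_path,flags,verbs..." as printed by adsutil.vbs; the
# sample list below is constructed and the handler paths are illustrative.

# Extensions the page lists, with the feature that owns each mapping.
RISKY_EXTENSIONS = {
    ".htr": "Web-based password reset",
    ".idc": "Internet Database Connector",
    ".stm": "Server-Side Includes",
    ".shtml": "Server-Side Includes",
    ".shtm": "Server-Side Includes",
    ".printer": "Internet Printing",
    ".ida": "Index Server",
    ".idq": "Index Server",
    ".hta": "Index Server",
}

# Constructed sample resembling a default IIS 5 ScriptMaps list.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,5,GET,POST",
    r".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,5,GET,POST",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,5",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".ida,C:\WINNT\System32\idq.dll,7",
]

def parse_scriptmap(entry):
    """Split one entry into (extension, handler, flags, verbs)."""
    parts = entry.split(",")
    if len(parts) < 3:
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    # An empty verb list means the handler accepts every verb.
    return parts[0].lower(), parts[1], int(parts[2]), parts[3:]

def find_risky_mappings(scriptmaps, keep=()):
    """Return [(ext, feature, handler)] to remove; `keep` lists exceptions."""
    keep = {e.lower() for e in keep}
    risky = []
    for entry in scriptmaps:
        ext, handler, _flags, _verbs = parse_scriptmap(entry)
        if ext in RISKY_EXTENSIONS and ext not in keep:
            risky.append((ext, RISKY_EXTENSIONS[ext], handler))
    return risky

def hardened_scriptmaps(scriptmaps, keep=()):
    """Return the list with every mapping reported above removed."""
    drop = {ext for ext, _f, _h in find_risky_mappings(scriptmaps, keep)}
    return [e for e in scriptmaps if parse_scriptmap(e)[0] not in drop]
```

Pass the extensions a site genuinely needs in `keep` so they survive the audit, and apply the remaining removals with the Internet Services Manager or adsutil.vbs as usual.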