IIS 5/6 Install and Lockdown v3
CONSULTANTS INFO PACK
For GL Computing resellers and clients
IIS5 - Installation and lockdown for ACT Consultants, including Networking Basics
Volume 1
DEVELOPER: MIKE LAZARUS, GL COMPUTING
THIS DOCUMENT IS A SUPPORT DOCUMENT FOR GL COMPUTING RESELLERS TO ASSIST THEM IN RESELLING GL COMPUTING SUPPORTED PRODUCTS, INCLUDING ACT PREMIUM FOR WEB. IT IS NOT TO BE COPIED, REPRODUCED OR DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF GL COMPUTING.
WHILE THE AUTHOR HAS TAKEN GREAT CARE TO ENSURE THE ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENT, ALL MATERIALS ARE PROVIDED WITHOUT WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
ACT AND ACT FOR WEB ARE REGISTERED TRADEMARKS OF INTERACT COMMERCE CORPORATION, BEST SOFTWARE OR SAGE SOFTWARE IN VARIOUS COUNTRIES. WINDOWS IS A TRADEMARK OF MICROSOFT CORPORATION. ALL OTHER PRODUCT NAMES ARE TRADEMARKS OR REGISTERED TRADEMARKS OF THEIR RESPECTIVE COMPANIES.
A GL Computing support initiative
GL Computing 2004
PO Box 161 Paddington 2021
Phone 02-9361-6766
http://www.GLComputing.com.au
GL Computing Page 3 682004
Table of Contents
Chapter 1: Server and Networking Basics
Chapter 2: IIS - What is it?
Chapter 3: Installing IIS
Chapter 4: Protect against What?
Chapter 5: Configuring and Securing IIS
Appendix: More tips for the sensibly paranoid
Chapter 1
Server and Networking Basics
It is essential for your comfort in consulting to IIS clients and their IT staff that you have a good understanding of the core terms and protocols in use on an IIS server. This includes terms that will occur later in this document, as well as terms that you may need to address in on-going support.
For this reason we have put what would normally be in a glossary at the beginning of this document.
IIS is the Microsoft Internet Information Server. As such, some of the terms have specific definitions that may not be as accurate for other Internet servers.
Term: Definition
Server vs Workstation: ACT for Web supports NT4 (SP6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later supports Windows 2003). So what are the basic differences between the Workstation/Professional and the Server versions of the operating systems? First, the Server versions are pre-set and biased to processing background tasks over foreground tasks, which can make IIS operate faster... but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions can only support 10 concurrent users. Considering the hits from other random internet traffic, this can limit you to 6-8 concurrent users accessing your ACT database on the internet. So if you are looking for reliable connections for more than 5 users, you will need to use the Server versions.
NTFS: New Technology File System. This file system has many improvements over the FAT16/32 file systems. To begin with, it is transaction-based, i.e. it uses a transaction log to assist in maintaining data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs. This capability stems from the use of the transaction log to roll back outstanding disk writes the next time Windows is booted. It also uses this log to check the disk for errors, instead of scanning each file allocation table entry as the FAT file system does. It also adds a security model that we will be using to protect our servers. This document will assume you are running Windows 2000 with an NTFS file system.
NTFS Security: The NTFS file system includes the capability to assign access control entries (ACEs) to an access control list (ACL). The ACE contains a group identifier or a user identifier, encapsulated in a security descriptor, which can be used to limit access to a particular directory or file. This access can include such capabilities as read, write, delete, execute or even ownership. An ACL, on the other hand, is the container that encapsulates one or more ACE entries.
What this means to you is that we can determine, through NTFS security, which users and groups can access files and folders on your server and what access they have. You cannot do this with FAT16 or FAT32 file systems.
Multithreading: A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that while IIS is inherently multithreaded, ACT itself (and most importantly its SDK) is not "thread aware". This means that it can only handle one call at a time and needs to complete processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate for a stand-alone ACT for Web environment.
Workgroups vs Domains: A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong.
All security in a workgroup is based on the local computer (the one sharing the resource). This is a serious administrative chore, because it requires that all workgroup computers have the same user accounts defined if you want to allow other computers' users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.
A domain is similar to a workgroup, because it provides the same grouping capability as a workgroup, but with one major difference: a domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier, as nearly all the users are the same from any machine on the domain.
It is very important to note that the IUSR guest account, even on a domain, is still a local-only account and is also not part of any group, including EVERYONE. This means it can be better controlled than creating a specific account.
Domain Controllers: The domain controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition to this, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains, Server Manager for Domains, DHCP server, WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to the PDC by an Administrator. In Windows 2000 this is no longer an issue, as DCs in Windows 2000 and 2003 are peers.
Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests, so running IIS on the PDC will decrease performance. It could also expose the DC to attacks that render the entire network non-secure.
Client/Server: Client/server technology is where the server (IIS, SQL Server etc.) houses the data and most of the intensive data-processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth used on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database-intensive processing and just sends back the results.
TCP/IP: Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. Created by US universities in the 60s and later expanded by the US Department of Defense, it is the most popular protocol for connecting heterogeneous systems (i.e. computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL: Universal Resource Locator. A URL is the full internet address, including the access protocol (http, ftp, nntp, https etc.), the domain internet address (IP or name) and, optionally, a path and/or file, user and password. The IP can be in decimal or standard dotted form. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext
This has since been changed for HTTP/HTTPS by Microsoft Internet Explorer, as per http://support.microsoft.com/default.aspx?kbid=834489; this can affect sites using Windows login as opposed to Anonymous.
DHCP: Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.
DNS: Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating hostnames (domain names) into IP addresses; e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours. The name resolution client can be configured to search for host information in the following order: first in the local /etc/hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of naming services is sometimes called name service switching.
WINS: Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP addresses, in a similar fashion to the way DNS resolves host names to IP addresses.
NAT: Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients, by translating their private (non-routable) IPs to the public one and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines, without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x or 10.x.x.x (where x is 0-255).
MDAC: The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common interface to access all of them, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7, you will also need to install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later now also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run.
Type "REGEDIT" into the command line (omit the quotes).
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named "Version". This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM: Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT for Web, see http://itdomino.act.com/act.nsf/docid/13988
Device: Definition
Firewalls: A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security, as above, through port filtering, IP filtering and other data-determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the data that it needs to handle.
We will discuss more about firewalls later in the security section.
Hubs vs Switches: These connect devices on the same LAN. When data is sent to one port on a hub it is copied to all ports on the hub, so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports, rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges: Routers and bridges allow you to connect different networks, e.g. your LAN to your ISP's network. Routers (OSI Layer 3, Network) and bridges (OSI Layer 2, Data Link) operate at different levels of the OSI reference model (Open Systems Interconnection, the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT for Web implementation.
Command: Description
Ping: Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time to reach it and return.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT; this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG is a command that displays the TCP/IP network configuration values and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you; for older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS - What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application, in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the Web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real-time, so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server: Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphic images, animated graphic images, 3-D worlds and audio/video files. It can also be used to access databases, such as ACT for Web, via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on port 21.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers should default to port 119.
Dev Tool: Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI .dll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model, an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data, but also self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally, as a LAN server to ACT clients, in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but have NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple:
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation, you can always access the Microsoft web site and search their Knowledge Base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary, and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker: Description
Script Kiddie: This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers, so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or by someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database, you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary, including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks, like Nimda, SQL-Slammer and others, used operating system exploits that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all of their servers that were available from the Internet against these. Consequently, many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is a good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence: preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "surface area" of attack, that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is only to permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
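The port-blocking and IP-blocking rules above, written out as a deny-by-default policy check so you can see which connection attempts a correctly configured firewall would refuse. This is an added example, not code from the GL Computing document; the web port, the customer address ranges and the connection records are constructed for the illustration.

```python
"""Deny-by-default evaluator for the port and IP allow-list rules in the text.

Added example, not part of the GL Computing document. The policy values
(web port 80, the allowed source ranges, the outbound block list from the
text) and the connection records below are constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Outbound ports the document says should nearly always be blocked.
OUTBOUND_BLOCK = {135, 137, 138, 139, 593}
SSL_PORT = 443  # blocked as well unless the site actually uses SSL


@dataclass(frozen=True)
class Policy:
    web_port: int            # the port IIS listens on (80 by default)
    allowed_sources: tuple   # CIDR ranges of known users (IP blocking)
    ssl_in_use: bool = False


@dataclass(frozen=True)
class Connection:
    direction: str   # "in" (towards the server) or "out" (from the server)
    src_ip: str
    dst_port: int
    proto: str = "tcp"


def evaluate(conn: Connection, policy: Policy) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one connection attempt.

    Inbound: deny by default; allow only TCP to the web port from an
    allowed source range. Outbound: deny the document's block list
    (plus 443 unless SSL is in use) and allow everything else.
    """
    if conn.direction == "in":
        if conn.proto != "tcp" or conn.dst_port != policy.web_port:
            return "deny", f"port {conn.dst_port}/{conn.proto} not permitted inbound"
        src = ip_address(conn.src_ip)
        if not any(src in ip_network(net) for net in policy.allowed_sources):
            return "deny", f"source {conn.src_ip} not in allowed ranges"
        return "allow", "web traffic from a known user range"
    if conn.direction == "out":
        if conn.dst_port in OUTBOUND_BLOCK:
            return "deny", f"port {conn.dst_port} is on the outbound block list"
        if conn.dst_port == SSL_PORT and not policy.ssl_in_use:
            return "deny", "443 blocked because SSL is not in use"
        return "allow", "outbound port not on the block list"
    raise ValueError(f"unknown direction {conn.direction!r}")


def audit(conns, policy):
    """Evaluate a batch and return the denied connections with their reasons."""
    denied = []
    for c in conns:
        verdict, reason = evaluate(c, policy)
        if verdict == "deny":
            denied.append((c, reason))
    return denied


# Constructed sample: an office range and a small remote range are the only
# addresses permitted to reach the ACT for Web site on port 80.
SAMPLE_POLICY = Policy(web_port=80,
                       allowed_sources=("203.0.113.0/24", "198.51.100.0/28"))

SAMPLE_CONNECTIONS = [
    Connection("in", "203.0.113.25", 80),          # known user, web port: allow
    Connection("in", "203.0.113.25", 139),         # known user, NetBIOS: deny
    Connection("in", "192.0.2.77", 80),            # unknown source: deny
    Connection("in", "203.0.113.25", 80, "udp"),   # wrong protocol: deny
    Connection("out", "10.0.0.5", 135),            # on the outbound block list: deny
    Connection("out", "10.0.0.5", 443),            # SSL not in use: deny
    Connection("out", "10.0.0.5", 25),             # outbound SMTP: allow
]

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_CONNECTIONS, SAMPLE_POLICY):
        print(f"DENY {conn.direction:3} {conn.src_ip}:{conn.dst_port}/{conn.proto}  {reason}")
```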
Chapter 5: Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so, as consultants, you must be careful what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, reached either at
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are in use.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select “Stop” to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration sites and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which may have been renamed) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts in which vulnerabilities may be found, and they are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available “surface area” for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
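As an added example that is not part of the original document, the Python script below reviews an IIS W3C extended log for the two things this chapter and the previous one ask you to close off: requests from client IPs outside the ranges you intend to permit (see IP Blocking) and requests that still probe for the virtual folders removed above or the files denied to IUSR further on. The allowed ranges and the log lines are constructed for the example.

```python
"""Review IIS W3C extended log lines for the two things this chapter asks you to
close off: clients outside the IP ranges you intend to permit, and requests that
still probe the virtual folders removed above or the files later denied to IUSR.
The allowed ranges and the log lines are constructed for this example."""
import ipaddress

# Assumption for this example: your users come from these two ranges (a documentation
# range and a private range). Substitute the ranges that apply to the client site.
ALLOWED_CLIENT_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Virtual folders the lockdown deletes; a request for one means something is looking.
REMOVED_FOLDERS = ("/iishelp", "/iisadmin", "/samples", "/msadc", "/_vti_bin", "/printers")
# Files the chapter denies to the Internet Guest Account.
DENIED_FILES = ("cmd.exe", "command.com", "tftp.exe", "httpodbc.dll", "default.ida")

# Constructed sample in IIS 5 W3C extended format (the #Fields line names the columns).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-06 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-08-06 09:00:01 203.0.113.25 - 10.0.0.5 80 GET /actweb/Default.htm - 200 Mozilla/4.0
2004-08-06 09:00:07 198.51.100.77 - 10.0.0.5 80 GET /default.ida - 404 -
2004-08-06 09:00:09 198.51.100.77 - 10.0.0.5 80 GET /msadc/msadcs.dll - 404 -
2004-08-06 09:00:15 203.0.113.40 - 10.0.0.5 80 GET /printers/ - 404 Mozilla/4.0
2004-08-06 09:00:20 192.168.1.10 - 10.0.0.5 80 GET /web.gif - 200 Mozilla/4.0
2004-08-06 09:00:21 truncated line
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        records.append(dict(zip(fields, values)))
    return records


def is_allowed_client(ip_text, allowed_nets):
    """True if the client address falls in one of the permitted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # '-' or garbage is never an allowed client
    return any(ip in net for net in allowed_nets)


def review(records, allowed_nets=ALLOWED_CLIENT_NETS):
    """Return (client IP, URI stem, reason) for each request worth a look."""
    findings = []
    for rec in records:
        ip = rec.get("c-ip", "-")
        stem = rec.get("cs-uri-stem", "-")
        low = stem.lower()
        if not is_allowed_client(ip, allowed_nets):
            findings.append((ip, stem, "client outside allowed ranges"))
        if low.startswith(REMOVED_FOLDERS):
            findings.append((ip, stem, "request for a removed virtual folder"))
        elif low.rsplit("/", 1)[-1] in DENIED_FILES:
            findings.append((ip, stem, "request for a denied file"))
    return findings


if __name__ == "__main__":
    for ip, stem, reason in review(parse_w3c(SAMPLE_LOG)):
        print(f"{ip:<16} {stem:<24} {reason}")
```

Point the script at the live log directory (by default under the system32\LogFiles folder) once the lockdown is complete; a request for a removed folder that still returns 200 means a folder was missed.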
Next, open the Default Web Site properties (right-click, then Properties). The dialog should look something like the screenshot in the original document.
On the Documents tab, remove all the items there and add web.gif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the server is also being used for another site, you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file as well, because it sometimes re-appears, and the idea is to leave nothing pointing at an application in which vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have installed ACT For Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and Add “Default.htm”.
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like the screenshot in the original document.
This is to prevent holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders whose virtual folders you removed earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida, by adding the account in the file's Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security, you can remove Anonymous access and use Integrated Windows Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the flow across the internet. This uses the https protocol instead of http when entering the URL into your browser.
2. Search engines send out “spiders” to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase “ACT for Web Login” (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites they may already have begun to take steps to interact with the spiders that crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors' sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the “Everyone” group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Administrators group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: This product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACK UP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or the site owner
  Change the LegalNoticeText value to “Unauthorized Use”
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
  Set display list to 10 seconds
  Check “Automatic Reboot”
  Set Write Debugging Information to “none”
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history to 8
  Minimum password length to 8
  Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration to 10 minutes
  Account lockout threshold to 5
  Reset account lockout counter to 10 minutes
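As an added example (not part of the original document), this Python script compares the Password Policy and Account Lockout Policy values above with a `secedit /export /cfg <file>` INI, which is how these settings can be read back from a Windows 2000 server. The two exports it contains are constructed: one shows the defaults, the other the corrected values.

```python
"""Compare the Account Policies in a `secedit /export /cfg <file>` INI with the
password and lockout values recommended in this appendix. The two exports below
are constructed: the first shows Windows 2000 defaults, the second the corrected values."""
import configparser

# Recommended values from the appendix, keyed by the [System Access] names secedit writes.
# MaximumPasswordAge is in days; LockoutDuration and ResetLockoutCount are in minutes.
RECOMMENDED = {
    "PasswordHistorySize": 8,      # Enforce password history
    "MinimumPasswordLength": 8,    # Minimum password length
    "MaximumPasswordAge": 30,      # Maximum password age
    "LockoutDuration": 10,         # Account lockout duration
    "LockoutBadCount": 5,          # Account lockout threshold
    "ResetLockoutCount": 10,       # Reset account lockout counter after
}
# For these, a larger value is stricter than the recommendation and is accepted.
# (LockoutDuration = 0 means an administrator must unlock the account; it is reported
# as a deviation so the consultant can decide whether that is wanted.)
AT_LEAST = {"PasswordHistorySize", "MinimumPasswordLength", "LockoutDuration", "ResetLockoutCount"}

# Constructed: a default Windows 2000 export. With LockoutBadCount = 0 secedit omits
# LockoutDuration and ResetLockoutCount entirely, so "missing" must count as a finding.
DEFAULT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed: the same export after the appendix's settings have been applied.
HARDENED_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 30
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 8
LockoutBadCount = 5
ResetLockoutCount = 10
LockoutDuration = 10
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_system_access(export_text):
    """Return the [System Access] section as {name: raw value}; empty if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the exported key case
    parser.read_string(export_text)
    if not parser.has_section("System Access"):
        return {}
    return dict(parser["System Access"])


def _as_int(value):
    """secedit writes numbers bare, but some values are quoted; None if not numeric."""
    if value is None:
        return None
    try:
        return int(value.strip().strip('"'))
    except ValueError:
        return None


def check_policy(export_text, recommended=RECOMMENDED):
    """Return {setting: (actual or None, recommended)} for every setting that deviates."""
    actual = load_system_access(export_text)
    deviations = {}
    for name, want in recommended.items():
        have = _as_int(actual.get(name))
        if name in AT_LEAST:
            ok = have is not None and have >= want
        else:
            # MaximumPasswordAge and LockoutBadCount: lower is stricter, but 0 disables
            # the control (password never expires / never lock out), so 0 is a finding.
            ok = have is not None and 0 < have <= want
        if not ok:
            deviations[name] = (have, want)
    return deviations


if __name__ == "__main__":
    # A real export is UTF-16; read it with open(path, encoding="utf-16").read().
    for name, (have, want) in check_policy(DEFAULT_EXPORT).items():
        print(f"{name:<22} is {have!s:<5} recommended {want}")
```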
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events to Success, Failure
  Audit account management to Success, Failure
  Audit directory service access to Success, Failure
  Audit logon events to Success, Failure
  Audit policy change to Success, Failure
  Audit privilege use to Success, Failure
  Audit process tracking to Success, Failure
  Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow System to Be Shut Down Without Having to Log On to Disabled
  Audit Use of Backup and Restore Privilege to Enabled
  Clear Virtual Memory Pagefile When System Shuts Down to Enabled
  Disable CTRL+ALT+DEL Requirement for Logon to Disabled
  Do Not Display Last User Name in Logon Screen to Enabled
  Message Text for Users Attempting to Log On to “Unauthorized use prohibited”
  Message Title for Users Attempting to Log On to the company or site owner's name
  Prevent Users from Installing Printer Drivers to Enabled
  Recovery Console: Allow Automatic Administrative Logon to Disabled
  Restrict CD-ROM Access to Locally Logged-On User Only to Enabled
  Restrict Floppy Access to Locally Logged-On User Only to Enabled
  Unsigned Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Additional Restrictions for Anonymous Connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except “Internet Protocol (TCP/IP)”
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab: Cannot change password
  Guest account | General tab: Password never expires
  Guest account | General tab: Account disabled
  Guest account | Dial-in tab: Remote Access Permission set to Deny access
Services
o Configure the following Windows Services to start automatically:
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually:
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
Other General Changes
o For the Everyone group (which may have been renamed):
  C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C: drive, WinNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
o Display Properties
  Set screen saver to “Logon Screen Saver”
  Set screen saver wait to 5 minutes
  Check password protect
o Check the anti-virus program
  Enable the “start program on Windows startup” option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the “audible alert” option
  Check that “how to respond when a virus is found” is set to an automatic action (Norton, for example, uses a default of “ask me what to do”)
  Enable scan of “master boot records”
  Enable scan of “boot records”
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term “vulnerability scanner” will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Chapter 1: Server and Networking Basics
It is essential for your comfort in consulting to IIS clients and their IT staff that you have a good understanding of the core terms and protocols in use on an IIS server. This includes terms that will occur later in this document as well as terms that you may need to address in on-going support.
For this reason we have put what would normally be in a glossary at the beginning of this document.
IIS is the Microsoft Internet Information Server. As such, some of the terms have specific definitions that may not be as accurate for other Internet servers.
Terms and Definitions
Server vs. Workstation
ACT for Web supports NT4 (SP6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later also supports Windows 2003). So what are the basic differences between the Workstation/Professional and Server versions of the operating systems? First, the Server versions are pre-set and biased to processing background tasks over foreground tasks, which can make IIS operate faster... but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions can only support 10 concurrent users. Considering the hits from other random internet traffic, this can limit you to 6-8 concurrent users accessing your ACT database on the internet. So if you are looking for reliable connections for more than 5 users you will need to use the Server versions.
NTFS
New Technology File System. This file system has many improvements over the FAT16/32 file systems. To begin with, it is transaction-based, i.e. it uses a transaction log to assist in maintaining data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs. This capability stems from the use of the transaction log to roll back outstanding disk writes the next time Windows is booted. It also uses this log to check the disk for errors instead of scanning each file allocation table entry as the FAT file system does. It also adds a security model that we will be using to protect our servers. This document will assume you are running Windows 2000 with an NTFS file system.
NTFS Security
The NTFS file system includes the capability to assign access control entries (ACEs) to an access control list (ACL). The ACE contains a group identifier or a user identifier encapsulated in a security descriptor, which can be used to limit access to a particular directory or file. This access can include such capabilities as read, write, delete, execute or even ownership. An ACL, on the other hand, is the container that encapsulates one or more ACE entries.
What this means to you is that we can determine through NTFS security which users and groups can access files and folders on your server, and what access they have. You cannot do this with FAT16 or FAT32 file systems.
Multithreading
A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that while IIS is inherently multithreaded, ACT itself (and most importantly its SDK) is not “thread aware”. This means that it can only handle one call at a time and needs to complete processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate for a stand-alone ACT For Web environment.
Workgroups vs. Domains
A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong.
All security in a workgroup is based on the local computer (the one sharing the resource). This is a serious administrative chore because it requires that all workgroup computers have the same user accounts defined if you want to allow other computer users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.
A domain is similar to a workgroup because it provides the same grouping capability, but with one major difference: a domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier, as nearly all the users are the same from any machine on the domain.
It is very important to note that the IUSR guest account, even on a domain, is still a local-only account and is also not part of any group, including EVERYONE. This means it can be better controlled than creating a specific account.
Domain Controllers
The Domain Controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition to this, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains, Server Manager for Domains, DHCP server, WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to the PDC by an administrator. In Windows 2000 this is no longer an issue, as DCs in Windows 2000 and 2003 are peers.
Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests, and running IIS on the PDC will decrease performance. It could also expose the DC to attacks that render the entire network non-secure.
Client/Server
Client/server technology is where the server (IIS, SQL Server, etc.) houses the data and most of the intensive data processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth used on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database-intensive processing and just sends back the results.
TCP/IP
Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. Created by US universities in the 60s and later expanded by the US Department of Defense, it is the most popular protocol for connecting heterogeneous systems (i.e. computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL
Universal Resource Locator. A URL is the full internet address, including the access protocol (http, ftp, nntp, https, etc.), the domain internet address (IP or name) and, optionally, a path and/or file, user and password. The IP can be in decimal or standard dotted form. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext
This has since been changed for HTTP/HTTPS by Microsoft Internet Explorer, as per http://support.microsoft.com/default.aspx?kbid=834489; this can affect sites if using Windows login as opposed to Anonymous.
DHCP
Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.
DNS
Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating hostnames (domain names) into IP addresses; e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours. The name resolution client can be configured to search for host information in the following order: first in the local hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of naming services is sometimes called name service switching.
WINS
Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP address in a similar fashion to the way DNS resolves host names to IP addresses.
NAT
Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x or 10.x.x.x (where x is 0-255).
MDAC
The Microsoft Data Access Components provide a suite of tools for accessing different database objects and a common interface to access all of them, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will also need to install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run
Type REGEDIT into the command line
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM
Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT For Web, see http://itdomino.act.com/act.nsf/docid/13988
Device Definition
Firewalls: A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security, as above, through port filtering, IP filtering and other data-determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the data that it needs to handle.
We will discuss more about firewalls later, in the security section.
Hubs vs. Switches: These connect devices on the same LAN. When data is sent to one port on a hub it is copied to all ports on the hub, so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available, without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs. Bridges: Routers and bridges allow you to connect different networks – e.g. your LAN to your ISP's network. Routers (OSI Layer 3 – Network) and bridges (OSI Layer 2 – Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect – the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT For Web implementation.
Command: Description
Ping: Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time taken to reach it and return.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT – this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG is a command that displays the TCP/IP network configuration values and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you – for older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS – What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application – in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive; there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time, so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server: Description
WWW Server: The WWW server uses the HyperText Transmission Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphics images, animated graphics images, 3-D worlds and audio/video files. It can also be used to access databases such as ACT for Web via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on port 21.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol – the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers should default to port 119.
Dev Tool: Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: ISAPI – the Internet Server Application Programming Interface – was Microsoft's proprietary programming interface developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI .dll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP: Because of the risks in writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model – an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but also self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but have NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple.
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker: Description
Script Kiddie: This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have Credit Card numbers (or similar data) on your system. If you are planning to keep Credit Cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "un-known" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and un-known attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary – including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda, SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier – and yet many administrators (including Microsoft's own) had not patched all their servers that were available from the Internet against these. Consequently many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is a good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence – preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack – that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net – TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is only to permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
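The "only permit the ports you know you need" rule is easier to check than to assume. This added example (not from the GL Computing document) parses netstat output and lists every TCP port the server is listening on that is not in your allow list; the sample lines are constructed for illustration and the live call is shown in the comment.

```powershell
# Added example: audit listening TCP ports against an allow list.
# Assumption: netstat.exe output in the standard Windows column layout.

function Get-UnexpectedListeners {
    param(
        [string[]] $NetstatLines,          # output of: netstat -an
        [int[]]    $AllowedPorts = @(80)   # ports you intend to expose (80, or 443 for SSL)
    )
    $found = @()
    foreach ($line in $NetstatLines) {
        # Typical line:  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') {
            $port = [int]$Matches[2]
            if ($AllowedPorts -notcontains $port) {
                $found += New-Object PSObject -Property @{ Address = $Matches[1]; Port = $port }
            }
        }
    }
    return $found
}

# Constructed sample output. For the live check on the server run:
#   Get-UnexpectedListeners -NetstatLines (netstat -an) -AllowedPorts 80,443
$sample = @(
    '  TCP    0.0.0.0:80       0.0.0.0:0    LISTENING',
    '  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING',
    '  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING',
    '  TCP    192.0.2.10:139   0.0.0.0:0    LISTENING',
    '  UDP    0.0.0.0:137      *:*'
)
# Reports 135, 445 and 139 as listeners to block at the firewall or disable on the server.
Get-UnexpectedListeners -NetstatLines $sample -AllowedPorts 80 |
    Sort-Object Port | Format-Table Port, Address -AutoSize
```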
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database – either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration sites, FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which could be re-named) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them, and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next open the Default Web Site properties (by right-click, then Properties), which should look something like:
On the Documents tab, remove all the items there and add web.gif, or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small, but giving nothing away as to the content of the site.
If the server is being used for another site, you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have installed ACT For Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and Add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for .ASA and .ASP (which are required for ACT for Web to operate). It will then look something like:
This is to prevent any holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders for which you removed the virtual folders earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida – by adding the account in the Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
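The same lockdown can be applied to the metabase without clicking through the MMC, which is useful when several servers have to be brought to the same state and checked afterwards. This added example (not from the GL Computing document or from ACT for Web) uses the IIS ADSI provider to delete the virtual folders named above, set the single-GIF default document, keep only the .asp/.asa script mappings, add the IP restriction promised in Chapter 4, and switch ActWeb to Integrated Windows authentication; it assumes the Default Web Site has metabase id 1 and uses a placeholder client range.

```powershell
# Added example: Chapter 5 IIS lockdown applied through the IIS metabase (ADSI).
# Assumptions: run elevated on the IIS 5/6 server; Default Web Site is W3SVC/1
# (confirm in Internet Services Manager); 192.0.2.0/24 is a documentation range
# standing in for your users' real addresses.

$siteId = 1
$root   = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT"

# 1. Virtual folders named in the document. Only those that actually exist under
#    the site root are removed; the full list is printed so the rest can be reviewed.
$unwanted = @('IISHelp', 'IISAdmin', 'IISSamples', 'MSADC', '_vti_bin')
$children = @($root.psbase.Children | ForEach-Object { $_.psbase.Name })
Write-Host ("Virtual folders under the site root: " + ($children -join ', '))
foreach ($name in $unwanted) {
    if ($children -contains $name) {
        $vdir = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/$name"
        $vdir.psbase.DeleteTree()
        Write-Host "Deleted virtual folder $name"
    }
}

# 2. Documents tab: one small GIF in the home directory as the only default document.
$root.Put('DefaultDoc', 'web.gif')

# 3. Home Directory > Configuration: keep only the .asp and .asa mappings.
#    Each ScriptMaps entry is "extension,dll path,flags,verbs", so filtering on the
#    extension avoids hard-coding the asp.dll path (WINNT vs WINDOWS).
$keep = @($root.ScriptMaps | Where-Object { $_ -match '^\.(asp|asa),' })
if ($keep.Count -eq 0) { throw 'No .asp/.asa mapping found; refusing to empty the mapping list.' }
$root.Put('ScriptMaps', [string[]]$keep)
$root.SetInfo()

# 4. IP blocking (Chapter 4): deny by default and grant only the known client range.
$ipsec = $root.IPSecurity
$ipsec.GrantByDefault = $false
$ipsec.IPGrant = @('192.0.2.0, 255.255.255.0')   # placeholder range
$root.IPSecurity = $ipsec
$root.SetInfo()

# 5. ActWeb: re-add Default.htm and replace Anonymous (AuthFlags 1) with
#    Integrated Windows authentication (AuthFlags 4 = NTLM).
$actweb = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/ActWeb"
$actweb.Put('DefaultDoc', 'Default.htm')
$actweb.Put('AuthFlags', 4)
$actweb.SetInfo()

# Read the result back so it can be compared with what the MMC shows.
"DefaultDoc : " + $root.DefaultDoc
"ScriptMaps : " + ($root.ScriptMaps -join ' | ')
"IPGrant    : " + ($root.IPSecurity.IPGrant -join ', ')
"ActWeb auth: " + $actweb.AuthFlags
```

Because step 5 removes anonymous access, the IMPORTANT NOTE above still applies: the Windows account that logs in needs DCOMCNFG and folder permissions in place of IUSR_[machine name].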
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use an https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server – as before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes – BACKUP THE REGISTRY FIRST:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Change the LegalNoticeCaption value to your company name or site owner
    Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
    Set display list to 10 seconds
    Check "Automatic Reboot"
    Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
    Enforce password history: 8
    Minimum password length: 8
    Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
    Account lockout duration: 10 minutes
    Account lockout threshold: 5
    Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
    Audit account logon events: Success, Failure
    Audit account management: Success, Failure
    Audit directory service access: Success, Failure
    Audit logon events: Success, Failure
    Audit policy change: Success, Failure
    Audit privilege use: Success, Failure
    Audit process tracking: Success, Failure
    Audit system events: Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
    Allow System to Be Shut Down Without Having to Log On: Disabled
    Audit Use of Backup and Restore Privilege: Enabled
    Clear Virtual Memory Pagefile When System Shuts Down: Enabled
    Disable CTRL-ALT-DEL Requirement for Logon: Disabled
    Do Not Display Last User Name in Logon Screen: Enabled
    Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
    Message Title for Users Attempting to Log On: company or site owner's name
    Prevent Users from Installing Printer Drivers: Enabled
    Recovery Console: Allow Automatic Administrative Logon: Disabled
    Restrict CD-ROM Access to Locally Logged-On User: Enabled
    Restrict Floppy Access to Locally Logged-On User: Enabled
    Unsigned Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
    Unsigned Non-Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
    Additional Restrictions for Anonymous Connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General
    Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
    Disable NetBIOS over TCP/IP
    Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
    Disable or filter all TCP, UDP and IP ports as needed – although it is often better to do this from an external firewall, doing it through both assists in protecting you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
    Guest account | General tab: Cannot change password
    Guest account | General tab: Password never expires
    Guest account | General tab: Account disabled
    Guest account | Dial-in tab: Remote Access Permission: Deny access
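The password, lockout and audit settings above can be applied from the command line and read back for verification. This added example (not from the GL Computing document) uses the built-in net accounts, auditpol and registry tools; it assumes an elevated session and that auditpol is present (Windows Server 2008 or later; on Windows 2000 set the Audit Policy through Local Security Policy as described). The legal notice caption is a placeholder.

```powershell
# Added example: apply and verify the appendix account, lockout, audit and
# legal-notice settings. Assumptions: elevated session; local (not domain) policy.

# Password Policy: history 8, minimum length 8, maximum age 30 days
net accounts /uniquepw:8 /minpwlen:8 /maxpwage:30

# Account Lockout Policy: threshold 5, duration 10 minutes, reset counter after 10 minutes
net accounts /lockoutthreshold:5 /lockoutduration:10 /lockoutwindow:10

# Audit Policy: Success and Failure for each category listed above
# (Detailed Tracking is the auditpol name for process tracking; DS Access for directory service access)
$categories = @('Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
                'Policy Change', 'Privilege Use', 'Detailed Tracking', 'System')
foreach ($c in $categories) {
    auditpol /set /category:"$c" /success:enable /failure:enable | Out-Null
}

# Winlogon legal notice from the Registry changes section (caption is a placeholder)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name LegalNoticeCaption -Value 'Example Pty Ltd'   # your company name
Set-ItemProperty -Path $winlogon -Name LegalNoticeText    -Value 'Unauthorized Use'

# Guest account: disabled (Local Users and Groups step)
net user Guest /active:no

# Read everything back so the result can be checked against the list above
net accounts
auditpol /get /category:*
Get-ItemProperty -Path $winlogon | Select-Object LegalNoticeCaption, LegalNoticeText
net user Guest | Select-String 'Account active'
```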
Services
o Configure the following Windows Services to start automatically:
    DNS Client
    Event Log
    Logical Disk Manager
    IPSec Policy Agent
    Plug and Play
    Protected Storage
    Remote Registry Service
    RunAs
    Security Accounts Manager
    Task Scheduler
o Configure the following Windows Services to start manually:
    Application Management
    ClipBook
    COM+ Event System
    Logical Disk Manager Administrative Service
    Distributed Link Tracking Server
    Fax Service
    File Replication
    Indexing Service
    Internet Connection Sharing
    Net Logon
    NetMeeting Remote Desktop Sharing
    Network Connections
    Network DDE
    Network DDE DSDM
    NT LM Security Support Provider
    Performance Logs and Alerts
    QoS RSVP
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Smart Card
    Smart Card Helper
    Uninterruptible Power Supply
    Utility Manager
    Windows Installer
    Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
    Intersite Messaging
    Kerberos Key Distribution Center
    Routing and Remote Access
    Terminal Services
    Print Spooler
    Simple Mail Transport Protocol (SMTP)
    DHCP Client
    Messenger
    Telephony
    Telnet
    Windows Time
Other General Changes
o For the Everyone Group (that may have been renamed):
C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
C: drive, WinNT folder rights: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.exe, xcopy.exe, nbtstat.exe
(and any others not needed)
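An added example, not part of the GL Computing document, that removes every access entry for Everyone and for the IIS anonymous account from the tools listed above, breaking inheritance first so that the folder's entries cannot re-grant access. It assumes PowerShell 3.0 or later run as Administrator and that the anonymous account follows the IIS 5/6 naming convention IUSR_<COMPUTERNAME>; a renamed Everyone group is passed via -Principals, and the function name Remove-ToolAccess is hypothetical.

```powershell
function Remove-ToolAccess {
    # Hypothetical helper (added example): strip Everyone and IUSR_<COMPUTERNAME>
    # from the system32 tools named in the lockdown list.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Files = @(
            'arp.exe', 'ipconfig.exe', 'netstat.exe', 'at.exe', 'net.exe', 'ping.exe',
            'cacls.exe', 'nslookup.exe', 'rdisk.exe', 'cmd.exe', 'posix.exe', 'regedt32.exe',
            'debug.exe', 'rcp.exe', 'route.exe', 'edit.com', 'regedit.exe', 'runonce.exe',
            'edlin.exe', 'rexec.exe', 'syskey.exe', 'finger.exe', 'rsh.exe', 'tracert.exe',
            'ftp.exe', 'telnet.exe', 'command.exe', 'xcopy.exe', 'nbtstat.exe'),
        # Assumption: IIS 5/6 anonymous account name; add the renamed Everyone group if needed
        [string[]]$Principals = @('Everyone', "IUSR_$env:COMPUTERNAME"),
        [string]$System32 = (Join-Path $env:SystemRoot 'system32')
    )

    $report = @()
    foreach ($name in $Files) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -Path $path -PathType Leaf)) {
            # Some of these tools only exist on older Windows builds; report and move on
            $report += [pscustomobject]@{ File = $name; Removed = 0; Note = 'not present' }
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($path, 'remove Everyone/IUSR access entries')) { continue }

        # Step 1: stop inheriting from the folder, copying the inherited entries to
        # explicit ones. Inherited entries cannot be removed one by one, and a later
        # change on the folder could otherwise silently re-grant access to the file.
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $path -AclObject $acl

        # Step 2: re-read the now explicit entries and drop the unwanted principals.
        $acl = Get-Acl -Path $path
        $unwanted = @($acl.Access | Where-Object {
            $id = $_.IdentityReference.Value          # e.g. 'Everyone' or 'HOST\IUSR_HOST'
            @($Principals | Where-Object { $id -eq $_ -or $id -like "*\$_" }).Count -gt 0
        })
        foreach ($ace in $unwanted) { [void]$acl.RemoveAccessRule($ace) }
        if ($unwanted.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }

        $report += [pscustomobject]@{ File = $name; Removed = $unwanted.Count; Note = '' }
    }
    return $report
}

# Preview first; drop -WhatIf to apply. Administrators and SYSTEM keep their entries.
Remove-ToolAccess -WhatIf | Format-Table -AutoSize
```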
o Display Properties
Set screen saver to "Logon Screen Saver"
Set screen saver wait time to 5 minutes
Check "password protect"
o Check Anti-Virus program
Enable the "start program on Windows startup" option
Turn on all activity logs (detection, quarantine etc.)
Disable the "audible alert" option
Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
Enable scan of "master boot records"
Enable scan of "boot records"
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning service to verify that your site is secure and that no known vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Chapter 1
Server and Networking Basics
It is essential for your comfort in consulting to IIS clients and their IT staff that you have a good understanding of the core terms and protocols in use on an IIS server. This includes terms that will occur later in this document, as well as terms that you may need to address in on-going support.
For this reason we have put what would normally be in a glossary at the beginning of this document.
IIS is the Microsoft Internet Information Server. As such, some of the terms have specific definitions that may not be as accurate for other Internet servers.
Term Definition
Server vs Workstation: ACT for Web supports NT4 (SP6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later also supports Windows 2003). So what are the basic differences between the Workstation/Professional and the Server versions of the operating systems? First, the Server versions are pre-set and biased to processing background tasks over foreground, which can make IIS operate faster... but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions can only support 10 concurrent users. Considering the hits from other random internet traffic, this can limit you to 6-8 concurrent users accessing your ACT database on the internet. So, if you are looking for reliable connections for more than 5 users, you will need to use the Server versions.
NTFS: New Technology File System. This file system has many improvements over the FAT16/32 file systems. To begin with, it is transaction-based, i.e. it uses a transaction log to assist in maintaining data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs. This capability stems from the use of the transaction log to roll back outstanding disk writes the next time Windows is booted. It also uses this log to check the disk for errors, instead of scanning each file allocation table entry as the FAT file system does. It also adds a security model that we will be using to protect our servers. This document will assume you are running Windows 2000 with an NTFS file system.
NTFS Security: The NTFS file system includes the capability to assign access control entries (ACEs) to an access control list (ACL). The ACE contains a group identifier or a user identifier encapsulated in a security descriptor, which can be used to limit access to a particular directory or file. This access can include such capabilities as read, write, delete, execute or even ownership. An ACL, on the other hand, is the container that encapsulates one or more ACE entries.
What this means to you is that we can determine, through NTFS security, which users and groups can access files and folders on your server and what access they have. You cannot do this with FAT16 or FAT32 file systems.
Term Definition
Multithreading: A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that while IIS is inherently multithreaded, ACT itself (and most importantly its SDK) is not "thread aware". This means that it can only handle one call at a time and needs to complete processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate for a stand-alone ACT For Web environment.
Workgroups vs Domains: A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong.
All security in a workgroup is based on the local computer (the one sharing the resource). This is a serious administrative chore, because it requires that all workgroup computers have the same user accounts defined if you want to allow other computer users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.
A domain is similar to a workgroup because it provides the same grouping capability as a workgroup, but with one major difference: a domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier, as nearly all the users are the same from any machine on the Domain.
It is very important to note that the IUSR guest account, even on a domain, is still a local-only account and is also not part of any group, including EVERYONE. This means it can be better controlled than creating a specific account.
Term Definition
Domain Controllers: The Domain Controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition to this, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains, Server Manager for Domains, DHCP server, WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to the PDC by an Administrator. In Windows 2000 this is no longer an issue, as DCs in Windows 2000 and 2003 are peers.
Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests, so running IIS on the PDC will decrease performance. It could also expose the DC to attacks that render the entire network non-secure.
Client/Server: Client/server technology is where the server (IIS, SQL Server etc.) houses the data and most of the intensive data processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth used on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database-intensive processing and just sends back the results.
TCP/IP: Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. Created by US Universities in the 60s and later expanded by the US Department of Defence, it is the most popular protocol for connecting heterogeneous systems (i.e. computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL: Universal Resource Locator. A URL is the full internet address, including the access protocol (http, ftp, nntp, https etc.), the domain internet address (IP or name) and, optionally, a path and/or file, user and password. The IP can be in decimal or standard-dot form. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext
This has since been changed for HTTP/HTTPS by Microsoft Internet Explorer, as per http://support.microsoft.com/default.aspx?kbid=834489 - this can affect sites using Windows login as opposed to Anonymous.
Term Definition
DHCP: Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.
DNS: Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating hostnames (domain names) into IP addresses - e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours. The name resolution client can be configured to search for host information in the following order: first in the local /etc/hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of naming services is sometimes called name service switching.
WINS: Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP address, in a similar fashion to the way DNS resolves host names to IP addresses.
NAT: Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one, and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x or 10.x.x.x (where x is 0-255).
Term Definition
MDAC: The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common interface to access all of them - often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC. V2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will also need to install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later now also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: This involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run.
Type "REGEDIT" into the command line (omit the quotes).
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM: Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT For Web, see http://itdomino.act.com/act.nsf/docid/13988
Device Definition
Firewalls: A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security (as above) through port filtering, IP filtering and other data-determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the data that it needs to handle.
We will discuss more about Firewalls later in the security section.
Hubs vs Switches: These connect devices on the same LAN. When data is sent to one port on a hub, it is copied to all ports on the hub, so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports, rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges: Routers and Bridges allow you to connect different networks - e.g. your LAN to your ISP's network. Routers (OSI Layer 3 - Network) and Bridges (OSI Layer 2 - Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect - the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that Routers and Bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT For Web implementation.
Command Description
Ping: Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time to reach it and return.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT - this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG is a command that displays the TCP/IP network configuration values and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you - for older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS - What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application - in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the Web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real-time, so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server Description
WWW Server: The WWW server uses the HyperText Transmission Protocol (HTTP) to communicate with its client application (a web browser). Typically on Port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphics images, animated graphics images, 3-D worlds and audio/video files. It can also be used to access databases such as ACT for Web via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on Port 21.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol - the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is Port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers should default to Port 119.
Dev Tool Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: ISAPI - the Internet Server Application Programming Interface - was Microsoft's proprietary programming interface developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI .dll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model - an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but also self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server to your machine but NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple:
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation, you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and, as such, should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this Chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from:
Attacker Description
Script Kiddie: This is the most common form of attack, and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have Credit Card numbers (or similar data) on your system. If you are planning to keep Credit Cards etc. in your database, you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary - including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these:
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (formerly Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks, like Nimda, SQL-Slammer and others, used operating system exploits that Microsoft had patched months earlier - and yet many administrators (including Microsoft's own) had not patched all their servers that were available from the Internet against these. Consequently, many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is a good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence - preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack - that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net - TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is to only permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
GL Computing Page 20 682004
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful, as Consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration sites and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which could have been re-named) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and _vti_bin (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them, and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (by right-clicking, then Properties), which should look something like this:
On the Documents tab, remove all the items there and add web.gif, or some other small gif that you have loaded into the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small, but giving nothing away as to the content of the site.
If the server is being used for another site, you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have installed ACT For Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like this:
This is to prevent any holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders that you removed the virtual folders for earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account in the Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security, you can remove Anonymous access and use Windows Integrated Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use an https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites, they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include: www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: This product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes. BACKUP THE REGISTRY FIRST.
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the LegalNoticeCaption value to your company name or site owner
Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\Rpc\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\Rpc\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
Set display list to 10 seconds
Check "Automatic Reboot"
Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
Audit account logon events to Success, Failure
Audit account management to Success, Failure
Audit directory service access to Success, Failure
Audit logon events to Success, Failure
Audit policy change to Success, Failure
Audit privilege use to Success, Failure
Audit process tracking to Success, Failure
Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
Allow System to Be Shut Down Without Having to Log On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirement for Logon to Disabled
Do Not Display Last User Name in Logon Screen to Enabled
Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
Message Title for Users Attempting to Log On to company or site owner's name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console: Allow Automatic Administrative Logon to Disabled
Restrict CD-ROM Access to Locally Logged-On User Only to Enabled
Restrict Floppy Access to Locally Logged-On User Only to Enabled
Unsigned Driver Installation Behavior to Do not allow (NOTE: May prevent software installs)
Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: May prevent software installs)
Additional Restrictions for Anonymous Connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it through both assists in protecting you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
Guest account | General tab | Cannot change password
Guest account | General tab | Password never expires
Guest account | General tab | Account disabled
Guest account | Dial-in tab | Remote Access Permission | Deny access
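An added check, not part of this document: the Python script below reads the INF file written by `secedit /export /cfg <file>` and reports every Password Policy, Account Lockout Policy and Audit Policy setting that falls short of the values listed above. The sample policy text is constructed (it mirrors Windows 2000 default settings), and the section and key names are the ones I expect secedit to write.

```python
"""Compare an exported Local Security Policy against the settings recommended above.

Added example; not part of the GL Computing document. Input is the INI-style file
written by `secedit /export /cfg <file>` (Windows 2000 and later). The section and
key names below are the ones secedit writes, as far as I know; the sample policy
text is constructed to mirror Windows 2000 default settings.
"""
import configparser

# Recommended values from the Password, Account Lockout and Audit policy lists.
# Rules: "min" -> actual must be >= target
#        "max" -> 1 <= actual <= target (0 or -1 means "never"/"no lockout")
#        "eq"  -> actual must equal target
# Audit values in secedit: 0 = none, 1 = success, 2 = failure, 3 = both.
RECOMMENDED = {
    ("System Access", "PasswordHistorySize"):   ("min", 8),
    ("System Access", "MinimumPasswordLength"): ("min", 8),
    ("System Access", "MaximumPasswordAge"):    ("max", 30),
    ("System Access", "LockoutDuration"):       ("min", 10),
    ("System Access", "LockoutBadCount"):       ("max", 5),
    ("System Access", "ResetLockoutCount"):     ("min", 10),
    ("Event Audit", "AuditAccountLogon"):       ("eq", 3),
    ("Event Audit", "AuditAccountManage"):      ("eq", 3),
    ("Event Audit", "AuditDSAccess"):           ("eq", 3),
    ("Event Audit", "AuditLogonEvents"):        ("eq", 3),
    ("Event Audit", "AuditPolicyChange"):       ("eq", 3),
    ("Event Audit", "AuditPrivilegeUse"):       ("eq", 3),
    ("Event Audit", "AuditProcessTracking"):    ("eq", 3),
    ("Event Audit", "AuditSystemEvents"):       ("eq", 3),
}

# Constructed sample: what a fresh Windows 2000 member server typically exports.
# LockoutDuration/ResetLockoutCount are absent because no lockout threshold is set.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_policy(text):
    """Parse secedit INF text; keys keep their case so has_option() matches exactly."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def meets(rule, actual, target):
    if rule == "min":
        return actual >= target
    if rule == "max":
        return 1 <= actual <= target
    return actual == target


def check_policy(text):
    """Return (section, key, actual, rule, target) for each setting that is not met.

    actual is None when the key is missing from the export (treated as not set)."""
    cp = load_policy(text)
    findings = []
    for (section, key), (rule, target) in RECOMMENDED.items():
        if not cp.has_option(section, key):
            findings.append((section, key, None, rule, target))
            continue
        actual = int(cp.get(section, key))
        if not meets(rule, actual, target):
            findings.append((section, key, actual, rule, target))
    return findings


if __name__ == "__main__":
    for section, key, actual, rule, target in check_policy(SAMPLE_INF):
        shown = "not set" if actual is None else actual
        print(f"[{section}] {key}: is {shown}, recommended {rule} {target}")
```

secedit typically writes the export as UTF-16, so open the real file with encoding="utf-16" before passing its text to check_policy().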
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
Other General Changes
o For the Everyone group (that may have been renamed):
C drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
C drive, WinNT folder rights: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following C:\WINNT\System32 files, in addition to the ones mentioned above:
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
(and any others not needed)
o Display Properties
Set screen saver to "Logon Screen Saver"
Set screen saver wait to 5 minutes
Check password protect
o Check Anti-Virus program
Enable "start program on Windows startup" option
Turn on all activity logs (detection, quarantine, etc.)
Disable "audible alert" option
Check that "how to respond when a virus is found" is set to an automatic solution (Norton, for example, uses a default of "ask me what to do")
Enable scan of "master boot records"
Enable scan of "boot records"
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning service to verify your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Chapter 1
Server and Networking Basics
It is essential for your comfort in consulting to IIS clients and their IT staff that you have a good understanding of the core terms and protocols in use on an IIS server. This includes terms that will occur later in this document, as well as terms that you may need to address in on-going support.
For this reason we have put what would normally be in a glossary at the beginning of this document.
IIS is the Microsoft Internet Information Server. As such, some of the terms have specific definitions that may not be as accurate for other Internet servers.
Term: Definition
Server vs Workstation: ACT for Web supports NT4 (SP6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later also supports Windows 2003). So what are the basic differences between the Workstation/Professional and the Server versions of the operating systems? First, the Server versions are pre-set and biased to processing background tasks over foreground, which can make IIS operate faster... but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions can only support 10 concurrent users. Considering the hits from other random internet traffic, this can limit you to 6-8 concurrent users accessing your ACT database on the internet. So if you are looking for reliable connections for more than 5 users, you will need to use the Server versions.
NTFS: New Technology File System. This file system has many improvements over the FAT16/32 file systems. To begin with, it is transaction-based, i.e. it uses a transaction log to assist in maintaining data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs. This capability stems from the use of the transaction log to roll back outstanding disk writes the next time Windows is booted. It also uses this log to check the disk for errors, instead of scanning each file allocation table entry as the FAT file system does. It also adds a security model that we will be using to protect our servers. This document will assume you are running Windows 2000 with an NTFS file system.
NTFS Security: The NTFS file system includes the capability to assign access control entries (ACEs) to an access control list (ACL). The ACE contains a group identifier or a user identifier encapsulated in a security descriptor, which can be used to limit access to a particular directory or file. This access can include such capabilities as read, write, delete, execute or even ownership. An ACL, on the other hand, is the container that encapsulates one or more ACE entries.
What this means to you is that we can determine, through NTFS security, which users and groups can access files and folders on your server and what access they have. You cannot do this with FAT16 or FAT32 file systems.
Multithreading: A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that while IIS is inherently multithreaded, ACT itself (and most importantly its SDK) is not "thread aware". This means that it can only handle one call at a time and needs to complete processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate for a stand-alone ACT For Web environment.
Workgroups vs Domains: A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong.
All security in a workgroup is based on the local computer (the one sharing the resource). This is a serious administrative chore, because it requires that all workgroup computers have the same user accounts defined if you want to allow other computer users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.
A domain is similar to a workgroup, because it provides the same grouping capability as a workgroup, but with one major difference: a domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier, as nearly all the users are the same from any machine on the Domain.
It is very important to note that the IUSR guest account, even on a domain, is still a local-only account and is also not part of any group, including EVERYONE. This means it can be better controlled than creating a specific account.
Domain Controllers: The Domain Controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition to this, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains, Server Manager for Domains, DHCP server, WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to the PDC by an Administrator. In Windows 2000 this is no longer an issue, as DCs in Windows 2000 and 2003 are peers.
Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests, and running IIS on the PDC will decrease performance. It could also expose the DC to attacks that render the entire network non-secure.
Client/Server: Client/server technology is where the server (IIS, SQL Server, etc.) houses the data and most of the intensive data processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth used on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database-intensive processing and just sends back the results.
TCP/IP: Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. Created by US universities in the 60s and later expanded by the US Department of Defence, it is the most popular protocol for connecting heterogeneous systems (i.e. computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL: Universal Resource Locator. A URL is the full internet address, including the access protocol (http, ftp, nntp, https, etc.), the domain internet address (IP or name) and optionally a path and/or file, user and password. The IP can be in decimal or standard dot form. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext
This has since been changed for HTTP/HTTPS by Microsoft Internet Explorer, as per http://support.microsoft.com/default.aspx?kbid=834489; this can affect sites if using Windows login as opposed to Anonymous.
DHCP: Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.
DNS: Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating hostnames (domain names) into IP addresses, e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours. The name resolution client can be configured to search for host information in the following order: first in the local /etc/hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of naming services is sometimes called name service switching.
WINS: Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP addresses in a similar fashion to the way DNS resolves host names to IP addresses.
NAT: Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x or 10.x.x.x (where x is 0-255).
MDAC: The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common user interface to access all of them, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7, you will need to also install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later now also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: This involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run.
Type "REGEDIT" into the command line (omit the quotes).
Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM: Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT For Web, see http://itdomino.act.com/act.nsf/docid/13988
Device Definition
Firewalls A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network The schemes can range from simple NAT security as above through port filtering IP filtering and other data determining methods They can include threat monitoring call-back and activity pattern testing
A server can be positioned ldquobehindrdquo the firewall thereby reducing the ldquosurface areardquo available to a hacker or it can be located in a DMZ (demilitarized zone) to be a more public server As the IIS server will be hosting our client data it is better to locate it behind the firewall and only permit that data that it needs to handle
We will discuss more about Firewalls later in the security section
Hubs Vs
Switches
These connect devices on the same LAN When data is sent to one port on the hub it is copied to all ports on the hub so all segments of the LAN will see the data A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions
A hub will also be restricted to the speed of the slowest device on the LAN segment
Routers Vs
Bridges
Routers and Bridges allow you to connect different networks ndash eg your LAN to your ISPrsquos network Routers (OSI Layer 3 ndash network) and Bridges (OSI Layer 2 ndash Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect ndash the model for network architecture and protocols used to implement it) We will not be going into the OSI model here but suffice it to say that Routers and Bridges accomplish a similar task in different ways and you as ACCs can treat them the same way for the purpose of an ACT For Web implementation
Command Description
Ping: Ping is the simplest command to tell whether a remote system is running and reachable. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request and waiting for the Echo reply. Pinging a domain name also shows the IP address the DNS server resolved it to, and the round-trip time. Note that many firewalls drop ICMP, so a system that does not answer a ping may still be up.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT. It sends probes with increasing time-to-live values so that each router between you and the remote system answers in turn, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG displays the TCP/IP network configuration values and can be used to release and renew the DHCP lease and flush the DNS cache. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you. For older operating systems (Windows 9x/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is used to query a DNS server and diagnose DNS problems. This is useful if you are checking for problems reaching a client's server.
Chapter 2 - IIS - What is it?
IIS is Microsoft Internet Information Services (Internet Information Server in earlier versions). It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application: it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In each area only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive; there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects to on the IIS server. They answer requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the web server retrieves is static: it exists in a constant state, a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. You need to create a program that the WWW Server will execute to pass the query to the database engine, receive the results back and display them to the client. Every such program is also code that an attacker can send input to, which is why the rest of this document is so concerned with removing the ones you do not need.
For full information on IIS we recommend looking at http://www.microsoft.com/iis and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser), typically on port 80. The WWW is a content-rich environment and accounts for the majority of traffic on the Internet. You can use it to display (in your web browser) text, static graphic images, animated graphics, 3-D worlds and audio/video files. It can also be used to access databases such as ACT for Web via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. It is much less complex than the WWW Publishing Service and is used primarily as a data repository. It usually listens on port 21. Note that FTP sends user names and passwords across the network in clear text.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, used to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transfer Protocol to provide discussion servers and groups similar to the ACC news server. NNTP servers default to port 119.
Dev Tool Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard shared by many different web server platforms. CGI scripts can be written in a variety of languages including Perl, C and C++. Each request starts a new process.
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI DLL (Dynamic Link Library) is loaded into the IIS address space once and handles every request for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, an errant ISAPI application can crash the WWW Publishing Service as well, and a bug in one runs with the privileges of the server itself. Several of the script mappings we remove in Chapter 5 (.ida, .idq, .htr, .printer) are ISAPI extensions.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). ASP itself is an ISAPI extension, asp.dll, that interprets script pages. It has similar advantages over CGI without the problems of ISAPI for the application developer. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com.
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net.
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model, the component architecture developed by Microsoft, with DEC, that also underlies OLE). They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system, which is why a browser should never be allowed to run them from untrusted sites.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3 - Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but have NOT installed any IIS components. In the lockdown section we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
Do not perform these steps while connected to the Internet; connect only after the securing part is complete. An unpatched Windows 2000 server with IIS can be found and compromised very quickly once it is exposed. Also apply the latest service packs and critical updates to the Windows 2000 operating system (obtain them from another machine, or from media, before the server goes on line).
Installing IIS is quite simple:
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their Knowledge Base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Every extra option (FTP Server, SMTP Service, NNTP Service, FrontPage 2000 Server Extensions, Internet Services Manager (HTML), Visual InterDev RAD Remote Deployment Support) increases the "surface area" available for attack on the server and would need to be configured to make it less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a reboot of the server after installing or removing Windows components.
Chapter 4 - Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some idea of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker Description
Script Kiddie: This is the most common form of attack and the one we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others. They do not target you in particular; they scan whole address ranges for anything with a known hole.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system. A combination of the Microsoft critical updates and our own lockdown procedures should keep you relatively secure from them.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to them. It may be a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker gains credibility from being able to bypass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they want to teach you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system. Disabling accounts on the day someone leaves, and changing any passwords they knew, is the minimum response.
Internal Attack: This type typically does the most damage, as the attacker may know your security and usually has a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (named after the story of the Trojan horse) is a piece of software that gets loaded on your server and makes it available to an attacker. The functions it can provide to an attacker vary, including damaging your data, providing access for others to see your data, or using your server to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus product running and that you keep it up to date. GL Computing currently recommends Symantec (formerly Norton) AntiVirus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from reaching the Trojan if it is on your system. As they usually listen on specific ports, blocking everything but the ports you need provides pretty good protection against most known attacks. Bear in mind that some Trojans connect outward to the attacker instead of listening, so the firewall should also restrict what the server may connect to, not only what may connect to it.
Many attacks, like Nimda, SQL Slammer and others, used vulnerabilities in Windows components (IIS and SQL Server) that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all of their servers that were reachable from the Internet. Consequently many millions of dollars in damaged data and system downtime were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) use security holes in Windows for which Microsoft has already issued patches, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "unknown attack", but that is exactly what is necessary to provide adequate defence: preventing, as far as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "surface area" of attack, that is, reducing the entry points and services available for an external source to connect to your server and run tasks that you do not want them to run. An exploit for a service that is not running, or that cannot be reached, is of no use to the attacker.
Configuring the IIS server to remove the services and script mappings that can be used to hook into your server is covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Each of them has 65,536 (0 to 65,535) "ports", numbered channels used to reach specific applications on the server machine.
So the simple rule to start with is to permit only those ports that you know you need through to your server, and block everything else.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to keep casual scanners from noticing the server (the user will need to put the port number in their URL), but it is not protection: a port scan of the server finds it in seconds, so treat it as a supplement to the firewall rules, not a replacement.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked at the firewall, both for traffic arriving from the Internet and for traffic leaving the server (a compromised server will try to use them to reach other machines): 135, 137, 138, 139 and 593 (Windows RPC and NetBIOS), and 443 unless you are using SSL.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to permit only those IPs to access the server. Users on dial-up or other dynamically assigned addresses make this impractical, but where the users sit behind fixed office addresses it removes the rest of the Internet from the pool of possible attackers. We'll show how to do this on the IIS server in the next chapter.
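The following is an added illustration, not code from the GL Computing guide or from ACT for Web. It models the deny-by-default policy the last two sections describe: the IIS "IP Address and Domain Name Restrictions" dialog has two modes (grant everyone except a list, or deny everyone except a list), and the example combines the recommended second mode with a port allow list and the guide's always-blocked ports. The address ranges, port numbers and the sample connection attempts are invented for the example.

```python
"""Deny-by-default connection policy, modelled on the firewall / IIS IP
restriction advice above.  Added example; the ranges and ports are invented."""
import ipaddress

# Ports the guide says should nearly always be blocked (Windows RPC / NetBIOS).
# They are refused even if an administrator later adds them to the allow list.
ALWAYS_BLOCKED_PORTS = frozenset({135, 137, 138, 139, 593})


class IpRestriction:
    """The two modes of the IIS "IP Address and Domain Name Restrictions" dialog.

    default_allow=True  : grant access to everyone except the listed ranges.
    default_allow=False : deny everyone except the listed ranges (recommended).
    """

    def __init__(self, default_allow, exceptions):
        self.default_allow = default_allow
        # strict=False accepts "203.0.113.7/24" and treats it as the whole /24,
        # which is how the dialog's "group of computers" entry behaves.
        self.exceptions = [ipaddress.ip_network(n, strict=False) for n in exceptions]

    def allows(self, source_ip):
        addr = ipaddress.ip_address(source_ip)  # raises ValueError on garbage
        listed = any(addr in net for net in self.exceptions)
        return (not listed) if self.default_allow else listed


class ConnectionPolicy:
    """A connection is accepted only if the port is explicitly permitted AND the
    source address passes the IP restriction.  Everything else is refused."""

    def __init__(self, ip_restriction, allowed_ports):
        self.ip_restriction = ip_restriction
        self.allowed_ports = frozenset(allowed_ports) - ALWAYS_BLOCKED_PORTS

    def check(self, source_ip, dest_port):
        """Return (allowed, reason) for a single inbound connection attempt."""
        if dest_port in ALWAYS_BLOCKED_PORTS:
            return False, "port %d is on the always-blocked list" % dest_port
        if dest_port not in self.allowed_ports:
            return False, "port %d is not explicitly permitted" % dest_port
        try:
            if not self.ip_restriction.allows(source_ip):
                return False, "source %s is not permitted" % source_ip
        except ValueError:
            return False, "unparseable source address %r" % (source_ip,)
        return True, "port %d from %s permitted" % (dest_port, source_ip)


# Invented sample policy: two client offices, web server reachable on 80/443 only.
OFFICE_RANGES = ["203.0.113.0/24", "198.51.100.40"]
ACT_WEB_POLICY = ConnectionPolicy(
    IpRestriction(default_allow=False, exceptions=OFFICE_RANGES), [80, 443])

# Invented sample attempts (source IP, destination port) as a firewall sees them.
SAMPLE_ATTEMPTS = [
    ("203.0.113.9", 80),      # office user, web port        -> allowed
    ("203.0.113.9", 139),     # office user, NetBIOS         -> blocked (always)
    ("192.0.2.55", 80),       # stranger, web port           -> blocked (address)
    ("198.51.100.40", 443),   # second office, SSL           -> allowed
    ("198.51.100.41", 443),   # neighbour of second office   -> blocked (address)
    ("not-an-ip", 80),        # malformed                    -> blocked
]


def evaluate(policy, attempts):
    """Apply the policy to (ip, port) pairs; returns (ip, port, allowed, reason) rows."""
    return [(ip, port) + policy.check(ip, port) for ip, port in attempts]


if __name__ == "__main__":
    for ip, port, allowed, reason in evaluate(ACT_WEB_POLICY, SAMPLE_ATTEMPTS):
        print("%-16s %5d  %s  %s" % (ip, port, "ALLOW" if allowed else "DENY ", reason))
```

Running it shows why the guide prefers the deny-everyone mode: in the grant-everyone mode every address you forgot to list gets in. On the real server the same logic lives in the firewall rule base and in the IIS dialog; writing it down like this lets the ranges be reviewed and tested before they are typed into two different products.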
Chapter 5 - Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to determine that your lockdown procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the Internet, and so you must be careful as consultants what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, reached either from
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console. IIS appears under Services and Applications | Internet Information Services.
It is important that you become familiar with this interface and its operation.
Another way to reach the same settings is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed you might find services or virtual folders already there that are being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration web site and on the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (it may have been renamed) you should delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC (the Remote Data Services part of Microsoft Data Access Components) and _vti_bin (FrontPage Server Extensions). They all contain ASP pages, scripts and ISAPI DLLs in which vulnerabilities have been found in the past, and they are most likely not used or needed on the server. If no other application is being run on the IIS server you can remove every virtual folder in the web site. The idea is that we remove anything not specifically required for our implementation; this reduces the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (right-click, then Properties).
On the Documents tab remove all the items there and add web.gif, or some other small GIF that you have placed in the folder defined on the Home Directory tab (usually C:\Inetpub\wwwroot).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the server is also being used for another web site you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this GIF file too, because it sometimes reappears (Internet Printing recreates it; disabling "Web-based printing" in Group Policy, or the Print Spooler service as suggested in the Appendix, stops it coming back). The idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT For Web.
To do this, right-click on the ActWeb virtual folder, select Properties, then the Documents tab, and Add "Default.htm".
Next, on the Home Directory tab click on the Configuration button. Remove all the application mappings except for .asa and .asp (which are required for ACT for Web to operate). The remaining mappings (.htr, .ida, .idq, .printer, .shtml and the others) hand requests to ISAPI DLLs that ACT for Web never uses, and several of them have had serious vulnerabilities (Code Red, for example, arrived through the .ida mapping). With a mapping removed, a request for such a file is handled as a request for a static file (a 404 if the file does not exist) instead of being passed to the DLL.
This is to prevent holes in other applications being used to infiltrate your site.
Next, remove (or rename if you are not sure whether they may be needed later) the physical folders on disk that belong to the virtual folders you removed earlier, such as C:\Inetpub\iissamples.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida, by adding the account on each file's Security properties and selecting Deny (for IUSR only). You may need to search the hard disk to find every copy of these files (the system32\dllcache folder, for instance, holds a second copy of cmd.exe).
This is to prevent a web request being able to point at those files and execute them, which has been a common hacking exploit (Nimda's requests for cmd.exe and tftp.exe are a well-known example). An explicit Deny entry is evaluated before any Allow entry on the file, so it overrides the Read & Execute rights that the Everyone or Users group has on the system folder.
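To show why the Deny entry works, here is an added example (mine, not from the guide or from Windows) that models how Windows evaluates an NTFS access control list: entries are walked in canonical order, explicit Deny entries before Allow entries, and a request is granted only once every requested right has been allowed without first meeting a Deny that covers one of them. The IUSR_WEB01 name, the group memberships and the sample ACL on cmd.exe are invented; real ACEs hold SIDs and 32-bit access masks rather than names and words.

```python
"""Model of the Windows access check over an NTFS ACL.  Added example with
invented names; real ACEs carry SIDs and access masks, not strings."""
from dataclasses import dataclass

RIGHTS = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class Ace:
    kind: str             # "allow" or "deny"
    trustee: str          # user or group name (a SID on a real system)
    rights: frozenset     # subset of RIGHTS this entry applies to

    def __post_init__(self):
        if self.kind not in ("allow", "deny") or not self.rights <= RIGHTS:
            raise ValueError("malformed ACE: %r" % (self,))


def canonical(acl):
    """Canonical order as written by the Security tab and cacls.exe: explicit
    Deny entries first, then explicit Allow entries.  An ACL built by hand in
    any other order is still accepted by Windows but is evaluated as written."""
    return [a for a in acl if a.kind == "deny"] + [a for a in acl if a.kind == "allow"]


def access_check(acl, token, requested):
    """token: the identities the caller holds (its account plus every group it
    belongs to).  requested: set of rights wanted.  Returns (granted, reason)."""
    remaining = set(requested)
    if not remaining or not remaining <= RIGHTS:
        raise ValueError("bad request: %r" % (requested,))
    for ace in acl:
        if ace.trustee not in token:
            continue                     # entry is for someone else
        if ace.kind == "deny":
            if ace.rights & remaining:   # denies a right not yet granted
                return False, "denied by Deny entry for %s" % ace.trustee
        else:
            remaining -= ace.rights
            if not remaining:            # every requested right now allowed
                return True, "granted (last entry: Allow for %s)" % ace.trustee
    return False, "no entry grants: %s" % ", ".join(sorted(remaining))


def cmd_exe_acl_after_lockdown():
    """Invented ACL for cmd.exe after the step above: the Allow entries Windows
    set up are still there; the lockdown adds a Deny for the anonymous web account."""
    return [
        Ace("allow", "Everyone", frozenset({"read", "execute"})),
        Ace("allow", "Administrators", RIGHTS),
        Ace("deny", "IUSR_WEB01", frozenset({"read", "execute"})),
    ]


# Invented tokens: the anonymous web user and an administrator.
IUSR_TOKEN = frozenset({"IUSR_WEB01", "Everyone", "Users", "Guests"})
ADMIN_TOKEN = frozenset({"Administrator", "Administrators", "Everyone", "Users"})


if __name__ == "__main__":
    acl = canonical(cmd_exe_acl_after_lockdown())
    print("IUSR execute :", access_check(acl, IUSR_TOKEN, {"execute"}))
    print("Admin delete :", access_check(acl, ADMIN_TOKEN, {"delete"}))
    # Same entries, Allow before Deny: the Deny is never reached for IUSR.
    print("non-canonical:", access_check(cmd_exe_acl_after_lockdown(), IUSR_TOKEN, {"execute"}))
```

The last line of output is the caveat: the same three entries in non-canonical order let IUSR run cmd.exe, because the Allow for Everyone satisfies the request before the Deny is reached. The Security tab and cacls.exe always write the canonical order, so doing it through the dialog as described above is safe; scripts that write ACLs directly have to keep the order themselves.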
If you want increased security you can remove Anonymous access and use Integrated Windows Authentication. This requires a Windows (local or domain) login before the ACT login. Bear in mind that Integrated Windows Authentication only works in browsers that support it (mainly Internet Explorer at the time of writing) and usually does not work through HTTP proxy servers, so test it from the users' actual locations.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage on the shortcut menu. The Computer Management window appears.
2. Expand Services and Applications, then expand Internet Information Services, and then select Default Web Site so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties on the shortcut menu. The ActWeb Properties dialog appears.
4. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is ticked. The other check boxes depend on your specific security requirements and are not related to the ACT for Web configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later. Do not tick Basic authentication unless the site is on SSL, because Basic sends the Windows password essentially in clear text.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and reopen it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. As noted in Chapter 4, this only hides the site from casual scanning. Using SSL (Secure Sockets Layer) on port 443 adds real protection by encrypting the traffic across the Internet, so that the ACT login and the client data cannot be read in transit; the URL then starts with https instead of http. SSL requires a server certificate to be installed on the web site.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing web sites they may already have taken steps to interact with the spiders that crawl them.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitor sites or search engines; these methods are, however, respected by the popular search engines. Also remember that robots.txt is itself a public file listing the paths you would rather not advertise, so keep its entries as broad as possible (for instance disallowing the whole site) rather than naming the ACT for Web folder.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix - More tips for the sensibly paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. (The built-in "Everyone" group is a well-known identity that Windows does not let you rename; what you can and should do is remove it from file permissions in favour of specific groups, as covered below.)
Do not use the server to browse the Internet, and do not browse the Internet from any machine using an account that is a member of the Administrators group. Any web-based attack would then have complete access to install software and access your system in undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run the Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: MBSA reports on missing patches and on weak settings, including several of the settings below, but it does not change them. The IIS Lockdown Tool (with URLScan), available from the same Microsoft security tools area, will apply many of the IIS changes from Chapter 5 automatically.
Start | Run, syskey.exe: on Windows 2000 the SAM encryption that this dialog controls is already enabled and cannot be turned off, so "Encryption Enabled" will already be selected. What the Update button lets you change is where the startup key is kept: generated and stored locally (the default), derived from a password typed at boot, or on a floppy disk. The last two are stronger but mean the server cannot reboot unattended, and losing the password or floppy makes the system unbootable. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes - BACK UP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the LegalNoticeCaption value to your company name or the site owner's name
Change the LegalNoticeText value to "Unauthorized Use"
o Delete the OS2 value under HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Posix value under HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Optional value under HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
(These three remove the OS/2 and POSIX subsystems, which nothing on this server uses.)
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
(These stop programs on the server from making outbound RPC calls over TCP and UDP; test any application that talks to other servers after making this change.)
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
Set the display list to 10 seconds
Check "Automatic Reboot"
Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
Enforce password history: 8
Minimum password length: 8
Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
Account lockout duration: 10 minutes
Account lockout threshold: 5
Reset account lockout counter after: 10 minutes
(If the ActWeb site uses Integrated Windows authentication, note that anyone on the Internet who knows a user name can lock that user out by guessing five wrong passwords; the short lockout duration limits the damage.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit directory service access: Success, Failure
Audit logon events: Success, Failure
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit process tracking: Success, Failure
Audit system events: Success, Failure
(Process tracking in particular generates a large volume of events; make sure the Security log is sized so that it does not fill up, and review it as part of the daily log check.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
Allow System to Be Shut Down Without Having to Log On: Disabled
Audit Use of Backup and Restore Privilege: Enabled
Clear Virtual Memory Pagefile When System Shuts Down: Enabled
Disable CTRL-ALT-DEL Requirement for Logon: Disabled
Do Not Display Last User Name in Logon Screen: Enabled
Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
Message Title for Users Attempting to Log On: company or site owner's name
Prevent Users from Installing Printer Drivers: Enabled
Recovery Console: Allow Automatic Administrative Logon: Disabled
Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
Restrict Floppy Access to Locally Logged-On User Only: Enabled
Unsigned Driver Installation Behavior: Do not allow installation (NOTE: may prevent software installs)
Unsigned Non-Driver Installation Behavior: Do not allow installation (NOTE: may prevent software installs)
Additional Restrictions for Anonymous Connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
Deselect all components except "Internet Protocol (TCP/IP)". This removes File and Printer Sharing and the Client for Microsoft Networks from the Internet-facing connection; on a hybrid server that also shares the ACT database to LAN clients, do this only on the Internet-facing connection.
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places protects you against breaches of the firewall. For a dedicated ACT for Web server the permitted TCP ports are just the web port (80, or whatever you chose) and 443 if SSL is used. Remember that TCP/IP filtering works by port only, not by source address, so a port you block here is blocked for LAN users too.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
Guest account | General tab: User cannot change password
Guest account | General tab: Password never expires
Guest account | General tab: Account is disabled
Guest account | Dial-in tab: Remote Access Permission: Deny access
Services
o Configure the following Windows services to start automatically:
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows services to start manually:
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows services if they are not being used:
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transfer Protocol (SMTP)
DHCP Client (only if the server has a fixed address, which it should)
Messenger
Telephony
Telnet
Windows Time
(If the server is a member of a domain, Net Logon must stay automatic and Windows Time should stay running so that Kerberos logons keep working. Remote Registry is listed as automatic because remote administration tools and MBSA use it; if you manage the server at the console only, set it to manual.)
Other General Changes
o For the Everyone group:
C drive, Documents and Settings folder: Read & Execute, List Folder Contents, Read
C drive, WinNT folder: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group and the IUSR account from the following C:\winnt\system32 files, in addition to the ones mentioned above:
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
(and any others not needed)
These are the tools an attacker who gets code running as the web user reaches for first: to look around (ipconfig, netstat, net), to fetch more tools (ftp, tftp, rcp) and to alter the system (regedit, cacls, at). Note that Windows File Protection keeps a second copy of many of them in C:\winnt\system32\dllcache, and that copy needs the same permissions.
o Display Properties
Set the screen saver to "Logon Screen Saver"
Set the screen saver wait to 5 minutes
Tick "Password protected"
o Check the anti-virus program:
Enable the "start program on Windows startup" option
Turn on all activity logs (detection, quarantine etc.)
Disable the "audible alert" option
Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, defaults to "ask me what to do", which on an unattended server means nothing happens)
Enable scanning of master boot records
Enable scanning of boot records
Scan all inbound file types
o Vulnerability scan
Use a vulnerability scanner or a scanning service to verify that your site is secure and that no known vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from. Scan from outside the firewall as well as from inside, and repeat the scan after every change to the server.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system, IIS and firewall logs need to be reviewed daily to track activity and intrusion attempts.
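Reading the logs every day is easier with something that pulls out the requests worth looking at. The following is an added example, not part of the GL Computing guide: it reads IIS W3C Extended log lines, using the #Fields: header to find the columns, and flags the probe patterns discussed in Chapter 5 (requests for cmd.exe, tftp.exe, httpodbc.dll, default.ida and the sample and RDS folders, plus the encoded "../" and "..\" sequences that Nimda and the Unicode traversal bug used). The log excerpt, the addresses and the field layout are constructed for the example; the parser reads whatever field list the header declares.

```python
"""Flag probe requests in IIS W3C Extended log lines.  Added example; the log
lines below are constructed and the addresses are invented."""
import re
from collections import Counter

# File names and folders the guide removes or denies to IUSR; a request for any
# of them on a locked-down ACT for Web server is a probe, whatever the status.
SUSPECT_TARGETS = ("cmd.exe", "command.com", "tftp.exe", "httpodbc.dll",
                   "default.ida", "root.exe", "/msadc/", "/_vti_bin/",
                   "/iisadmin/", "/iissamples/", "/scripts/", "/printers/")

# Encoded "../" and "..\" sequences, including the double-encoded and the
# overlong-UTF-8 forms used against IIS 4/5.
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c|%252f|%255c)|%c0%af|%c1%1c|%c1%9c",
                       re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the latest #Fields: line.
    IIS writes a new header block whenever logging restarts, so the field list
    is re-read each time it appears."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):    # truncated or corrupt line
            continue
        yield dict(zip(fields, values))


def classify(entry):
    """Return a short reason if the request looks like a probe, else None."""
    target = "%s?%s" % (entry.get("cs-uri-stem", ""), entry.get("cs-uri-query", "-"))
    target = target.lower()
    for needle in SUSPECT_TARGETS:
        if needle in target:
            return "request for %s" % needle
    if TRAVERSAL.search(target):
        return "directory traversal sequence"
    return None


def scan(lines):
    """Return (hits, per_ip): flagged requests as (c-ip, uri, status, reason),
    and a Counter of flagged requests per client address."""
    hits, per_ip = [], Counter()
    for entry in parse_w3c(lines):
        reason = classify(entry)
        if reason:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], entry["sc-status"], reason))
            per_ip[entry["c-ip"]] += 1
    return hits, per_ip


# Constructed log excerpt.  IIS records W3C log times in GMT, not local time.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-08 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-06-08 00:01:12 203.0.113.9 GET /actweb/default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-06-08 00:01:13 203.0.113.9 POST /actweb/login.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-06-08 00:02:40 198.51.100.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2004-06-08 00:02:41 198.51.100.77 GET /msadc/root.exe /c+dir 404 -
2004-06-08 00:02:41 198.51.100.77 GET /_vti_bin/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 -
2004-06-08 00:03:05 192.0.2.33 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858 404 -
2004-06-08 00:05:00 203.0.113.9 GET /actweb/contacts.asp id=42 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG.splitlines())
    for ip, uri, status, reason in hits:
        print("%-15s %s  %s  (%s)" % (ip, status, uri, reason))
    print("flagged requests per address:", dict(per_ip))
```

The status column matters as much as the pattern: on a locked-down server every one of these probes should fail, so three of them from one address within a second is a scanner at work and can be added to the firewall's deny list, while a 200 on any such line means the lockdown is incomplete. The times are GMT, so convert before correlating with a firewall log that records local time.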
Term Definition
Server vs Workstation
ACT for Web supports NT4 (SP6a) Workstation or Server and Windows 2000 Professional or Server (1.1 and later also supports XP Pro, and 1.2 and later supports Windows 2003). So what are the basic differences between the Workstation/Professional and the Server versions of the operating system? First, the Server versions are pre-set to favour background tasks over foreground ones, which can make IIS run faster… but this can be reconfigured on the workstation version to get pretty close. More importantly, the Workstation versions only allow 10 concurrent inbound connections. Once random Internet traffic takes some of those, this can limit you to 6-8 concurrent users accessing your ACT database over the Internet. So if you are looking for reliable connections for more than 5 users you will need to use the Server versions.
NTFS: New Technology File System. This file system has many improvements over the FAT16/32 file systems. To begin with it is transaction-based, i.e. it uses a transaction log to help maintain data integrity. This does not mean that you cannot lose data, but it does mean that you have a much greater chance of accessing your file system even if a system crash occurs, because the log lets Windows roll back outstanding disk writes the next time it boots. The log is also used to check the disk for errors instead of scanning each file allocation table entry as the FAT file system does. NTFS also adds the security model that we will be using to protect our servers. This document assumes you are running Windows 2000 with an NTFS file system.
NTFS Security: NTFS can attach an access control list (ACL) to every file and folder. The ACL lives in the object's security descriptor and is the container for one or more access control entries (ACEs). Each ACE names a user or group by its security identifier (SID) and states which access that account is allowed, or explicitly denied: read, write, delete, execute, change permissions, take ownership and so on. A Deny entry takes precedence over an Allow entry for the same account, which is what the lockdown steps in this document rely on.
What this means to you is that through NTFS security we can determine which users and groups can access files and folders on your server, and what access they have. You cannot do this on FAT16 or FAT32 file systems.
Multithreading: A thread is the smallest unit of execution the system schedules. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and run. A single process can have more than one thread, and threads that are not dependent on each other can run concurrently on Windows. However, while IIS is inherently multithreaded, ACT itself (and most importantly its SDK) is not "thread aware": it can only handle one call at a time and must finish processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to run a stand-alone ACT for Web environment.
Workgroups vs Domains
A workgroup is a casual affiliation of computers grouped logically under a single name. This cuts down on clutter when your users browse for resources on the network: instead of seeing everything shared on the network, they first see the shared resources of the workgroup they belong to.
All security in a workgroup is based on the local computer (the one sharing the resource). This is a serious administrative chore, because every workgroup computer has to have the same user accounts defined if you want users on other computers to reach your shared resources transparently (without supplying a different user name and password).
A domain provides the same grouping, with one major difference: a domain has a centralised user database that resides on the domain controller, and all logon authentication is based on it. This makes administration much easier, as the same accounts and groups are available from any machine in the domain.
It is very important to note that the IUSR account (IUSR_machinename, the account IIS uses for anonymous web requests) is a local account, not a domain account, and is a member of the local Guests group. Because IIS logs it on with its stored password it counts as a normal logon, so it is covered by the Everyone group; that is why the lockdown steps in this document remove Everyone's rights as well as IUSR's. Being a dedicated local account with no other purpose, it is easier to control than a shared user account would be.
Domain Controllers
The Domain Controller (DC) is the server that authorises user logons to the network. It holds the master copy of the user database, which includes all your global groups, user accounts and computer accounts, and it authenticates your users when they log on to the network or access a shared resource. The DC also carries the tools used for centralised administration, such as User Manager for Domains and Server Manager (NT4) or Active Directory Users and Computers (Windows 2000), plus DHCP server, WINS server and a host of others. Other DCs replicate the information for load balancing and backup purposes.
In NT4 there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers): when the PDC went down, an Administrator had to promote a BDC to PDC. In Windows 2000 and 2003 this is no longer an issue, as DCs replicate with each other as peers (a few single-master operations roles remain, but they do not stop logons).
Do not use a DC as a web server if you can possibly avoid it. A Domain Controller is constantly processing authentication requests, so running IIS on it reduces performance. More importantly, a DC has no local accounts, so the IUSR account that IIS creates on it is a domain account: any compromise of the web site is then the compromise of a domain account, which exposes the whole network rather than one server.
Client/Server: Client/server technology is where the server (IIS, SQL Server, etc.) houses the data and does most of the intensive data processing, while the client (Internet Explorer or a specific client application) handles the user interface. This means much less bandwidth on the network, much lower requirements for client hardware and usually much less administration, as most functions are controlled on the server only. The client sends a request for information to the server; the server application does the database-intensive processing and sends back just the results.
TCP/IP: Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. They grew out of the ARPANET research of the late 1960s and were developed in the 1970s under the US Department of Defense's DARPA, and are now the standard way of connecting heterogeneous systems (i.e. computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL: Uniform Resource Locator. A URL is the full Internet address, including the access protocol (http, ftp, nntp, https, etc.), the Internet address of the host (IP or name) and optionally a port, a path and/or file, and a user name and password. The IP can be written in standard dotted form or as a single decimal number. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext
Microsoft has since removed support for the user:pass@ part of HTTP and HTTPS URLs in Internet Explorer, as per http://support.microsoft.com/default.aspx?kbid=834489. This can affect sites that use Windows logins rather than Anonymous access if users had been embedding their credentials in links. It is also no bad thing, since that form was widely abused to disguise the real host in a link.
DHCP: Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one wherever possible; once it has one, the DHCP Client service is no longer needed on it.
DNS: Domain Name System. The DNS is a general-purpose hierarchical, distributed, replicated query service (database) used mainly for translating host names (domain names) into IP addresses, e.g. when a user looks for www.GLComputing.com.au it should return the correct IP address. Resolution works down the name from the root, asking the name servers responsible for each domain in the name in turn, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and publish to the global DNS via their ISP. Because resolvers and other name servers cache answers for the record's time-to-live, a change to an IP can take 24-48 hours to be seen everywhere. The resolver on a client can be configured to look for host information in a sequence: typically the local hosts file first (%SystemRoot%\system32\drivers\etc\hosts on Windows, /etc/hosts on Unix), then NIS (Network Information Service, Unix only) and then DNS. This sequencing of naming services is sometimes called name service switching.
WINS: Windows Internet Naming Service. The WINS service resolves NetBIOS names to IP addresses in a similar fashion to the way DNS resolves host names to IP addresses.
NAT: Network Address Translation. The ability of a router or firewall to use one external routable IP address to provide connectivity for a number of network clients, by translating their private (non-routable) addresses to the public one on the way out and relaying the replies to the client that requested them. It also allows the firewall to direct specific inbound ports to specific machines without those machines' IPs being reachable from the 'net.
Private IP addresses (RFC 1918) are of the form 10.x.x.x, 172.16.x.x to 172.31.x.x, or 192.168.x.x (where x is 0-255).
MDAC: The Microsoft Data Access Components provide a suite of libraries for accessing different databases through a common programming interface, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO, and later ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will also need to install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later also supports MDAC 2.8, for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system you can find out as follows (note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run
Type "REGEDIT" into the command line (omit the quotes)
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version (MDAC 2.5 and later also write FullInstallVer). This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM: Distributed Component Object Model. DCOM is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. It is based on the Open Software Foundation's DCE RPC specification and works with both Java applets and ActiveX components through its use of the Component Object Model (COM). DCOM relies on the RPC endpoint mapper on TCP port 135, which is why that port appears in the list of ports to block later in this document: it should never be reachable from the Internet.
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT for Web see http://itdomino.act.com/act.nsf/docid/13988
Device Definition
Firewalls: A firewall is essentially any of a number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes range from simple NAT, as above, through port filtering and IP filtering to inspection of the data itself, and can include threat monitoring, dial-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarised zone) to be a more public server. As the IIS server will be hosting our client data it is better to locate it behind the firewall and only permit the traffic it needs to handle.
We will discuss firewalls further in the security section.
Hubs vs Switches
These connect devices on the same LAN. When data is sent to one port on a hub it is copied to all ports, so every device on the segment sees it, which also means anything plugged into a hub can sniff all the traffic on it. A switch (or switching hub) only forwards frames to the port the destination device is on rather than to every port. In this way each connection can deliver the full available bandwidth without collisions, and casual sniffing from another port is not possible.
A hub is also restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges
Routers and bridges allow you to connect different networks, e.g. your LAN to your ISP's network. Routers (OSI Layer 3 – Network) and bridges (OSI Layer 2 – Data Link) operate at different levels of the OSI reference model (Open Systems Interconnection, the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT for Web implementation.
Command Description
Ping: Ping is the simplest command to tell if a remote system is running and reachable. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name shows the IP address returned by the DNS server and the round-trip time. Many firewalls drop ICMP Echo requests, so no reply does not always mean the host is down.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT. This sends probes with an increasing time-to-live so that each router between you and the remote system replies in turn, usually letting you see where the failure or bottleneck is. A hop that shows only asterisks is a router that does not answer probes, not necessarily a fault.
IPCONFIG: IPCONFIG is a command that displays the TCP/IP network configuration values (use /all for the full set) and can be used to release and renew a DHCP lease (/release, /renew) and to clear the DNS cache (/flushdns). Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you. For older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with DNS servers. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS – What is it?
IIS is Microsoft's Internet Information Services (IIS 5 on Windows 2000; earlier versions were called Internet Information Server). It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application, in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive; there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects to on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Letrsquos have a look at the functions of IIS that we need to know about in a little more detail
Server Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser), typically on port 80. The WWW is a content-rich environment and accounts for the majority of network traffic on the Internet. You can use it to display (in your web browser) text, static graphics, animated graphics, 3-D worlds and audio/video files. It can also be used to access databases, such as ACT for Web, via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. It is much less complex than the WWW Publishing Service and is used primarily as a data repository. It is usually on port 21. Note that FTP sends user names and passwords across the network in clear text, which is one reason this document has it stopped unless it is known to be needed.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, which retrieves email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups similar to the ACC news server. NNTP servers default to port 119.
Dev Tool Description
CGI The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS Itrsquos a standard for many different web server platforms CGI scripts can be written in a variety of languages including Perl C and C++
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as CGI does), the ISAPI DLL (Dynamic Link Library) is loaded into the IIS address space and handles any requests for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, an errant ISAPI application can crash the WWW Publishing Service as well, and a vulnerability in an ISAPI DLL gives an attacker code execution inside the web server itself, which is why the lockdown removes every mapping to one that is not needed.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the asp.dll file. It has similar advantages over CGI without the problems of ISAPI: asp.dll is itself an ISAPI extension, but the page code runs as script inside it rather than as native code written by each developer. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web requires a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX ActiveX controls are components that use the Microsoft COM technologies (Component Object Model ndash an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker)
They are Windows programs that can be executed by a browser. ActiveX controls run as native code with the full rights of the user running the browser, so they have full access to the Windows operating system.
XML Extensible Markup Language is a newer method designed for the interchange of documents and data It is a format for transferring data across the Internet It not only includes the data but self-describing information about the data Office 2003 can also use XML
SOAP The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document assumes that you have performed a "clean" install of Windows 2000 Server on your machine but NOT installed any IIS components. In the Lockdown section we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these steps while connected to the Internet, and only to connect after the securing part has been completed. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system (obtain them before the server goes online).
Installing IIS is quite simple:
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS) We should take this further by clicking on the ldquoDetailsrdquo button
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web)
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their Knowledge Base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task Other options increase the ldquosurface areardquo available for attack on the server and will need to be configured to make them less vulnerable We will look at some of these options in the next section
Click ldquoOKrdquo and IIS will be installed
Although it is not always required we strongly recommend a re-boot of the server after installing or removing Windows components
Chapter 4
Protect against what?
In this chapter we will describe the types of attackers that are out there and give you some idea of the methods they may use to compromise your systems.
Types of Attackers
Letrsquos start by categorising the types of attackers you may need to protect your systems from
Attacker Description
Script Kiddie This is the most common form of attack and the one which we will most need to protect our servers from These are usually kids looking for easy to hack servers so that they can take control of them and use them to attack others
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from
Valuable Data This is typically done by someone who knows that specific data on your site is of significant value to the attacker It may be done by a nasty competitor who wants your data or someone who thinks you may have Credit Card numbers (or similar data) on your system If you are planning to keep Credit Cards etc in your database you will need to be very careful about your security and liability
We do not recommend keeping this type of data in an ACT database
Prestige Site This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security This is unlikely to be an issue for any ACT for Web installation
Enemy Attack This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson The toughest of these to protect against is an ex-employee that feels they have been wronged and knows the security of your system
Internal Attack
This type typically does the most damage, as the attacker may know your security and usually has a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not help in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common vehicle for these is a Trojan.
A Trojan (named after the Trojan horse) is a piece of software that gets loaded onto your server and makes it available to an attacker. What it provides to the attacker varies: damaging your data, giving others access to see your data, or using your server to launch attacks on other systems.
There are two main ways to prevent these:
One is to ensure you have good anti-virus software running and that you keep it up to date. GL Computing currently recommends Symantec (formerly Norton) AntiVirus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from reaching the Trojan if it is on your system. As Trojans usually listen on specific ports, allowing only the ports you need provides pretty good security against most known attacks. It does not help against a Trojan that connects outwards to the attacker, which is another reason to restrict outbound traffic from the server as well.
Many attacks, such as Nimda and SQL Slammer, used vulnerabilities in IIS and SQL Server that Microsoft had patched months earlier, and yet many administrators (including some of Microsoft's own) had not patched all of their servers that were reachable from the Internet. Consequently many millions of dollars in damaged data and system downtime resulted.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) use security holes in Windows for which Microsoft has already issued patches, knowing that many administrators do not apply these fixes. It is good practice to check regularly for updates from the Microsoft site http://windowsupdate.microsoft.com and, where you can, to test them on a non-production machine first.
Unknown Attacks
It may seem unusual to talk about preventing an ldquoUnknown Attackrdquo but that is exactly what is necessary to provide adequate defence ndash preventing as much as possible attacks that use previously undiscovered exploits
Essentially this means reducing the ldquoSurface Areardquo of attack ndash that is reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run
Configuring the IIS server to remove the services that can be used to hook into it will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IP addresses that can connect to them.
There are two main transport-layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Each has 65,536 "ports" (numbered 0-65535) that connect to specific applications on the server machine, and a TCP port and a UDP port with the same number are different things, so a firewall rule needs to say which it means.
So the simple rule to start with is to permit only those ports that you know you need through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port keeps the server out of casual sweeps for web servers, at the cost that users must put the port number in their URL. It is obscurity rather than security: a port scanner finds it in seconds, so it is no substitute for the lockdown steps that follow.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked at the firewall, for traffic in both directions: 135, 137, 138, 139 and 593 (RPC and NetBIOS, used for Windows networking and DCOM, and never needed from the Internet), and 443 (unless you are using SSL). Blocking them outbound as well stops a compromised server being used to attack other machines over those services.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to permit only those IPs to reach the server. We'll show how to do this on the IIS server in the next chapter.
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks However we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server
It is also important to note that security can never be guaranteed on the internet and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management console; IIS appears under Services and Applications | Internet Information Services.
It is important that you become familiar with this interface and its operation.
Another way to get to it is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already in use, you might find services or virtual folders already there that are being used by something else.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service accepting requests, and check with the administrator.
This should be done for the Administration web site and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which may have been renamed) you should delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC (the Remote Data Service component of MDAC, not Active Directory) and _vti_bin (FrontPage Server Extensions). They all contain sample pages, scripts and ISAPI DLLs that have had vulnerabilities found in them, and they are almost certainly not used or needed on the server. If no other application is being run on the IIS server you can remove any of the virtual folders in the web site. The idea is to remove anything not specifically required for our implementation, which reduces the "surface area" available to an attacker. It is advisable to check with the system administrator first. Once you know you can remove them, right-click on the item and select Delete.
Next open the Default Web Site properties (right-click, then Properties), which should look something like:
On the Documents tab remove all the items there and add web.gif (or some other small gif that you have placed in the default folder defined on the Home Directory tab, usually C:\Inetpub\wwwroot).
This means that a potential hacker just looking for a site will see something small that gives nothing away about the content of the site.
If the web site is also used for another application you may need to leave the default document that application relies on.
You may want to point the Printers virtual folder at this gif file too, because it sometimes re-appears (Internet Printing re-creates it unless Web-based printing is disabled in Group Policy or the Print Spooler is not running). The idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web.
To do this right-click on the ActWeb virtual folder, select Properties, then the Documents tab, and add "Default.htm".
Next, on the Home Directory tab, click the Configuration button. Remove all the application mappings except .asa and .asp (which are required for ACT for Web to operate).
This prevents holes in the other ISAPI extensions being used to get into your site. The .ida/.idq mapping to idq.dll is the one the Code Red worm exploited, and .htr and .printer have had their own vulnerabilities; none of them is needed for ACT for Web.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders on disk that belonged to the virtual folders you removed earlier.
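The virtual folder, default document and script mapping steps above, done through the IIS 5/6 metabase rather than by hand, so the result can be audited on a server that someone else set up. This is an added example written for this page, not code from the GL Computing document or from ACT for Web. It assumes PowerShell 2.0 on the server (Windows Server 2003; on IIS 7 or later the IIS 6 Metabase Compatibility feature must be installed; Windows 2000 cannot run PowerShell, so there the same changes are made with adsutil.vbs or in the console as described above), that the Default Web Site is metabase instance 1, that the ACT for Web virtual directory is named ActWeb and that web.gif is already in the home directory. Without -Apply it only reports what differs from the lockdown.

```powershell
# Added example for this page (not from the GL Computing document or ACT for Web):
# audit and, with -Apply, enforce the Default Web Site lockdown described above
# through the IIS 5/6 metabase (ADSI "IIS://" provider).
# Assumptions: PowerShell 2.0, Default Web Site = metabase instance 1, the ACT for
# Web virtual directory is "ActWeb", web.gif already exists in the home folder.
param([switch]$Apply)

$SitePath    = "IIS://localhost/W3SVC/1/Root"       # assumption: Default Web Site is instance 1
$RemoveVdirs = @("IISHelp", "IISAdmin", "IISSamples", "MSADC", "_vti_bin", "Scripts", "Printers")
$KeepExts    = @(".asp", ".asa")                    # all that ACT for Web needs
$Placeholder = "web.gif"
$ActWebVdir  = "ActWeb"

$root = [ADSI]$SitePath

# 1. Virtual directories that ship with IIS and are not needed for ACT for Web.
foreach ($child in @($root.psbase.Children)) {
    $name = $child.psbase.Name
    if ($RemoveVdirs -contains $name) {
        Write-Host "vdir '$name' present under Default Web Site (remove)"
        if ($Apply) { $child.psbase.DeleteTree() }   # removes the metabase node, not the files on disk
    }
}

# 2. Default document: only the placeholder image, so a casual visitor learns nothing.
$defaultDoc = [string]$root.psbase.Properties["DefaultDoc"].Value
if ($defaultDoc -ne $Placeholder) {
    Write-Host "DefaultDoc is '$defaultDoc' (set to '$Placeholder')"
    if ($Apply) {
        $root.psbase.Properties["DefaultDoc"].Value = $Placeholder
        $root.psbase.CommitChanges()
    }
}

# 3. Script mappings: keep .asp/.asa, drop everything else (.ida/.idq, .htr,
#    .printer, .shtml, wildcard maps ...). Each entry is ".ext,dll path,flags,verbs".
$maps = @($root.psbase.Properties["ScriptMaps"].Value)
$keep = @($maps | Where-Object { $KeepExts -contains $_.Split(",")[0].ToLower() })
$drop = @($maps | Where-Object { $KeepExts -notcontains $_.Split(",")[0].ToLower() })
if ($drop.Count -gt 0) {
    $drop | ForEach-Object { Write-Host "script map present: $($_.Split(',')[0]) -> $($_.Split(',')[1])" }
    if ($Apply) {
        $root.psbase.Properties["ScriptMaps"].Value = [string[]]$keep
        $root.psbase.CommitChanges()
    }
}

# 4. ACT for Web needs Default.htm back on its own virtual directory.
$actPath = "$SitePath/$ActWebVdir"
if ([System.DirectoryServices.DirectoryEntry]::Exists($actPath)) {
    $act  = [ADSI]$actPath
    $docs = @(([string]$act.psbase.Properties["DefaultDoc"].Value).Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($docs -notcontains "Default.htm") {
        Write-Host "ActWeb DefaultDoc is '$($docs -join ',')' (add Default.htm)"
        if ($Apply) {
            $act.psbase.Properties["DefaultDoc"].Value = (@("Default.htm") + $docs) -join ","
            $act.psbase.CommitChanges()
        }
    }
} else {
    Write-Host "no '$ActWebVdir' virtual directory yet; re-run after installing ACT for Web"
}
```

Run it once without -Apply and read the report with the administrator, then again with -Apply. Script mappings set directly on the ActWeb virtual directory override the site's, so if ACT for Web was installed before the lockdown, check that node as well.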
Remove Internet Guest Account (IUSR_machine_name) access to cmd.exe, command.com, tftp.exe and httpodbc.dll by adding the account in the Security properties of each file and selecting Deny (for IUSR only). You may need to search the whole hard disk to get all copies of these files (Windows File Protection keeps another copy in system32\dllcache). Note that default.ida does not normally exist as a file: the /default.ida request used by the Code Red worm was handled by the .ida script mapping (idq.dll), so removing that mapping in the previous step is what actually closes it; a Deny on a file that is not there does nothing.
This prevents a request that manages to reach those files (for example through a directory traversal flaw) from executing them, which has been a common exploit.
If you want increased security you can remove Anonymous access and use Integrated Windows authentication. This requires a Windows or domain login before the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage on the shortcut menu. The Computer Management window appears.
2. Expand Services and Applications, then Internet Information Services, and select Default Web Site so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; yours may differ).
3. Right-click the ActWeb virtual directory and click Properties. The ActWeb Properties dialog appears.
4. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to the ACT for Web configuration. Note: Digest authentication for Windows domain servers requires a Windows domain account store; it is not usable with local accounts.
6. Click OK on both windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt. Be aware that Integrated Windows authentication (NTLM) usually fails through HTTP proxy servers and in browsers other than Internet Explorer; for users coming in over the Internet, Basic authentication over SSL is the more reliable combination, and SSL is needed in that case because Basic sends the password in clear text.
IMPORTANT NOTE: with this configuration the IUSR_[machine name] account is no longer used by IIS. You will need to make sure the user account you log in with has proper permissions in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this, read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You will need to state the port when logging in, e.g. http://domain.com:port/actweb. Keep in mind that a non-standard port only hides the site from casual browsing; a port scan still finds it, so treat this as reducing noise rather than as protection. Using SSL (Secure Sockets Layer) on port 443 adds real security by encrypting the data (and the login credentials) as they cross the Internet. The URL then starts with https instead of http.
2. Search engines send out "spiders" to catalogue the sites available on the web. This means that searching google.com or another search engine for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing web sites they may already have begun to interact with the spiders that crawl them.
Visit the following links for more information about meta tags and the robots.txt file. Keep in mind that it is impossible to prevent a directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors or search engines. These methods are generally respected by the popular search engines, but robots.txt is advisory only and itself lists the paths you would rather keep quiet about; it is a courtesy to well-behaved crawlers, not a security control, and authentication on the site is what actually keeps the data private.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. (The "Everyone" group is a built-in identity and cannot be renamed; concentrate instead on removing its rights, as described below.)
Do not use the server to browse the Internet, and do not browse the Internet from an account that is a member of the Administrators group. A browser-based attack would then run with full rights to install software and access your system in undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run the Microsoft Baseline Security Analyzer (MBSA), which can be found at
http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp
Select the applicable type of server configuration. Note: MBSA only reports; it changes nothing itself, but it checks for many of the settings listed below, so it is a convenient way to verify them afterwards.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. Note that Windows 2000 and later already run with SYSKEY enabled (mode 1, with the key stored on the machine); running syskey.exe only changes something if you choose a start-up password or a key on floppy, both of which require someone at the console at every reboot. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested registry changes - BACK UP THE REGISTRY FIRST:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Change the LegalNoticeCaption value to your company name or the site owner
    Change the LegalNoticeText value to "Unauthorized Use"
o Delete the Os2 value under HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Posix value under HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Optional value under HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the ncacn_ip_tcp value under HKLM\Software\Microsoft\Rpc\ClientProtocols
o Delete the ncadg_ip_udp value under HKLM\Software\Microsoft\Rpc\ClientProtocols
Removing the two RPC client protocols stops software on the server from making its own RPC calls over TCP or UDP; on a domain member, test that domain operations still work before leaving this in place.
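The subsystem and RPC value deletions above, with the backup the page insists on taken first. This is an added example for this page, not code from the GL Computing document. It assumes PowerShell 2.0 and reg.exe (both built in from Windows Server 2003), and a backup folder of C:\RegBackup; without -Apply it only shows what it would remove, and "not present" is normal on newer Windows versions where the OS/2 and POSIX subsystems no longer exist.

```powershell
# Added example for this page (not from the GL Computing document): export the two
# keys with reg.exe, then remove the values listed above. Note the correct names
# ("Session Manager", "ncadg_ip_udp"). Assumptions: PowerShell 2.0, reg.exe present,
# $BackupDir is where the .reg backups go. Without -Apply: report only.
param([switch]$Apply, [string]$BackupDir = "C:\RegBackup")   # assumption: backup folder

$Changes = @(
    @{ Key = "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
       Values = @("Os2", "Posix", "Optional") },
    @{ Key = "HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols"
       Values = @("ncacn_ip_tcp", "ncadg_ip_udp") }
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

foreach ($c in $Changes) {
    $psPath = $c.Key -replace "^HKLM\\", "HKLM:\"                   # registry provider path
    $file   = Join-Path $BackupDir (($c.Key -replace "[\\ ]", "_") + "-$stamp.reg")

    # Backup first; restore later with:  reg import <file>
    reg.exe export $c.Key $file | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "backup of $($c.Key) failed; skipping it"; continue }

    $item = Get-ItemProperty -Path $psPath -ErrorAction SilentlyContinue
    foreach ($v in $c.Values) {
        $present = ($item -ne $null) -and ($item.PSObject.Properties | Where-Object { $_.Name -eq $v })
        if (-not $present) { Write-Host "$v not present under $($c.Key)"; continue }
        Write-Host "removing value $v from $($c.Key) (backup: $file)"
        if ($Apply) { Remove-ItemProperty -Path $psPath -Name $v }
    }
}
```

A reboot is needed before the subsystem change takes effect, since the values are read by the Session Manager at start-up.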
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
    Set the display list to 10 seconds
    Check "Automatic Reboot"
    Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
    Enforce password history: 8
    Minimum password length: 8
    Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
    Account lockout duration: 10 minutes
    Account lockout threshold: 5
    Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
    Audit account logon events: Success, Failure
    Audit account management: Success, Failure
    Audit directory service access: Success, Failure
    Audit logon events: Success, Failure
    Audit policy change: Success, Failure
    Audit privilege use: Success, Failure
    Audit process tracking: Success, Failure
    Audit system events: Success, Failure
    (Process tracking and privilege use generate a large number of events; increase the Security log size accordingly so that the entries you need are not overwritten.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
    Allow system to be shut down without having to log on: Disabled
    Audit use of Backup and Restore privilege: Enabled
    Clear virtual memory pagefile when system shuts down: Enabled
    Disable CTRL+ALT+DEL requirement for logon: Disabled
    Do not display last user name in logon screen: Enabled
    Message text for users attempting to log on: "Unauthorized use prohibited"
    Message title for users attempting to log on: company or site owner's name
    Prevent users from installing printer drivers: Enabled
    Recovery Console: Allow automatic administrative logon: Disabled
    Restrict CD-ROM access to locally logged-on user only: Enabled
    Restrict floppy access to locally logged-on user only: Enabled
    Unsigned driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
    Unsigned non-driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
    Additional restrictions for anonymous connections: No access without explicit anonymous permissions (NOTE: this level is known to break network browsing and some down-level clients on a domain member; test it)
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
    Deselect all components except "Internet Protocol (TCP/IP)". On a domain member, or if the server also shares files on the LAN, do this only on the Internet-facing connection, since Client for Microsoft Networks and File and Printer Sharing are needed on the LAN side.
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
    Disable NetBIOS over TCP/IP
    Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
    Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
    Guest account | General tab: User cannot change password
    Guest account | General tab: Password never expires
    Guest account | General tab: Account is disabled
    Guest account | Dial-in tab: Remote Access Permission: Deny access
Services
o Configure the following Windows services to start automatically:
    DNS Client
    Event Log
    Logical Disk Manager
    IPSEC Policy Agent
    Plug and Play
    Protected Storage
    Remote Registry Service
    RunAs Service
    Security Accounts Manager
    Task Scheduler
o Configure the following Windows services to start manually:
    Application Management
    ClipBook
    COM+ Event System
    Logical Disk Manager Administrative Service
    Distributed Link Tracking Server
    Fax Service
    File Replication
    Indexing Service
    Internet Connection Sharing
    Net Logon
    NetMeeting Remote Desktop Sharing
    Network Connections
    Network DDE
    Network DDE DSDM
    NT LM Security Support Provider
    Performance Logs and Alerts
    QoS RSVP
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Smart Card
    Smart Card Helper
    Uninterruptible Power Supply
    Utility Manager
    Windows Installer
    Windows Management Instrumentation Driver Extensions
o Disable the following Windows services if they are not being used:
    Intersite Messaging
    Kerberos Key Distribution Center
    Routing and Remote Access
    Terminal Services
    Print Spooler
    Simple Mail Transport Protocol (SMTP)
    DHCP Client
    Messenger
    Telephony
    Telnet
    Windows Time
If the server is a member of a domain, keep Net Logon and Windows Time running: Net Logon is needed for domain authentication, and Kerberos rejects tickets when the clock differs from the domain controller by more than the default tolerance of five minutes.
Other General Changes
o For the Everyone group:
    C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
    C: drive, WinNT folder rights: none
    Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group and the IUSR account from the following C:\WinNT\system32 files, in addition to the ones mentioned above:
arp.exe ipconfig.exe netstat.exe at.exe net.exe ping.exe cacls.exe nslookup.exe rdisk.exe cmd.exe posix.exe regedt32.exe debug.exe rcp.exe route.exe edit.com regedit.exe runonce.exe edlin.exe rexec.exe syskey.exe finger.exe rsh.exe tracert.exe ftp.exe telnet.exe command.com xcopy.exe nbtstat.exe
(and any others not needed)
Removing the Everyone entry is not enough on its own, because the IUSR account also receives Read & Execute through the Users group; add an explicit Deny for IUSR, as in the cmd.exe step earlier, so that the inherited Allow entries cannot be used.
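An explicit Deny for the IIS anonymous account on every copy of the tools listed here and in the earlier cmd.exe / tftp.exe step, searched across the whole system drive as the page recommends. This is an added example for this page, not code from the GL Computing document. It assumes PowerShell 2.0 (Windows Server 2003 or later; Windows 2000 has no PowerShell and uses the Security tab or "cacls <file> /E /D IUSR_<machine>" instead) and that the account is IUSR_<machine name> unless -Account names another account or group; without -Apply it only reports files that lack the Deny.

```powershell
# Added example for this page (not from the GL Computing document): add a Deny
# ACE for the IIS anonymous account on every copy of the listed tools.
# Assumptions: PowerShell 2.0, account defaults to the local IUSR_<machine>,
# whole system drive is searched. Without -Apply: report only.
param(
    [string]$Account = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
    [string]$Drive   = $env:SystemDrive,
    [switch]$Apply
)

$Tools = @(
    "arp.exe", "ipconfig.exe", "netstat.exe", "at.exe", "net.exe", "ping.exe", "cacls.exe",
    "nslookup.exe", "rdisk.exe", "cmd.exe", "posix.exe", "regedt32.exe", "debug.exe", "rcp.exe",
    "route.exe", "edit.com", "regedit.exe", "runonce.exe", "edlin.exe", "rexec.exe", "syskey.exe",
    "finger.exe", "rsh.exe", "tracert.exe", "ftp.exe", "telnet.exe", "command.com", "xcopy.exe",
    "nbtstat.exe", "tftp.exe", "httpodbc.dll"
)

# A Deny ACE beats any Allow the account inherits through Users, Authenticated Users
# or Everyone, which is why it is more robust than removing the Everyone entry.
$Rights  = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute"
$Sid     = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
$DenyAce = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, $Rights, "Deny")

function Test-HasDeny([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    # True when the ACL already denies at least ReadAndExecute to the account.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq "Deny" -and $ace.IdentityReference -eq $Sid -and
            (($ace.FileSystemRights -band $Rights) -eq $Rights)) { return $true }
    }
    return $false
}

# Whole-drive search so copies in dllcache, ServicePackFiles and so on are covered.
$files = Get-ChildItem -Path "$Drive\" -Include $Tools -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

foreach ($f in $files) {
    $acl = Get-Acl -Path $f.FullName
    if (Test-HasDeny $acl) { continue }
    Write-Host "$($f.FullName): no Deny for $Account"
    if ($Apply) {
        $acl.AddAccessRule($DenyAce)
        Set-Acl -Path $f.FullName -AclObject $acl
    }
}
```

If you later switch the site to Integrated Windows authentication, the anonymous account is no longer what runs the requests, so pass the group your users belong to as -Account (or a dedicated group created for web users) to keep the same protection.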
o Display Properties
    Set the screen saver to "Logon Screen Saver"
    Set the screen saver wait to 5 minutes
    Check "Password protected"
o Check the anti-virus program
    Enable the "start program on Windows startup" option
    Turn on all activity logs (detection, quarantine, etc.)
    Disable the "audible alert" option
    Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do", which leaves an unattended server waiting for an answer)
    Enable scanning of master boot records
    Enable scanning of boot records
    Scan all inbound file types
o Vulnerability scan
    Use a vulnerability scanner or a scanning service to verify that your site is secure and no vulnerabilities remain. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
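A quick external check that the Chapter 5 lockdown took effect, to run from another machine before (not instead of) a full vulnerability scan. This is an added example for this page, not code from the GL Computing document or a scanning product. It assumes PowerShell 2.0 on the machine you run it from, that -Server and -Port point at the ACT for Web site, and that the paths probed are the IIS 5/6 defaults removed earlier plus extensions whose script mappings were removed; anything that does not answer 404 or 403 is printed for review.

```powershell
# Added example for this page (not from the GL Computing document): probe the
# resources the lockdown removed and report any that still answer.
# Assumptions: PowerShell 2.0 on the probing machine; -Server/-Port/-AppPath
# describe the ACT for Web site; HTTP (not HTTPS) is in use for the check.
param([string]$Server = "localhost", [int]$Port = 80, [string]$AppPath = "/actweb/")

$Removed = @(
    "/iishelp/", "/iisadmin/", "/iissamples/", "/msadc/msadcs.dll", "/_vti_bin/shtml.dll",
    "/scripts/", "/printers/",
    # Extensions below need no file on disk: with the mapping present the ISAPI
    # DLL answers the request itself; with it removed IIS returns 404.
    "/default.ida", "/probe.idq", "/probe.htr", "/probe.printer", "/probe.shtml"
)

function Get-HttpStatus([string]$Url) {
    # Returns the HTTP status code, or -1 if no HTTP answer came back at all.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "HEAD"
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -ne $null) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

$base     = "http://${Server}:$Port"
$findings = 0
foreach ($path in $Removed) {
    $code = Get-HttpStatus ($base + $path)
    if ($code -ne 404 -and $code -ne 403) {
        Write-Host ("{0,-24} HTTP {1}   <- still answers, check it" -f $path, $code)
        $findings++
    }
}

# Sanity checks: the site itself should still be up (the placeholder gif), and the
# application should answer 200 (anonymous) or 401 (Integrated Windows authentication).
$rootCode = Get-HttpStatus ($base + "/")
$appCode  = Get-HttpStatus ($base + $AppPath)
Write-Host "root: HTTP $rootCode   $AppPath`: HTTP $appCode"
Write-Host "$findings removed resource(s) still reachable"
```

A result of -1 for every probe means the port is wrong or a firewall is in the way; a 401 on the root means the whole site, not only ActWeb, has anonymous access disabled, which is fine if that was intended.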
NOTE: other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Term: Definition
Multithreading: A thread is the minimum executable resource. The difference between a thread and a process is that a process is the container for an address space, whereas a thread executes within that address space. A process by itself is not executable; it is the thread that is scheduled and executed. What is unique about threads is that a single process can have more than one thread of execution. These threads, providing that they are not dependent on each other, can be executed concurrently in Windows operating systems. However, it is important to understand that while IIS is inherently multithreaded, ACT itself (and most importantly its SDK) is not "thread aware". This means that it can only handle one call at a time and needs to complete processing it before the next call is made.
What this means to you is that multiple processors in a server cannot be properly utilised. A single fast processor is the best way to operate for a stand-alone ACT for Web environment.
Workgroups vs Domains: A workgroup is a casual affiliation of computers that are grouped logically into a single access point. This cuts down on the clutter when your users browse for resources on the network. Instead of seeing all the resources that are shared on the network, they first see the shared resources of the workgroup to which they belong.
All security in a workgroup is based on the local computer (the one sharing the resource). This is a serious administrative chore because it requires that all workgroup computers have the same user accounts defined if you want to allow other computer users to access your shared resources transparently (without supplying a different user account and password) in a user access environment.
A domain is similar to a workgroup because it provides the same grouping capability, but with one major difference: a domain has a centralized user database that resides on the domain controller. All user logon authentication is based on this central user database. This makes administration much easier, as the same accounts are available from any machine in the domain.
It is very important to note that the IUSR account, even on a domain, is a local account (a member of the local Guests group) and, like every account, is included in the Everyone group when it logs on. Because it is a dedicated account, its rights can be set precisely with explicit Allow and Deny entries, and everything the anonymous web user does runs with exactly those rights.
Domain Controllers: The domain controller is the server that authorises user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralized administration, such as User Manager for Domains and Server Manager (Active Directory Users and Computers on Windows 2000), DHCP server, WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT 4 there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC had to be promoted to PDC by an administrator. In Windows 2000 and 2003 this is no longer an issue, as all DCs are peers.
Do not use a DC as a web server if at all possible. The domain controller is constantly processing authentication requests, so running IIS on a DC will decrease performance. It also exposes the DC to attack, and a compromised DC means every account and machine in the domain is compromised.
Client/Server: Client/server technology is where the server (IIS, SQL Server, etc.) houses the data and most of the intensive data processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means much less bandwidth on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, the server application does the database-intensive processing and just sends back the results.
TCP/IP: Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. Developed in the 1970s by researchers funded by the US Department of Defense (DARPA), it is the most popular protocol suite for connecting heterogeneous systems (i.e. computers that are not of the same type). It provides communications across interconnected networks of computers with diverse hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL: Uniform Resource Locator. A URL is the full Internet address, including the access protocol (http, ftp, nntp, https, etc.), the domain Internet address (IP or name) and, optionally, a port, a path and/or file, and a user and password. The IP can be in decimal or standard dotted form. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext
Embedding the user name and password in HTTP/HTTPS URLs has since been disabled by Microsoft in Internet Explorer, as per http://support.microsoft.com/default.aspx?kbid=834489. This can affect sites using Windows login as opposed to Anonymous.
DHCP: Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.
DNS: Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating host names (domain names) into IP addresses; e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A change to an IP address can take 24-48 hours to be seen everywhere, because other resolvers cache the old record until its time-to-live expires. On Windows the resolver first checks the local hosts file (%SystemRoot%\system32\drivers\etc\hosts), then DNS, and then falls back to NetBIOS name resolution (WINS, broadcast, LMHOSTS).
WINS: Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP address in a similar fashion to the way DNS resolves host names to IP addresses.
NAT: Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x, 172.16.x.x to 172.31.x.x, or 10.x.x.x (where x is 0-255).
MDAC: The Microsoft Data Access Components provide a suite of tools for accessing different database objects and a common interface to access all of them, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; V2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will also need to install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later also supports MDAC 2.8 for Windows Server 2003.
If you aren't sure which version of MDAC is installed on your system you can find out by following these steps (Note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run
Type "REGEDIT" into the command line (omit the quotes)
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM: Distributed Component Object Model. DCOM is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT for Web see http://itdomino.act.com/act.nsf/docid/13988
Device: Definition
Firewalls: A firewall is essentially any of a number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes range from simple NAT, as above, through port filtering, IP filtering and other data-inspecting methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the traffic it needs to handle (for example TCP 443, or the port you chose for the web site).
We will discuss more about firewalls later in the security section.
Hubs vs Switches: These connect devices on the same LAN. When data is sent to one port on a hub it is copied to all ports on the hub, so all segments of the LAN see the data (and any machine on the hub can capture it). A switch (or switching hub) only forwards frames to the port of the destination device rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges: Routers and bridges allow you to connect different networks, e.g. your LAN to your ISP's network. Routers (OSI layer 3, network) and bridges (OSI layer 2, data link) operate at different levels of the OSI reference model (Open Systems Interconnection, the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT for Web implementation.
Command: Description
Ping: Ping is the simplest command to tell if a remote system is running and reachable. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name also shows the IP address returned by the DNS server and the round-trip time. Note that many firewalls drop ICMP, so a failed ping does not prove a host is down.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT. It sends packets with increasing time-to-live values so that each router along the path answers in turn, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG displays the TCP/IP network configuration values and can be used to refresh the DHCP lease and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you. For older operating systems (Windows 9x/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS - What is it?
IIS is Microsoft Internet Information Services (Internet Information Server up to version 4). It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application, in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the servers and the application development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive; there are other servers and application development tools for IIS.
The servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The application development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server: Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment and carries the majority of network traffic on the Internet. You can use it to display (in your web browser) text, static graphics, animated graphics, 3-D worlds and audio/video files. It can also be used to access databases, as ACT for Web does, via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. It is much less complex than the WWW Publishing Service and is used primarily as a data repository. It is usually on port 21. Note that FTP sends user names, passwords and data in clear text, one more reason to leave it stopped unless the server genuinely needs it.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers default to port 119.
Dev Tool: Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It is a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each request as a separate process (as in CGI), the ISAPI DLL (Dynamic Link Library) is already loaded into the IIS address space and handles the requests itself.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, an errant ISAPI application can crash the WWW Publishing Service, and a security flaw in one of them (as with idq.dll and Code Red) gives an attacker a foothold inside the web server process itself. This is why the lockdown chapter removes every script mapping that ACT for Web does not need.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the asp.dll file. It has similar advantages over CGI without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model, an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system with the rights of the user running the browser, which is one reason not to browse from the server or from an administrative account.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server to your machine but have NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple.
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker: Description
Script Kiddie: This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have Credit Card numbers (or similar data) on your system. If you are planning to keep Credit Cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can gain credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "un-known" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and un-known attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary, including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda, SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all of their servers that were available from the Internet against these. Consequently many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com.
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence: preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack, that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is only to permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers.
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
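As an added illustration of the port and IP blocking rules above (this is example code written for this guide's readers, not something from the GL Computing document or from ACT for Web), the following Python script evaluates a few constructed connection attempts against an allow-list, the way a firewall rule set would. The permitted ports (80, plus 443 because SSL is assumed to be in use) and the two client address ranges are assumptions chosen for the example; the always-blocked list is the one given above, minus 443 for the same reason.

```python
"""Entry-point allow-list check for a dedicated IIS server.

Added example; not code from the GL Computing document.  It models the
rule "only permit the ports you know you need, from the IP ranges your
users come from" by evaluating constructed connection attempts against
an allow-list.  ALLOWED_PORTS and ALLOWED_SOURCES are assumptions for
the example; ALWAYS_BLOCKED is the document's own list (443 left out
because this example assumes SSL is in use).
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy: the web site on 80 and SSL on 443, reachable only from
# two hypothetical client office ranges.
ALLOWED_PORTS = {80, 443}
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# The document's list of ports to block regardless of anything else.
ALWAYS_BLOCKED = {135, 137, 138, 139, 593}


@dataclass(frozen=True)
class Attempt:
    """One inbound connection attempt as a firewall would see it."""
    src_ip: str
    dst_port: int
    proto: str = "tcp"


def evaluate(attempt):
    """Return ("allow" | "deny", reason) for a single attempt.

    Checks are ordered so the most definite rejection wins first:
    hard-blocked ports, then the port allow-list, then the source range.
    """
    if not 0 < attempt.dst_port <= 65535:
        return "deny", f"invalid port {attempt.dst_port}"
    if attempt.dst_port in ALWAYS_BLOCKED:
        return "deny", f"port {attempt.dst_port} is on the always-block list"
    if attempt.dst_port not in ALLOWED_PORTS:
        return "deny", f"port {attempt.dst_port} is not in the allow-list"
    try:
        src = ipaddress.ip_address(attempt.src_ip)
    except ValueError:
        return "deny", f"unparseable source address {attempt.src_ip!r}"
    if not any(src in net for net in ALLOWED_SOURCES):
        return "deny", f"source {src} is outside the permitted ranges"
    return "allow", f"port {attempt.dst_port} from {src} permitted"


def evaluate_all(attempts):
    """Evaluate a batch and return a list of (attempt, decision, reason)."""
    return [(a, *evaluate(a)) for a in attempts]


# Constructed traffic sample: two legitimate users, one NetBIOS probe,
# one web request from an unknown address, one malformed entry.
SAMPLE_ATTEMPTS = [
    Attempt("203.0.113.5", 80),
    Attempt("192.168.10.4", 443),
    Attempt("198.51.100.7", 139),
    Attempt("198.51.100.7", 80),
    Attempt("not-an-ip", 80),
]

if __name__ == "__main__":
    for attempt, decision, reason in evaluate_all(SAMPLE_ATTEMPTS):
        print(f"{decision:5} {attempt.proto}/{attempt.dst_port:<5} "
              f"from {attempt.src_ip:<14} {reason}")
```

The order of the checks matters in practice as well as here: a port on the always-block list is refused even from a trusted range, and a permitted port is still refused from an address you do not recognise, which is exactly the combination of port blocking and IP blocking the two sections above describe.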
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful, as Consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration sites, FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which could be re-named) you should delete the virtual folders IISHelp, IISAdmin, Samples, MSADC (MS Active Directory Connector) and _vti (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them, and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (by right-click, then Properties), which should look something like this:
On the Documents tab remove all the items there and add web.gif, or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the server is being used for another site you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web.
To do this, right-click on the ActWeb virtual folder, select the Documents tab and Add "Default.htm".
Next, on the Home Directory tab click on the Configuration button. Remove all the Mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like this:
This is to prevent any holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders that you removed the virtual folders for earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida, by adding the account in the Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653.
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use an https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000.
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728.
Some more suggested Registry changes (BACKUP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or site owner.
  Change the LegalNoticeText value to "Unauthorized Use".
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\Rpc\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\Rpc\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
  Set display list to 10 seconds
  Check "Automatic Reboot"
  Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history: 8
  Minimum password length: 8
  Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration: 10 minutes
  Account lockout threshold: 5
  Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events: Success, Failure
  Audit account management: Success, Failure
  Audit directory service access: Success, Failure
  Audit logon events: Success, Failure
  Audit policy change: Success, Failure
  Audit privilege use: Success, Failure
  Audit process tracking: Success, Failure
  Audit system events: Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow System to Be Shut Down Without Having to Log On: Disabled
  Audit Use of Backup and Restore Privilege: Enabled
  Clear Virtual Memory Pagefile When System Shuts Down: Enabled
  Disable CTRL-ALT-DEL Requirement for Logon: Disabled
  Do Not Display Last User Name in Logon Screen: Enabled
  Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
  Message Title for Users Attempting to Log On: company or site owner's name
  Prevent Users from Installing Printer Drivers: Enabled
  Recovery Console: Allow Automatic Administrative Logon: Disabled
  Restrict CD-ROM Access to Locally Logged-On User: Enabled
  Restrict Floppy Access to Locally Logged-On User: Enabled
  Unsigned Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
  Unsigned Non-Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
  Additional Restrictions for Anonymous Connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it through both assists in protecting you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab: Cannot change password
  Guest account | General tab: Password never expires
  Guest account | General tab: Account disabled
  Guest account | Dial-in tab: Remote Access Permission: Deny access
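Added example, not from the GL Computing document: the following Python simulation shows how the three Account Lockout Policy values listed above (threshold 5, lockout duration 10 minutes, reset counter after 10 minutes) behave together, and in particular that the reset interval is measured from the last failed attempt, so that a slow guess every few minutes never reaches the threshold while five quick guesses lock the account. Account names and timestamps are constructed.

```python
"""Account lockout policy walk-through.

Added example; not code from the GL Computing document.  It simulates
the recommended Account Lockout Policy values (threshold 5, lockout
duration 10 minutes, reset counter after 10 minutes).  Account names and
timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta


class LockoutPolicy:
    """Tracks failed logons per account and applies the lockout rules.

    threshold:   failed attempts before the account locks
    duration:    how long a locked account stays locked
    reset_after: idle time after the last failure before the counter
                 returns to zero (the "reset account lockout counter" value)
    """

    def __init__(self, threshold=5, duration=timedelta(minutes=10),
                 reset_after=timedelta(minutes=10)):
        self.threshold = threshold
        self.duration = duration
        self.reset_after = reset_after
        self._failures = {}      # account -> (count, time of last failure)
        self._locked_until = {}  # account -> datetime the lock expires

    def is_locked(self, account, now):
        """True while the account's lock has not yet expired."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start the counter afresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def failed_count(self, account):
        return self._failures.get(account, (0, None))[0]

    def record_failure(self, account, now):
        """Register a bad password; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        count, last = self._failures.get(account, (0, None))
        if last is not None and now - last >= self.reset_after:
            count = 0  # idle longer than reset_after: counter resets
        count += 1
        self._failures[account] = (count, now)
        if count >= self.threshold:
            self._locked_until[account] = now + self.duration
            return True
        return False

    def record_success(self, account, now):
        """A correct password succeeds only if not locked; success clears the counter."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True


def walk_through():
    """Run three constructed scenarios and return their observable outcomes."""
    policy = LockoutPolicy()
    t0 = datetime(2004, 6, 8, 9, 0, 0)  # constructed start time
    out = {}

    # 1. Five bad passwords inside a minute: locked on the fifth.
    locks = [policy.record_failure("alice", t0 + timedelta(seconds=10 * i))
             for i in range(5)]
    out["burst_locks_on_fifth"] = locks == [False, False, False, False, True]

    # 2. Locked account: correct password refused now, accepted after 10 min.
    out["refused_while_locked"] = not policy.record_success("alice", t0 + timedelta(minutes=3))
    out["accepted_after_duration"] = policy.record_success("alice", t0 + timedelta(minutes=11))

    # 3. Four failures, an 11-minute pause, then one more: the counter had reset.
    for i in range(4):
        policy.record_failure("bob", t0 + timedelta(seconds=i))
    locked = policy.record_failure("bob", t0 + timedelta(minutes=11))
    out["slow_guessing_not_locked"] = (not locked) and policy.failed_count("bob") == 1
    return out


if __name__ == "__main__":
    for name, ok in walk_through().items():
        print(f"{name:28} {'ok' if ok else 'UNEXPECTED'}")
```

Scenario 3 is the one worth keeping in mind when you choose the numbers: the reset interval bounds how fast the counter can be filled, while the threshold and duration bound how much inconvenience a legitimate user suffers from typing errors, which is why the three values are set together rather than individually.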
Services
o Configure the following Windows Services to start automatically:
  DNS Client
  Event Log
  Logical Disk Manager
  IPSec Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service
  RunAs
  Security Accounts Manager
  Task Scheduler
o Configure the following Windows Services to start manually:
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service
  Internet Connection Sharing
  Net Logon
  NetMeeting Remote Desktop
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
  Intersite Messaging
  Kerberos Key Distribution Center
  Routing and Remote Access
  Terminal Services
  Print Spooler
  Simple Mail Transport Protocol (SMTP)
  DHCP Client
  Messenger
  Telephony
  Telnet
  Windows Time
Other General Changes
o For the Everyone group (that may have been renamed):
  C drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C drive, WinNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
o Display Properties
  Set screen saver to "Logon Screen Saver"
  Set screen saver to 5 minutes
  Check password protect
o Check Anti-Virus program
  Enable "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable "audible alert" option
  Check that "how to respond when a virus is found" is set for an automatic solution (Norton, for example, uses a default of "ask me what to do")
  Enable scan of "master boot records"
  Enable scan of "boot records"
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
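Since both this note and the Internal Attack description in Chapter 4 ask for the logs to be read regularly, here is an added example (not code from the GL Computing document or from ACT for Web) of a Python review of IIS W3C extended log lines. It flags any request that touches the virtual folders deleted in Chapter 5, the Printers folder, or the executables denied to the IUSR account, and separates requests that returned a 2xx status (the lockdown did not hold for that path) from those that returned 404 or 403 (the lockdown worked, but someone was probing). The log sample, client addresses and times are constructed; the #Fields layout is the one IIS 5 writes when those fields are enabled.

```python
"""Daily review of IIS W3C extended logs against the lockdown list.

Added example; not code from the GL Computing document or ACT for Web.
It parses W3C extended log text and flags requests that touch anything
Chapter 5 removed or denied.  The sample log, addresses and times are
constructed for illustration.
"""
from collections import Counter
from urllib.parse import unquote

# Names Chapter 5 removed or denied.  Compared case-insensitively,
# because IIS on NTFS treats paths that way.
REMOVED_FOLDERS = ("/iishelp", "/iisadmin", "/samples", "/msadc",
                   "/_vti", "/printers")
DENIED_FILES = ("cmd.exe", "command.com", "tftp.exe", "httpodbc.dll",
                "default.ida")


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def normalise(uri):
    """Decode percent-encoding (twice, to catch double-encoding) and lowercase."""
    return unquote(unquote(uri)).lower()


def classify(record):
    """Return a reason string if the request touches a locked-down resource."""
    stem = normalise(record.get("cs-uri-stem", "-"))
    for folder in REMOVED_FOLDERS:
        if stem.startswith(folder):
            return f"request to removed virtual folder {folder}"
    for name in DENIED_FILES:
        if stem.endswith(name):
            return f"request for denied executable {name}"
    return None


def review(records):
    """Flag suspicious records; a 2xx status on one needs immediate attention."""
    findings = []
    for rec in records:
        reason = classify(rec)
        if reason is None:
            continue
        status = rec.get("sc-status", "-")
        findings.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "client": rec.get("c-ip", "-"),
            "uri": rec.get("cs-uri-stem", "-"),
            "status": status,
            "reason": reason,
            "severity": "HIGH" if status.startswith("2") else "info",
        })
    return findings


def per_client(findings):
    """Count flagged requests per client address, most active first."""
    return Counter(f["client"] for f in findings).most_common()


# Constructed sample log in the layout IIS 5 produces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-08 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-08 09:12:01 203.0.113.5 GET /actweb/Default.htm - 200
2004-06-08 09:12:05 203.0.113.5 POST /actweb/login.asp - 200
2004-06-08 09:13:44 198.51.100.7 GET /MSADC/ - 404
2004-06-08 09:13:45 198.51.100.7 GET /scripts/cmd.exe - 404
2004-06-08 09:14:02 198.51.100.7 GET /default.ida - 404
2004-06-08 09:20:10 203.0.113.9 GET /%5Fvti%5Fbin/ - 404
2004-06-08 09:25:30 192.168.10.4 GET /iisadmin/ - 200
2004-06-08 09:26:00 203.0.113.5 GET /web.gif - 200
"""

if __name__ == "__main__":
    found = review(parse_w3c(SAMPLE_LOG))
    for f in found:
        print(f"{f['severity']:4} {f['time']} {f['client']:14} "
              f"{f['status']} {f['uri']} ({f['reason']})")
    print("per client:", per_client(found))
```

In the constructed sample the 404 entries confirm the removed folders really are gone, while the single 200 for /iisadmin/ is the line that should end the review early: either the folder was re-created (the guide notes Printers tends to re-appear) or the lockdown was never applied on that site. The per-client count is the cheapest way to spot a single address walking through a list of old IIS paths.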
Term: Definition
Domain Controllers: The Domain Controller is the server that authorises the user logons to the network. The DC contains the master copy of the user database, which includes all your global groups, user accounts and computer accounts. In addition to this, your DC is used to authenticate your users when they log onto the network or access a shared resource. Your DC also includes the tools you will use for centralised administration, such as User Manager for Domains, Server Manager for Domains, DHCP server, WINS server and a host of additional tools. Other DCs replicate the information for load balancing and backup purposes.
In NT there is a concept of PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). This meant that when the PDC went down, a BDC would need to be promoted to the PDC by an Administrator. In Windows 2000 this is no longer an issue, as DCs in Windows 2000 and 2003 are peers.
Do not use a DC as a web server if possible. The Domain Controller is constantly processing authentication requests. Running IIS on the PDC will decrease performance. It could also expose the DC to attacks that render the entire network non-secure.
Client/Server: Client/server technology is where the server (IIS, SQL Server, etc.) houses the data and most of the intensive data processing sections of the application, while the client (Internet Explorer or a specific client application) handles the user interface. This means that there is much less bandwidth used on the network, much lower requirements for client hardware and usually much less administration, as most of these functions are controlled on the server only. The client sends a request for information to the server, and the server application does the database-intensive processing and just sends back the results.
TCP/IP: Transmission Control Protocol / Internet Protocol. These are the core protocols that the entire Internet is based on. Created by US universities in the 60s and later expanded by the US Department of Defence, it is the most popular protocol for connecting heterogeneous systems (i.e. computers that are not of the same type). They provide communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
URL: Universal Resource Locator. A URL is the full internet address, including the access protocol (http, ftp, nntp, https, etc.), the domain internet address (IP or name) and optionally a path and/or file, user and password. The IP can be in decimal or standard-dot form. A full URL can be of the form protocol://user:pass@domain:port/path/filename.ext.
This has since been changed for HTTP/HTTPS by Microsoft Internet Explorer as per http://support.microsoft.com/default.aspx?kbid=834489; this can affect sites if using Windows login as opposed to Anonymous.
DHCP: Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent static IP rather than a dynamic one if possible.
DNS: Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating hostnames (domain names) into IP addresses; e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours. The name resolution client can be configured to search for host information in the following order: first in the local /etc/hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of naming services is sometimes called name service switching.
WINS: Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP addresses, in a similar fashion to the way DNS resolves host names to IP addresses.
NAT: Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one, and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x or 10.x.x.x (where x is 0-255).
MDAC: The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common user interface to access all of them, often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will need to also install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later now also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run.
Type "REGEDIT" into the command line (omit the quotes).
Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx.
DCOM: Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called "Network OLE", DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT for Web see http://itdomino.act.com/act.nsf/docid/13988.
GL Computing Page 10 682004
Device Definition
Firewalls: A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security, as above, through port filtering, IP filtering and other data-determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the data that it needs to handle.
We will discuss more about firewalls later in the security section.
Hubs vs Switches: These connect devices on the same LAN. When data is sent to one port on a hub it is copied to all ports on the hub, so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges: Routers and bridges allow you to connect different networks - e.g. your LAN to your ISP's network. Routers (OSI Layer 3 - Network) and bridges (OSI Layer 2 - Data Link) operate at different levels of the OSI reference model (Open Systems Interconnection - the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you, as ACCs, can treat them the same way for the purpose of an ACT for Web implementation.
Command Description
Ping: Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time taken to reach it and return.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT - this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG is a command that displays the TCP/IP network configuration values and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you - for older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2 - IIS: What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application - in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the Web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time, so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on Port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (in your web browser) text, static graphic images, animated graphic images, 3-D worlds and audio/video files. It can also be used to access databases, such as ACT for Web, via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on Port 21.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol - the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is Port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers should default to Port 119.
Dev Tool Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard across many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI DLL (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model - an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but also self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3 - Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple:
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4 - Protect against What?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker Description
Script Kiddie: This is the most common form of attack and the one we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or by someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (named after the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary - including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these:
One is to ensure you have a good anti-virus running and that you keep it up to date. GL Computing currently recommends Symantec (formerly Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda, SQL Slammer and others used operating system exploits that Microsoft had patched months earlier - and yet many administrators (including Microsoft's own) had not patched all of their servers that were accessible from the Internet against these. Consequently, many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are made using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site: http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence - preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack - that is, reducing the entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net - TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is to only permit through to your server those ports that you know you need.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
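An added example (not from the GL Computing document) of applying the rule above: it reads a Windows `netstat -an` listing and reports every listening socket that sits on the block list or is not on the allow list. It assumes a dedicated ACT for Web server whose only permitted ports are 80 and 443; the netstat output is constructed for illustration.

```python
"""Review a Windows `netstat -an` listing against a simple port policy.

Added example, not part of the original document.  Assumes a dedicated
ACT for Web server: only the WWW server (80, or 443 with SSL) should be
reachable.  SAMPLE_NETSTAT is constructed, not captured from a real host.
"""
import re

# Ports the document says should nearly always be blocked.
BLOCK_LIST = {135, 137, 138, 139, 593}
# Ports a dedicated ACT for Web server legitimately needs to expose.
ALLOW_LIST = {80, 443}

# Constructed sample in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:51234      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    127.0.0.1:1025         *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return sorted (proto, address, port) tuples for every listening socket.

    TCP sockets count only in LISTENING state.  UDP has no connection
    state, so every bound UDP socket is treated as a listener.
    """
    found = set()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line or unrecognised layout
        proto, addr, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, addr, int(port)))
    return sorted(found)


def review_ports(netstat_text, allow=ALLOW_LIST, block=BLOCK_LIST):
    """Classify each listening socket as 'blocked' (on the document's block
    list), 'ok' (on the allow list) or 'unexpected' (needs a justification).

    Loopback-only sockets are reported too; the address field lets the
    reviewer decide whether 127.0.0.1 listeners matter on this host.
    """
    findings = []
    for proto, addr, port in listening_ports(netstat_text):
        if port in block:
            verdict = "blocked"
        elif port in allow:
            verdict = "ok"
        else:
            verdict = "unexpected"
        findings.append(
            {"proto": proto, "address": addr, "port": port, "verdict": verdict}
        )
    return findings
```

Run it against a real capture with `review_ports(open("netstat.txt").read())`; anything marked "blocked" must be covered by the firewall rules, and anything "unexpected" needs a reason to stay open.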
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
Chapter 5 - Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database - either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful, as Consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is via Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration sites and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which could have been renamed) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (by right-click, then Properties), which should look something like the following.
On the Documents tab, remove all the items there and add web.gif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small, but giving nothing away as to the content of the site.
If the server is being used for another site you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web.
To do this, right-click on the ActWeb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like the following.
This is to prevent any holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders that you removed the virtual folders for earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida - by adding it in the Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security you can remove Anonymous access and use Integrated Windows Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this, please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites they may have already begun to take steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitor sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server - as before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert
Run the Microsoft Baseline Security Analyzer (MBSA), which can be found at
http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp
Select the applicable type of server configuration. Note: This product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes - BACK UP THE REGISTRY FIRST:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the LegalNoticeCaption value to your company name or site owner.
Change the LegalNoticeText value to "Unauthorized Use".
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow System to Be Shut Down Without Having to Log On to Disabled
  Audit Use of Backup and Restore Privilege to Enabled
  Clear Virtual Memory Pagefile When System Shuts Down to Enabled
  Disable CTRL-ALT-DEL Requirement for Logon to Disabled
  Do Not Display Last User Name in Logon Screen to Enabled
  Message Text for Users Attempting to Log On to “Unauthorized use prohibited”
  Message Title for Users Attempting to Log On to the company or site owner's name
  Prevent Users from Installing Printer Drivers to Enabled
  Recovery Console: Allow Automatic Administrative Logon to Disabled
  Restrict CD-ROM Access to Locally Logged-On User to Enabled
  Restrict Floppy Access to Locally Logged-On User to Enabled
  Set Unsigned Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Additional restrictions for anonymous connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except “Internet Protocol (TCP/IP)”
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed – although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab | Cannot change password
  Guest account | General tab | Password never expires
  Guest account | General tab | Account disabled
  Guest account | Dial-in tab | Remote Access Permission | Deny access
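The lockout, audit and Guest-account settings above can be read back and compared against the checklist without touching the GUI. The script below is an added example and is not from the GL Computing document; it assumes an elevated PowerShell 5.1 or later session on the server (net accounts, auditpol and Get-LocalUser are all built in), reports mismatches only and changes nothing.

```powershell
# Added example (not part of the GL Computing document): report which of the
# Account Lockout, Audit Policy and Guest account settings from the checklist
# above do not match. Read-only; run in an elevated PowerShell session.

$expectedLockout = @{
    'Lockout threshold'                    = '5'   # Account lockout threshold
    'Lockout duration (minutes)'           = '10'  # Account lockout duration
    'Lockout observation window (minutes)' = '10'  # Reset account lockout counter
}

# "net accounts" prints "Label:   value" lines; turn them into a hashtable.
$netAccounts = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(.+?):\s+(.+)$') {
        $netAccounts[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}

$findings = @()
foreach ($label in $expectedLockout.Keys) {
    $actual = $netAccounts[$label]          # $null if the label is not present
    if ($actual -ne $expectedLockout[$label]) {
        $findings += "Account lockout: '$label' is '$actual', expected '$($expectedLockout[$label])'"
    }
}

# auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. The checklist wants
# Success and Failure on every category (the nine Windows 2000 categories map onto
# today's subcategories), so any subcategory set otherwise is reported.
$audit = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($row in $audit) {
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        $findings += "Audit policy: '$($row.Subcategory)' is '$($row.'Inclusion Setting')'"
    }
}

# The Guest account must be disabled (Local Users and Groups step above).
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }

if ($findings.Count -eq 0) {
    'All checked settings match the checklist.'
} else {
    $findings | ForEach-Object { "MISMATCH: $_" }
}
```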
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
Other General Changes
o For the Everyone group (which may have been renamed):
  C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C: drive, WinNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.exe, xcopy.exe, nbtstat.exe
  (and any others not needed)
o Display Properties
  Set screen saver to “Logon Screen Saver”
  Set screen saver to 5 minutes
  Check “password protect”
o Check anti-virus program
  Enable the “start program on Windows startup” option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the “audible alert” option
  Check that “how to respond when a virus is found” is set to an automatic action (Norton, for example, uses a default of “ask me what to do”)
  Enable scan of “master boot records”
  Enable scan of “boot records”
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term “vulnerability scanner” will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Term – Definition
DHCP – Dynamic Host Configuration Protocol. DHCP provides a means to dynamically allocate IP addresses to computers on a network. The administrator assigns a range of IP addresses to the DHCP server, and each client computer on the LAN has its TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The advantage of this is that the administrator doesn't have to manually assign the IP address of each machine.
A server should be assigned a permanent (static) IP rather than a dynamic one if possible.
DNS – Domain Name System. The DNS is a general-purpose, hierarchical, distributed, replicated data query service (database) used mainly for translating hostnames (domain names) into IP addresses – e.g. when a user looks for www.GLComputing.com.au it should return its correct IP address. DNS can be configured to use a sequence of name servers, based on the domains in the name being looked for, until a match is found. An organisation may have several DNS servers to spread the load, all of which replicate with each other and with the global DNS via their ISP. A full global replication of a change to an IP can take 24-48 hours. The name resolution client can be configured to search for host information in the following order: first in the local /etc/hosts file, second in NIS (Network Information Service) and third in DNS. This sequencing of naming services is sometimes called name service switching.
WINS – Windows Internet Naming Service. The WINS service resolves NetBIOS names to their IP address in a similar fashion to the way DNS resolves host names to IP addresses.
NAT – Network Address Translation. The ability of a router to use one external routable IP address and provide connectivity for a number of network clients by translating their private (non-routable) IPs to the public one and then relaying the incoming data to the client that requested it. It allows a secure machine or firewall to handle the incoming data and direct specific ports to specific machines without those machines' IPs being accessible from the 'net.
Private IP addresses are of the form 192.168.x.x or 10.x.x.x (where x is 0-255).
Term – Definition
MDAC – The Microsoft Data Access Components provide a suite of tools for accessing different database objects and a common interface to access all of them – often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will need to also install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later now also supports MDAC 2.8, for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run
Type "REGEDIT" into the command line (omit the quotes)
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM – Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called "Network OLE", DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT for Web, see http://itdomino.act.com/act.nsf/docid/13988
Device – Definition
Firewalls – A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security, as above, through port filtering, IP filtering and other data-determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned “behind” the firewall, thereby reducing the “surface area” available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the data that it needs to handle.
We will discuss more about firewalls later in the security section.
Hubs vs Switches – These connect devices on the same LAN. When data is sent to one port on a hub it is copied to all ports on the hub, so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges – Routers and bridges allow you to connect different networks – e.g. your LAN to your ISP's network. Routers (OSI Layer 3 – Network) and bridges (OSI Layer 2 – Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect – the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that routers and bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT for Web implementation.
Command – Description
Ping – Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time taken to reach it and return.
Tracert – If you can't ping a system (and you think it should be running) you might try TRACERT – this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG – IPCONFIG is a command that displays the TCP/IP network configuration values and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you – for older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP – NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
Chapter 2
IIS – What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application – in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server – Description
WWW Server – The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphic images, animated graphic images, 3-D worlds and audio/video files. It can also be used to access databases, such as ACT for Web, via various development tools.
FTP – The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on port 21.
SMTP – The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol – the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP – The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers should default to port 119.
Dev Tool – Description
CGI – The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI – The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI .dll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP – Because of the risks in writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX – ActiveX controls are components that use the Microsoft COM technologies (Component Object Model – an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML – Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but also self-describing information about the data. Office 2003 can also use XML.
SOAP – The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a “hybrid” implementation.
This document will assume that you have performed a “clean” install of Windows 2000 Server on your machine but NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple.
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the “Details” button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Other options increase the “surface area” available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click “OK” and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker – Description
Script Kiddie – This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data – This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site – This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack – This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack – This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the “Script Kiddie” will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and “unknown” attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the “known” attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary – including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these:
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (formerly Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks, like Nimda, SQL-Slammer and others, used operating system exploits that Microsoft had patched months earlier – and yet many administrators (including Microsoft's own) had not patched all their servers that were available from the Internet against these. Consequently, many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an “Unknown Attack”, but that is exactly what is necessary to provide adequate defence – preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the “Surface Area” of attack – that is, reducing the entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net – TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or “ports”, to connect to specific applications on the server machine.
So the simple rule to start with is to permit only those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
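Applying the "only the ports you know you need" rule starts with knowing what the server is actually listening on. The script below is an added example, not part of the GL Computing document: it inventories listening TCP and UDP ports against an allow list (port 80 by default; add 443 or whatever non-standard port the site uses), and with -Apply creates Windows Firewall rules blocking outbound traffic to the ports listed above. It assumes the NetTCPIP and NetSecurity modules (Windows Server 2012 or later) and an elevated session; since the page does not say which of those ports are TCP or UDP, both are blocked.

```powershell
# Added example (not part of the GL Computing document): list listening ports,
# flag any not in the allow list, and optionally block outbound traffic to the
# ports the page says should nearly always be blocked. Run elevated.
param(
    [int[]]$AllowedTcp = @(80),   # add 443 if using SSL, or the non-standard port chosen
    [int[]]$AllowedUdp = @(),
    [switch]$UsingSsl,            # 443 is blocked outbound only when NOT using SSL
    [switch]$Apply
)

# Inventory every TCP listener and UDP endpoint with its owning process.
$listening = @()
$listening += Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$listening += Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

foreach ($l in ($listening | Sort-Object Proto, LocalPort -Unique)) {
    $allowed = if ($l.Proto -eq 'TCP') { $AllowedTcp } else { $AllowedUdp }
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $tag = if ($l.LocalPort -in $allowed) { 'ALLOWED' } else { 'REVIEW ' }
    "$tag $($l.Proto) $($l.LocalAddress):$($l.LocalPort)  ($proc)"
}

# Outbound block list from the page: 135, 137, 138, 139, 443 (unless using SSL), 593.
$block = @(135, 137, 138, 139, 593)
if (-not $UsingSsl) { $block += 443 }
$portList = $block -join ','

if ($Apply) {
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Lockdown: block outbound $proto $portList" `
            -Direction Outbound -Action Block -Protocol $proto -RemotePort $block `
            -Profile Any | Out-Null
    }
    "Outbound block rules created for TCP and UDP ports $portList"
} else {
    "Would block outbound TCP and UDP ports $portList (re-run with -Apply)"
}
```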
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database – either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is via Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select “Stop” to simply stop the service from accepting requests and check with the administrator.
This should be done on the Administration sites and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which could be re-named) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available “surface area” for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (by right-click, then Properties), which should look something like this:
On the Documents tab, remove all the items there and add web.gif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small but giving nothing away as to the content of the site.
If the site is being used for another site you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have installed ACT for Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and add “Default.htm”.
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like this:
This is to prevent any holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders for which you removed the virtual folders earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida – by adding the account in the Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
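Both this step and the appendix step that removes Everyone and IUSR rights from the c:\winnt\system32 tools come down to adding Deny ACEs on a list of files across the disk. The script below is an added example, not part of the GL Computing document or of ACT for Web: it assumes PowerShell 3 or later run elevated, derives the IIS 5 guest account name from the machine name (on IIS 7 and later pass -Identities with IUSR or IIS_IUSRS instead), searches the system root and C:\Inetpub rather than the whole disk, and only reports until -Apply is given.

```powershell
# Added example (not part of the GL Computing document): add a Deny ReadAndExecute
# entry for the Internet Guest Account (and, by default, Everyone) on every copy of
# the tools named on this page. Without -Apply the script only reports.
param(
    [string[]]$Identities = @("IUSR_$env:COMPUTERNAME", 'Everyone'),   # assumed IIS 5 names
    [switch]$Apply
)

# Files from this step plus the system32 list in the appendix.
$files = @('cmd.exe','command.com','tftp.exe','httpodbc.dll','default.ida',
           'arp.exe','ipconfig.exe','netstat.exe','at.exe','net.exe','ping.exe','cacls.exe',
           'nslookup.exe','rdisk.exe','posix.exe','regedt32.exe','debug.exe','rcp.exe',
           'route.exe','edit.com','regedit.exe','runonce.exe','edlin.exe','rexec.exe',
           'syskey.exe','finger.exe','rsh.exe','tracert.exe','ftp.exe','telnet.exe',
           'xcopy.exe','nbtstat.exe')

# The page says to search the hard disk for every copy; these roots are an assumption.
$roots = @($env:SystemRoot, 'C:\Inetpub')
$targets = Get-ChildItem -Path $roots -Include $files -Recurse -File -Force -ErrorAction SilentlyContinue
$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

foreach ($file in $targets) {
    $acl = Get-Acl -LiteralPath $file.FullName
    $changed = $false
    foreach ($id in $Identities) {
        # Skip files that already carry an equivalent Deny entry for this identity.
        $alreadyDenied = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -like "*$id" -and
            (($_.FileSystemRights -band $rx) -eq $rx)
        }
        if ($alreadyDenied) { continue }
        try {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'ReadAndExecute', 'Deny')
            $acl.AddAccessRule($rule)
            $changed = $true
            "$($file.FullName): deny ReadAndExecute for $id"
        } catch {
            # Typically the account does not exist (e.g. no IUSR_<machine> on IIS 7+).
            Write-Warning "$($file.FullName): cannot add rule for ${id}: $($_.Exception.Message)"
        }
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $file.FullName -AclObject $acl }
}
if (-not $Apply) { 'Dry run only; re-run with -Apply to write the ACLs.' }
```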
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use an https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites, they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
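The robots.txt and meta-tag directives referred to above, as an added example that is not part of the GL Computing document. It uses Python's standard urllib.robotparser to show what a crawler that honours the file will and will not request. The virtual directory name /actweb/ is the document's default install location; the page name login.asp and everything else in the block are constructed for the example.

```python
"""Added example, not code from the GL Computing document: the robots.txt and
meta-tag directives the text refers to, checked with Python's own
urllib.robotparser so you can see what a crawler that honours them will do.
The virtual directory name /actweb/ is the document's default install path;
everything else here is constructed for the example."""
import urllib.robotparser

# Constructed robots.txt: keep every well-behaved crawler out of the ACT for Web
# virtual directory while leaving the (deliberately blank) front page alone.
ROBOTS_TXT = """\
User-agent: *
Disallow: /actweb/
"""

# Per-page alternative for any page that must not be indexed: put this in the
# page's <head>. Crawlers only see it on pages they are allowed to fetch.
NOINDEX_META = '<meta name="robots" content="noindex, nofollow">'


def crawler_may_fetch(robots_txt, path, agent="*"):
    """True if a crawler honouring robots_txt is allowed to request path."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)


def advertised_paths(robots_txt):
    """The paths robots.txt names. The file is public, so a Disallow line keeps a
    compliant spider out but also tells anyone who reads it that the path exists."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    # /actweb/login.asp is a hypothetical page name used only for the demonstration.
    for path in ("/index.html", "/actweb/", "/actweb/login.asp"):
        state = "fetchable" if crawler_may_fetch(ROBOTS_TXT, path) else "blocked"
        print("%-20s %s" % (path, state))
    print("paths the file itself reveals:", advertised_paths(ROBOTS_TXT))
```

Both mechanisms are advisory: robots.txt only governs crawlers that choose to read it, and the file itself names the directory it protects, so treat them as a way to stay out of search results and rely on the authentication and port changes above for actual access control.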
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes - BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes
o Control Panel | System | Advanced | Startup and Recovery
Set display list to 10 seconds
Check "Automatic Reboot"
Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
Audit account logon events to Success, Failure
Audit account management to Success, Failure
Audit directory service access to Success, Failure
Audit logon events to Success, Failure
Audit policy change to Success, Failure
Audit privilege use to Success, Failure
Audit process tracking to Success, Failure
Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
Allow System to Be Shut Down Without Having to Log On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirement for Logon to Disabled
Do Not Display Last User Name in Logon Screen to Enabled
Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
Message Title for Users Attempting to Log On to company or site owner's name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console: Allow Automatic Administrative Logon to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On User to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
Additional restrictions for anonymous connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General
Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP and IP ports as needed - although it is often better to do this from an external firewall, doing it through both assists in protecting you against breaches of the firewall
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
Guest account | General Tab | Cannot change password
Guest account | General Tab | Password never expires
Guest account | General Tab | Account disabled
Guest account | Dial-in Tab | Remote Access Permission | Deny access
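The Winlogon registry values and the Local Security Policy settings listed above (password, lockout, audit and security options), as an added example that is not part of the GL Computing document: they are written out as a secedit security template, the .inf format that Windows 2000's secedit.exe imports with /configure and exports with /export, together with a small checker that reads an exported template and reports where a server departs from that baseline. The registry value paths are the ones the Windows 2000 templates use, but compare them with a `secedit /export` taken from a test machine before importing; the company name is a placeholder, and the "exported" template in the block is constructed for the example. Service start-up types are deliberately not in the template, because a service line also carries a security descriptor that should be copied from your own export rather than invented.

```python
"""Added example, not code from the GL Computing document: the Winlogon
registry values and Local Security Policy settings from the lockdown list as a
secedit security template, plus a checker that compares a `secedit /export`
template against that baseline. Registry value paths are the Windows 2000
template names; verify them against a test machine's export before use. The
company name is a placeholder and EXPORTED_INF_SAMPLE is constructed."""

# Value type codes in [Registry Values]: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD.
# Audit codes in [Event Audit]: 0 = none, 1 = success, 2 = failure, 3 = both.
BASELINE_INF = r"""[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 8
MinimumPasswordLength = 8
MaximumPasswordAge = 30
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 3
AuditSystemEvents = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=1,"Example Company Pty Ltd"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=1,"Unauthorized use prohibited"
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
"""

# Constructed stand-in for `secedit /export /cfg current.inf` output from a
# server that was only partly locked down (not a real export).
EXPORTED_INF_SAMPLE = r"""[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 8
MinimumPasswordLength = 6
MaximumPasswordAge = 42
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 1
AuditSystemEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=1,"Unauthorized use prohibited"
"""

CHECKED_SECTIONS = ("System Access", "Event Audit", "Registry Values")


def parse_inf(text):
    """Return {section: {key: value}} for a secedit template. Keys keep their
    full registry path; values keep the 'type,data' text exactly as written."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def deviations(exported_text, baseline_text=BASELINE_INF):
    """List (section, key, expected, actual) for every baseline setting that the
    exported template lacks (actual is None) or sets to a different value."""
    want, have = parse_inf(baseline_text), parse_inf(exported_text)
    out = []
    for section in CHECKED_SECTIONS:
        for key, expected in want.get(section, {}).items():
            actual = have.get(section, {}).get(key)
            if actual != expected:
                out.append((section, key, expected, actual))
    return out


if __name__ == "__main__":
    for section, key, expected, actual in deviations(EXPORTED_INF_SAMPLE):
        name = key.rsplit("\\", 1)[-1]
        print("%s: %s is %r, baseline wants %r" % (section, name, actual, expected))
```

A setting the export does not mention is reported with an actual value of None; on a real machine that usually means "not defined", which is exactly the case the lockdown list exists to catch, so treat it as a deviation rather than a parse problem.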
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transfer Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
Other General Changes
o For the Everyone Group (that may have been renamed):
C Drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
C Drive, WinNT folder rights: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
arp.exe ipconfig.exe netstat.exe at.exe net.exe ping.exe cacls.exe nslookup.exe rdisk.exe cmd.exe posix.exe regedt32.exe debug.exe rcp.exe route.exe edit.com regedit.exe runonce.exe edlin.exe rexec.exe syskey.exe finger.exe rsh.exe tracert.exe ftp.exe telnet.exe command.exe xcopy.exe nbtstat.exe
(And any others not needed)
o Display Properties
Set screen saver to "Logon Screen Saver"
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable "start program on Windows startup" option
Turn on all activity logs (detection, quarantine, etc.)
Disable "audible alert" option
Check that "how to respond when a virus is found" is set for an automatic solution (Norton, for example, uses a default of "ask me what to do")
Enable scan of "master boot records"
Enable scan of "boot records"
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning service to verify your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
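A daily log-review helper for the audit settings above, as an added example that is not part of the GL Computing document. It reads a Security event log export in Event Viewer's "Save As" CSV layout (Date, Time, Source, Type, Category, Event, User, Computer, Description), keeps the Windows 2000 logon-failure events (event ID 529) and reports accounts whose failures cluster tightly enough to trip the Account Lockout Policy set earlier in this appendix (5 failures within the 10-minute reset window). The export in the block is constructed for the example, with abbreviated descriptions; the account and workstation names are placeholders.

```python
"""Added example, not code from the GL Computing document: a daily log-review
helper. It parses a Security log export (Event Viewer CSV layout), keeps
Windows 2000 logon-failure events (ID 529) and flags accounts whose failures
would reach the lockout threshold inside the reset window. SAMPLE_EXPORT is
constructed (dd/mm/yyyy dates, abbreviated descriptions, placeholder names)."""
import csv
import io
import re
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # "Account lockout threshold" in the policy above
LOCKOUT_WINDOW = timedelta(minutes=10)   # "Reset account lockout counter" in the policy above
LOGON_FAILURE_EVENT = "529"

# Constructed sample export; not a real server's log.
SAMPLE_EXPORT = r"""Date,Time,Source,Type,Category,Event,User,Computer,Description
06/08/2004,09:01:12,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: ksmith Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS22"
06/08/2004,09:01:40,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: ksmith Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS22"
06/08/2004,09:02:05,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: ksmith Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS22"
06/08/2004,09:02:31,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: ksmith Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS22"
06/08/2004,09:02:58,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: ksmith Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS22"
06/08/2004,09:03:20,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: ksmith Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS22"
06/08/2004,09:05:02,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS07"
06/08/2004,09:05:30,Security,Success Audit,Logon/Logoff,528,ACTWEB1\jdoe,ACTWEB1,"Successful Logon: User Name: jdoe Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS07"
06/08/2004,17:40:11,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,ACTWEB1,"Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: ACTWEB1 Logon Type: 3 Workstation Name: WS07"
"""

USER_RE = re.compile(r"User Name:\s*(\S+)")
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S+)")


def parse_failures(export_text):
    """Return [(timestamp, user, workstation)] for each 529 event in the export."""
    failures = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 9 or row[5] != LOGON_FAILURE_EVENT:
            continue                     # header line, other event IDs, blank rows
        when = datetime.strptime(row[0] + " " + row[1], "%d/%m/%Y %H:%M:%S")
        user = USER_RE.search(row[8])
        station = WORKSTATION_RE.search(row[8])
        failures.append((when, user.group(1) if user else "?",
                         station.group(1) if station else "?"))
    return failures


def lockout_candidates(failures, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return [(user, peak_failures_in_window, [workstations])] for accounts whose
    failures reach the threshold inside the reset window, sorted by user."""
    by_user = {}
    for when, user, station in failures:
        by_user.setdefault(user, []).append((when, station))
    flagged = []
    for user, hits in sorted(by_user.items()):
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):      # sliding window over the sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged.append((user, peak, sorted({s for _, s in hits})))
    return flagged


if __name__ == "__main__":
    for user, peak, stations in lockout_candidates(parse_failures(SAMPLE_EXPORT)):
        print("%s: %d failures within %s from %s" % (user, peak, LOCKOUT_WINDOW, ", ".join(stations)))
```

An account that shows up here has either a user who needs help with their password or someone guessing at it from the listed workstation; either way it is the line in the daily review worth following up, and the same window logic can be pointed at the firewall log once the columns are mapped.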
Term - Definition
MDAC: The Microsoft Data Access Components provide a suite of tools for accessing different database objects and provide a common user interface to access all of them - often called Universal Data Access (UDA). MDAC includes ActiveX Data Objects (ADO and ADO.NET), OLE DB, ODBC and others. Problems referencing ODBC drivers in ACT for Web are often due to incorrect versions of MDAC; v2.5 is usually recommended.
It is important to note that, unlike other software products, a later version is not necessarily better, as Microsoft withdrew some functionality in 2.6 and later versions. If you need to install 2.6 or 2.7 you will need to also install the FoxPro and Jet drivers separately for ACT for Web. ACT for Web 1.2 and later now also supports MDAC 2.8 for Windows Server 2003 support.
If you aren't sure which version of MDAC is installed on your system, you can find out by following these steps (Note: this involves using RegEdit and should only be done by an experienced computer user):
Press <Start> and select Run
Type "REGEDIT" into the command line (omit the quotes)
Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
Look for a value named Version. This value contains the current version of MDAC installed on your computer.
Microsoft also has a utility called the Component Checker, which can be used to diagnose your current MDAC version as well as find problems in your MDAC installation. The Component Checker can be downloaded from http://msdn2.microsoft.com/en-us/data/aa937730.aspx
DCOM: Distributed Component Object Model. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Previously called Network OLE, DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC specification and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM).
DCOM program permissions are set using dcomcnfg.exe. For information on how this relates to ACT For Web, see http://itdomino.act.com/act.nsf/docid/13988
Device - Definition
Firewalls: A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network. The schemes can range from simple NAT security, as above, through port filtering, IP filtering and other data-determining methods. They can include threat monitoring, call-back and activity pattern testing.
A server can be positioned "behind" the firewall, thereby reducing the "surface area" available to a hacker, or it can be located in a DMZ (demilitarized zone) to be a more public server. As the IIS server will be hosting our client data, it is better to locate it behind the firewall and only permit the data that it needs to handle.
We will discuss more about Firewalls later in the security section.
Hubs vs Switches: These connect devices on the same LAN. When data is sent to one port on the hub it is copied to all ports on the hub, so all segments of the LAN will see the data. A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port. In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions.
A hub will also be restricted to the speed of the slowest device on the LAN segment.
Routers vs Bridges: Routers and Bridges allow you to connect different networks - e.g. your LAN to your ISP's network. Routers (OSI Layer 3 - Network) and Bridges (OSI Layer 2 - Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect - the model for network architecture and the protocols used to implement it). We will not be going into the OSI model here, but suffice it to say that Routers and Bridges accomplish a similar task in different ways, and you as ACCs can treat them the same way for the purpose of an ACT For Web implementation.
Command - Description
Ping: Ping is the simplest command to tell if a remote system is running and available. It verifies IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request. Pinging a domain name returns the IP address from the DNS server and the time to reach it and return.
Tracert: If you can't ping a system (and you think it should be running) you might try TRACERT - this will ping each machine between you and the remote system, usually allowing you to determine where the failure or bottleneck is.
IPCONFIG: IPCONFIG is a command that displays the TCP/IP network configuration values and can be used to refresh the DHCP and DNS settings. Becoming familiar with IPCONFIG and its parameters will be of long-term benefit to you - for older operating systems (Win 9X/ME) use WINIPCFG.
NSLOOKUP: NSLOOKUP is a command used to query and diagnose issues with the DNS server. This is useful if you are checking for problems reaching a client's server.
IIS - What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application - in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive, and there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the Web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real-time, so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again and display them to the client.
Chapter 2
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server - Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on Port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (on your web browser) text, static graphics images, animated graphics images, 3-D worlds and audio/video files. It can also be used to access databases such as ACT for Web via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. The FTP Publishing Service is much less complex than the WWW Publishing Service. The FTP Publishing Service is used primarily as a data repository. It is usually on Port 21.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol - the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is Port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers should default to Port 119.
Dev Tool - Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard for many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: ISAPI - the Internet Server Application Programming Interface - was Microsoft's proprietary programming interface developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI DLL (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the ASP.dll file. It is similar in its advantages over CGI, without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model - an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It not only includes the data but self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server to your machine but NOT installed any IIS components. In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple.
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs
Chapter 3
Then click Add/Remove Windows Components
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker - Description
Script Kiddie: This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have Credit Card numbers (or similar data) on your system. If you are planning to keep Credit Cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Chapter 4
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee that feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "un-known" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and un-known attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary - including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda, SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier - and yet many administrators (including Microsoft's own) had not patched all their servers that were available from the Internet against these. Consequently many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is a good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence - preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack - that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available. We'll look at the services in the next chapter.
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net - TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is only to permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
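The port and IP allow-list rule just described, as an added example that is not part of the GL Computing document: a small model of the rule, run over constructed firewall log lines so its effect can be seen before it is typed into a real firewall or into the IIS IP address restrictions. The server address, the client ranges and the log lines are all constructed from documentation address ranges; only the port numbers (80, 443 and the outbound block list) come from the text.

```python
"""Added example, not code from the GL Computing document: a model of the
"permit only the ports you need, from the IP ranges you know" rule, applied to
constructed firewall log lines. SERVER_IP, the client ranges and SAMPLE_LOG
are constructed (documentation address ranges); the port numbers are the
ones the text names."""
import ipaddress

SERVER_IP = ipaddress.ip_address("198.51.100.10")               # constructed
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24"),    # constructed office range
                       ipaddress.ip_network("192.0.2.0/28")]      # constructed VPN pool
PUBLISHED_TCP_PORTS = {80, 443}      # the web site port(s); change if the site was moved off 80
OUTBOUND_BLOCKED_PORTS = {135, 137, 138, 139, 593}   # the text's outbound block list (443 left open for SSL)


def decide(proto, src, dport):
    """Apply the allow-list: outbound traffic may not reach the blocked ports;
    inbound traffic is accepted only on published TCP ports from known ranges."""
    src_ip = ipaddress.ip_address(src)
    if src_ip == SERVER_IP:                                    # outbound from the server
        if dport in OUTBOUND_BLOCKED_PORTS:
            return "deny", "outbound to blocked port %d" % dport
        return "permit", "outbound"
    if proto != "TCP" or dport not in PUBLISHED_TCP_PORTS:      # nothing else is published
        return "deny", "%s port %d not published" % (proto, dport)
    if not any(src_ip in net for net in ALLOWED_CLIENT_NETS):
        return "deny", "source %s outside permitted ranges" % src
    return "permit", "inbound web from permitted range"


# Constructed log, one connection per line: date time proto src dst sport dport
SAMPLE_LOG = """\
2004-08-06 09:01:12 TCP 203.0.113.7 198.51.100.10 40212 80
2004-08-06 09:01:15 TCP 198.51.100.77 198.51.100.10 51000 80
2004-08-06 09:01:20 TCP 203.0.113.7 198.51.100.10 40213 139
2004-08-06 09:01:25 UDP 203.0.113.7 198.51.100.10 137 137
2004-08-06 09:02:00 TCP 198.51.100.10 203.0.113.7 1040 135
2004-08-06 09:02:05 TCP 198.51.100.10 203.0.113.9 1041 80
2004-08-06 09:02:10 TCP 192.0.2.5 198.51.100.10 33000 443
"""


def review(log_text):
    """Return [(src, dst, dport, decision, reason)] for every line of the log."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _date, _time, proto, src, dst, _sport, dport = line.split()
        decision, reason = decide(proto, src, int(dport))
        results.append((src, dst, int(dport), decision, reason))
    return results


if __name__ == "__main__":
    for src, dst, dport, decision, reason in review(SAMPLE_LOG):
        print("%-6s %s -> %s:%d  (%s)" % (decision, src, dst, dport, reason))
```

The denied lines are the ones to carry over to the firewall configuration: the inbound NetBIOS and UDP attempts should never reach the server, and the outbound connection to port 135 is exactly the kind of traffic the outbound block list exists to stop if a Trojan ever does get onto the machine.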
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database - either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients.
Chapter 5
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in at either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done on the Administration sites, FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (could be re-named) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (by right-click, then Properties), which should look something like:
GL Computing Page 23 682004
On the Documents tab, remove all the items there and add web.gif, or some other small gif that you have placed in the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small, giving nothing away as to the content of the site.
If the server is also being used for another site, you may need to leave another default document that is used by that site.
You may also want to point the Printers virtual folder at this gif file, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have installed ACT for Web.
To do this, right-click on the actweb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like the following screenshot.
This is to prevent holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders on disk for which you removed the virtual folders earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida, by adding the account in the Security properties of each file and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the copies of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security, you can remove Anonymous access and use Integrated Windows Authentication. This enables you to use the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this, please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites, they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
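The IIS steps in this chapter can be applied repeatably with the IIS 5 ADSI provider instead of clicking through the console; the script below is an added example and is not part of the GL Computing document. It assumes site instance 1 is the Default Web Site, that the ACT for Web virtual folder is named "actweb", that web.gif is already in the home directory, and that the sample virtual folders carry the standard IIS 5 names.

```vbscript
' lockdown-iis.vbs (added example, not part of the GL Computing document)
' Applies the Chapter 5 IIS settings to the Default Web Site through the
' IIS 5 ADSI provider.  Run from an Administrator prompt: cscript lockdown-iis.vbs
' Assumptions: site instance 1 is the Default Web Site, the ACT for Web
' virtual folder is "actweb", web.gif already sits in the home directory,
' and the sample virtual folders have the IIS 5 default names.
Option Explicit

Const NEW_PORT = 80   ' keep 80, or the non-standard port agreed with the administrator

Dim shell, site, root, vdir, printers, kept, m, f, iusr
Set shell = CreateObject("WScript.Shell")
Set site  = GetObject("IIS://localhost/W3SVC/1")
Set root  = GetObject("IIS://localhost/W3SVC/1/Root")

' 1. Delete the sample/admin virtual folders the chapter lists; ones the
'    administrator has already removed are reported and skipped.
On Error Resume Next
For Each vdir In Array("IISHelp", "IISAdmin", "IISSamples", "MSADC", "_vti_bin")
    root.Delete "IIsWebVirtualDir", vdir
    If Err.Number = 0 Then
        WScript.Echo "removed virtual folder " & vdir
    Else
        WScript.Echo "skipped " & vdir & " (" & Err.Description & ")"
        Err.Clear
    End If
Next
On Error GoTo 0

' 2. Default document for the whole site: only the placeholder gif, so a
'    casual visitor learns nothing about what the server hosts.
root.DefaultDoc = "web.gif"
root.EnableDefaultDoc = True
root.SetInfo

' 3. Application mappings: keep only .asa and .asp, which ACT for Web needs.
'    Each ScriptMaps entry looks like ".asp,C:\WINNT\system32\inetsrv\asp.dll,1,..."
kept = Array()
For Each m In root.ScriptMaps
    If LCase(Left(m, 5)) = ".asp," Or LCase(Left(m, 5)) = ".asa," Then
        ReDim Preserve kept(UBound(kept) + 1)
        kept(UBound(kept)) = m
    End If
Next
root.ScriptMaps = kept
root.SetInfo

' 4. Printers virtual folder (it tends to re-appear): point it at the same
'    gif in the home directory and give it the same two mappings only.
On Error Resume Next
Set printers = GetObject("IIS://localhost/W3SVC/1/Root/Printers")
If Err.Number = 0 Then
    printers.Path = root.Path
    printers.DefaultDoc = "web.gif"
    printers.ScriptMaps = kept
    printers.SetInfo
End If
Err.Clear
On Error GoTo 0

' 5. ACT for Web folder: Default.htm back as its default document and
'    Integrated Windows authentication only (AuthFlags: 1 = Anonymous,
'    2 = Basic, 4 = Integrated Windows).  The IUSR account is then no
'    longer used, so the users logging in need the DCOMCNFG and folder rights.
Set vdir = GetObject("IIS://localhost/W3SVC/1/Root/actweb")
vdir.DefaultDoc = "Default.htm"
vdir.AuthFlags = 4
vdir.SetInfo

' 6. Deny the anonymous web account access to the programs the chapter
'    lists, for every copy under the Windows folder (cacls /E edits the
'    ACL in place; /D adds a Deny entry for the named account).
iusr = "IUSR_" & shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
For Each f In Array("cmd.exe", "command.com", "tftp.exe", "httpodbc.dll", "default.ida")
    shell.Run "cmd /c for /r %SystemRoot% %p in (" & f & ") do cacls ""%p"" /E /D " & iusr, 0, True
Next

' 7. Optional: move the site off port 80 (binding format is IP:port:hostname)
If NEW_PORT <> 80 Then
    site.ServerBindings = Array(":" & NEW_PORT & ":")
    site.SetInfo
End If
WScript.Echo "IIS lockdown applied"
```

Run it once before installing ACT for Web and once after, since the ACT for Web installer recreates the actweb virtual folder with its own defaults.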
Appendix A
More tips for the paranoid

Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert.
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACK UP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or site owner
  Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
  Set the display list to 10 seconds
  Check "Automatic Reboot"
  Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history to 8
  Minimum password length to 8
  Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration to 10 minutes
  Account lockout threshold to 5
  Reset account lockout counter after 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events to Success, Failure
  Audit account management to Success, Failure
  Audit directory service access to Success, Failure
  Audit logon events to Success, Failure
  Audit policy change to Success, Failure
  Audit privilege use to Success, Failure
  Audit process tracking to Success, Failure
  Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow System to Be Shut Down Without Having to Log On to Disabled
  Audit Use of Backup and Restore Privilege to Enabled
  Clear Virtual Memory Pagefile When System Shuts Down to Enabled
  Disable CTRL-ALT-DEL Requirement for Logon to Disabled
  Do Not Display Last User Name in Logon Screen to Enabled
  Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
  Message Title for Users Attempting to Log On to the company or site owner's name
  Prevent Users from Installing Printer Drivers to Enabled
  Recovery Console: Allow Automatic Administrative Logon to Disabled
  Restrict CD-ROM Access to Locally Logged-On User Only to Enabled
  Restrict Floppy Access to Locally Logged-On User Only to Enabled
  Unsigned Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Additional Restrictions for Anonymous Connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it through both assists in protecting you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account, General tab: Cannot change password
  Guest account, General tab: Password never expires
  Guest account, General tab: Account disabled
  Guest account, Dial-in tab: Remote Access Permission: Deny access
Services
o Configure the following Windows Services to start automatically:
  DNS Client
  Event Log
  Logical Disk Manager
  IPSec Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service
  RunAs
  Security Accounts Manager
  Task Scheduler
o Configure the following Windows Services to start manually:
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service
  Internet Connection Sharing
  Net Logon
  NetMeeting Remote Desktop
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
  Intersite Messaging
  Kerberos Key Distribution Center
  Routing and Remote Access
  Terminal Services
  Print Spooler
  Simple Mail Transport Protocol (SMTP)
  DHCP Client
  Messenger
  Telephony
  Telnet
  Windows Time
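The registry items, the registry-backed Security Options and the Services lists above can be applied from one script rather than by hand on each server; the following is an added example, not part of the GL Computing document. Password, lockout and audit policy stay in Local Security Policy as described; the Windows 2000 Winlogon value names and the WMI service short names used here are assumptions to be checked against the target server before use.

```vbscript
' lockdown-server.vbs (added example, not part of the GL Computing document)
' Scripts the Registry, legal-notice and Services items from the Appendix
' lists so the same baseline is applied identically on every server.
' Password, lockout and audit policy are still set in Local Security Policy.
' BACK UP THE REGISTRY FIRST.  Run: cscript lockdown-server.vbs
' Assumptions: Windows 2000 value names under Winlogon; the WMI service short
' names below (verify them in the Services console or with "sc query").
Option Explicit

Const WINLOGON = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"
Dim shell, wmi, modes, name, coll, svc, rc

Set shell = CreateObject("WScript.Shell")

' Legal notice shown before logon, and no last user name on the logon screen
' (placeholder caption: replace with the company or site owner's name)
shell.RegWrite WINLOGON & "LegalNoticeCaption", "<company or site owner name>", "REG_SZ"
shell.RegWrite WINLOGON & "LegalNoticeText", "Unauthorized use prohibited", "REG_SZ"
shell.RegWrite WINLOGON & "DontDisplayLastUserName", "1", "REG_SZ"

' Remove the OS/2 and POSIX subsystem entries and the RPC client protocol
' entries the Appendix lists.  These are values, not keys, so RegDelete gets
' no trailing backslash; a value that is already gone is reported and skipped.
On Error Resume Next
For Each name In Array( _
    "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2", _
    "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix", _
    "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional", _
    "HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols\ncacn_ip_tcp", _
    "HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols\ncadg_ip_udp")
    shell.RegDelete name
    If Err.Number = 0 Then
        WScript.Echo "deleted " & name
    Else
        WScript.Echo "not present: " & name
        Err.Clear
    End If
Next
On Error GoTo 0

' Service start modes from the Appendix lists (a representative subset; the
' remaining entries are added the same way).  DHCP Client is disabled only
' because a server normally has a static address; keep it Automatic otherwise.
Set modes = CreateObject("Scripting.Dictionary")
modes.Add "Dnscache", "Automatic"        ' DNS Client
modes.Add "PolicyAgent", "Automatic"     ' IPSec Policy Agent
modes.Add "RemoteRegistry", "Automatic"  ' Remote Registry Service
modes.Add "seclogon", "Automatic"        ' RunAs
modes.Add "Schedule", "Automatic"        ' Task Scheduler
modes.Add "Netlogon", "Manual"           ' Net Logon
modes.Add "MSIServer", "Manual"          ' Windows Installer
modes.Add "cisvc", "Manual"              ' Indexing Service
modes.Add "Messenger", "Disabled"        ' Messenger
modes.Add "TlntSvr", "Disabled"          ' Telnet
modes.Add "W32Time", "Disabled"          ' Windows Time
modes.Add "Spooler", "Disabled"          ' Print Spooler
modes.Add "SMTPSVC", "Disabled"          ' Simple Mail Transport Protocol
modes.Add "TapiSrv", "Disabled"          ' Telephony
modes.Add "RemoteAccess", "Disabled"     ' Routing and Remote Access
modes.Add "TermService", "Disabled"      ' Terminal Services
modes.Add "Dhcp", "Disabled"             ' DHCP Client

Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each name In modes.Keys
    Set coll = wmi.ExecQuery("SELECT * FROM Win32_Service WHERE Name = '" & name & "'")
    If coll.Count = 0 Then
        WScript.Echo name & ": not installed, skipped"
    Else
        For Each svc In coll
            rc = svc.ChangeStartMode(modes(name))
            If rc <> 0 Then
                WScript.Echo name & ": ChangeStartMode failed, code " & rc
            Else
                ' a service being disabled is stopped now as well
                If modes(name) = "Disabled" And svc.State = "Running" Then svc.StopService
                WScript.Echo name & " -> " & modes(name)
            End If
        Next
    End If
Next
```

Review the script's output against the Services console afterwards, and reboot so the Winlogon and subsystem changes take effect.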
Other General Changes
o For the Everyone group (that may have been renamed):
  C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C: drive, WinNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following C:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
o Display Properties
  Set the screen saver to "Logon Screen Saver"
  Set the screen saver to 5 minutes
  Check password protect
o Check the anti-virus program
  Enable the "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the "audible alert" option
  Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
  Enable scan of "master boot records"
  Enable scan of "boot records"
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
GL Computing Page 10 682004
Device Definition
Firewalls A firewall is essentially any number of security schemes designed to prevent unauthorised access to a computer system or network The schemes can range from simple NAT security as above through port filtering IP filtering and other data determining methods They can include threat monitoring call-back and activity pattern testing
A server can be positioned ldquobehindrdquo the firewall thereby reducing the ldquosurface areardquo available to a hacker or it can be located in a DMZ (demilitarized zone) to be a more public server As the IIS server will be hosting our client data it is better to locate it behind the firewall and only permit that data that it needs to handle
We will discuss more about Firewalls later in the security section
Hubs Vs
Switches
These connect devices on the same LAN When data is sent to one port on the hub it is copied to all ports on the hub so all segments of the LAN will see the data A switch (or switching hub) only forwards packets to specific ports rather than broadcasting them to every port In this way the connection between the ports and devices can deliver the full bandwidth available without risk of collisions
A hub will also be restricted to the speed of the slowest device on the LAN segment
Routers Vs
Bridges
Routers and Bridges allow you to connect different networks ndash eg your LAN to your ISPrsquos network Routers (OSI Layer 3 ndash network) and Bridges (OSI Layer 2 ndash Data Link) operate at different levels of the OSI reference model (Open Systems Interconnect ndash the model for network architecture and protocols used to implement it) We will not be going into the OSI model here but suffice it to say that Routers and Bridges accomplish a similar task in different ways and you as ACCs can treat them the same way for the purpose of an ACT For Web implementation
Command Description
Ping Ping is the simplest command to tell if a remote system is running and available It verifies the IP connectivity by sending an ICMP (Internet Control Message Protocol) Echo request Pinging a domain name returns the IP address from the DNS server and the time to reach it and return
Tracert If you canrsquot ping a system (and you think it should be running) you might try TRACERT ndash this will ping each machine between you and the remote system usually allowing you to determine where the failure or bottleneck is
IPCONFIG IPCONFIG is a command that displays the TCPIP network configuration values and can be used to refresh the DHCP and DNS settings Becoming familiar with IPCONFIG and itrsquos parameters will be of long-term benefit to you ndash for older operating systems (Win 9XME) use WINIPCFG
NSLOOKUP NSLOOKUP is a command used to query and diagnose issues with the DNS server This is useful if you are checking for problems reaching a clientrsquos server
GL Computing Page 11 682004
IIS ndash What is it
IS is the Microsoft Internet Information Server It is Microsoftrsquos set of services that support web site configuration management and publishing as well as various other Internet services It includes various development tools and software development kits
IIS like all web applications is a clientserver application ndash in that it does nothing without a client such as a web browser or FTP client software
The information below is in two areas The Servers and the Application Development platforms In both areas only one is really relevant to ACT for Web (the WWW Server and ASP) The other information is provided so that you understand the differences The lists are also not exhaustive and there are other servers and application development tools for IIS
The Servers are the programs that the client software directly connects with on the IIS server They answer the requests from the lsquonet to read files and send information
The Application Development platforms allow the WWW Server to run programs and scripts A plain HTML document that the Web daemon retrieves is static which means it exists in a constant state a text file that doesnt change A CGI or ASP program on the other hand is executed in real-time so that it can output dynamic information For example lets say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it Basically you need to create a program that the WWW Server will execute to transmit information to the database engine and receive the results back again and display them to the client
Chapter
2
I
GL Computing Page 12 682004
For full information on IIS we recommend looking at httpwwwMicrosoftcomIIS
httpwwwmicrosoftcomtechnettreeviewdefaultaspurl=technetprodtechnolwindowsserver2003proddocsdatacentergs_whatschangedasp
Other useful sites include
wwwiisfaqcom
wwwiisanswerscom
wwwiis-resourcescom
wwwzensecuritycouk
wwwnsagovsnacindexhtml
Letrsquos have a look at the functions of IIS that we need to know about in a little more detail
Server Description
WWW Server The WWW server uses the HyperText Transmission Protocol (HTTP) to communicate with its client application (a web browser) Typically on Port 80 the WWW is a content-rich environment It encompasses the majority of network traffic on the Internet You can use it to display (on your web browser) text static graphics images animated graphics images 3-D worlds and audiovideo files It can also be used to access databases such as ACT for Web via various development tools
FTP FTP Publishing Service is a File Transfer Protocol (FTP) server The FTP Publishing Service is much less complex than the WWW Publishing Service The FTP Publishing Service is used primarily as a data repository It is usually on Port 21
SMTP The SMTP service uses the Simple Mail Transfer Protocol to send email across the lsquonet POP3 (the Post Office Protocol - the ability to retrieve email) is not part of the IIS suite The default port for SMTP is Port 25
NNTP The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups similar to the ACC news server NNTP servers should default to Port 119
GL Computing Page 13 682004
Dev Tool Description
CGI The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS Itrsquos a standard for many different web server platforms CGI scripts can be written in a variety of languages including Perl C and C++
ISAPI ISAPI ndash The Internet Server Application Programming Interface was Microsoftrsquos proprietary programming interface developed for IIS as a replacement for CGI It brings the power of OLE (Object Linking and Embedding) to the WWW The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes less resources Instead of running each application as a separate process (as in CGI) the ISAPIdll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it
There is a downside to ISAPI DLLs Because they share the same address space as the HTTP server it is possible that an errant ISAPI application could crash the WWW Publishing Server as well
ASP Because of the risks writing ISAPI applications Microsoft developed ASP (Active Server Pages) The functionality for ASP is handled by the ASPdll file It is similar in its advantages over CGI without the problems of ISAPI Additionally because Microsoft made ASP development considerably easier with the tools provided there are many more ASP developers and support for applications written to use ASP
ACT for Web is written using ASP so add-on development for ACT for Web would require a good knowledge of ASP To gain some knowledge of ASP development you might try looking at wwwasp101com
Additional information on the latest incarnation of ASP ASPNET is available from wwwaspnet
ActiveX ActiveX controls are components that use the Microsoft COM technologies (Component Object Model ndash an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker)
They are Windows programs that can be executed by a browser ActiveX controls have full access to the Windows operating system
XML Extensible Markup Language is a newer method designed for the interchange of documents and data It is a format for transferring data across the Internet It not only includes the data but self-describing information about the data Office 2003 can also use XML
SOAP The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format
GL Computing Page 14 682004
Installing IIS
t is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the lsquonet via ACT for Web The server could also serve the database locally as a LAN server to ACT clients in a ldquohybridrdquo implementation
This document will assume that you have performed a ldquocleanrdquo install of Windows 2000 Server to your machine but NOT installed any IIS components In the Lockdown area we will discuss the differences if you are locking down a server that already has IIS installed by someone else with more components than we will be installing in this section
It is advisable not to perform these functions while connected to the internet and only to connect after we have completed the securing part We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system
Installing IIS is quite simple
Open the Control Panel (Start | Settings | Control Panel) and go to AddRemove
Programs
Chapter
3
I
GL Computing Page 15 682004
Then click AddRemove Windows Components
GL Computing Page 16 682004
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS) We should take this further by clicking on the ldquoDetailsrdquo button
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web)
We will also install the Internet Information services Snap-In as this make administering IIS considerably easier and the Documentation as having the Help system handy can be a good option If you donrsquot want the documentation you can always access the Microsoft web site and search their knowledge base TechNet or MSDN
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task Other options increase the ldquosurface areardquo available for attack on the server and will need to be configured to make them less vulnerable We will look at some of these options in the next section
Click ldquoOKrdquo and IIS will be installed
Although it is not always required we strongly recommend a re-boot of the server after installing or removing Windows components
GL Computing Page 17 682004
Protect against what
N this Chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems
Types of Attackers
Letrsquos start by categorising the types of attackers you may need to protect your systems from
Attacker Description
Script Kiddie This is the most common form of attack and the one which we will most need to protect our servers from These are usually kids looking for easy to hack servers so that they can take control of them and use them to attack others
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from
Valuable Data This is typically done by someone who knows that specific data on your site is of significant value to the attacker It may be done by a nasty competitor who wants your data or someone who thinks you may have Credit Card numbers (or similar data) on your system If you are planning to keep Credit Cards etc in your database you will need to be very careful about your security and liability
We do not recommend keeping this type of data in an ACT database
Prestige Site This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security This is unlikely to be an issue for any ACT for Web installation
Chapter
4
I
GL Computing Page 18 682004
Enemy Attack This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson The toughest of these to protect against is an ex-employee that feels they have been wronged and knows the security of your system
Internal
Attack
This type typically does the most damage as they may know your security and usually have a legitimate reason for accessing your system Sometimes the Valuable Data Prestige Site or Enemy Attack types will also use an internal person to make their task easier The defences we are putting up will not assist in stopping this type of attack The only solutions are to ensure you have good backup procedures regularly read and inspect log files and make sure users only have access to the parts of the system that they need access to
Typically the ldquoScript Kiddierdquo will use known security flaws in the operating system and or known Trojans The other attackers will use a combination of these and ldquoun-knownrdquo attacks and are typically more skilled
We will attempt to keep your server secure from both known and un-known attacks
Known Attacks
The first defence is to make sure you are protected against the ldquoknownrdquo attacks The most common form of these is via Trojans
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access The functions it can provide to an attacker can vary ndash including damaging your data providing access for others to see your data or using itself to launch attacks on other systems
There are two main ways to prevent these
One is to ensure you have a good anti-virus running and that you keep it up-to-date GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers This should find and prevent Trojans from being installed andor remove them if already installed
The other is to make sure your firewall prevents the attacker from accessing the
Trojan if itrsquos on your system As they are usually called from specific ports this provides pretty good security against most known attacks
Many attacks like Nimda SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier ndash and yet many administrators (including Microsoftrsquos own) had not patched their all their servers that were available from the Internet from these Consequently many millions of dollars in damaged data and system down-time were caused
You should make sure that all the Service Packs and Critical Updates are applied to your server Most hackercracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for knowing that many administrators do not apply these fixes It is a good practise to regularly check for updates
GL Computing Page 19 682004
from the Microsoft site httpwindowsupdatemicrosoftcom
Unknown Attacks
It may seem unusual to talk about preventing an ldquoUnknown Attackrdquo but that is exactly what is necessary to provide adequate defence ndash preventing as much as possible attacks that use previously undiscovered exploits
Essentially this means reducing the ldquoSurface Areardquo of attack ndash that is reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter For now wersquoll discuss reducing the entry points that are available Wersquoll look at the services in the next chapter
Port Blocking
By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is to permit only those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to permit only those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation, or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to make sure that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, so you must be careful, as Consultants, about what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, reached either from
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another way to reach the IIS settings is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done for the Administration sites and the FTP and SMTP services, unless you are sure they are being used on the server.
In the Default Web Site (which could have been re-named) you should delete the virtual folders IIS Help, IIS Admin, Samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts in which vulnerabilities may be found, and they are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (right-click, then Properties).
On the Documents tab, remove all the items there and add web.gif, or some other small .gif that you have placed in the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the server is also being used for another site, you may need to leave in place a default document that is used by that site.
You may want to point the Printers virtual folder at this .gif file as well, because it sometimes re-appears, and the idea is to leave nothing pointing at an application in which vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the actweb virtual folder after you have installed ACT for Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the application mappings except for .asa and .asp (which are required for ACT for Web to operate).
This is to prevent holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders on disk belonging to the virtual folders that you removed earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account in the Security properties of each file and selecting Deny (for IUSR only). You may need to search the hard disk to find all copies of these files.
This is to prevent a user being able to point at those files and execute them, which has been a common hacking exploit.
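The IP allow-listing described under IP Blocking and the restricted files listed just above can both be checked against the server's own web logs rather than waited on. The following Python script is an added example, not part of the original document or of ACT for Web: it parses IIS W3C extended log lines (a constructed sample is embedded) and flags requests that come from outside the permitted client ranges or that name one of the files the IUSR account has been denied. The permitted range, the server address and every log line are constructed for the example.

```python
import ipaddress
from urllib.parse import unquote

# Files the IUSR account has been denied above; a request naming one of them is worth a look.
RESTRICTED_FILES = {"cmd.exe", "command.com", "tftp.exe", "httpodbc.dll", "default.ida"}

# Constructed: the client's office address range (hypothetical, documentation addresses).
ALLOWED_RANGES = ["203.0.113.0/24"]

# Constructed sample of IIS 5 W3C extended log lines; the #Fields line names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-08 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-06-08 09:00:01 203.0.113.10 - 192.0.2.5 80 GET /actweb/default.htm - 200 Mozilla/4.0
2004-06-08 09:00:05 198.51.100.77 - 192.0.2.5 80 GET /scripts/cmd.exe - 403 -
2004-06-08 09:00:09 198.51.100.77 - 192.0.2.5 80 GET /default.ida - 404 -
2004-06-08 09:00:12 203.0.113.22 - 192.0.2.5 80 GET /actweb/login.asp - 200 Mozilla/4.0
2004-06-08 09:00:20 192.0.2.99 - 192.0.2.5 80 GET /actweb/default.htm - 200 Mozilla/4.0
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def review_log(text, allowed_ranges):
    """Return one finding per suspicious request, each with the reasons it was flagged."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    findings = []
    for row in parse_w3c(text):
        reasons = []
        client = ipaddress.ip_address(row["c-ip"])
        if not any(client in net for net in nets):
            reasons.append("client outside permitted IP ranges")
        # Decode %xx escapes and normalise backslashes so a restricted name cannot hide behind encoding.
        stem = unquote(row["cs-uri-stem"]).replace("\\", "/")
        name = stem.rsplit("/", 1)[-1].lower()
        if name in RESTRICTED_FILES:
            reasons.append(f"request for restricted file {name}")
        if reasons:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "ip": row["c-ip"],
                "uri": row["cs-uri-stem"],
                "status": row["sc-status"],
                "reasons": reasons,
            })
    return findings


def offending_ips(findings):
    """Count findings per client address, most active first; a starting point for a firewall block list."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG, ALLOWED_RANGES)
    for h in hits:
        print(h["time"], h["ip"], h["uri"], h["status"], "; ".join(h["reasons"]))
    print("per-IP totals:", offending_ips(hits))
```

To run it against a real server, read the day's file from the IIS log directory (for the default site, the W3C logs live under %SystemRoot%\system32\LogFiles\W3SVC1) and pass its text to review_log in place of SAMPLE_LOG. A 403 or 404 against cmd.exe is the lockdown doing its job; a 200 against any restricted file, or any hit from outside the permitted ranges, is what the daily log review in the Appendix is meant to catch.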
If you want increased security, you can remove Anonymous access and use Integrated Windows Authentication. This enables you to require a Windows or domain login before the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage on the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties on the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on both windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you log in with has proper permissions set in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the flow across the internet. This uses the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites, they may already have taken steps to interact with the spiders that crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors' sites or search engines. However, these methods are generally respected by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet, and do not browse the internet from an account that is a member of the Administrators group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run the Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes (BACK UP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Change the LegalNoticeCaption value to your company name or site owner
    Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
    Set the display list time to 10 seconds
    Check "Automatic Reboot"
    Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
    Enforce password history: 8
    Minimum password length: 8
    Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
    Account lockout duration: 10 minutes
    Account lockout threshold: 5
    Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
    Audit account logon events: Success, Failure
    Audit account management: Success, Failure
    Audit directory service access: Success, Failure
    Audit logon events: Success, Failure
    Audit policy change: Success, Failure
    Audit privilege use: Success, Failure
    Audit process tracking: Success, Failure
    Audit system events: Success, Failure
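The password, lockout and audit settings above can be verified from an export of the local security policy instead of by clicking through each dialog. The following Python script is an added example, not part of the original document: it parses the INF file written by `secedit /export /cfg <file>` (the [System Access] and [Event Audit] sections and the key names are those secedit uses) and reports each of the recommendations above as pass or fail. The embedded sample INF is constructed and shows a mostly default configuration; a real export is UTF-16 text and should be opened with encoding="utf-16".

```python
# Constructed sample of a secedit export (not taken from any real server).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Audit categories from the list above, with the secedit key for each.
AUDIT_KEYS = [
    ("AuditAccountLogon", "Audit account logon events"),
    ("AuditAccountManage", "Audit account management"),
    ("AuditDSAccess", "Audit directory service access"),
    ("AuditLogonEvents", "Audit logon events"),
    ("AuditPolicyChange", "Audit policy change"),
    ("AuditPrivilegeUse", "Audit privilege use"),
    ("AuditProcessTracking", "Audit process tracking"),
    ("AuditSystemEvents", "Audit system events"),
]

# Each rule: section, key, predicate on the integer value, and the recommendation it checks.
RULES = [
    ("System Access", "PasswordHistorySize", lambda v: v >= 8, "Enforce password history: 8"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, "Minimum password length: 8"),
    # 0 or -1 means passwords never expire, so require a positive age of at most 30 days.
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 30, "Maximum password age: 30"),
    # 0 means lockout is off; when it is off secedit omits the duration and reset keys entirely.
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 5, "Account lockout threshold: 5"),
    # -1 means "locked until an administrator unlocks", which is stricter than 10 minutes.
    ("System Access", "LockoutDuration", lambda v: v == -1 or v >= 10, "Account lockout duration: 10 minutes"),
    ("System Access", "ResetLockoutCount", lambda v: v >= 10, "Reset account lockout counter after: 10 minutes"),
] + [
    # secedit encodes audit settings as 0 = none, 1 = success, 2 = failure, 3 = success and failure.
    ("Event Audit", key, lambda v: v == 3, f"{label}: Success, Failure")
    for key, label in AUDIT_KEYS
]


def parse_inf(text):
    """Parse the [Section] / key = value layout of a secedit export into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def to_int(value):
    """Integer form of a policy value, or None when the value is missing or not numeric."""
    try:
        return int(value.strip().strip('"'))
    except (ValueError, AttributeError):
        return None


def check_policy(text):
    """Evaluate every rule against the export; a missing key counts as a failure."""
    sections = parse_inf(text)
    results = []
    for section, key, ok_fn, description in RULES:
        value = to_int(sections.get(section, {}).get(key))
        ok = value is not None and ok_fn(value)
        results.append({"setting": description, "key": key, "actual": value, "ok": ok})
    return results


def report(results):
    """One line per rule, in the style of a checklist."""
    lines = []
    for r in results:
        shown = "not set" if r["actual"] is None else r["actual"]
        lines.append(f"[{'PASS' if r['ok'] else 'FAIL'}] {r['setting']} (secedit {r['key']} = {shown})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_policy(SAMPLE_INF)))
```

Run it after the lockdown and again on a schedule: a rule that flips back to FAIL is the quickest sign that a group policy or a later administrator has undone one of these settings. Security Options and the Everyone-group file rights later in this appendix are not covered by the [System Access] and [Event Audit] sections and need their own checks.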
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
    Allow System to Be Shut Down Without Having to Log On: Disabled
    Audit Use of Backup and Restore Privilege: Enabled
    Clear Virtual Memory Pagefile When System Shuts Down: Enabled
    Disable CTRL-ALT-DEL Requirement for Logon: Disabled
    Do Not Display Last User Name in Logon Screen: Enabled
    Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
    Message Title for Users Attempting to Log On: company or site owner's name
    Prevent Users from Installing Printer Drivers: Enabled
    Recovery Console: Allow Automatic Administrative Logon: Disabled
    Restrict CD-ROM Access to Locally Logged-On User: Enabled
    Restrict Floppy Access to Locally Logged-On User: Enabled
    Unsigned Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
    Unsigned Non-Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
    Additional Restrictions for Anonymous Connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
    Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
    Disable NetBIOS over TCP/IP
    Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
    Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
    Guest account, General tab: Cannot change password
    Guest account, General tab: Password never expires
    Guest account, General tab: Account disabled
    Guest account, Dial-in tab: Remote Access Permission: Deny access
Services
o Configure the following Windows Services to start automatically:
    DNS Client
    Event Log
    Logical Disk Manager
    IPSec Policy Agent
    Plug and Play
    Protected Storage
    Remote Registry Service
    RunAs
    Security Accounts Manager
    Task Scheduler
o Configure the following Windows Services to start manually:
    Application Management
    ClipBook
    COM+ Event System
    Logical Disk Manager Administrative Service
    Distributed Link Tracking Server
    Fax Service
    File Replication
    Indexing Service
    Internet Connection Sharing
    Net Logon
    NetMeeting Remote Desktop Sharing
    Network Connections
    Network DDE
    Network DDE DSDM
    NT LM Security Support Provider
    Performance Logs and Alerts
    QoS RSVP
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Smart Card
    Smart Card Helper
    Uninterruptible Power Supply
    Utility Manager
    Windows Installer
    Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
    Intersite Messaging
    Kerberos Key Distribution Center
    Routing and Remote Access
    Terminal Services
    Print Spooler
    Simple Mail Transport Protocol (SMTP)
    DHCP Client
    Messenger
    Telephony
    Telnet
    Windows Time
Other General Changes
o For the Everyone group (which may have been renamed):
    C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
    C: drive, WinNT folder rights: none
    Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
    arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.exe, xcopy.exe, nbtstat.exe
    (and any others not needed)
o Display Properties
    Set screen saver to "Logon Screen Saver"
    Set the screen saver wait to 5 minutes
    Check password protect
o Check the anti-virus program
    Enable the "start program on Windows startup" option
    Turn on all activity logs (detection, quarantine etc.)
    Disable the "audible alert" option
    Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
    Enable scan of "master boot records"
    Enable scan of "boot records"
    Scan all inbound file types
o Vulnerability Scan
    Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Chapter 2
IIS - What is it?
IIS is the Microsoft Internet Information Server. It is Microsoft's set of services that support web site configuration, management and publishing, as well as various other Internet services. It includes various development tools and software development kits.
IIS, like all web applications, is a client/server application, in that it does nothing without a client such as a web browser or FTP client software.
The information below is in two areas: the Servers and the Application Development platforms. In both areas only one is really relevant to ACT for Web (the WWW Server and ASP). The other information is provided so that you understand the differences. The lists are also not exhaustive; there are other servers and application development tools for IIS.
The Servers are the programs that the client software directly connects with on the IIS server. They answer the requests from the 'net to read files and send information.
The Application Development platforms allow the WWW Server to run programs and scripts. A plain HTML document that the web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI or ASP program, on the other hand, is executed in real time, so that it can output dynamic information. For example, let's say that you wanted to hook up your database to the World Wide Web to allow people from all over the world to query it. Basically, you need to create a program that the WWW Server will execute to transmit information to the database engine, receive the results back again, and display them to the client.
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include:
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Servers:
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment. It encompasses the majority of network traffic on the Internet. You can use it to display (in your web browser) text, static graphic images, animated graphic images, 3-D worlds and audio/video files. It can also be used to access databases, such as ACT for Web, via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. It is much less complex than the WWW Publishing Service and is used primarily as a data repository. It is usually on port 21.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, the ability to retrieve email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transport Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers default to port 119.
Development tools:
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It's a standard across many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI .dll (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, it is possible that an errant ISAPI application could crash the WWW Publishing Server as well.
ASP: Because of the risks in writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the asp.dll file. It has similar advantages over CGI without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model, an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet. It includes not only the data but self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the Web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally, as a LAN server to ACT clients, in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but have NOT installed any IIS components. In the lockdown section we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these steps while connected to the internet, and only to connect after we have completed the securing part. We also recommend applying the latest service packs and critical updates to the Windows 2000 operating system.
Installing IIS is quite simple.
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary, and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some idea of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Script Kiddie: This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can gain credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (named after the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker vary, including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up to date. GL Computing currently recommends Symantec (formerly Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually contacted on specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier ndash and yet many administrators (including Microsoftrsquos own) had not patched their all their servers that were available from the Internet from these Consequently many millions of dollars in damaged data and system down-time were caused
You should make sure that all the Service Packs and Critical Updates are applied to your server Most hackercracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for knowing that many administrators do not apply these fixes It is a good practise to regularly check for updates
GL Computing Page 19 682004
from the Microsoft site httpwindowsupdatemicrosoftcom
Unknown Attacks
It may seem unusual to talk about preventing an ldquoUnknown Attackrdquo but that is exactly what is necessary to provide adequate defence ndash preventing as much as possible attacks that use previously undiscovered exploits
Essentially this means reducing the ldquoSurface Areardquo of attack ndash that is reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter For now wersquoll discuss reducing the entry points that are available Wersquoll look at the services in the next chapter
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it
There are two main transport layer protocols used on the lsquonet ndash TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) Both of these can use 64k (65536) channels of communications or ldquoportsrdquo to connect to specific applications on the server machine
So the simple rule to start with is only to permit those ports that you know you need to be allowed through your server
The default port for web servers is port 80 but it can be set to any port the administrator chooses Using a non-standard port is a simple way to help keep the server hidden means the user will need to put the port number in their URL
The most complete list of registered port numbers can be obtained from httpwwwianaorgassignmentsport-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions 135 137 138 139 443 (unless using SSL) 593
IP Blocking
If you know the IP ranges used by the users who will be accessing your server you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server Wersquoll show how to do this on the IIS server in the next chapter
GL Computing Page 20 682004
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to confirm that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the Internet, so you must be careful, as consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another way to reach the same IIS settings is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed you might find services or virtual folders that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service accepting requests, and check with the administrator.
This should be done on the Administration site and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (it may have been renamed) you should delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC (the Remote Data Services directory installed by MDAC, not an Active Directory component) and _vti_bin (FrontPage Server Extensions). They all contain ASP pages and scripts in which vulnerabilities may be found, and they are most likely not used or needed on the server. If no other application is being run on the IIS server you can remove any of the virtual folders in the web site. The idea is to remove anything not specifically required for our implementation; this reduces the "surface area" available to an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete. Note that deleting a virtual folder removes only the IIS mapping; the files stay on disk until you remove the folder itself, which is covered below.
Next open the Default Web Site properties (right-click, then Properties), which should look something like the following.
On the Documents tab remove all the items there and add web.gif, or some other small gif that you have copied into the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away about the content of the site.
If the server is also hosting another site you may need to leave another default document that that site uses.
You may want to point the Printers virtual folder at this gif file as well, because it sometimes reappears; the idea is to leave nothing pointing at an application in which vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web, because a virtual folder inherits the site-wide document list you have just emptied.
To do this right-click on the ActWeb virtual folder, select Properties, then the Documents tab, and add "Default.htm".
Next, on the Home Directory tab, click the Configuration button. Remove all the application mappings except .asa and .asp, which are required for ACT for Web to operate. It will then look something like the following.
This prevents holes in the other ISAPI extensions (.ida and .idq for Index Server, .htr, .printer, .shtml and so on) being used to get into your site: with the mapping gone, a request for such a file is served as static content if the file exists, or answered with a 404, instead of being handed to the extension DLL.
Next remove (or rename, if you are not sure whether they may be needed later) the on-disk folders for the virtual folders you removed earlier.
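The Default Web Site steps above (deleting the sample virtual folders, replacing the default documents, cutting the application mappings down to .asp and .asa, and re-adding Default.htm on ActWeb) can also be done in one script against the IIS metabase, which is easier to repeat on a second server and to review afterwards. The following is an added example written for this edition and is not code from the original guide or from ACT for Web. It assumes Windows Server 2003 (IIS 6) with Windows PowerShell, run as Administrator; that the Default Web Site is metabase instance W3SVC/1; that web.gif is already in the home directory; and the virtual folder names of a stock IIS install. On Windows 2000 the same metabase properties can be set with adsutil.vbs. Back up the metabase (iisback.vbs on IIS 6) before running it.

```powershell
# Added example (not from the original guide): Default Web Site lock-down via the
# IIS ADSI provider. Assumptions: IIS 6 on Windows Server 2003 with PowerShell,
# run as Administrator; site instance W3SVC/1; web.gif already in the home directory.
$siteRoot = [ADSI]"IIS://localhost/W3SVC/1/Root"

# 1. Delete the sample and administration virtual folders that ship with IIS.
#    Names are those of a stock install; drop any the administrator says are in use.
$unwanted = "IISHelp", "IISAdmin", "IISSamples", "MSADC", "_vti_bin", "Scripts", "Printers"
foreach ($name in $unwanted) {
    $child = @($siteRoot.psbase.Children) | Where-Object { $_.Name -eq $name }
    if ($child) {
        $siteRoot.psbase.Children.Remove($child)   # removes the mapping only; files stay on disk
        Write-Host "Removed virtual folder $name"
    }
}

# 2. Default documents: serve only the placeholder image at the site level.
$siteRoot.Put("EnableDefaultDoc", $true)
$siteRoot.Put("DefaultDoc", "web.gif")
$siteRoot.SetInfo()

# 3. Application mappings: keep .asp and .asa, drop every other ISAPI mapping
#    (.ida/.idq, .htr, .printer, .shtml, .stm, .idc, .cer, .cdx ...).
#    Each ScriptMaps entry is "ext,dll path,flags[,verbs]"; the extension is field 0.
$keep   = ".asp", ".asa"
$before = @($siteRoot.psbase.Properties["ScriptMaps"].Value)
$after  = @($before | Where-Object { $keep -contains ($_ -split ",")[0].ToLower() })
$siteRoot.psbase.Properties["ScriptMaps"].Value = [string[]]$after
$siteRoot.SetInfo()
Write-Host ("Script maps: {0} before, {1} after" -f $before.Count, $after.Count)

# 4. ActWeb keeps its own Default.htm (run this part after ACT for Web is installed).
$actwebPath = "IIS://localhost/W3SVC/1/Root/ActWeb"
if ([ADSI]::Exists($actwebPath)) {
    $actweb = [ADSI]$actwebPath
    $actweb.Put("DefaultDoc", "Default.htm")
    $actweb.SetInfo()
}

# 5. Verify: list what remains so the result can be checked against the dialogs.
"Virtual folders now: " + ((@($siteRoot.psbase.Children) | ForEach-Object { $_.Name }) -join ", ")
"Mappings now: " + (($siteRoot.psbase.Properties["ScriptMaps"].Value |
                     ForEach-Object { ($_ -split ",")[0] }) -join " ")
```

Run it once after the virtual folders have been confirmed unused, and step 4 again after ACT for Web is installed. The last two lines print what remains so the result can be checked against the Documents and Configuration dialogs; if the mapping count after is not 2, a third extension was kept and should be looked at.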
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe and httpodbc.dll by adding the account in each file's Security properties and selecting Deny (for IUSR only). You may need to search the hard disk to get all the copies of these files (Windows File Protection keeps one under system32\dllcache). default.ida is not a file on disk: it was the request the Code Red worm used to reach the Index Server ISAPI extension (idq.dll), so removing the .ida and .idq mappings as above is what closes that path, and denying IUSR on idq.dll as well does no harm.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit: a directory-traversal or URL-decoding flaw in the web server lets an attacker request cmd.exe under the IIS anonymous account, and an explicit Deny for that account stops the request even when the flaw itself has not yet been patched.
If you want increased security you can remove Anonymous access and use Integrated Windows Authentication. This adds a Windows or domain login before the ACT login, so an attacker needs a valid Windows account before reaching the application at all.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage on the shortcut menu. The Computer Management window appears.
2. Expand Services and Applications, then Internet Information Services, and select the Default Web Site so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory may be elsewhere).
3. Right-click the ActWeb virtual directory and click Properties on the shortcut menu. The ActWeb Properties dialog appears.
4. On the Directory Security tab, in the "Anonymous access and authentication control" section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is ticked. The other check boxes depend on your specific security requirements and are not related to the ACT for Web configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later. Avoid Basic authentication unless the site runs over SSL, because Basic sends the Windows password in clear text (base64) with every request.
6. Click OK on both windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt. Integrated authentication is a silent single sign-on only for Internet Explorer inside the domain; users coming across the Internet will get a username and password prompt, and some proxies do not pass NTLM at all, so test from outside before handing over.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you log in with has proper permissions in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
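The same authentication change, plus the IP restriction mentioned under IP Blocking in chapter 4, can be set on the ActWeb virtual directory from a script. This is an added example written for this edition, not code from the original guide or from ACT for Web; it assumes Windows Server 2003 (IIS 6) with Windows PowerShell, run as Administrator, ActWeb under metabase instance W3SVC/1, and the address range 203.0.113.0/24 as a stand-in for the client's real range. The AuthFlags bit values and the IPSecurity object are those of the IIS metabase.

```powershell
# Added example (not from the original guide): authentication and IP restriction on
# the ActWeb virtual directory via the IIS ADSI provider. Assumptions: IIS 6 on
# Windows Server 2003 with PowerShell, run as Administrator; ActWeb under W3SVC/1;
# 203.0.113.0/24 stands in for the client's real address range.
$actweb = [ADSI]"IIS://localhost/W3SVC/1/Root/ActWeb"

# Steps 4-6: clear Anonymous, keep Integrated Windows. AuthFlags is a bit mask:
# 1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM/Kerberos), 16 = Digest.
$AUTH_ANONYMOUS = 1; $AUTH_BASIC = 2; $AUTH_NTLM = 4
$actweb.Put("AuthFlags", $AUTH_NTLM)
$actweb.SetInfo()

# Chapter 4's IP blocking: deny by default, then grant only the listed ranges.
# IPGrant entries are "address, mask" strings. The IPSecurity value is a COM object
# that has to be read, modified and written back as a whole.
$allowed = @("203.0.113.0, 255.255.255.0")          # placeholder range
$ipsec = $actweb.psbase.Properties["IPSecurity"].Value
$ipsec.GrantByDefault = $false
$ipsec.IPGrant = [string[]]$allowed
$actweb.psbase.Properties["IPSecurity"].Value = $ipsec
$actweb.SetInfo()

# Read back and check, so a typo in the mask does not lock everyone out silently.
$flags = [int]$actweb.psbase.Properties["AuthFlags"].Value
if ($flags -band $AUTH_ANONYMOUS) { throw "Anonymous access is still enabled" }
if (($flags -band $AUTH_BASIC) -and -not $actweb.psbase.Properties["AccessSSL"].Value) {
    Write-Warning "Basic authentication without SSL sends passwords in clear text"
}
$check = $actweb.psbase.Properties["IPSecurity"].Value
"GrantByDefault = $($check.GrantByDefault); IPGrant = $($check.IPGrant -join '; ')"
```

Keep a second browser session open to the site while you apply this, and confirm from an address outside the allowed range that you get 403.6 (IP address rejected) before relying on it; the restriction applies to ActWeb only, so the rest of the Default Web Site still needs the lock-down described earlier.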
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You will need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the flow across the Internet, including the Windows and ACT login credentials; you then enter https:// instead of http:// in the browser. SSL needs a server certificate installed on the site; one from a public certificate authority avoids browser warnings, and a self-signed one is acceptable for a closed user group that can be told to expect it.
2. Search engines send out "spiders" to collect information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites they may already have been set up to interact with the spiders that crawl them.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent a directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors or search engines. robots.txt is a request that the well-behaved engines honour, not an access control, and it tells anyone who reads it which paths you consider interesting; restricting by IP address or requiring the Windows login (above) is what actually keeps a crawler out.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on that server.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming does not change the account's well-known SID (the built-in Administrator always ends in -500), so it slows down guessing by name rather than stopping a determined attacker; a long password on the account matters more. The built-in "Everyone" group cannot be renamed (it is a well-known identity that does not appear in Local Users and Groups); what you can do is remove "Everyone" from folder permissions in favour of "Authenticated Users" wherever a folder does not need to be readable by the anonymous web account.
Do not use the server to browse the Internet, and do not browse the Internet from an account that is a member of the Administrators group. Any web attack would then have complete access to install software and reach your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at
http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp
Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run, type syskey.exe, select Encryption Enabled, then select OK. On Windows 2000 SYSKEY is already enabled by default with the key stored on the local machine; the extra protection the dialog offers is in choosing Password Startup or Store Startup Key on Floppy Disk, both of which mean the server can no longer reboot unattended. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes. BACK UP THE REGISTRY FIRST.
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or the site owner's name
  Change the LegalNoticeText value to "Unauthorized Use" (or the wording your client's legal adviser prefers)
  These two values produce the notice shown before the logon dialog; they are the same settings as the "Message title/text for users attempting to log on" policies listed below.
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
  (These remove the OS/2 and POSIX subsystems, which nothing in an ACT for Web installation uses.)
o Delete HKLM\Software\Microsoft\Rpc\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\Rpc\ClientProtocols\ncadg_ip_udp
  (Removing these two stops the server's RPC client making outbound RPC calls over TCP/IP and UDP/IP. Check with the administrator first: domain membership operations, Exchange and Outlook clients and remote MMC administration of this server depend on RPC over TCP.)
Some more suggested Control Panel changes
o Control Panel | System | Advanced | Startup and Recovery
  Set the display list to 10 seconds
  Check "Automatic Reboot"
  Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history: 8
  Minimum password length: 8
  Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration: 10 minutes
  Account lockout threshold: 5
  Reset account lockout counter after: 10 minutes
  (A low threshold with a short duration limits password guessing without handing an attacker an easy way to lock every account out for long.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events: Success, Failure
  Audit account management: Success, Failure
  Audit directory service access: Success, Failure
  Audit logon events: Success, Failure
  Audit policy change: Success, Failure
  Audit privilege use: Success, Failure
  Audit process tracking: Success, Failure
  Audit system events: Success, Failure
  (Auditing success for privilege use and process tracking generates a large volume of events. Raise the Security log's maximum size in Event Viewer and set it to overwrite as needed, or archive it on a schedule; otherwise the log fills and new events are lost.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow system to be shut down without having to log on: Disabled
  Audit use of Backup and Restore privilege: Enabled
  Clear virtual memory pagefile when system shuts down: Enabled
  Disable CTRL+ALT+DEL requirement for logon: Disabled
  Do not display last user name in logon screen: Enabled
  Message text for users attempting to log on: "Unauthorized use prohibited"
  Message title for users attempting to log on: company or site owner's name
  Prevent users from installing printer drivers: Enabled
  Recovery Console: Allow automatic administrative logon: Disabled
  Restrict CD-ROM access to locally logged-on user only: Enabled
  Restrict floppy access to locally logged-on user only: Enabled
  Unsigned driver installation behavior: Do not allow (NOTE: may prevent software installs)
  Unsigned non-driver installation behavior: Do not allow (NOTE: may prevent software installs)
  Additional restrictions for anonymous connections: No access without explicit anonymous permissions (this is RestrictAnonymous=2, which stops null-session enumeration of accounts and shares; it can break domain trusts and some older clients, so test it on a hybrid LAN/web server)
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)" (this unbinds File and Printer Sharing and the Client for Microsoft Networks from the Internet-facing interface)
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. It is often better to do this from an external firewall, but doing it in both places protects you against breaches of the firewall. Note that the enable switch for TCP/IP filtering is global to all adapters (the allowed-port lists are set per adapter) and it only controls inbound connections, so on a hybrid server the LAN interface needs its own list.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab | Cannot change password
  Guest account | General tab | Password never expires
  Guest account | General tab | Account disabled
  Guest account | Dial-in tab | Remote Access Permission: Deny access
Services
o Configure the following Windows services to start automatically
  DNS Client
  Event Log
  Logical Disk Manager
  IPSec Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service (only if you administer the server remotely with tools that need it; otherwise set it to Manual)
  RunAs
  Security Accounts Manager
  Task Scheduler
  (World Wide Web Publishing Service and IIS Admin Service, which ACT for Web needs, are left at Automatic as installed.)
o Configure the following Windows services to start manually
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service
  Internet Connection Sharing
  Net Logon
  NetMeeting Remote Desktop Sharing
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions
o Disable the following Windows services if they are not being used
  Intersite Messaging
  Kerberos Key Distribution Center
  Routing and Remote Access
  Terminal Services (if you rely on it for remote administration, leave it running and restrict port 3389 to administrator addresses at the firewall instead)
  Print Spooler
  Simple Mail Transport Protocol (SMTP)
  DHCP Client (only when the server has a static address, which an Internet-facing server should)
  Messenger
  Telephony
  Telnet
  Windows Time (a domain member needs this for Kerberos clock synchronisation; disable it only on a standalone server)
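The registry, password, lockout and audit settings above, the security options, and the service start types listed under Services can be applied as one security template with secedit.exe rather than one dialog at a time, which also leaves you a file to compare the server against later. This is an added example written for this edition and is not part of the original guide. It assumes Windows Server 2003 with Windows PowerShell run as Administrator (secedit.exe and the template format are the same on Windows 2000, but PowerShell is not available there), a placeholder company name, and the standard short service names for the display names listed above; the values are the ones in this appendix.

```powershell
# Added example (not from the original guide): appendix policy settings via a
# secedit security template, then the listed service start types. Assumptions:
# Windows Server 2003 with PowerShell, run as Administrator; $SiteOwner is a
# placeholder; service short names are the standard ones for the display names listed.
$SiteOwner = "Example Pty Ltd"                       # placeholder, use the client's name
$work = Join-Path $env:TEMP "lockdown"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Keep a copy of the current settings so the change can be reversed.
& secedit.exe /export /cfg (Join-Path $work "before.inf")

# [Event Audit] values: 0 none, 1 success, 2 failure, 3 both.
# [Registry Values] types: 1,"text" is REG_SZ; 4,n is REG_DWORD.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
PasswordHistorySize = 8
MinimumPasswordLength = 8
MaximumPasswordAge = 30
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 3
AuditSystemEvents = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=1,"$SiteOwner"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=1,"Unauthorized use prohibited"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
"@

$inf = Join-Path $work "lockdown.inf"
$template | Set-Content -Path $inf -Encoding Unicode
& secedit.exe /configure /db (Join-Path $work "lockdown.sdb") /cfg $inf `
              /log (Join-Path $work "lockdown.log") /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed, see $work\lockdown.log" }

# Service start types from the appendix (short names; Get-Service shows the mapping).
$startup = @{
  Automatic = "Dnscache","Eventlog","dmserver","PolicyAgent","PlugPlay","ProtectedStorage",
              "RemoteRegistry","seclogon","SamSs","Schedule"
  Manual    = "AppMgmt","ClipSrv","EventSystem","dmadmin","TrkSvr","Fax","NtFrs","cisvc",
              "SharedAccess","Netlogon","mnmsrvc","Netman","NetDDE","NetDDEdsdm","NtLmSsp",
              "SysmonLog","RSVP","RasAuto","RasMan","RpcLocator","SCardSvr","SCardDrv","UPS",
              "UtilMan","MSIServer","Wmi"
  Disabled  = "IsmServ","kdc","RemoteAccess","TermService","Spooler","SMTPSVC","Dhcp",
              "Messenger","TapiSrv","TlntSvr","W32Time"
}
foreach ($type in $startup.Keys) {
    foreach ($name in $startup[$type]) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name not installed, skipped"; continue }
        Set-Service -Name $name -StartupType $type
        if ($type -eq "Disabled" -and $svc.Status -eq "Running") { Stop-Service -Name $name -Force }
    }
}
```

Run `secedit /analyze /db lockdown.sdb /cfg lockdown.inf /log analyze.log` afterwards, and again at the next site visit, to see which settings have drifted; before.inf is what you restore with `secedit /configure /cfg before.inf` if something on the server stops working. Take the Disabled list to the administrator first, as the caveats against Terminal Services, DHCP Client and Windows Time above apply.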
Other General Changes
o For the Everyone group
  C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C: drive, WinNT folder rights: none (make sure Users or Authenticated Users keep Read & Execute there, as the default Windows 2000 permissions give them, or logons and services will fail)
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group and the IUSR account from the following C:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
  Use an explicit Deny entry rather than only removing the Allow, since a Deny wins over any group permission the account picks up later, and remember that Windows File Protection keeps a second copy of most of these under system32\dllcache.
o Display Properties
  Set screen saver to "Logon Screen Saver"
  Set screen saver wait to 5 minutes
  Check "password protect"
o Check the anti-virus program
  Enable the "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine etc.)
  Disable the "audible alert" option
  Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do", which on an unattended server means nothing happens)
  Enable scan of "master boot records"
  Enable scan of "boot records"
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no known vulnerability exists. A web search for the term "vulnerability scanner" will yield numerous companies to select from. Scan from outside the firewall so that you see what an attacker sees, and repeat after every configuration change and patch cycle.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
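Chapter 5 and the appendix both ask for the IUSR account (and Everyone) to be denied access to a list of command-line tools. The following is an added example written for this edition, not code from the original guide, that does both lists in one pass over every copy under the Windows folder and checks each entry afterwards. It assumes Windows Server 2003 with Windows PowerShell run as Administrator, the default IUSR_<machine name> account, and the file list as given above (plus idq.dll, the Index Server extension that .ida requests reach).

```powershell
# Added example (not from the original guide): explicit Deny for the IIS anonymous
# account (and optionally Everyone) on the command-line tools listed in chapter 5
# and the appendix, applied to every copy found under the Windows folder.
# Assumptions: Windows Server 2003 with PowerShell, run as Administrator; the
# anonymous account is the default IUSR_<machine>; the file list is the guide's.
$iusr    = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
$denyFor = @($iusr)                      # add "Everyone" to match the appendix list
$names   = @(
  "cmd.exe","command.com","tftp.exe","httpodbc.dll","idq.dll",
  "arp.exe","ipconfig.exe","netstat.exe","at.exe","net.exe","ping.exe","cacls.exe",
  "nslookup.exe","rdisk.exe","posix.exe","regedt32.exe","debug.exe","rcp.exe","route.exe",
  "edit.com","regedit.exe","runonce.exe","edlin.exe","rexec.exe","syskey.exe","finger.exe",
  "rsh.exe","tracert.exe","ftp.exe","telnet.exe","xcopy.exe","nbtstat.exe"
)

function Add-DenyAce {
    # Adds a Deny-FullControl entry for $Account to $Path, leaving the rest of the ACL alone.
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, "FullControl", "None", "None", "Deny")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyAce {
    # True when an explicit Deny for $Account is present on $Path (used to verify afterwards).
    param([string]$Path, [string]$Account)
    $rules = (Get-Acl -Path $Path).Access
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq "Deny" -and $_.IdentityReference.Value -eq $Account })
}

# Windows File Protection keeps a second copy of most of these in system32\dllcache,
# so search the whole Windows folder rather than trusting one path.
$files = Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include $names -ErrorAction SilentlyContinue
foreach ($file in $files) {
    foreach ($acct in $denyFor) {
        try {
            Add-DenyAce -Path $file.FullName -Account $acct
            if (-not (Test-DenyAce -Path $file.FullName -Account $acct)) { throw "verify failed" }
            Write-Host ("Denied {0} on {1}" -f $acct, $file.FullName)
        } catch { Write-Warning ("{0}: {1}" -f $file.FullName, $_) }
    }
}
```

A Deny for IUSR does nothing once Anonymous access is turned off (the web request then runs as the logged-in Windows user), so on a site using Integrated Windows authentication add the users' group, or Everyone, to $denyFor as well. Check the warnings: a file that could not be changed is usually one still held open or protected by WFP, and should be dealt with by hand.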
For full information on IIS we recommend looking at http://www.Microsoft.com/IIS and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/gs_whatschanged.asp
Other useful sites include
www.iisfaq.com
www.iisanswers.com
www.iis-resources.com
www.zensecurity.co.uk
www.nsa.gov/snac/index.html
Let's have a look at the functions of IIS that we need to know about in a little more detail.
Server: Description
WWW Server: The WWW server uses the HyperText Transfer Protocol (HTTP) to communicate with its client application (a web browser). Typically on port 80, the WWW is a content-rich environment that carries the majority of traffic on the Internet. You can use it to display (in your web browser) text, static graphic images, animated graphics, 3-D worlds and audio/video files. It can also be used to access databases, as ACT for Web does, via various development tools.
FTP: The FTP Publishing Service is a File Transfer Protocol (FTP) server. It is much less complex than the WWW Publishing Service and is used primarily as a data repository. It is usually on port 21. FTP sends usernames and passwords in clear text, which is one more reason to leave it off a server that does not need it.
SMTP: The SMTP service uses the Simple Mail Transfer Protocol to send email across the 'net. POP3 (the Post Office Protocol, which retrieves email) is not part of the IIS suite. The default port for SMTP is port 25.
NNTP: The NNTP service uses the Network News Transfer Protocol to provide discussion servers and groups, similar to the ACC news server. NNTP servers default to port 119.
Dev Tool: Description
CGI: The Common Gateway Interface (CGI) is a legacy application development platform supported under IIS. It is a standard across many different web server platforms. CGI scripts can be written in a variety of languages, including Perl, C and C++.
ISAPI: The Internet Server Application Programming Interface was Microsoft's proprietary programming interface, developed for IIS as a replacement for CGI. It brings the power of OLE (Object Linking and Embedding) to the WWW. The main advantage it offers over CGI is that it is much faster when performing the same tasks and consumes fewer resources. Instead of running each application as a separate process (as in CGI), the ISAPI DLL (Dynamic Link Library) is already loaded into the IIS address space and handles any commands for it.
There is a downside to ISAPI DLLs. Because they share the same address space as the HTTP server, an errant ISAPI application can crash the WWW Publishing Service as well, and a flaw in one (the .ida Index Server extension used by Code Red, or the .printer extension) gives an attacker code execution inside the web server process. This is why chapter 5 removes every application mapping except the two that ACT for Web needs.
ASP: Because of the risks of writing ISAPI applications, Microsoft developed ASP (Active Server Pages). The functionality for ASP is handled by the asp.dll file. It has similar advantages over CGI without the problems of ISAPI. Additionally, because Microsoft made ASP development considerably easier with the tools provided, there are many more ASP developers and more support for applications written to use ASP.
ACT for Web is written using ASP, so add-on development for ACT for Web would require a good knowledge of ASP. To gain some knowledge of ASP development you might try looking at www.asp101.com
Additional information on the latest incarnation of ASP, ASP.NET, is available from www.asp.net
ActiveX: ActiveX controls are components that use the Microsoft COM technologies (Component Object Model, an open software architecture developed by DEC and Microsoft allowing interoperation between OLE and the ObjectBroker).
They are Windows programs that can be executed by a browser. ActiveX controls have full access to the Windows operating system with the rights of the user running the browser, which is the reason the appendix says not to browse the Internet from the server.
XML: Extensible Markup Language is a newer method designed for the interchange of documents and data. It is a format for transferring data across the Internet that includes not only the data but self-describing information about the data. Office 2003 can also use XML.
SOAP: The Simple Object Access Protocol makes use of HTTP to exchange structured data over the web using an XML format.
Chapter 3
Installing IIS
It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.
This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but NOT installed any IIS components. In the lock-down chapter we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.
It is advisable not to perform these functions while connected to the Internet, and only to connect after we have completed the securing part. Apply the latest service pack and critical updates to the Windows 2000 operating system before the server is exposed, downloading them on another machine inside the firewall if necessary; an unpatched IIS server put online first is likely to be found and compromised before you finish the lock-down.
Installing IIS is quite simple.
Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their Knowledge Base, TechNet or MSDN. Note that the documentation installs as the IISHelp virtual folder, which chapter 5 removes from the Internet-facing site; the files can stay on disk and be read locally.
None of the other subcomponents belonging to IIS (FTP Server, SMTP Service, NNTP Service, FrontPage 2000 Server Extensions, Internet Services Manager (HTML) and Visual InterDev RAD Remote Deployment Support) are necessary, and as such should NOT be installed unless you know you will require them for some other task. Each of them increases the "surface area" available for attack on the server and would need to be configured to make it less vulnerable. We will look at some of these options in the next chapter.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a reboot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker: Description
Script Kiddie: This is the most common form of attack and the one we most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others.
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from. Their scans are untargeted, so a server that does not answer on the usual ports and returns nothing useful from the usual probe URLs is simply passed over.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to them. It may be a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability.
We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker gains credibility from being able to bypass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they want to teach you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, make sure users only have access to the parts of the system they need (which is also why the appendix has you audit account management and logon events), and disable accounts the day the person leaves.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (named after the story of the Trojan horse) is a piece of software that gets loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker vary, including damaging your data, providing access for others to see your data, or using the server to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up to date. GL Computing currently recommends Symantec (formerly Norton) AntiVirus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from reaching the Trojan if it is on your system. As they usually listen on specific ports, blocking everything inbound except the web port provides pretty good security against most known attacks. Blocking outbound connections from the server is also worthwhile, since many Trojans connect out to the attacker rather than waiting for an inbound connection.
Many attacks like Nimda, SQL Slammer and others used operating system exploits that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all their Internet-facing servers. Consequently many millions of dollars in damaged data and system downtime were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) use security holes in Windows for which Microsoft has already issued patches, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an ldquoUnknown Attackrdquo but that is exactly what is necessary to provide adequate defence ndash preventing as much as possible attacks that use previously undiscovered exploits
Essentially this means reducing the ldquoSurface Areardquo of attack ndash that is reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter For now wersquoll discuss reducing the entry points that are available Wersquoll look at the services in the next chapter
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it
There are two main transport layer protocols used on the lsquonet ndash TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) Both of these can use 64k (65536) channels of communications or ldquoportsrdquo to connect to specific applications on the server machine
So the simple rule to start with is only to permit those ports that you know you need to be allowed through your server
The default port for web servers is port 80 but it can be set to any port the administrator chooses Using a non-standard port is a simple way to help keep the server hidden means the user will need to put the port number in their URL
The most complete list of registered port numbers can be obtained from httpwwwianaorgassignmentsport-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions 135 137 138 139 443 (unless using SSL) 593
IP Blocking
If you know the IP ranges used by the users who will be accessing your server you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server Wersquoll show how to do this on the IIS server in the next chapter
GL Computing Page 20 682004
Configuring and Securing IIS
nce again it is necessary to state that these procedures if followed exactly are designed for a server that will be dedicated to serving an ACT database ndash either solely for ACT for Web or in a hybrid with local LAN users
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks However we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server
It is also important to note that security can never be guaranteed on the internet and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients
Chapter
5
O
GL Computing Page 21 682004
To modify the IIS settings in Windows 2000 we can use the Computer Management snapin at either
Start | Programs | Administrative Tools | Computer Management
Or selecting Manage from the Right-click menu on My Computer
This will bring up the Computer Management Console
It is important that you become familiar with this interface and itrsquos operation
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager
GL Computing Page 22 682004
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are in use.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service accepting requests, and check with the administrator.
This should be done on the Administration site and the FTP and SMTP services, unless you are sure they are being used on the server.
In the Default Web Site (which could have been renamed) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts in which vulnerabilities may be found, and they are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this reduces the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (right-click, then Properties), which should look something like this:
On the Documents tab, remove all the items there and add web.gif or some other small GIF that you have placed in the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away about the content of the site.
If the server is also being used for another site, you may need to leave in place another default document that is used by that site.
You may want to point the Printers virtual folder at this GIF file as well, because it sometimes reappears, and the idea is to leave nothing pointing at an application in which vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the actweb virtual folder after you have installed ACT for Web.
To do this, right-click on the actweb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like this:
This is to prevent holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders on disk for which you removed the virtual folders earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account in each file's Security properties and selecting Deny (for IUSR only). You may need to search the hard disk to find all the copies of these files.
This is to prevent a user being able to point at those files and execute them, which has been a common hacking exploit.
If you want increased security you can remove Anonymous access and use Integrated Windows Authentication. This lets you require the Windows and domain logins before the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage on the shortcut menu. The Computer Management window appears.
2. Expand Services and Applications, then expand Internet Information Services, and then select Default Web Site so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties on the shortcut menu. The ActWeb Properties dialog appears.
4. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you log in with has proper permissions set in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
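The Default Web Site steps above (deleting the sample virtual folders, trimming the application mappings to .asp and .asa, setting the default documents, and switching the ActWeb directory to Integrated Windows authentication only) can all be applied through the IIS 5/6 metabase. The following PowerShell script is an added example and is not code from the GL Computing document or from ACT for Web. It assumes the Default Web Site is site instance 1 (IIS://localhost/W3SVC/1), that the ACT for Web virtual directory is named actweb, and that the metabase names IISHelp, IISAdmin, IISSamples, MSADC and _vti_bin are the ones corresponding to the folders named in the text. It only reports until -Apply is given, so it can be run first as a check against a server that someone else has set up.

```powershell
# Added example, not from the GL Computing document: apply the Default Web Site
# lockdown steps through the IIS 5/6 metabase using .NET DirectoryEntry (ADSI).
# Assumptions: Default Web Site is instance 1, the ACT for Web vdir is "actweb",
# and the vdir names below match the folders the text lists. Dry run unless -Apply.
param([switch]$Apply)

Add-Type -AssemblyName System.DirectoryServices

$siteRoot = New-Object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/1/Root")
$actweb   = New-Object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/1/Root/actweb")

# Virtual folders the text says to delete (assumed metabase names).
$removeVdirs = @("IISHelp", "IISAdmin", "IISSamples", "MSADC", "_vti_bin")

function Select-ScriptMaps {
    # Each ScriptMaps entry is "ext,dllpath,flags,verbs"; keep only the listed extensions.
    param([string[]]$Maps, [string[]]$Keep = @(".asp", ".asa"))
    $Maps | Where-Object { $Keep -contains $_.Split(",")[0].ToLower() }
}

function Set-MetabaseValue {
    # Report the change and apply it only when -Apply was given.
    param($Entry, [string]$Name, $Value)
    $current = $Entry.Properties[$Name].Value
    "{0}/{1}: '{2}' -> '{3}'" -f $Entry.Path, $Name, ($current -join ","), ($Value -join ",")
    if ($Apply) { $Entry.Properties[$Name].Value = $Value; $Entry.CommitChanges() }
}

# 1. Remove the sample and administration virtual folders.
foreach ($name in $removeVdirs) {
    try { $child = $siteRoot.Children.Find($name, "IIsWebVirtualDir") } catch { $child = $null }
    if ($child) {
        "virtual folder present: $name"
        if ($Apply) { $siteRoot.Children.Remove($child) }
    }
}

# 2. Application mappings: keep only .asp and .asa, which ACT for Web needs.
$maps = @($siteRoot.Properties["ScriptMaps"].Value)
$kept = @(Select-ScriptMaps -Maps $maps)
if ($kept.Count -ne $maps.Count) {
    $maps | Where-Object { $kept -notcontains $_ } | ForEach-Object { "mapping to remove: " + $_.Split(",")[0] }
    if ($Apply) { $siteRoot.Properties["ScriptMaps"].Value = [string[]]$kept; $siteRoot.CommitChanges() }
}

# 3. Default documents: only the placeholder image at the site root, Default.htm on actweb.
Set-MetabaseValue -Entry $siteRoot -Name "DefaultDoc" -Value "web.gif"
Set-MetabaseValue -Entry $actweb   -Name "DefaultDoc" -Value "Default.htm"

# 4. Authentication on actweb: Integrated Windows only.
#    AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated (NTLM/Kerberos), 16 = Digest.
Set-MetabaseValue -Entry $actweb -Name "AuthFlags" -Value 4
```

Run it once without -Apply and compare the report with what the administrator expects to be in use; a mapping or virtual folder that the report flags but the client depends on is exactly the case the text warns about.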
Additional security can be achieved by making your web site harder for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the traffic across the internet. This uses the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing web sites, they may have already begun to take steps to interact with the spiders that crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors' sites or search engines. However, these methods are generally honoured by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert.
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at
http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see
http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACKUP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or site owner
  Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
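The Winlogon legal notice and the Session Manager SubSystems entries above can be applied with a script that exports each key with reg.exe before touching it, which is the backup the list insists on. This PowerShell script is an added example, not from the GL Computing document; the company name is a placeholder to be replaced. The RPC ClientProtocols entries are deliberately left out of it: removing them stops the server's own RPC clients from using TCP and UDP, so that is a decision for the server administrator rather than something to script.

```powershell
# Added example, not from the GL Computing document: set the legal notice values and
# remove the Os2/Posix/Optional subsystem entries listed above, backing up each
# registry key with reg.exe first. Dry run unless -Apply is given; run elevated.
param(
    [string]$Company   = "EXAMPLE COMPANY",   # placeholder: the site owner's name
    [string]$BackupDir = "C:\regbackup",      # assumed backup location
    [switch]$Apply
)

$winlogon   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$subsystems = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

function Backup-RegistryKey {
    # Export a key to a .reg file; abort if the export fails, so nothing is changed without a backup.
    param([string]$PsPath, [string]$Dir)
    $native = $PsPath -replace '^HKLM:\\', 'HKLM\'      # reg.exe wants HKLM\..., not HKLM:\...
    $file = Join-Path $Dir (($native -replace '[\\ ]', '_') + ".reg")
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup of $native failed; aborting" }
    return $file
}

# The changes from the list above, in the order they are applied.
$plan = @(
    @{ Key = $winlogon;   Name = "LegalNoticeCaption"; Action = "set";    Value = $Company },
    @{ Key = $winlogon;   Name = "LegalNoticeText";    Action = "set";    Value = "Unauthorized Use" },
    @{ Key = $subsystems; Name = "Os2";                Action = "delete" },
    @{ Key = $subsystems; Name = "Posix";              Action = "delete" },
    @{ Key = $subsystems; Name = "Optional";           Action = "delete" }
)

# Back up every key that will be modified before any change is made.
if ($Apply) {
    foreach ($key in ($plan | ForEach-Object { $_.Key } | Sort-Object -Unique)) {
        "backed up $key to " + (Backup-RegistryKey -PsPath $key -Dir $BackupDir)
    }
}

foreach ($step in $plan) {
    $existing = (Get-ItemProperty -Path $step.Key -ErrorAction SilentlyContinue).($step.Name)
    switch ($step.Action) {
        "set" {
            "{0}\{1}: '{2}' -> '{3}'" -f $step.Key, $step.Name, $existing, $step.Value
            if ($Apply) { Set-ItemProperty -Path $step.Key -Name $step.Name -Value $step.Value -Type String }
        }
        "delete" {
            if ($null -ne $existing) {
                "{0}\{1}: present, will delete" -f $step.Key, $step.Name
                if ($Apply) { Remove-ItemProperty -Path $step.Key -Name $step.Name }
            }
        }
    }
}
```

The .reg files it writes can be re-imported with reg.exe import if a change turns out to break something on that server.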
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
  Set the display list to 10 seconds
  Check "Automatic Reboot"
  Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history: 8
  Minimum password length: 8
  Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration: 10 minutes
  Account lockout threshold: 5
  Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events: Success, Failure
  Audit account management: Success, Failure
  Audit directory service access: Success, Failure
  Audit logon events: Success, Failure
  Audit policy change: Success, Failure
  Audit privilege use: Success, Failure
  Audit process tracking: Success, Failure
  Audit system events: Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow System to Be Shut Down Without Having to Log On: Disabled
  Audit Use of Backup and Restore Privilege: Enabled
  Clear Virtual Memory Pagefile When System Shuts Down: Enabled
  Disable CTRL-ALT-DEL Requirement for Logon: Disabled
  Do Not Display Last User Name in Logon Screen: Enabled
  Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
  Message Title for Users Attempting to Log On: company or site owner's name
  Prevent Users from Installing Printer Drivers: Enabled
  Recovery Console: Allow Automatic Administrative Logon: Disabled
  Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
  Restrict Floppy Access to Locally Logged-On User Only: Enabled
  Unsigned Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
  Unsigned Non-Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
  Additional restrictions for anonymous connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab: Cannot change password
  Guest account | General tab: Password never expires
  Guest account | General tab: Account disabled
  Guest account | Dial-in tab: Remote Access Permission: Deny access
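The Password Policy, Account Lockout Policy and Audit Policy values above can be verified rather than eyeballed in the MMC: "secedit /export" writes the effective local policy as an INI-style template, and the numbers in it can be compared with the recommended ones. The PowerShell below is an added example, not from the GL Computing document. The template text embedded in it is constructed so the parser can be exercised offline; the live section at the end exports the real policy and needs an elevated prompt. Audit values in the template are encoded as 0 = none, 1 = success, 2 = failure, 3 = both.

```powershell
# Added example, not from the GL Computing document: compare the effective local
# security policy (as exported by secedit.exe) with the values recommended above.
function ConvertFrom-SecurityTemplate {
    # Parse INI-style secedit output into @{ Section = @{ Name = Value } }.
    param([string[]]$Lines)
    $result = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    return $result
}

# The values the text recommends. Audit: 3 = Success and Failure.
$Baseline = @{
    "System Access" = @{
        PasswordHistorySize = 8; MinimumPasswordLength = 8; MaximumPasswordAge = 30
        LockoutDuration = 10; LockoutBadCount = 5; ResetLockoutCount = 10
    }
    "Event Audit" = @{
        AuditAccountLogon = 3; AuditAccountManage = 3; AuditDSAccess = 3; AuditLogonEvents = 3
        AuditPolicyChange = 3; AuditPrivilegeUse = 3; AuditProcessTracking = 3; AuditSystemEvents = 3
    }
}

function Test-PolicyBaseline {
    # One result object per baseline setting; a setting missing from the export is not Ok
    # (secedit omits LockoutDuration/ResetLockoutCount entirely while lockout is off).
    param([hashtable]$Policy, [hashtable]$Expected = $Baseline)
    foreach ($section in $Expected.Keys) {
        foreach ($name in $Expected[$section].Keys) {
            $actual = $null
            if ($Policy.ContainsKey($section)) { $actual = $Policy[$section][$name] }
            $want = $Expected[$section][$name]
            [pscustomobject]@{
                Section = $section; Setting = $name; Expected = $want; Actual = $actual
                Ok = ($null -ne $actual) -and ([int]$actual -eq [int]$want)
            }
        }
    }
}

# Constructed sample resembling an unconfigured server: every baseline check fails.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
'@ -split "`r?`n"

"Sample template:"
Test-PolicyBaseline -Policy (ConvertFrom-SecurityTemplate $sample) | Where-Object { -not $_.Ok } | Format-Table -AutoSize

# Live check: export the effective policy (elevated prompt required) and test it.
$inf = Join-Path $env:TEMP "secpol-export.inf"
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (Test-Path $inf) {
    "Effective policy on $env:COMPUTERNAME:"
    Test-PolicyBaseline -Policy (ConvertFrom-SecurityTemplate (Get-Content $inf -Encoding Unicode)) | Format-Table -AutoSize
    Remove-Item $inf
}
```

Anything reported with Ok false is a setting to revisit in Local Security Policy; on a domain member, a domain Group Policy may be overriding the local value, which is another reason to agree these settings with the administrator first.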
Services
o Configure the following Windows Services to start automatically:
  DNS Client
  Event Log
  Logical Disk Manager
  IPSec Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service
  RunAs
  Security Accounts Manager
  Task Scheduler
o Configure the following Windows Services to start manually:
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service
  Internet Connection Sharing
  Net Logon
  NetMeeting Remote Desktop
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
  Intersite Messaging
  Kerberos Key Distribution Center
  Routing and Remote Access
  Terminal Services
  Print Spooler
  Simple Mail Transport Protocol (SMTP)
  DHCP Client
  Messenger
  Telephony
  Telnet
  Windows Time
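A service list like the one above drifts as software is installed, so it is worth having a script that reports which services no longer have the recommended startup type. The PowerShell below is an added example, not from the GL Computing document. It matches services by the display names as the text gives them (with an unambiguous prefix match for entries such as "RunAs", whose display name on Windows 2000 is longer), reports services that do not exist on the running version of Windows as "missing" rather than failing, and only changes anything when -Apply is given. The constructed sample objects at the bottom let the comparison run without touching the machine.

```powershell
# Added example, not from the GL Computing document: compare the startup type of the
# services listed above with the text's recommendation, and with -Apply set them.
param([switch]$Apply)

# Display names from the text, grouped by the Win32_Service StartMode they should have.
$Baseline = @{
    Auto     = @("DNS Client", "Event Log", "Logical Disk Manager", "IPSec Policy Agent",
                 "Plug and Play", "Protected Storage", "Remote Registry Service", "RunAs",
                 "Security Accounts Manager", "Task Scheduler")
    Manual   = @("Application Management", "ClipBook", "COM+ Event System", "Fax Service",
                 "File Replication", "Indexing Service", "Net Logon", "Network DDE",
                 "NT LM Security Support Provider", "Smart Card", "Windows Installer")
    Disabled = @("Intersite Messaging", "Kerberos Key Distribution Center",
                 "Routing and Remote Access", "Terminal Services", "Print Spooler",
                 "Simple Mail Transport Protocol (SMTP)", "DHCP Client", "Messenger",
                 "Telephony", "Telnet", "Windows Time")
}
$StartupType = @{ Auto = "Automatic"; Manual = "Manual"; Disabled = "Disabled" }   # for Set-Service

function Find-ServiceByDisplayName {
    # Exact display-name match first; otherwise a prefix match, but only if it is unambiguous.
    param([string]$Name, [object[]]$Services)
    $hits = @($Services | Where-Object { $_.DisplayName -eq $Name })
    if ($hits.Count -ne 1) { $hits = @($Services | Where-Object { $_.DisplayName -like "$Name*" }) }
    if ($hits.Count -eq 1) { return $hits[0] }
    return $null
}

function Compare-ServiceBaseline {
    # $Services: objects shaped like Win32_Service (DisplayName, Name, StartMode, State).
    param([hashtable]$Expected, [object[]]$Services)
    foreach ($mode in $Expected.Keys) {
        foreach ($display in $Expected[$mode]) {
            $svc = Find-ServiceByDisplayName -Name $display -Services $Services
            $name   = if ($svc) { $svc.Name }      else { $null }
            $actual = if ($svc) { $svc.StartMode } else { "missing" }
            $state  = if ($svc) { $svc.State }     else { $null }
            [pscustomobject]@{ Service = $display; Name = $name; Expected = $mode
                               Actual = $actual; State = $state; Ok = ($actual -eq $mode) }
        }
    }
}

# Constructed sample: one compliant service and two that have drifted.
$sample = @(
    [pscustomobject]@{ DisplayName = "RunAs Service"; Name = "seclogon"; StartMode = "Auto";   State = "Running" },
    [pscustomobject]@{ DisplayName = "Telnet";        Name = "TlntSvr";  StartMode = "Manual"; State = "Stopped" },
    [pscustomobject]@{ DisplayName = "Print Spooler"; Name = "Spooler";  StartMode = "Auto";   State = "Running" }
)
"Sample drift (Telnet and Print Spooler expected):"
Compare-ServiceBaseline -Expected $Baseline -Services $sample |
    Where-Object { -not $_.Ok -and $_.Actual -ne "missing" } | Format-Table -AutoSize

# Live check against this machine (Get-WmiObject Win32_Service on older PowerShell).
$result = Compare-ServiceBaseline -Expected $Baseline -Services (Get-CimInstance Win32_Service)
"Drift on $env:COMPUTERNAME:"
$result | Where-Object { -not $_.Ok } | Format-Table -AutoSize

if ($Apply) {
    foreach ($r in ($result | Where-Object { -not $_.Ok -and $_.Name })) {
        Set-Service -Name $r.Name -StartupType $StartupType[$r.Expected]
        if ($r.Expected -eq "Disabled") { Stop-Service -Name $r.Name -Force -ErrorAction SilentlyContinue }
    }
}
```

Apply it only after the "Disabled" group has been checked against what the server actually does: the text's own caveat ("if they are not being used") matters most for Print Spooler, DHCP Client and Windows Time, which other roles on a shared server often depend on.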
Other General Changes
o For the Everyone group (which may have been renamed):
  C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C: drive, WinNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following C:\winnt\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
o Display Properties
  Set screen saver to "Logon Screen Saver"
  Set screen saver wait to 5 minutes
  Check "Password protected"
o Check anti-virus program
  Enable the "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the "audible alert" option
  Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
  Enable scan of "master boot records"
  Enable scan of "boot records"
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
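Denying the Internet Guest Account access to the command-line tools listed above, and to the files named earlier in Chapter 5 (cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida), is the same ACL change repeated across a few dozen files, which is error-prone by hand. The PowerShell below is an added example, not from the GL Computing document. It adds a Deny ACE for ReadAndExecute so that nothing running as the IUSR account can read or launch those files; the account name defaults to the Windows 2000 form IUSR_<machine name> (pass -Account IUSR on IIS 7 or later), the tools are looked for under %SystemRoot%\system32 with missing files skipped, and httpodbc.dll and default.ida are searched for on the system drive as the text suggests. It reports only, unless -Apply is given.

```powershell
# Added example, not from the GL Computing document: add a Deny (ReadAndExecute) ACE for
# the Internet Guest Account on the executables and files the text lists. Dry run unless
# -Apply is given; run from an elevated prompt.
param(
    [string]$Account = "IUSR_$env:COMPUTERNAME",   # Windows 2000 naming; "IUSR" on IIS 7+
    [switch]$Apply
)

# Files from the appendix list plus the ones named in Chapter 5; command.com and
# regedit.exe may live in %SystemRoot% rather than system32, so both are tried.
$tools = @("arp.exe","ipconfig.exe","netstat.exe","at.exe","net.exe","ping.exe","cacls.exe",
           "nslookup.exe","rdisk.exe","cmd.exe","posix.exe","regedt32.exe","debug.exe","rcp.exe",
           "route.exe","edit.com","regedit.exe","runonce.exe","edlin.exe","rexec.exe","syskey.exe",
           "finger.exe","rsh.exe","tracert.exe","ftp.exe","telnet.exe","command.com","xcopy.exe",
           "nbtstat.exe","tftp.exe")
$searchFor = @("httpodbc.dll", "default.ida")   # may exist in several places: search for them

function Get-TargetFiles {
    # All existing copies of the listed files.
    $paths = @()
    foreach ($t in $tools) {
        $paths += Join-Path (Join-Path $env:SystemRoot "system32") $t
        $paths += Join-Path $env:SystemRoot $t
    }
    foreach ($name in $searchFor) {
        $paths += @(Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -Recurse -Force `
                        -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
    }
    $paths | Where-Object { Test-Path -Path $_ -PathType Leaf } | Sort-Object -Unique
}

function Test-DenyRule {
    # True if the file's ACL already carries a Deny ACE for $Account that covers ReadAndExecute.
    param([string]$Path, [string]$Account)
    $want = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq "Deny" -and
            $ace.IdentityReference.Value -like "*\$Account" -and
            (($ace.FileSystemRights -band $want) -eq $want)) { return $true }
    }
    return $false
}

function Add-DenyRule {
    # Deny ACEs are evaluated before Allow ACEs, so this overrides any Allow the account inherits.
    param([string]$Path, [string]$Account)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "ReadAndExecute", "Deny")
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($file in Get-TargetFiles) {
    if (Test-DenyRule -Path $file -Account $Account) { "already denied: $file"; continue }
    if ($Apply) { Add-DenyRule -Path $file -Account $Account; "denied $Account on $file" }
    else        { "would deny $Account on $file" }
}
```

If the web site has been switched to Integrated Windows authentication as described in Chapter 5, IIS no longer runs requests as IUSR, and the same Deny should be applied for whatever accounts the web users log on with instead.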
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks However we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server
It is also important to note that security can never be guaranteed on the internet and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients
Chapter
5
O
GL Computing Page 21 682004
To modify the IIS settings in Windows 2000 we can use the Computer Management snapin at either
Start | Programs | Administrative Tools | Computer Management
Or selecting Manage from the Right-click menu on My Computer
This will bring up the Computer Management Console
It is important that you become familiar with this interface and itrsquos operation
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager
GL Computing Page 22 682004
If you are setting up on a server that is already installed you might find services or virtual folders already there that are already being used
Removing them would not be a good idea if your client is using them for another purpose If you do not have access to the system administrator or they are not sure select ldquoStoprdquo to simply stop the service from accepting requests and check with the administrator
This should be done on the Administration sites FTP and SMTP services unless you are sure they are being used on the server
In the Default Web Site (could be re-named) you should delete the virtual folders IIS Help IIS Admin samples MSADC (MS Active Directory Connector) vti (FrontPage) They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server If no other application is being run on the IIS server at the time you can remove any of the virtual folders in the web site The idea being that we remove anything not specifically required for our implementation this helps reduce the available ldquosurface areardquo for an attacker It is advisable to check with the system administrator Once you know you can remove them Right-click on the item and select delete
Next open the Default Web Site properties (by Right-Click then properties) which should look something like
GL Computing Page 23 682004
On the Documents Tab remove all the items there and add webgif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually CInetpubwwwroot folder)
This means that any potential hacker just looking for a site will see something small but giving nothing away as to the content of the site
If the site is being used for another site you may need to leave another default document that is used by they site
You may want to point the Printers virtual folder at this gif file also because it sometimes re-appears and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future
Note You will need to re-add Defaulthtm to the actweb virtual folder after you have installed ACT For Web
To do this right-click on the Actweb virtual folder select the Documents tab and Add ldquoDefaulthtmrdquo
GL Computing Page 24 682004
Next on the Home Directory tab click on the Configuration button Remove all the Mappings except for ASA and ASP (which are required for ACT for Web to operate) It will then look something like
This is to prevent any holes in other applications being used to infiltrate your site
Next remove (or rename if you are not sure if they may be needed later) the folders that you have removed the virtual folders for earlier
GL Computing Page 25 682004
Remove Internet Guest Account (IUSR_machine_name) access from cmdexe commandcom tftpexe httpodbcdll and defaultida ndash by adding in Security properties and selecting Deny (only for IUSR) You may need to do a search of the hard disk to get all the versions of these files
This is to prevent a user being able to point to those files and execute them which has been a common hacking exploit
GL Computing Page 26 682004
If you want increased security you can remove Anonymous access and use Integrated Windows Authentication. The browser then has to present a valid Windows (local or domain) login before it ever reaches the ACT login, so an attacker on the internet cannot get to the ACT login page, or the ASP code behind it, without a Windows account first. Two caveats: Integrated authentication needs a browser that speaks NTLM or Kerberos and does not pass through every HTTP proxy, so test it from a client outside the LAN before relying on it; and if you set the account lockout policy from the Appendix, anyone on the internet can lock out a named user by guessing its password five times, because the lockout counts failed Windows logins made through the web site too.

Note: different versions of Windows may differ slightly.

1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand Services and Applications, then Internet Information Services, and select Default Web Site so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is ticked. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Leave Basic authentication unticked unless the site is SSL-only: Basic sends the Windows password across the internet in clear text (base64 is an encoding, not encryption). Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on both dialogs. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.

IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS for this virtual directory with this configuration. You will need to make sure that each user account that logs in has the proper permissions set in DCOMCNFG and in the Security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites). Grant these to a group (for example a local "ACT Web Users" group) rather than to individual accounts, so the ACLs do not have to be edited every time a user is added or leaves.

For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
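As an added example (not code from the GL Computing document or from ACT), here are steps 5 and 6 above performed against the IIS metabase from PowerShell, followed by a read-back check and a listing of who currently holds Allow entries on the folders named in the IMPORTANT NOTE. It assumes Windows Server 2003 / IIS 6 with PowerShell 2.0 (Windows 2000 / IIS 5 has no PowerShell; adsutil.vbs can set the same AuthFlags property there), that the site is the Default Web Site (metabase ID 1) with a virtual directory named ActWeb, and that the database lives in C:\ACT\Database, which is an invented placeholder path; change any of these to match your server.

```powershell
# Added example (not from the GL Computing document or from ACT): steps 5-6
# of the procedure above done through the IIS metabase, then verified.
# Assumptions: Windows Server 2003 / IIS 6 with PowerShell 2.0; Default Web
# Site = metabase ID 1; virtual directory named ActWeb; C:\ACT\Database is a
# placeholder for wherever your ACT database folder really is. Run elevated.

$vdirPath = "IIS://localhost/W3SVC/1/Root/ActWeb"

# AuthFlags bit values (IIS metabase reference). Each bit is one check box
# in the Authentication Methods dialog.
$AUTH_ANONYMOUS = 1    # Anonymous access
$AUTH_BASIC     = 2    # Basic authentication (password sent in clear text)
$AUTH_NTLM      = 4    # Integrated Windows authentication
$AUTH_MD5       = 16   # Digest authentication for Windows domain servers

function Get-AuthFlags([string]$path) {
    $obj = [ADSI]$path
    return [int]$obj.Get("AuthFlags")
}

function Describe-AuthFlags([int]$flags) {
    $names = @()
    if ($flags -band $AUTH_ANONYMOUS) { $names += "Anonymous" }
    if ($flags -band $AUTH_BASIC)     { $names += "Basic" }
    if ($flags -band $AUTH_NTLM)      { $names += "Integrated" }
    if ($flags -band $AUTH_MD5)       { $names += "Digest" }
    if ($names.Count -eq 0) { return "(none)" }
    return ($names -join ", ")
}

$before = Get-AuthFlags $vdirPath
Write-Host ("Before: AuthFlags={0} [{1}]" -f $before, (Describe-AuthFlags $before))

# Step 5: clear Anonymous, make sure Integrated is on; leave Basic/Digest as found.
$vdir = [ADSI]$vdirPath
$vdir.Put("AuthFlags", (($before -bor $AUTH_NTLM) -band (-bnot $AUTH_ANONYMOUS)))
$vdir.SetInfo()

# Read the value back from the metabase rather than trusting the write.
$after = Get-AuthFlags $vdirPath
Write-Host ("After:  AuthFlags={0} [{1}]" -f $after, (Describe-AuthFlags $after))
if ($after -band $AUTH_ANONYMOUS)   { throw "Anonymous access is still enabled on $vdirPath" }
if (-not ($after -band $AUTH_NTLM)) { throw "Integrated Windows authentication is not enabled on $vdirPath" }
if ($after -band $AUTH_BASIC) {
    Write-Warning "Basic authentication is also on; keep it only if the site is https-only."
}

# IMPORTANT NOTE above: IUSR_ is no longer used here, so the Windows accounts
# that will log in need NTFS rights on the database folder and the ACT for
# Web folder. List the Allow entries on both so a gap is visible before the
# first user tries it (a group such as a local "ACT Web Users" should appear).
$folders = @("C:\websites", "C:\ACT\Database")   # second path is a placeholder
foreach ($f in $folders) {
    if (-not (Test-Path $f)) { Write-Warning "Folder not found: $f"; continue }
    Write-Host "`nAllow entries on ${f}:"
    (Get-Acl -Path $f).Access |
        Where-Object { $_.AccessControlType -eq "Allow" } |
        ForEach-Object { "  {0,-35} {1}" -f $_.IdentityReference, $_.FileSystemRights }
}
```

The script changes only the two bits the procedure talks about and reports the rest, so a site that also had Basic authentication on is flagged rather than silently left that way. Reading AuthFlags back after SetIn fo() matters on IIS: a write to the metabase can succeed and still not be what you expect if the same property is inherited from a parent node.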
Additional security can be achieved by making your web site more difficult to find. Two simple ways to do this are described below, but be clear about what they buy you: they are obscurity, not protection. A port scan will still find a web server on a non-standard port, and a robots file does not stop anyone who already knows the address. Neither replaces the lockdown steps above; SSL is the one item here that protects the data itself.

1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the flow across the internet; the URL then uses https instead of http. SSL needs a server certificate, which you install from the Directory Security tab of the web site (Server Certificate). With Basic authentication it is the only thing stopping the Windows password crossing the internet in clear text, and with any authentication it protects the session and the ACT data after login.

2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or another search engine for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites they may already have been set up to interact with the spiders that crawl them.

Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent a directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors or search engines. These methods are honoured by the popular search engines but are purely voluntary, and a robots.txt that lists /actweb tells anyone who reads it exactly where the application is. For a site that should not be public at all, the IP restrictions (Chapter 4) and the Windows authentication described above are the real controls.

http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid

Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.

Rename the Administrator account, or disable it after creating another named account with administrator access. Either way, give the built-in account a long random password: its RID (500) never changes, so a renamed Administrator is still findable by an attacker who can enumerate accounts (one reason to set the anonymous-connection restriction below), and renaming mainly defeats automated guessing against the default name. The "Everyone" group cannot be renamed: it is a built-in identity (SID S-1-1-0), not an ordinary group. What you can do, and what the permission changes later in this Appendix aim at, is to stop relying on it: wherever Everyone appears in a file or share ACL, replace it with Authenticated Users or a specific group.

Do not use the server to browse the internet, and do not browse the internet from any machine using an account that is a member of the Administrators group. A browser exploit runs with the rights of the logged-on user, so from an administrator's session it has complete access to install software and reconfigure the system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes; each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.

Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert

Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: MBSA is a scanner. It reports missing updates and weak settings, including several of the items listed below, but it does not change them, so use its report as a checklist, apply the changes yourself, and re-run it after the lockdown to confirm what was fixed.

Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000. Note that Windows 2000 already runs with syskey enabled and the key stored on the machine, which is why the option is greyed out; the Update button offers instead to derive the key from a start-up password or to keep it on a floppy. Either of those means the server can no longer reboot unattended, so do not choose them on a server that must come back up by itself after a power failure or a patch reboot.
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes - BACKUP THE REGISTRY FIRST (a reg.exe export of each key, or a System State backup, so that each change can be reversed). The entries below are values under the named keys, not subkeys, so you delete them in the right-hand pane of regedit.

o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or site owner
  Change the LegalNoticeText value to "Unauthorized Use"
  (These are the same two values that the Security Options "Message title/text" entries below write. A banner has no technical effect; it is there to remove any "I didn't know" defence from an intruder.)

o HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
  Delete the Os2, Posix and Optional values. This removes the OS/2 and POSIX subsystems, which nothing on a web server needs; posix.exe, which the file-permission list later in this Appendix also locks down, belongs to them.

o HKLM\Software\Microsoft\Rpc\ClientProtocols
  Delete the ncacn_ip_tcp and ncadg_ip_udp values. This stops programs on this server from acting as RPC clients over TCP and UDP. It does not by itself close the RPC server side (port 135 and the dynamic ports; block those at the firewall), and it can break anything on the box that is itself an RPC client, including remote administration tools and, on a domain member, domain operations. Test it on a stand-alone server before applying it elsewhere.
Some more suggested Control Panel changes:

o Control Panel | System | Advanced | Startup and Recovery
  Set the display list to 10 seconds
  Tick "Automatically reboot"
  Set Write Debugging Information to "none"
  (A crash dump holds whatever was in memory, passwords included, so not writing one removes something to steal; the cost is that you have less to work with if the server does crash.)
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history: 8 passwords remembered
  Minimum password length: 8 characters
  Maximum password age: 30 days

o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration: 10 minutes
  Account lockout threshold: 5 invalid logon attempts
  Reset account lockout counter after: 10 minutes
  (If the site uses Integrated Windows authentication, remember that these rules are enforced on the web logins too: five bad guesses from anyone on the internet lock the account for ten minutes, which is a denial of service an attacker can repeat for as long as they like. The short duration limits the damage; do not raise it on an internet-facing server.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events: Success, Failure
  Audit account management: Success, Failure
  Audit directory service access: Success, Failure (only meaningful on a domain controller)
  Audit logon events: Success, Failure
  Audit policy change: Success, Failure
  Audit privilege use: Success, Failure
  Audit process tracking: Success, Failure
  Audit system events: Success, Failure
  (Auditing only helps if the log survives and is read. Process tracking and privilege use on Success are the noisy ones, so raise the Security log size in Event Viewer | Security | Properties to tens of megabytes and set it to overwrite as needed: a full log that is set to "do not overwrite" simply stops recording, which is exactly when you need it. Review the log daily, as the note at the end of this Appendix says.)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow system to be shut down without having to log on: Disabled
  Audit use of Backup and Restore privilege: Enabled
  Clear virtual memory pagefile when system shuts down: Enabled
  Disable CTRL+ALT+DEL requirement for logon: Disabled
  Do not display last user name in logon screen: Enabled
  Message text for users attempting to log on: "Unauthorized use prohibited"
  Message title for users attempting to log on: company or site owner's name
  Prevent users from installing printer drivers: Enabled
  Recovery Console: Allow automatic administrative logon: Disabled
  Restrict CD-ROM access to locally logged-on user only: Enabled
  Restrict floppy access to locally logged-on user only: Enabled
  Unsigned driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
  Unsigned non-driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
  Additional restrictions for anonymous connections: No access without explicit anonymous permissions
  (This last setting is RestrictAnonymous=2. It stops anonymous "null session" enumeration of user names and shares, which is how an attacker finds a renamed Administrator account. It is right for a stand-alone web server, but on a domain member it can break trust relationships, the Computer Browser service and some older clients, so confirm with the domain administrator before setting it on a hybrid LAN server.)
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)". On the internet-facing connection this removes File and Printer Sharing and the Client for Microsoft Networks, so the server neither offers nor looks for SMB shares on that interface. On a hybrid LAN server keep them on the LAN connection only.

o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
  (This closes UDP 137/138 and TCP 139 on that interface. Windows 2000 still listens on TCP 445 for SMB without NetBIOS, so that port must be blocked separately.)

o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places protects you against breaches of the firewall. For a dedicated ACT for Web server the permitted TCP list is just the web port (80, or the port chosen in Chapter 5) and 443 if SSL is used, plus whatever the administrator uses to manage the box. TCP/IP filtering is inbound only, the Enable box applies to all adapters while the port lists are per adapter, and it has no logging, so keep the firewall as the primary control.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab: User cannot change password
  Guest account | General tab: Password never expires
  Guest account | General tab: Account is disabled
  Guest account | Dial-in tab: Remote Access Permission: Deny access
  (Guest is disabled by default on Windows 2000 Server; the point is to check that nobody has enabled it, since an enabled Guest account with a blank password makes the anonymous-connection restriction above pointless.)
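The registry changes and the Local Security Policy items above are a long list of clicks that has to be repeated on every server. As an added example (not code from the GL Computing document), here they are as a script: the registry keys are exported first, as the text insists, the values are deleted by name (they are values, not subkeys), and the account, audit and security-option settings go in as a secedit template so that the same file can be re-applied after a rebuild. It assumes Windows 2000 SP4 or Windows Server 2003 with PowerShell 2.0 installed, a stand-alone or member server (not a domain controller), and placeholder values for the backup folder and banner text. The three logon-screen options and the two unsigned-installation options are left to the GUI because their registry locations differ between Windows 2000 and 2003.

```powershell
# Added example (not from the GL Computing document): the Appendix registry
# and Local Security Policy changes applied by script, with backups first.
# Assumptions: Windows 2000 SP4 or Server 2003 with PowerShell 2.0; not a
# domain controller; C:\lockdown-backup and the banner text are placeholders.
# Logon-screen and unsigned-driver options are left to the GUI (see text).
# Run elevated; read lockdown.log before trusting the result.

$backupDir = "C:\lockdown-backup"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmm"

# 1. Export every key that is about to be touched; stop if any export fails.
$keys = @(
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems",
    "HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols"
)
for ($i = 0; $i -lt $keys.Count; $i++) {
    $out = Join-Path $backupDir ("key{0}-{1}.reg" -f $i, $stamp)
    & reg.exe export $keys[$i] $out | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $($keys[$i]) failed; nothing has been changed" }
}

# 2. Logon banner (the Security Options "Message title/text" items write
#    the same two values, so this covers both).
$winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $winlogon -Name LegalNoticeCaption -Value "Example Pty Ltd"            # placeholder
Set-ItemProperty -Path $winlogon -Name LegalNoticeText    -Value "Unauthorized use prohibited"

# 3. Os2/Posix/Optional and the two RPC client protocols are VALUES under
#    their keys. Comment out the RPC line on a domain member (see text).
$valuesToDelete = @{
    "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" = @("Os2", "Posix", "Optional")
    "HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols"                       = @("ncacn_ip_tcp", "ncadg_ip_udp")
}
foreach ($path in $valuesToDelete.Keys) {
    foreach ($name in $valuesToDelete[$path]) {
        if (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $path -Name $name
            Write-Host "removed $path\$name"
        } else {
            Write-Host "already absent: $path\$name"
        }
    }
}

# 4. Account, audit and security-option settings as a secedit template.
#    Audit value 3 = Success and Failure. Registry types: 4 = DWORD, 3 = binary, 1 = string.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 8
MinimumPasswordLength = 8
MaximumPasswordAge = 30
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 3
AuditSystemEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
'@
$inf = Join-Path $backupDir "lockdown.inf"
$log = Join-Path $backupDir "lockdown.log"
$template | Set-Content -Path $inf -Encoding Unicode
& secedit.exe /configure /db (Join-Path $backupDir "lockdown.sdb") /cfg $inf /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit returned $LASTEXITCODE; read $log before going further" }

# 5. Guest account: disabled, cannot change password, password never expires.
& net.exe user Guest /active:no /passwordchg:no | Out-Null
$guest = Get-WmiObject Win32_UserAccount -Filter "Name='Guest' and Domain='$env:COMPUTERNAME'"
$guest.PasswordExpires = $false
$guest.Put() | Out-Null

# 6. Read back instead of trusting the tools: the two settings that matter
#    most on an internet-facing box, straight from the registry and net.exe.
$ra = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").RestrictAnonymous
Write-Host "RestrictAnonymous = $ra (expected 2)"
& net.exe accounts | Select-String "Lockout threshold|Minimum password length|Maximum password age"
```

Keep lockdown.inf with the server's build notes: secedit /analyze with the same template later tells you which of these settings have drifted since the lockdown, which is the check the "daily procedures" note at the end of this Appendix is asking for.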
Services

o Configure the following Windows Services to start automatically:
  DNS Client
  Event Log
  Logical Disk Manager
  IPSec Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service (needed if you scan the server with MBSA from another machine or manage it with remote tools; if you only ever administer it at the console, set it to Manual instead, since it is a remote entry point in its own right)
  RunAs
  Security Accounts Manager
  Task Scheduler

o Configure the following Windows Services to start manually:
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service (the IIS .ida/.idq mappings are its web interface; remove them as described in Chapter 5 regardless of what this service is set to)
  Internet Connection Sharing
  Net Logon (must stay Automatic on a domain member)
  NetMeeting Remote Desktop Sharing
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions

o Disable the following Windows Services if they are not being used:
  Intersite Messaging
  Kerberos Key Distribution Center
  (these two only exist on a domain controller, which a web server should not be)
  Routing and Remote Access
  Terminal Services (if you rely on it for remote administration, leave it running but restrict TCP 3389 to the administrators' addresses at the firewall)
  Print Spooler
  Simple Mail Transport Protocol (SMTP)
  DHCP Client (a server should have a static address; note that this service also performs dynamic DNS registration)
  Messenger
  Telephony
  Telnet
  Windows Time (leave it running on a domain member: Kerberos logons fail if the clock drifts more than five minutes from the domain controller)

Changing a startup type does not stop a service that is already running: stop it as well, or reboot, and then check in the Services console (or with "net start" at a command prompt) that nothing unexpected is still listed.
Other General Changes

o For the Everyone group (or the group you have put in its place):
  C:\Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C:\WINNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
  (Test the web site after each permission change. IIS runs ASP under the IWAM_ and IUSR_ accounts, and taking rights away from Everyone on a system folder can remove rights those accounts were relying on; if a page stops working, the Security event log shows which file was refused.)

o Remove all rights for the Everyone group (or its replacement) and the IUSR_ account from the following C:\WINNT\system32 files, in addition to the ones mentioned in Chapter 5 (cmd.exe, command.com, tftp.exe, httpodbc.dll):
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
  Add net1.exe, which net.exe hands its work to, and note that regedit.exe lives in C:\WINNT rather than system32. Search the whole of C:\WINNT for each name: Windows File Protection keeps a second copy of most of these in system32\dllcache, and a traversal attack can reach that copy just as easily. An explicit Deny entry for IUSR_ is safer than simply removing Allow entries, because a Deny survives permissions being re-inherited from the parent folder.
o Display Properties
  Set the screen saver to "Logon Screen Saver"
  Set the wait to 5 minutes
  Tick "Password protected"

o Check the anti-virus program
  Enable the "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the "audible alert" option
  Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, defaults to "ask me what to do", which on an unattended server means nothing happens)
  Enable scanning of master boot records
  Enable scanning of boot records
  Scan all inbound file types

o Vulnerability scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no known vulnerability exists. A web search for "vulnerability scanner" will yield numerous companies to select from. Scan from outside the firewall, so you see what an attacker sees, and repeat the scan after every change to the server or the firewall.

NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Chapter 3: Installing IIS

It is important to note at this time that these procedures are targeted at installing a server dedicated to serving an ACT database to the 'net via ACT for Web. The server could also serve the database locally as a LAN server to ACT clients in a "hybrid" implementation.

This document will assume that you have performed a "clean" install of Windows 2000 Server on your machine but have NOT installed any IIS components. In the Lockdown chapter we will discuss the differences if you are locking down a server that already has IIS installed by someone else, with more components than we will be installing in this section.

It is advisable not to perform these functions while connected to the internet, and only to connect after the securing part has been completed. Unpatched IIS servers are found by automated scanning very soon after they go online, so get the latest service packs and critical updates onto the Windows 2000 operating system from offline media, or from behind a firewall that allows only the update traffic out, before the server is exposed.

Installing IIS is quite simple.

Open the Control Panel (Start | Settings | Control Panel) and go to Add/Remove Programs.
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.

In this area the only necessary options are the Common Files (these are required by IIS) and World Wide Web Server (this service will be hosting ACT for Web).

We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their Knowledge Base, TechNet or MSDN. Note that the documentation installs as a web application (the IISHelp virtual directory), which Chapter 5 then tells you to delete from the Default Web Site; the help files stay on disk and can still be opened locally, they just should not be published by the web server.

None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. In particular leave out the FTP Server, SMTP Service, NNTP Service, FrontPage 2000 Server Extensions and Internet Services Manager (HTML): each is another listening service or another set of scripts on the server that an attacker can probe, which increases the "surface area" available for attack, and each would need its own configuration to make it less vulnerable. We will look at some of these options in the next section.

Click "OK" and IIS will be installed.

Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4: Protect against what?

In this chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.

Types of Attackers

Let's start by categorising the types of attackers you may need to protect your systems from.

Script Kiddie: This is the most common form of attack and the one we most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others. Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from. The worms of the period (Nimda, SQL Slammer and their like) behave the same way, only automatically, so the same defences apply whether or not there is a person behind the attack.

Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to them. It may be a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability. We do not recommend keeping this type of data in an ACT database.

Prestige Site: This is where your site is well enough known that the hacker gains credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they want to teach you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system. Disable their accounts (Windows and ACT) the day they leave, and change any shared passwords they knew.

Internal Attack: This type typically does the most damage, as the attacker may know your security and usually has a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need: a user who can only read their own contacts cannot walk out with the whole database.

Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.

We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks

The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.

A Trojan (named after the Trojan horse) is a piece of software that gets loaded onto your server and makes it available for an attacker to access. The functions it can provide to an attacker vary, including damaging your data, providing access for others to see your data, or using your server to launch attacks on other systems.

There are two main ways to prevent these.

One is to ensure you have good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (formerly Norton) AntiVirus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed. Anti-virus only recognises what its signatures describe, though, which is why the lock-down steps matter as well.

The other is to make sure your firewall prevents the attacker from reaching the Trojan if it is on your system. As they usually listen on specific ports, a firewall that only allows the web port through provides pretty good security against most known attacks. Many Trojans also connect out to an attacker's server rather than waiting to be contacted, so a firewall that restricts outbound connections from the web server as well (it has no reason to open connections to the internet apart from Windows Update and anti-virus updates) catches the ones a purely inbound rule set misses.

Many attacks, like Nimda and SQL Slammer, used holes in IIS and SQL Server that Microsoft had patched months earlier, and yet many administrators (including some of Microsoft's own) had not patched all of the servers they had exposed to the internet. Consequently many millions of dollars in damaged data and system down-time were caused.

You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are made using security holes in Windows for which Microsoft has already issued patches, in the knowledge that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com, and once the server is live to have MBSA (see the Appendix) tell you what is missing.
Unknown Attacks

It may seem unusual to talk about preventing an "unknown attack", but that is exactly what is necessary to provide adequate defence: preventing, as far as possible, attacks that use previously undiscovered exploits.

Essentially this means reducing the "surface area" of attack: reducing the entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run. A bug in a service that is not installed, or that cannot be reached from the internet, cannot be exploited from the internet, whether or not anybody knows about it yet.

Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.

Port Blocking

By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.

There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Each has 65,536 port numbers (0 to 65535) that identify which application on the server a connection or datagram is meant for.

So the simple rule to start with is only to permit through the firewall those ports that you know you need on your server. Everything else is denied by default, in both directions.

The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to keep the server out of casual view; it means the user will need to put the port number in their URL, and it does not hide the server from a port scan.

The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers

The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593. Block them inbound as well. These are the Windows RPC ports (135, and 593 for RPC over HTTP) and the NetBIOS/SMB ports (137-139), which have no business crossing the internet in either direction; Windows 2000 also uses TCP 445 for SMB without NetBIOS, so treat it the same way. Blocking them outbound also stops a compromised server from being used to attack other Windows machines.

IP Blocking

If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs to access the server. In IIS this is the IP Address and Domain Name Restrictions setting on the Directory Security tab of the web site or virtual directory: set the default to Denied Access and add the permitted addresses or networks as exceptions. Do it at the firewall as well where you can; the IIS setting only protects the web site, not the rest of the server.
Chapter 5: Configuring and Securing IIS

Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.

We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.

It is also important to note that security can never be guaranteed on the internet, and so you must be careful as consultants what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console. It is important that you become familiar with this interface and its operation.
Another way to reach the same settings is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are being used.

Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests and check with the administrator.

This should be done for the Administration web site and the FTP and SMTP services unless you are sure they are being used on the server.

In the Default Web Site (which could have been re-named) you should delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC and the _vti_ folders (FrontPage Server Extensions). MSADC is not Active Directory: it is the Remote Data Services part of MDAC, and its msadcs.dll was the target of one of the best-known remote exploits against IIS servers in 1999-2000. All of these folders contain ASP pages, scripts or ISAPI DLLs in which vulnerabilities have been or may be found, and they are almost certainly not used or needed on the server. If no other application is being run on the IIS server you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.

Next, open the Default Web Site properties (right-click, then Properties).
On the Documents tab remove all the items there and add web.gif, or some other small gif that you have placed in the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).

This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site. It also means that none of the sample or help pages that used to be reachable as default documents can be reached by simply requesting the root of the site.

If the server is being used for another site you may need to leave another default document that is used by that site.

You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears (the Print Spooler re-creates it while the "Web-based printing" setting under Computer Configuration | Administrative Templates | Printers in Group Policy is not disabled), and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future. The .printer ISAPI extension behind it (msw3prt.dll) already had a remotely exploitable buffer overflow (Microsoft bulletin MS01-023); removing the .printer script mapping, which the next step does, is what actually closes that door, and disabling the Group Policy setting or the Print Spooler service (see the Appendix) stops the folder coming back.

Note: You will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web. To do this, right-click on the ActWeb virtual folder, select the Documents tab and Add "Default.htm".
Next, on the Home Directory tab click on the Configuration button. Remove all the mappings except for .asa and .asp (which are required for ACT for Web to operate).

This is to prevent holes in the other ISAPI extensions (.ida/.idq for the Indexing Service, .printer, .htr, .htw, .idc, .shtml and the rest) being used to infiltrate your site: a request for any of those extensions is now treated as a plain file request, returning the file if one exists or a 404, instead of being handed to the DLL. Keep .asa as well as .asp, because the .asa mapping is what stops a browser downloading global.asa, which can contain connection strings and passwords. On IIS 6 (Windows Server 2003) there is an extra step: ASP must also be set to Allowed under Web Service Extensions, and everything else there left Prohibited.

Next, remove (or rename, if you are not sure whether they may be needed later) the on-disk folders for the virtual folders that you removed earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account in each file's Security properties and ticking Deny (only for IUSR_). You may need to search the hard disk to get all the copies of these files (Windows File Protection keeps another copy of the system executables in C:\WINNT\system32\dllcache). default.ida is not normally a file on disk; it stands for the .ida request that the Indexing Service mapping used to hand to idq.dll, and removing that mapping in the previous step is what closes it.
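As an added example (not from the GL Computing document), the two steps just described, plus the longer list of system32 tools from the Appendix, done from PowerShell with a verification pass at the end. It assumes Windows Server 2003 / IIS 6 with PowerShell 2.0 (on Windows 2000 / IIS 5 the same steps are adsutil.vbs for the script maps and cacls.exe /D for the Deny entries), that the Default Web Site has metabase ID 1, and that the anonymous account has its default IUSR_<machine> name. Back up the metabase before running it (on IIS 6, iisback.vbs /backup /b prelockdown).

```powershell
# Added example (not from the GL Computing document): the script-mapping and
# IUSR_ Deny steps above, plus the fuller list of system32 tools from the
# Appendix, with a verification pass. Assumptions: Windows Server 2003 /
# IIS 6 with PowerShell 2.0 (on Windows 2000 / IIS 5 use adsutil.vbs and
# cacls.exe /D for the same steps); Default Web Site = metabase ID 1; the
# anonymous account has its default IUSR_<machine> name. Back up the metabase
# first (IIS 6: iisback.vbs /backup /b prelockdown). Run elevated.

$site = [ADSI]"IIS://localhost/W3SVC/1/Root"

# ---- 1. Script mappings: keep .asp and .asa only --------------------------
# Each entry reads "ext,handler-dll,flags[,verbs]". The .ida/.idq, .printer,
# .htr and .htw handlers all had remotely exploitable bugs; ACT for Web needs ASP.
$keepPattern = '^\.(asp|asa),'
$before  = @($site.Get("ScriptMaps"))
$after   = @($before | Where-Object { $_ -match $keepPattern })
$dropped = @($before | Where-Object { $_ -notmatch $keepPattern } | ForEach-Object { $_.Split(',')[0] })
if ($after.Count -ne 2) { throw "Expected exactly the .asp and .asa mappings to remain, found: $($after -join '; ')" }
$site.Put("ScriptMaps", [string[]]$after)
$site.SetInfo()
Write-Host ("Script maps: kept {0}, removed {1}: {2}" -f $after.Count, $dropped.Count, ($dropped -join " "))

# ---- 2. Deny IUSR_ on the tools an attacker would reach through IIS -------
$iusr  = "IUSR_$env:COMPUTERNAME"
$tools = @("cmd.exe","command.com","tftp.exe","ftp.exe","telnet.exe","net.exe",
           "net1.exe","at.exe","cacls.exe","regedit.exe","regedt32.exe","debug.exe",
           "rcp.exe","rsh.exe","rexec.exe","finger.exe","xcopy.exe","nbtstat.exe",
           "netstat.exe","arp.exe","ipconfig.exe","ping.exe","tracert.exe","route.exe",
           "nslookup.exe","runonce.exe","syskey.exe","edlin.exe","edit.com","posix.exe",
           "rdisk.exe","httpodbc.dll")

# "Search the hard disk for all versions": a recursive search of %SystemRoot%
# also picks up the Windows File Protection copies in system32\dllcache.
$files = @(Get-ChildItem -Path $env:SystemRoot -Recurse -Include $tools -ErrorAction SilentlyContinue)

$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($iusr, "FullControl", "Deny")
$applied = 0; $failed = @()
foreach ($f in $files) {
    try {
        $acl = Get-Acl -Path $f.FullName
        $acl.AddAccessRule($deny)                 # explicit Deny ACE; Deny beats any Allow
        Set-Acl -Path $f.FullName -AclObject $acl
        $applied++
    } catch {
        $failed += $f.FullName
    }
}
Write-Host ("Deny for {0} applied to {1} of {2} files" -f $iusr, $applied, $files.Count)
if ($failed.Count -gt 0) { Write-Warning ("Could not change: " + ($failed -join ", ")) }

# ---- 3. Verify by reading the ACLs back ----------------------------------
$missing = @()
foreach ($f in $files) {
    $hasDeny = (Get-Acl -Path $f.FullName).Access | Where-Object {
        $_.AccessControlType -eq "Deny" -and $_.IdentityReference.Value -like "*\$iusr"
    }
    if (-not $hasDeny) { $missing += $f.FullName }
}
if ($missing.Count -gt 0) { Write-Warning ("No Deny entry on: " + ($missing -join ", ")) }
else { Write-Host "Verified: $iusr is denied on all $($files.Count) files" }
```

Because the Deny entries are explicit ACEs on each file, they survive a later "reset permissions on all child objects" from the parent folder, and the Security tab or cacls shows them at a glance. Run the script again after a service pack: Windows File Protection may have replaced some of the files, and a replaced file may carry only the permissions inherited from its folder.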
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
Then click Add/Remove Windows Components.
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS). We should take this further by clicking on the "Details" button.
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web).
We will also install the Internet Information Services Snap-In, as this makes administering IIS considerably easier, and the Documentation, as having the Help system handy can be a good option. If you don't want the documentation you can always access the Microsoft web site and search their knowledge base, TechNet or MSDN.
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task. Other options increase the "surface area" available for attack on the server and will need to be configured to make them less vulnerable. We will look at some of these options in the next section.
Click "OK" and IIS will be installed.
Although it is not always required, we strongly recommend a re-boot of the server after installing or removing Windows components.
Chapter 4
Protect against what?
In this Chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Attacker: Description
Script Kiddie: This is the most common form of attack and the one which we will most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others. Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be done by a nasty competitor who wants your data, or someone who thinks you may have Credit Card numbers (or similar data) on your system. If you are planning to keep Credit Cards etc. in your database you will need to be very careful about your security and liability. We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as they may know your security and usually have a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker can vary – including damaging your data, providing access for others to see your data, or using itself to launch attacks on other systems.
There are two main ways to prevent these:
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it's on your system. As they are usually called from specific ports, this provides pretty good security against most known attacks.
Many attacks like Nimda, SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier – and yet many administrators (including Microsoft's own) had not patched all their servers that were available from the Internet against these. Consequently many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for, knowing that many administrators do not apply these fixes. It is a good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com.
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence – preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack – that is, reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net – TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is only to permit those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden, but it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593.
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database – either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in at either:
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests and check with the administrator.
This should be done on the Administration sites, FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (could be re-named) you should delete the virtual folders IIS Help, IIS Admin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next open the Default Web Site properties (by right-click then Properties), which should look something like:
On the Documents tab remove all the items there and add web.gif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small but giving nothing away as to the content of the site.
If the site is being used for another site you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web.
To do this, right-click on the ActWeb virtual folder, select the Documents tab and Add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for ASA and ASP (which are required for ACT for Web to operate). It will then look something like:
This is to prevent any holes in other applications being used to infiltrate your site.
Next remove (or rename, if you are not sure whether they may be needed later) the folders that you removed the virtual folders for earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida – by adding the account in the Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication. This enables you to use the additional Windows and domain logins prior to the ACT Login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes are dependent on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
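A way to check the lockdown steps of this chapter from a workstation once they are done, added here as an example (it is not from the GL Computing document or from ACT for Web): the script requests each path the chapter removes or protects and reports whether the server answers as a locked-down IIS 5 should. The host name, port and the folder names used for the samples virtual folder are assumptions; adjust them to the site being checked.

```python
"""Post-lockdown check for an IIS 5 site configured as described in this chapter.

Added example, not part of the GL Computing document or of ACT for Web.
HOST/PORT and the exact folder names are assumptions; adjust them to the site
being checked. Run it from a workstation, not from the server itself.
"""
import http.client
import sys

HOST = "act.example.com"   # assumed host name of the ACT for Web server
PORT = 80                   # change if the Web Site was moved to another TCP port

# Each entry: (path, what a locked-down server should answer).
#   "landing"       -> the root serves only the small gif set as default document
#   "gone"          -> the virtual folder / script mapping was removed (plain 404)
#   "harmless"      -> either gone, or pointed at the gif as the chapter suggests
#   "auth_required" -> Anonymous access is off, so IIS issues an NTLM/Negotiate challenge
CHECKS = [
    ("/", "landing"),
    ("/IISHelp/", "gone"),
    ("/IISAdmin/", "gone"),
    ("/IISSamples/", "gone"),      # folder name behind the "samples" virtual folder is assumed
    ("/MSADC/", "gone"),
    ("/Printers/", "harmless"),
    ("/default.ida", "gone"),      # .ida mapping removed: must be a plain 404, not an ISAPI reply
    ("/test.printer", "gone"),     # .printer mapping removed, likewise
    ("/actweb/", "auth_required"),
]


def classify(expect, status, headers):
    """Judge one response. Returns (ok, note); headers has lower-case keys."""
    ctype = headers.get("content-type", "")
    challenge = headers.get("www-authenticate", "")
    if expect == "gone":
        # 403 usually means the physical folder is still there (listing denied);
        # the chapter says to remove or rename the folders as well.
        return status == 404, f"expected 404, got {status}"
    if expect == "harmless":
        ok = status == 404 or (status == 200 and ctype.startswith("image/"))
        return ok, f"expected 404 or an image/* document, got {status} {ctype!r}"
    if expect == "auth_required":
        ok = status == 401 and ("NTLM" in challenge or "Negotiate" in challenge)
        return ok, f"expected 401 with NTLM/Negotiate challenge, got {status} {challenge!r}"
    if expect == "landing":
        ok = status == 200 and ctype.startswith("image/")
        return ok, f"expected 200 with an image/* default document, got {status} {ctype!r}"
    raise ValueError(f"unknown expectation {expect!r}")


def probe(host, port, path, timeout=10):
    """GET one path and return (status, headers) with repeated headers joined."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "lockdown-check"})
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():   # IIS sends two WWW-Authenticate headers
            name = name.lower()
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, headers
    finally:
        conn.close()


def run_checks(host=HOST, port=PORT, checks=CHECKS):
    """Probe every path; returns a list of (path, ok, note)."""
    results = []
    for path, expect in checks:
        try:
            status, headers = probe(host, port, path)
        except OSError as exc:          # connection refused, timeout, ...
            results.append((path, False, f"no response: {exc}"))
            continue
        ok, note = classify(expect, status, headers)
        results.append((path, ok, note))
    return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    failures = 0
    for path, ok, note in run_checks(host, port):
        print(f"{'OK  ' if ok else 'FAIL'} {path:<16} {note}")
        failures += not ok
    sys.exit(1 if failures else 0)
```

A 403 on a path expected to be gone means the virtual folder was deleted but the physical folder still exists; a 200 with text/html on the root means a default document other than the gif is still listed.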
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by adding encryption to the flow across the internet. This will use an https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites, they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server – as before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also do not browse the internet from an account that is a member of the Admin group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert.
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: This product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes – BACK UP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes
o Control Panel | System | Advanced | Startup and Recovery
Set display list to 10 seconds
Check "Automatic Reboot"
Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
Audit account logon events to Success, Failure
Audit account management to Success, Failure
Audit directory service access to Success, Failure
Audit logon events to Success, Failure
Audit policy change to Success, Failure
Audit privilege use to Success, Failure
Audit process tracking to Success, Failure
Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
Allow System to Be Shut Down Without Having to Log On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirement for Logon to Disabled
Do Not Display Last User Name in Logon Screen to Enabled
Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
Message Title for Users Attempting to Log On to company or site owner's name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console: Allow Automatic Administrative Logon to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On User to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE: May prevent software installs)
Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: May prevent software installs)
Additional restrictions for anonymous connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General
Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP and IP ports as needed – although it is often better to do this from an external firewall, doing it through both assists in protecting you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
Guest account | General tab | Cannot change password
Guest account | General tab | Password never expires
Guest account | General tab | Account disabled
Guest account | Dial-in tab | Remote Access Permission | Deny access
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
NetMeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
Other General Changes
o For the Everyone Group (that may have been renamed):
C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
C: drive, WinNT folder rights: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
(And any others not needed)
o Display Properties
Set screen saver to "Logon Screen Saver"
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable "start program on Windows startup" option
Turn on all activity logs (detection, quarantine etc.)
Disable "audible alert" option
Check that "how to respond when a virus is found" is set for an automatic solution (Norton, for example, uses a default of "ask me what to do")
Enable scan of "master boot records"
Enable scan of "boot records"
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
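The daily log review the note calls for can be scripted. The following is an added example, not GL Computing's own code: it reads an IIS 5 W3C extended log (a constructed excerpt is embedded) and lists requests aimed at the files this document denies to IUSR and the virtual folders it deletes, grouped by client address to support the IP blocking discussed in Chapter 4. The FrontPage folder prefix "/_vti_" is an assumption.

```python
"""Daily review of an IIS 5 W3C extended log for requests aimed at the files the
lockdown denies to IUSR and the virtual folders it deletes.

Added example, not from the GL Computing document. The log excerpt is
constructed for illustration (addresses from the documentation ranges); the watch
list mirrors the names in the document plus an assumed FrontPage prefix "/_vti_".
"""
from collections import Counter
from urllib.parse import unquote
import sys

# Files the document removes IUSR access from, and virtual folders it deletes.
WATCHED_FILES = {"cmd.exe", "command.com", "tftp.exe", "httpodbc.dll", "default.ida"}
WATCHED_FOLDERS = ("/iishelp", "/iisadmin", "/iissamples", "/msadc", "/_vti_")

# Constructed sample in IIS 5's W3C extended format: "#" lines are directives,
# "#Fields:" names the columns, values are space separated, "-" means empty.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-06 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-08-06 08:01:10 203.0.113.7 - 192.0.2.10 80 GET /actweb/default.htm - 200 Mozilla/4.0
2004-08-06 08:01:12 203.0.113.7 - 192.0.2.10 80 GET /actweb/login.asp - 200 Mozilla/4.0
2004-08-06 08:15:03 198.51.100.23 - 192.0.2.10 80 GET /default.ida - 404 -
2004-08-06 08:15:04 198.51.100.23 - 192.0.2.10 80 GET /scripts/cmd.exe - 403 -
2004-08-06 08:15:05 198.51.100.23 - 192.0.2.10 80 GET /msadc/ - 404 -
2004-08-06 08:15:06 198.51.100.23 - 192.0.2.10 80 GET /scripts/%63md.exe - 403 -
2004-08-06 09:30:44 203.0.113.9 - 192.0.2.10 80 GET / - 200 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_probe(uri_stem):
    """True if the (decoded, lower-cased) path names a watched file or folder."""
    path = unquote(uri_stem).lower()   # decode %xx so /scripts/%63md.exe is seen as cmd.exe
    leaf = path.rsplit("/", 1)[-1]
    return leaf in WATCHED_FILES or any(path.startswith(p) for p in WATCHED_FOLDERS)


def review(text):
    """Return a report dict: every probe, the probes IIS actually served (status
    200, meaning the lockdown has a gap), and probe counts per client address."""
    probes, per_ip = [], Counter()
    for rec in parse_w3c(text):
        if is_probe(rec["cs-uri-stem"]):
            probes.append((f"{rec['date']} {rec['time']}", rec["c-ip"],
                           rec["cs-uri-stem"], rec["sc-status"]))
            per_ip[rec["c-ip"]] += 1
    served = [p for p in probes if p[3] == "200"]
    return {"probes": probes, "served": served, "per_ip": per_ip.most_common()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = review(text)
    for when, ip, path, status in report["probes"]:
        print(f"{when}  {ip:<16} {status}  {path}")
    print(f"\n{len(report['probes'])} probe(s), {len(report['served'])} served with status 200")
    for ip, count in report["per_ip"]:
        print(f"  {ip:<16} {count} probe(s): review for blocking at the firewall or in IIS")
```

Any probe in the "served" list is the finding to act on: a 200 means the file or folder is still reachable and the corresponding lockdown step was missed.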
GL Computing Page 16 682004
The only option that you need to have ticked in this dialog box is Internet Information Services (IIS) We should take this further by clicking on the ldquoDetailsrdquo button
In this area the only necessary options are the Common Files (these are necessary for IIS) and World Wide Web Server (this service will be hosting ACT for Web)
We will also install the Internet Information services Snap-In as this make administering IIS considerably easier and the Documentation as having the Help system handy can be a good option If you donrsquot want the documentation you can always access the Microsoft web site and search their knowledge base TechNet or MSDN
None of the other subcomponents belonging to IIS are necessary and as such should NOT be installed unless you know you will require them for some other task Other options increase the ldquosurface areardquo available for attack on the server and will need to be configured to make them less vulnerable We will look at some of these options in the next section
Click ldquoOKrdquo and IIS will be installed
Although it is not always required we strongly recommend a re-boot of the server after installing or removing Windows components
GL Computing Page 17 682004
Chapter 4
Protect against what
In this Chapter we will attempt to describe what types of attackers are out there and give you some idea of the methods they may use to compromise your systems.
Types of Attackers
Let's start by categorising the types of attackers you may need to protect your systems from.
Script Kiddie: This is the most common form of attack and the one we most need to protect our servers from. These are usually kids looking for easy-to-hack servers so that they can take control of them and use them to attack others. Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system, which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from.
Valuable Data: This is typically done by someone who knows that specific data on your site is of significant value to the attacker. It may be a nasty competitor who wants your data, or someone who thinks you may have credit card numbers (or similar data) on your system. If you are planning to keep credit cards etc. in your database you will need to be very careful about your security and liability. We do not recommend keeping this type of data in an ACT database.
Prestige Site: This is where your site is well enough known that the hacker can get credibility from being able to bypass your security. This is unlikely to be an issue for any ACT for Web installation.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as the attacker may know your security and usually has a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (named after the story of the Trojan horse) is a piece of software that gets loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker vary, including damaging your data, providing access for others to see your data, or using your server to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus running and that you keep it up-to-date. GL Computing currently recommends Symantec (formerly Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from reaching the Trojan if it is on your system. As Trojans usually listen on specific ports, blocking everything except the ports you actually need provides pretty good security against most known attacks.
Many attacks like Nimda and SQL Slammer used flaws in IIS and SQL Server that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all of their servers that were reachable from the Internet. Consequently many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are made using security holes in Windows for which Microsoft has already issued patches, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence: preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "Surface Area" of attack, that is, reducing the entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IP addresses that are allowed to connect to them.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Each of them has 65536 port numbers (0 to 65535), and a port is what connects a client to a specific application listening on the server.
So the simple rule to start with is to permit only those ports that you know you need, and block everything else at the firewall.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to keep the server out of casual scans for web servers, at the cost of users having to put the port number in their URL. Remember that this only hides the server from people who do not look: a port scan will still find it, so treat it as a convenience, not a control.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked at the firewall from the Internet: 135 (RPC endpoint mapper), 137, 138 and 139 (NetBIOS), 445 (SMB over TCP, which Windows 2000 and later also use for file sharing), 593 (RPC over HTTP) and 443 (unless you are using SSL). Blocking 135 to 139 and 445 outbound as well stops a compromised server from being used to attack other machines.
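As an added example (this script is not part of the GL Computing document), here is the check to run before and after the firewall rules go in: list the ports the server is actually listening on and flag any that are not on an explicit allow list. It assumes PowerShell is available on the server and relies on the netstat.exe output format of Windows; the allow list (only port 80, for the web site) and the sample netstat output are constructed for the example.

```powershell
# Added example: flag listening ports that are not on the allow list.
# Assumes PowerShell and Windows netstat.exe; $allowed is an assumption for a
# dedicated ACT for Web server (80 only; add 443 if SSL is used).
$allowed = @{ 'TCP' = @(80); 'UDP' = @() }

function Get-ListeningPorts {
    param([string[]]$NetstatLines)
    # netstat -an lines look like:
    #   TCP    0.0.0.0:135      0.0.0.0:0     LISTENING
    #   UDP    0.0.0.0:137      *:*               (UDP has no state column)
    foreach ($line in $NetstatLines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }
        $proto = $parts[0]
        if ($proto -ne 'TCP' -and $proto -ne 'UDP') { continue }
        if ($proto -eq 'TCP' -and ($parts.Count -lt 4 -or $parts[3] -ne 'LISTENING')) { continue }
        $local = $parts[1]
        $port  = [int]$local.Substring($local.LastIndexOf(':') + 1)
        New-Object PSObject -Property @{ Protocol = $proto; Address = $local; Port = $port }
    }
}

function Find-UnexpectedPorts {
    param([string[]]$NetstatLines, [hashtable]$Allowed)
    Get-ListeningPorts $NetstatLines |
        Where-Object { $Allowed[$_.Protocol] -notcontains $_.Port }
}

# Constructed sample of "netstat -an" from a freshly installed Windows 2000
# server: NetBIOS, RPC and SMB are all listening out of the box.
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State',
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING',
    '  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING',
    '  TCP    192.168.1.10:80        203.0.113.7:51234      ESTABLISHED',
    '  UDP    0.0.0.0:161            *:*',
    '  UDP    192.168.1.10:137       *:*'
)
Find-UnexpectedPorts -NetstatLines $sample -Allowed $allowed |
    Format-Table Protocol, Address, Port -AutoSize

# Against the live server (run as Administrator):
# Find-UnexpectedPorts -NetstatLines (netstat -an) -Allowed $allowed
```

With the sample input the report lists TCP 135, 445 and 139 and UDP 161 and 137; the established connection on port 80 is ignored because it is not a listener. Every port the report shows must either be blocked at the firewall (and in TCP/IP filtering, see the Appendix) or justified by a service you really run.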
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to permit only those IP addresses to access the server (in IIS this is the "IP address and domain name restrictions" setting on the Directory Security tab). We'll show how to do this on the IIS server in the next chapter.
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snapin at either
Start | Programs | Administrative Tools | Computer Management
Or selecting Manage from the Right-click menu on My Computer
This will bring up the Computer Management Console
It is important that you become familiar with this interface and its operation.
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager
If you are setting up on a server that is already in operation you might find services or virtual folders that are already being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests and check with the administrator.
This should be done on the Administration web site and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which could have been re-named) you should delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC (Remote Data Services, part of the Microsoft Data Access Components) and _vti_bin (FrontPage Server Extensions). They all include ASP pages, scripts and ISAPI/COM components in which vulnerabilities have been found before and may be found again, and they are most likely not used or needed on the server. If no other application is being run on the IIS server you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation, which reduces the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next open the Default Web Site properties (right-click on the site, then Properties).
On the Documents tab remove all the items there and add web.gif, or some other small gif that you have placed in the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the web site is also used by another application you may need to leave the default document that application uses.
You may want to point the Printers virtual folder at this gif file also, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web.
To do this right-click on the ActWeb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the Mappings except for .asa and .asp (which are required for ACT for Web to operate), leaving only those two entries in the list.
This is to prevent holes in the other ISAPI extensions (the default mappings include .htr, .ida and .idq, .printer, .htw and the server-side include extensions .shtm, .shtml and .stm, among others) being used to infiltrate your site. A request for an extension that has no mapping is never passed to the DLL at all.
Next remove (or rename, if you are not sure whether they may be needed later) the folders on disk that you removed the virtual folders for earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida, by adding the account in each file's Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the copies of these files (Windows File Protection keeps another copy of cmd.exe in the dllcache folder, for example).
This is to prevent an attacker being able to point the web server at those files and execute them, which has been a common hacking exploit: the directory traversal ("Unicode" and "double decode") bugs in IIS ran cmd.exe with the IUSR account's rights, and Code Red used a request for default.ida to reach the Indexing Service ISAPI extension.
If you want increased security you can remove Anonymous access and use Integrated Windows authentication. This enables you to require a Windows or domain login prior to the ACT login. Note that Integrated Windows authentication only works from Internet Explorer and does not pass through most HTTP proxies, so test it from the users' actual locations before relying on it.
Note different versions of Windows may differ slightly
1 Right-click the My Computer icon and then click Manage from the shortcut menu The Computer Management window appears
2 Expand the Services and Applications option then expand the Internet Information Services option and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location your ActWeb virtual directory location may differ)
3 Right-click the ActWeb virtual directory and then click Properties from the shortcut menu The ActWeb Properties dialog appears
4 Under the Directory Security tab in the Anonymous access and authentication control section click Edit The Authentication Methods dialog appears
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later. Basic authentication sends the password in clear text (only Base64 encoded) and should only ever be enabled on a site that uses SSL.
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
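The Chapter 5 steps above (deleting the sample and administration virtual directories, replacing the default documents, trimming the script mappings to .asp and .asa, and switching ActWeb from Anonymous to Integrated Windows authentication) can also be applied to the IIS metabase from a script, which is useful when the lockdown has to be repeated on several servers or re-checked after a service pack. The following is an added example, not part of the GL Computing procedure or of ACT for Web. It assumes PowerShell on the IIS machine, that it runs as a local administrator, that the site is metabase instance 1 (the Default Web Site), that the ACT virtual directory is called ActWeb and that web.gif already exists in the home directory; the virtual directory names are those created by a default IIS 5 installation.

```powershell
# Added example: script the Chapter 5 IIS lockdown through the metabase (ADSI).
# Assumptions: PowerShell, run as local administrator, W3SVC/1 is the Default
# Web Site, the ACT virtual directory is ActWeb, web.gif is in the home
# directory. Check with the server's administrator before running it.

$root = [ADSI]'IIS://localhost/W3SVC/1/Root'

# 1. Delete the sample and administration virtual directories that nothing on
#    a dedicated ACT server uses (names as created by a default IIS 5 install).
#    Printers tends to be recreated while the Print Spooler runs; the Appendix
#    disables that service.
$unwanted = @('IISHelp', 'IISAdmin', 'IISSamples', 'MSADC', '_vti_bin', 'Printers', 'Scripts')
foreach ($child in @($root.Children)) {
    if ($unwanted -contains $child.Name) {
        $root.Children.Remove($child)
        Write-Host "Removed virtual directory $($child.Name)"
    }
}

# 2. Default document: only the small placeholder image, so a casual request
#    for the site root gives nothing away.
$root.Put('DefaultDoc', 'web.gif')
$root.SetInfo()

# 3. Script mappings: keep only .asp and .asa. Each metabase entry has the form
#    "extension,path to ISAPI dll,flags,verbs"; everything else (.htr, .ida,
#    .idq, .printer, .shtml ...) is dropped so those DLLs are unreachable.
$keep = @('.asp', '.asa')
$maps = @($root.ScriptMaps) | Where-Object { $keep -contains (($_ -split ',')[0].ToLower()) }
$root.Put('ScriptMaps', [string[]]$maps)
$root.SetInfo()

# 4. ActWeb: Integrated Windows authentication only, and Default.htm restored
#    as its default document. AuthFlags bits: 1 Anonymous, 2 Basic,
#    4 Integrated (NTLM), 16 Digest.
$actweb = [ADSI]'IIS://localhost/W3SVC/1/Root/ActWeb'
$actweb.Put('AuthFlags', 4)
$actweb.Put('DefaultDoc', 'Default.htm')
$actweb.SetInfo()

# Check the result: the mappings left on the site and the ActWeb auth setting.
$left = @($root.ScriptMaps) | ForEach-Object { ($_ -split ',')[0] }
Write-Host ('Mappings left: ' + ($left -join ' '))
Write-Host ('ActWeb AuthFlags: ' + "$($actweb.AuthFlags)")
```

Once AuthFlags is 4 the IUSR account is no longer used for ActWeb, so the Windows accounts that will log in need the DCOMCNFG and folder permissions described in the IMPORTANT NOTE above. Running the script a second time is harmless, which is the point: it can be re-run after every service pack to confirm the mappings have not come back.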
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1 Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the traffic across the internet; the URL then starts with https instead of http. SSL needs a server certificate installed on the site, and it protects the data in transit only, not the server itself.
2 Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be it by their partner sites, competitive sites or search engines; robots.txt is a request that well-behaved crawlers honour, not an access control. However these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. (The "Everyone" group is a built-in well-known group and cannot be renamed; instead, remove its rights where they are not needed, as described under Other General Changes below.)
Do not use the server to browse the internet, and do not browse the internet from an account that is a member of the Administrators group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: MBSA only reports missing patches and weak settings, it does not change anything, so the settings below still have to be applied by hand.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. On Windows 2000 the SAM encryption is already enabled and cannot be turned off; the extra protection comes from clicking Update and choosing a startup password or a key stored on floppy, which also means the server will no longer boot unattended. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes. BACKUP THE REGISTRY FIRST.
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the LegalNoticeCaption value to your company name or the site owner
Change the LegalNoticeText value to "Unauthorized Use"
o Delete the Os2 value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Posix value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Optional value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the ncacn_ip_tcp value under HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols
o Delete the ncadg_ip_udp value under HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols
Removing the two RPC client protocols stops the server making RPC calls over TCP/IP to other machines, which can break domain membership, remote administration and other software that relies on RPC, so this is only appropriate on a standalone server dedicated to IIS.
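The same registry changes from PowerShell, with the backup the warning above asks for taken automatically. This is an added example, not from the GL Computing document; it assumes PowerShell and reg.exe are on the server, uses C:\RegBackup as the backup folder and "Example Pty Ltd" as a placeholder caption. Os2, Posix, Optional, ncacn_ip_tcp and ncadg_ip_udp are values under their keys rather than subkeys, which is why Remove-ItemProperty is used.

```powershell
# Added example: the Appendix registry changes, with a .reg export of each key
# taken first. Assumptions: PowerShell, reg.exe, C:\RegBackup, placeholder
# caption "Example Pty Ltd". Run as Administrator.

$backupDir  = 'C:\RegBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$subsystems = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$rpcClient  = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'

# Backup first. reg.exe wants the HKLM\... form, not the PowerShell HKLM: drive.
foreach ($key in $winlogon, $subsystems, $rpcClient) {
    $file = Join-Path $backupDir ((($key -split '\\')[-1]) + '.reg')
    reg.exe export ($key -replace '^HKLM:', 'HKLM') $file
}

# Logon banner, shown before the Ctrl-Alt-Del logon dialog.
Set-ItemProperty -Path $winlogon -Name LegalNoticeCaption -Value 'Example Pty Ltd'
Set-ItemProperty -Path $winlogon -Name LegalNoticeText    -Value 'Unauthorized Use'

# OS/2 and POSIX subsystems: nothing on an ACT server uses them.
foreach ($value in 'Os2', 'Posix', 'Optional') {
    Remove-ItemProperty -Path $subsystems -Name $value -ErrorAction SilentlyContinue
}

# RPC client protocols over TCP and UDP. CAUTION: afterwards this server cannot
# make RPC calls over TCP/IP to other machines (domain membership, remote MMC
# administration and similar can break); intended for a standalone IIS box.
foreach ($value in 'ncacn_ip_tcp', 'ncadg_ip_udp') {
    Remove-ItemProperty -Path $rpcClient -Name $value -ErrorAction SilentlyContinue
}

# Check what is left: Os2/Posix/Optional and the two protocol values should be gone.
Get-ItemProperty -Path $subsystems | Format-List Windows, Os2, Posix, Optional
Get-ItemProperty -Path $rpcClient  | Format-List ncacn_*, ncadg_*
```

To undo any of it, double-click the matching .reg file in C:\RegBackup (or run reg.exe import on it) and reboot.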
Some more suggested Control Panel changes
o Control Panel | System | Advanced | Startup and Recovery
Set the display list to 10 seconds
Check "Automatic Reboot"
Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
Enforce password history: 8 passwords remembered
Minimum password length: 8 characters
Maximum password age: 30 days
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
Account lockout duration: 10 minutes
Account lockout threshold: 5 invalid logon attempts
Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit directory service access: Success, Failure
Audit logon events: Success, Failure
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit process tracking: Success, Failure (this one produces a very large volume of events; make sure the Security log is large enough and is archived, or leave it at No auditing)
Audit system events: Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
Allow System to Be Shut Down Without Having to Log On: Disabled
Audit Use of Backup and Restore Privilege: Enabled
Clear Virtual Memory Pagefile When System Shuts Down: Enabled
Disable CTRL-ALT-DEL Requirement for Logon: Disabled
Do Not Display Last User Name in Logon Screen: Enabled
Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
Message Title for Users Attempting to Log On: company or site owner's name
Prevent Users from Installing Printer Drivers: Enabled
Recovery Console: Allow Automatic Administrative Logon: Disabled
Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
Restrict Floppy Access to Locally Logged-On User Only: Enabled
Unsigned Driver Installation Behavior: Do not allow installation (NOTE: may prevent software installs)
Unsigned Non-Driver Installation Behavior: Do not allow installation (NOTE: may prevent software installs)
Additional Restrictions for Anonymous Connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
Deselect all components except "Internet Protocol (TCP/IP)" on the Internet-facing connection. A hybrid server that also serves LAN users still needs File and Printer Sharing on its LAN connection, so do this per connection, not globally.
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
Guest account, General tab: User cannot change password
Guest account, General tab: Password never expires
Guest account, General tab: Account is disabled
Guest account, Dial-in tab: Remote Access Permission: Deny access
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time (leave this running if the server is a domain member: Kerberos authentication fails if the clock drifts more than five minutes from the domain controller)
Other General Changes
o For the Everyone group
C:\Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
C:\WINNT folder rights: none
Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group and the IUSR account from the following C:\WINNT\system32 files, in addition to the ones mentioned above:
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
(and any others not needed)
Note that Windows File Protection keeps a copy of many of these in C:\WINNT\system32\dllcache and will put a file back if it is deleted, so change the permissions rather than deleting the files.
o Display Properties
Set screen saver to "Logon Screen Saver"
Set screen saver wait to 5 minutes
Check password protect
o Check Anti-Virus program
Enable the "start program on Windows startup" option
Turn on all activity logs (detection, quarantine etc.)
Disable the "audible alert" option
Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do", which on an unattended server means nothing happens)
Enable scan of "master boot records"
Enable scan of "boot records"
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning service to verify your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from. Scan from outside the firewall as well as from the LAN, and repeat the scan after every change to the server.
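The two file-permission steps, from Chapter 5 (deny the Internet Guest Account on cmd.exe and the other files a web exploit would call) and from this appendix (remove the Everyone group and IUSR from the system32 command-line tools), are tedious to do by hand for thirty-odd files and every copy of them on the disk. The following script does both and prints the resulting ACL so it can be verified. It is an added example and not part of the GL Computing document; it assumes PowerShell, that it runs as an administrator, and that the Internet Guest Account is named IUSR_<computer name> as a default IIS install creates it.

```powershell
# Added example: Chapter 5 "Deny IUSR" on the web-exploit targets and the
# Appendix "remove all rights for Everyone and IUSR" on the system32 tools.
# Assumptions: PowerShell, run as Administrator, IUSR_<COMPUTERNAME> exists.

$iusr     = "IUSR_$env:COMPUTERNAME"
$everyone = 'Everyone'

# Chapter 5 list: deny IUSR on every copy found on the disk (dllcache included).
$webTools = @('cmd.exe', 'command.com', 'tftp.exe', 'httpodbc.dll', 'default.ida')
# Appendix list: strip Everyone and IUSR from these in C:\WINNT\system32.
$adminTools = @('arp.exe', 'ipconfig.exe', 'netstat.exe', 'at.exe', 'net.exe', 'ping.exe',
    'cacls.exe', 'nslookup.exe', 'rdisk.exe', 'posix.exe', 'regedt32.exe', 'debug.exe',
    'rcp.exe', 'route.exe', 'edit.com', 'regedit.exe', 'runonce.exe', 'edlin.exe',
    'rexec.exe', 'syskey.exe', 'finger.exe', 'rsh.exe', 'tracert.exe', 'ftp.exe',
    'telnet.exe', 'xcopy.exe', 'nbtstat.exe')

function Deny-Identity {
    # Add an explicit Deny ACE. Deny is evaluated before Allow, so an Allow
    # inherited from the parent folder no longer lets IUSR run the file.
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    foreach ($id in $Identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Deny')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-IdentityAccess {
    # Break inheritance (keeping copies of the inherited ACEs), then remove every
    # ACE that belongs to the given identities. Two passes are needed because
    # inherited ACEs cannot be removed until they have been made explicit.
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path
    foreach ($rule in @($acl.Access)) {
        $name = $rule.IdentityReference.Value.Split('\')[-1]   # "HOST\IUSR_HOST" -> "IUSR_HOST"
        if ($Identities -contains $name) { [void]$acl.RemoveAccessRule($rule) }
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Find-Copies {
    param([string]$FileName, [string]$Root = 'C:\')
    Get-ChildItem -Path $Root -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
}

foreach ($f in $webTools) {
    foreach ($p in Find-Copies $f) { Deny-Identity $p @($iusr) }
}
foreach ($f in $adminTools) {
    $p = Join-Path $env:SystemRoot "system32\$f"
    if (Test-Path $p) { Remove-IdentityAccess $p @($everyone, $iusr) }
}

# Verify: cmd.exe should now show a Deny for IUSR and no Everyone entry.
(Get-Acl (Join-Path $env:SystemRoot 'system32\cmd.exe')).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights | Format-Table -AutoSize
```

If the Everyone group has had its rights on C:\WINNT removed as suggested above, Remove-IdentityAccess simply finds nothing to remove on those files and leaves them unchanged. The disk search for the Chapter 5 list is slow on a large disk but it is what finds the copies in dllcache and service pack folders that a hand search misses.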
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
GL Computing Page 17 682004
Protect against what
N this Chapter we will attempt to describe what types of attackers are out there and give you some ideas of the methods they may use to compromise your systems
Types of Attackers
Letrsquos start by categorising the types of attackers you may need to protect your systems from
Attacker Description
Script Kiddie This is the most common form of attack and the one which we will most need to protect our servers from These are usually kids looking for easy to hack servers so that they can take control of them and use them to attack others
Typically they will use Trojans (which your anti-virus should have detected and removed) or exploit known weaknesses in the server operating system which a combination of the Microsoft critical updates and our own lock-down procedures should keep you relatively secure from
Valuable Data This is typically done by someone who knows that specific data on your site is of significant value to the attacker It may be done by a nasty competitor who wants your data or someone who thinks you may have Credit Card numbers (or similar data) on your system If you are planning to keep Credit Cards etc in your database you will need to be very careful about your security and liability
We do not recommend keeping this type of data in an ACT database
Prestige Site This is where your site is well enough known that the hacker can get credibility from being able to by-pass your security This is unlikely to be an issue for any ACT for Web installation
Chapter
4
I
GL Computing Page 18 682004
Enemy Attack This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson The toughest of these to protect against is an ex-employee that feels they have been wronged and knows the security of your system
Internal
Attack
This type typically does the most damage as they may know your security and usually have a legitimate reason for accessing your system Sometimes the Valuable Data Prestige Site or Enemy Attack types will also use an internal person to make their task easier The defences we are putting up will not assist in stopping this type of attack The only solutions are to ensure you have good backup procedures regularly read and inspect log files and make sure users only have access to the parts of the system that they need access to
Typically the ldquoScript Kiddierdquo will use known security flaws in the operating system and or known Trojans The other attackers will use a combination of these and ldquoun-knownrdquo attacks and are typically more skilled
We will attempt to keep your server secure from both known and un-known attacks
Known Attacks
The first defence is to make sure you are protected against the ldquoknownrdquo attacks The most common form of these is via Trojans
A Trojan (based on the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access The functions it can provide to an attacker can vary ndash including damaging your data providing access for others to see your data or using itself to launch attacks on other systems
There are two main ways to prevent these
One is to ensure you have a good anti-virus running and that you keep it up-to-date GL Computing currently recommends Symantec (used to be Norton) Anti-Virus Corporate Edition for servers This should find and prevent Trojans from being installed andor remove them if already installed
The other is to make sure your firewall prevents the attacker from accessing the
Trojan if itrsquos on your system As they are usually called from specific ports this provides pretty good security against most known attacks
Many attacks like Nimda SQL-Slammer and others used operating system exploits that Microsoft had patched months earlier ndash and yet many administrators (including Microsoftrsquos own) had not patched their all their servers that were available from the Internet from these Consequently many millions of dollars in damaged data and system down-time were caused
You should make sure that all the Service Packs and Critical Updates are applied to your server Most hackercracker attempts (especially those by Script Kiddies) are done using security holes in Windows that Microsoft has already issued patches for knowing that many administrators do not apply these fixes It is a good practise to regularly check for updates
GL Computing Page 19 682004
from the Microsoft site httpwindowsupdatemicrosoftcom
Unknown Attacks
It may seem unusual to talk about preventing an ldquoUnknown Attackrdquo but that is exactly what is necessary to provide adequate defence ndash preventing as much as possible attacks that use previously undiscovered exploits
Essentially this means reducing the ldquoSurface Areardquo of attack ndash that is reducing the available entry points and services that are available for an external source to connect to your server and run tasks that you do not want them to run
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter For now wersquoll discuss reducing the entry points that are available Wersquoll look at the services in the next chapter
Port Blocking
By entry points we usually mean the ports that are open to your server and the IPs that can connect to it
There are two main transport layer protocols used on the lsquonet ndash TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) Both of these can use 64k (65536) channels of communications or ldquoportsrdquo to connect to specific applications on the server machine
So the simple rule to start with is only to permit those ports that you know you need to be allowed through your server
The default port for web servers is port 80 but it can be set to any port the administrator chooses Using a non-standard port is a simple way to help keep the server hidden means the user will need to put the port number in their URL
The most complete list of registered port numbers can be obtained from httpwwwianaorgassignmentsport-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions 135 137 138 139 443 (unless using SSL) 593
IP Blocking
If you know the IP ranges used by the users who will be accessing your server you can set either the firewall or the IIS server to only permit those IPs that belong to your users to access the server Wersquoll show how to do this on the IIS server in the next chapter
GL Computing Page 20 682004
Configuring and Securing IIS
nce again it is necessary to state that these procedures if followed exactly are designed for a server that will be dedicated to serving an ACT database ndash either solely for ACT for Web or in a hybrid with local LAN users
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks However we suggest that you work with the Administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server
It is also important to note that security can never be guaranteed on the internet and so you must be careful as Consultants what contractual agreements you make when doing this type of work for clients
Chapter
5
O
GL Computing Page 21 682004
To modify the IIS settings in Windows 2000 we can use the Computer Management snapin at either
Start | Programs | Administrative Tools | Computer Management
Or selecting Manage from the Right-click menu on My Computer
This will bring up the Computer Management Console
It is important that you become familiar with this interface and itrsquos operation
Another method to access this is by Start | Programs | Administrative Tools | Internet Services Manager
GL Computing Page 22 682004
If you are setting up on a server that is already installed you might find services or virtual folders already there that are already being used
Removing them would not be a good idea if your client is using them for another purpose If you do not have access to the system administrator or they are not sure select ldquoStoprdquo to simply stop the service from accepting requests and check with the administrator
This should be done on the Administration sites FTP and SMTP services unless you are sure they are being used on the server
In the Default Web Site (could be re-named) you should delete the virtual folders IIS Help IIS Admin samples MSADC (MS Active Directory Connector) vti (FrontPage) They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server If no other application is being run on the IIS server at the time you can remove any of the virtual folders in the web site The idea being that we remove anything not specifically required for our implementation this helps reduce the available ldquosurface areardquo for an attacker It is advisable to check with the system administrator Once you know you can remove them Right-click on the item and select delete
Next open the Default Web Site properties (by Right-Click then properties) which should look something like
GL Computing Page 23 682004
On the Documents tab, remove all the items there and add web.gif, or some other small gif that you have loaded into the default folder defined in the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the web site is also being used for another application, you may need to leave in place the default document that application uses.
You may want to point the Printers virtual folder at this gif file as well, because it sometimes re-appears, and the idea is to leave nothing pointing at an application in which vulnerabilities may be discovered in the future.
Note: You will need to re-add Default.htm to the actweb virtual folder after you have installed ACT For Web.
To do this, right-click on the ActWeb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the application mappings except for .asa and .asp (which are required for ACT for Web to operate). Only those two entries will then remain in the Application Mappings list.
This is to prevent holes in the other applications those mappings point to being used to infiltrate your site.
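Checking the mapping list by eye is error-prone on a server you did not build, so here is a small audit helper, added as an example and not part of the GL Computing document or of IIS itself. It reads mapping entries in the "extension,handler,flags,verb,..." form in which IIS stores them in the metabase ScriptMaps property and reports every entry other than the .asa and .asp mappings the step above keeps. The sample list is constructed to resemble a default IIS 5/6 server; the handler paths and flag values are illustrative and will differ on a real server.

```python
"""Audit IIS application (script) mappings against an allow-list.

Added example, not part of the GL Computing document. Entries use the
"ext,handler,flags[,verb,...]" format of the metabase ScriptMaps property.
"""
from dataclasses import dataclass
from typing import Iterable, List

# The only two mappings the lock-down procedure keeps for ACT for Web.
ALLOWED_EXTENSIONS = {".asa", ".asp"}


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str      # path of the ISAPI DLL or script engine
    flags: int
    verbs: tuple      # empty tuple means the mapping applies to all verbs


def parse_script_map(entry: str) -> ScriptMap:
    """Parse one 'ext,handler,flags[,verb,...]' entry."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed script map entry: {entry!r}")
    return ScriptMap(parts[0].lower(), parts[1], int(parts[2]), tuple(parts[3:]))


def find_unexpected_mappings(entries: Iterable[str],
                             allowed=ALLOWED_EXTENSIONS) -> List[ScriptMap]:
    """Return every mapping whose extension is not in the allow-list."""
    return [m for m in (parse_script_map(e) for e in entries)
            if m.extension not in allowed]


# Constructed sample resembling a default IIS 5/6 mapping list.
SAMPLE_SCRIPT_MAPS = [
    ".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE",
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE",
    ".cer,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,5,GET,POST",
    ".ida,C:\\WINNT\\System32\\idq.dll,7",
    ".idq,C:\\WINNT\\System32\\idq.dll,7",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
    ".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,5,GET,POST",
]


def report(entries=SAMPLE_SCRIPT_MAPS) -> List[str]:
    """One line per mapping that should be removed from the site."""
    lines = []
    for m in find_unexpected_mappings(entries):
        verbs = ",".join(m.verbs) if m.verbs else "ALL"
        lines.append(f"REMOVE {m.extension:<9} -> {m.handler} (verbs: {verbs})")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On an IIS 6 server the same entries can be listed with the adsutil.vbs script that ships with IIS (adsutil.vbs GET W3SVC/1/ROOT/ScriptMaps) and pasted into the list above; any extension that is reported should be removed from the Application Mappings dialog as described in the step above.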
Next, remove (or rename, if you are not sure whether they may be needed later) the folders on disk belonging to the virtual folders you removed earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account in each file's Security properties and selecting Deny (only for IUSR). You may need to do a search of the hard disk to get all the versions of these files.
This is to prevent a user being able to point at those files and execute them, which has been a common hacking exploit.
If you want increased security, you can remove Anonymous access and use Windows Integrated Authentication. This enables you to require the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this, please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the traffic across the internet. You will then use the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing web sites, they may already have taken steps to interact with the spiders that crawl them.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors' sites or search engines. However, these methods are generally respected by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
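As an added example (not from the GL Computing document or the sites linked above), the following shows what a robots.txt for the layout described in this chapter would contain and checks it with the robots.txt parser in Python's standard library, which applies the file the same way a well-behaved spider does. The host name and the /actweb path are assumptions for the example; the site root is left crawlable because, after the Documents tab change above, it serves only a small gif. As the document notes, this is a request to well-behaved crawlers and not an access control: anything reachable can still be linked to.

```python
"""Build and verify a robots.txt that keeps the ACT for Web login path out of
search engine indexes.

Added example, not part of the GL Computing document.
"""
from typing import Iterable
from urllib.robotparser import RobotFileParser


def build_robots_txt(private_paths: Iterable[str]) -> str:
    """Disallow the given paths for every crawler.  End folder paths with '/'
    so the rule covers everything below the folder."""
    lines = ["User-agent: *"]
    lines += [f"Disallow: {p}" for p in private_paths]
    return "\n".join(lines) + "\n"


def may_crawl(robots_txt: str, user_agent: str, url: str) -> bool:
    """Apply robots_txt to url exactly as a compliant spider would."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


# Per-page alternative mentioned by the meta-user link above: place this in
# the <head> of any page that must not be indexed or followed.
ROBOTS_META_TAG = '<meta name="robots" content="noindex, nofollow">'

SITE = "http://act.example.com"          # placeholder host name
ROBOTS = build_robots_txt(["/actweb/"])  # assumed ACT for Web virtual folder

if __name__ == "__main__":
    print(ROBOTS)
    print("web.gif crawlable:", may_crawl(ROBOTS, "*", SITE + "/web.gif"))
    print("login crawlable:  ", may_crawl(ROBOTS, "*", SITE + "/actweb/Default.htm"))
```

The generated text is saved as robots.txt in the web site's home directory (C:\Inetpub\wwwroot by default) so that it is served at the site root; passing ["/"] to build_robots_txt instead asks crawlers to leave the whole site alone.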
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Administrators group. Any web attacks would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: This product will automatically set some of the settings below.
Start | Run, type syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACKUP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Change the LegalNoticeCaption value to your company name or the site owner
  Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
  Set the time to display the list of operating systems to 10 seconds
  Check "Automatic Reboot"
  Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
  Enforce password history to 8
  Minimum password length to 8
  Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
  Account lockout duration to 10 minutes
  Account lockout threshold to 5
  Reset account lockout counter after 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
  Audit account logon events to Success, Failure
  Audit account management to Success, Failure
  Audit directory service access to Success, Failure
  Audit logon events to Success, Failure
  Audit policy change to Success, Failure
  Audit privilege use to Success, Failure
  Audit process tracking to Success, Failure
  Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
  Allow System to Be Shut Down Without Having to Log On to Disabled
  Audit Use of Backup and Restore Privilege to Enabled
  Clear Virtual Memory Pagefile When System Shuts Down to Enabled
  Disable CTRL-ALT-DEL Requirement for Logon to Disabled
  Do Not Display Last User Name in Logon Screen to Enabled
  Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
  Message Title for Users Attempting to Log On to the company or site owner's name
  Prevent Users from Installing Printer Drivers to Enabled
  Recovery Console: Allow Automatic Administrative Logon to Disabled
  Restrict CD-ROM Access to Locally Logged-On User Only to Enabled
  Restrict Floppy Access to Locally Logged-On User Only to Enabled
  Unsigned Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
  Additional Restrictions for Anonymous Connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
  Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
  Disable NetBIOS over TCP/IP
  Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
  Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
  Guest account | General tab | Cannot change password
  Guest account | General tab | Password never expires
  Guest account | General tab | Account disabled
  Guest account | Dial-in tab | Remote Access Permission: Deny access
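The Password Policy, Account Lockout Policy and Audit Policy values above can be verified on a server rather than re-checked by clicking through the console. The script below is an added example, not part of the GL Computing document: it reads the INF file that secedit writes when the effective policy is exported and reports every setting that differs from the values recommended above. The key names are the ones secedit uses in its [System Access] and [Event Audit] sections, and secedit encodes each audit category as 0 (none), 1 (success), 2 (failure) or 3 (success and failure). The sample export is constructed to look like a freshly installed server that has not been hardened; the Security Options section, which secedit stores as registry values, is not covered by the sample.

```python
"""Compare an exported Local Security Policy against the recommended values.

Added example, not part of the GL Computing document. On the server, export
the policy first with
    secedit /export /cfg C:\\policy.inf
then pass the file to audit_policy_file().  secedit writes the file as
UTF-16, which the file reader below decodes before parsing.
"""
import configparser
from typing import Dict, List, Tuple

# Values from the document's Password, Account Lockout and Audit Policy lists.
EXPECTED: Dict[str, Dict[str, str]] = {
    "System Access": {
        "PasswordHistorySize": "8",
        "MinimumPasswordLength": "8",
        "MaximumPasswordAge": "30",
        "LockoutDuration": "10",
        "LockoutBadCount": "5",
        "ResetLockoutCount": "10",
    },
    "Event Audit": {          # 3 = Success and Failure
        "AuditAccountLogon": "3",
        "AuditAccountManage": "3",
        "AuditDSAccess": "3",
        "AuditLogonEvents": "3",
        "AuditPolicyChange": "3",
        "AuditPrivilegeUse": "3",
        "AuditProcessTracking": "3",
        "AuditSystemEvents": "3",
    },
}

Finding = Tuple[str, str, str, str]   # (section, key, expected, actual)


def load_policy(inf_text: str) -> configparser.ConfigParser:
    """Parse secedit's INF text (already decoded to str)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep key names case-sensitive
    cp.read_string(inf_text)
    return cp


def audit_policy(inf_text: str, expected=EXPECTED) -> List[Finding]:
    """Return (section, key, expected, actual) for every deviating setting.
    A key absent from the export is reported with actual '<not set>'."""
    cp = load_policy(inf_text)
    findings: List[Finding] = []
    for section, keys in expected.items():
        for key, want in keys.items():
            have = cp.get(section, key, fallback="<not set>").strip()
            if have != want:
                findings.append((section, key, want, have))
    return findings


def audit_policy_file(path: str) -> List[Finding]:
    """Audit a file produced by 'secedit /export /cfg <path>'."""
    with open(path, encoding="utf-16") as fh:
        return audit_policy(fh.read())


# Constructed sample resembling an export from an unhardened server.
SAMPLE_DEFAULT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for section, key, want, have in audit_policy(SAMPLE_DEFAULT_EXPORT):
        print(f"[{section}] {key}: expected {want}, found {have}")
```

An empty result means the three policy groups match the recommendations; LockoutDuration and ResetLockoutCount only appear in the export once a lockout threshold has been set, which is why the unhardened sample reports them as not set.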
Services
o Configure the following Windows Services to start automatically:
  DNS Client
  Event Log
  Logical Disk Manager
  IPSec Policy Agent
  Plug and Play
  Protected Storage
  Remote Registry Service
  RunAs
  Security Accounts Manager
  Task Scheduler
o Configure the following Windows Services to start manually:
  Application Management
  ClipBook
  COM+ Event System
  Logical Disk Manager Administrative Service
  Distributed Link Tracking Server
  Fax Service
  File Replication
  Indexing Service
  Internet Connection Sharing
  Net Logon
  NetMeeting Remote Desktop Sharing
  Network Connections
  Network DDE
  Network DDE DSDM
  NT LM Security Support Provider
  Performance Logs and Alerts
  QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
  Remote Procedure Call (RPC) Locator
  Smart Card
  Smart Card Helper
  Uninterruptible Power Supply
  Utility Manager
  Windows Installer
  Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
  Intersite Messaging
  Kerberos Key Distribution Center
  Routing and Remote Access
  Terminal Services
  Print Spooler
  Simple Mail Transport Protocol (SMTP)
  DHCP Client
  Messenger
  Telephony
  Telnet
  Windows Time
Other General Changes
o For the Everyone group (which may have been renamed):
  C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  C: drive, WinNT folder rights: none
  Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following C:\WINNT\system32 files, in addition to the ones mentioned above:
  arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
  (and any others not needed)
o Display Properties
  Set the screen saver to "Logon Screen Saver"
  Set the screen saver wait time to 5 minutes
  Check "password protected"
o Check the anti-virus program
  Enable the "start program on Windows startup" option
  Turn on all activity logs (detection, quarantine, etc.)
  Disable the "audible alert" option
  Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
  Enable scanning of "master boot records"
  Enable scanning of "boot records"
  Scan all inbound file types
o Vulnerability Scan
  Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Enemy Attack: This is where someone feels so annoyed by you or your organisation that they feel like teaching you a lesson. The toughest of these to protect against is an ex-employee who feels they have been wronged and knows the security of your system.
Internal Attack: This type typically does the most damage, as the attacker may know your security and usually has a legitimate reason for accessing your system. Sometimes the Valuable Data, Prestige Site or Enemy Attack types will also use an internal person to make their task easier. The defences we are putting up will not assist in stopping this type of attack. The only solutions are to ensure you have good backup procedures, regularly read and inspect log files, and make sure users only have access to the parts of the system that they need access to.
Typically the "Script Kiddie" will use known security flaws in the operating system and/or known Trojans. The other attackers will use a combination of these and "unknown" attacks, and are typically more skilled.
We will attempt to keep your server secure from both known and unknown attacks.
Known Attacks
The first defence is to make sure you are protected against the "known" attacks. The most common form of these is via Trojans.
A Trojan (named after the story of the Trojan horse) is a piece of software that can get loaded on your server and makes it available for an attacker to access. The functions it can provide to an attacker vary, including damaging your data, providing access for others to see your data, or using your server to launch attacks on other systems.
There are two main ways to prevent these.
One is to ensure you have a good anti-virus product running and that you keep it up-to-date. GL Computing currently recommends Symantec (formerly Norton) Anti-Virus Corporate Edition for servers. This should find and prevent Trojans from being installed, and/or remove them if already installed.
The other is to make sure your firewall prevents the attacker from accessing the Trojan if it is on your system. As they are usually contacted on specific ports, this provides pretty good security against most known attacks.
Many attacks, like Nimda, SQL Slammer and others, used operating system exploits that Microsoft had patched months earlier, and yet many administrators (including Microsoft's own) had not patched all of their servers that were reachable from the Internet. Consequently many millions of dollars in damaged data and system down-time were caused.
You should make sure that all the Service Packs and Critical Updates are applied to your server. Most hacker/cracker attempts (especially those by Script Kiddies) are made using security holes in Windows for which Microsoft has already issued patches, knowing that many administrators do not apply these fixes. It is good practice to regularly check for updates from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "Unknown Attack", but that is exactly what is necessary to provide adequate defence: preventing, as much as possible, attacks that use previously undiscovered exploits.
Essentially this means reducing the "surface area" of attack, that is, reducing the entry points and services that are available for an external source to connect to on your server and use to run tasks that you do not want run.
Configuring the IIS server to remove the services that can be used to hook into your server will be covered in the next chapter. For now we'll discuss reducing the entry points that are available.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IPs that can connect to it.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of these can use 64k (65536) channels of communication, or "ports", to connect to specific applications on the server machine.
So the simple rule to start with is to permit only those ports that you know you need to be allowed through to your server.
The default port for web servers is port 80, but it can be set to any port the administrator chooses. Using a non-standard port is a simple way to help keep the server hidden; it means the user will need to put the port number in their URL.
The most complete list of registered port numbers can be obtained from http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked from OUTBOUND transmissions: 135, 137, 138, 139, 443 (unless using SSL), 593
IP Blocking
If you know the IP ranges used by the users who will be accessing your server, you can set either the firewall or the IIS server to permit only those IPs that belong to your users to access the server. We'll show how to do this on the IIS server in the next chapter.
Chapter 5: Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to determine that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, and so you must be careful, as consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, reached either from
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another way to reach the IIS settings is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are in use.
Removing them would not be a good idea if your client is using them for another purpose If you do not have access to the system administrator or they are not sure select ldquoStoprdquo to simply stop the service from accepting requests and check with the administrator
This should be done on the Administration sites FTP and SMTP services unless you are sure they are being used on the server
In the Default Web Site (could be re-named) you should delete the virtual folders IIS Help IIS Admin samples MSADC (MS Active Directory Connector) vti (FrontPage) They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server If no other application is being run on the IIS server at the time you can remove any of the virtual folders in the web site The idea being that we remove anything not specifically required for our implementation this helps reduce the available ldquosurface areardquo for an attacker It is advisable to check with the system administrator Once you know you can remove them Right-click on the item and select delete
Next open the Default Web Site properties (by Right-Click then properties) which should look something like
GL Computing Page 23 682004
On the Documents Tab remove all the items there and add webgif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually CInetpubwwwroot folder)
This means that any potential hacker just looking for a site will see something small but giving nothing away as to the content of the site
If the site is being used for another site you may need to leave another default document that is used by they site
You may want to point the Printers virtual folder at this gif file also because it sometimes re-appears and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future
Note You will need to re-add Defaulthtm to the actweb virtual folder after you have installed ACT For Web
To do this right-click on the Actweb virtual folder select the Documents tab and Add ldquoDefaulthtmrdquo
GL Computing Page 24 682004
Next on the Home Directory tab click on the Configuration button Remove all the Mappings except for ASA and ASP (which are required for ACT for Web to operate) It will then look something like
This is to prevent any holes in other applications being used to infiltrate your site
Next remove (or rename if you are not sure if they may be needed later) the folders that you have removed the virtual folders for earlier
GL Computing Page 25 682004
Remove Internet Guest Account (IUSR_machine_name) access from cmdexe commandcom tftpexe httpodbcdll and defaultida ndash by adding in Security properties and selecting Deny (only for IUSR) You may need to do a search of the hard disk to get all the versions of these files
This is to prevent a user being able to point to those files and execute them which has been a common hacking exploit
GL Computing Page 26 682004
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication This enables you to use the additional Windows and domain logins prior to the ACT Login
Note different versions of Windows may differ slightly
1 Right-click the My Computer icon and then click Manage from the shortcut menu The Computer Management window appears
2 Expand the Services and Applications option then expand the Internet Information Services option and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location your ActWeb virtual directory location may differ)
3 Right-click the ActWeb virtual directory and then click Properties from the shortcut menu The ActWeb Properties dialog appears
4 Under the Directory Security tab in the Anonymous access and authentication control section click Edit The Authentication Methods dialog appears
GL Computing Page 27 682004
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled The other check boxes are dependent on your specific security requirements and are not related to ACT for Webs configuration Note Digest authentication for Windows domain servers is an option on IIS 51 or later
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE The IUSR_[machine name] account will no longer be used by IIS with this configuration You will need to make sure the user account you attempt to log in has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database as well as the installation folder for ACT for Web (default Cwebsites)
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account or disable it after creating another named account with administrator access Renaming the ldquoEveryonerdquo group to a different name can also be useful
Do not use the server to browse the internet also do not browse the internet from an account who is a member of the Admin group Any web attacks would then have complete access to install software and access your system in potentially undesired ways
Run minimal services on the server Run only those services that are necessary for
your purposes Each additional service that you run presents a potential entry point for malicious attacks
Once again we strongly recommend you make sure you regularly update your server with the critical updates from httpwindowsupdatemicrosoftcom and also keep your anti-virus up-to-date
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered Some that we recommend include wwwmicrosoftcomsecuritysecurity_bulletinsdecisionasp wwwcertorgcontact_certcertmaillisthtml nctsymantecstorecomvirusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
httpwwwmicrosoftcomtechnettreeviewurl=technetsecuritytoolsToolsMBSAhomeasp Select the applicable type of server configuration Note This product will automatically set some of the settings below
Start | Run - syskeyexe select Encryption Enabled then select Ok For more information on this (before doing it) see
httpsupportmicrosoftcomdefaultaspxscid=kben-us310105ampProduct=win2000
Chapter
A
H
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
Disable NetBIOS over TCP/IP
Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
Disable or filter all TCP, UDP and IP ports as needed. It is often better to do this from an external firewall, but doing it in both places protects you if the firewall is breached or misconfigured. Leave the port the web site listens on (80, or 443 for SSL) permitted. Note that TCP/IP filtering in Windows 2000 applies to all adapters at once and takes effect after a restart; verify the result with netstat -an.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
Guest account | General tab | Cannot change password
Guest account | General tab | Password never expires
Guest account | General tab | Account disabled
Guest account | Dial-in tab | Remote Access Permission | Deny access
Services
o Configure the following Windows services to start automatically:
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service (needed by MBSA and some remote administration tools; set it to Manual if you will not use them)
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows services to start manually:
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon (must remain Automatic if the server is a domain member)
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Uninterruptible Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows services if they are not being used:
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transfer Protocol (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time (keep it running if the server is a domain member: Kerberos authentication and log correlation depend on accurate time)
Other General Changes
o For the Everyone group:
C:\Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
C:\WINNT folder rights: none
Web folder rights: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group and the IUSR_<machine name> account from the following C:\WINNT\system32 files, in addition to the ones denied in the Configuring and Securing IIS chapter (cmd.exe, command.com, tftp.exe, httpodbc.dll, default.ida):
arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
(and any others not needed). Check each file with cacls <file> afterwards; an explicit Deny for IUSR overrides any Allow the account inherits through Everyone or Users, and Windows File Protection keeps second copies of many of these in system32\dllcache.
o Display Properties
Set the screen saver to "Logon Screen Saver"
Set the wait to 5 minutes
Check "Password protected"
o Check the anti-virus program
Enable the "start program on Windows startup" option
Turn on all activity logs (detection, quarantine, etc.)
Disable the "audible alert" option
Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, defaults to "ask me what to do", which is useless on an unattended server)
Enable scanning of master boot records
Enable scanning of boot records
Scan all inbound file types
o Vulnerability scan
Use a vulnerability scanner or a scanning service to verify that the lockdown took effect and that no known vulnerabilities remain. A web search for "vulnerability scanner" will yield numerous products and services to choose from. Scan from outside the firewall as well as from the LAN, since the two views differ.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence: security patches must be applied upon release, and the system, IIS and firewall logs need to be reviewed daily to track activity and intrusion attempts.
from the Microsoft site http://windowsupdate.microsoft.com
Unknown Attacks
It may seem unusual to talk about preventing an "unknown attack", but that is exactly what adequate defence requires: preventing, as far as possible, attacks that use exploits not yet discovered or not yet patched.
Essentially this means reducing the "attack surface", that is, reducing the entry points and services that an external source can connect to on your server and use to run tasks you do not want run. An attacker cannot exploit a service that is not listening.
Removing the IIS components that can be used to hook into your server is covered in the next chapter. For now we discuss reducing the entry points that are available: the network ports the server listens on and the IP addresses allowed to reach them.
Port Blocking
By entry points we usually mean the ports that are open on your server and the IP addresses that can connect to them.
There are two main transport layer protocols used on the 'net: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Each has 65,536 "ports" (numbered 0 to 65535), which identify the specific application on the server that a connection or datagram is meant for. A port is only a risk if a service is listening on it.
So the simple rule to start with is to permit only those ports that you know you need, and block everything else, both at the firewall and on the server itself.
The default port for web servers is 80 (443 for SSL), but it can be set to any port the administrator chooses. Using a non-standard port means users must put the port number in their URL. It hides the site only from casual browsing, not from a port scan, so treat it as a convenience rather than a control.
The most complete list of registered port numbers is at http://www.iana.org/assignments/port-numbers
The following ports should nearly always be blocked inbound to the server from the internet (and, unless the server needs them, outbound as well): TCP 135 (RPC endpoint mapper), UDP 137 and 138 and TCP 139 (NetBIOS), TCP 445 (SMB over TCP, which Windows 2000 also uses for file sharing) and TCP 593 (RPC over HTTP). Port 443 can also be blocked unless the site uses SSL.
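The following script is an added example for this document (it is not GL Computing's or Microsoft's code) that turns the rule above into a check: paste the output of netstat -an from the server into it and it reports which listening ports are allowed, which are on the must-block list, and which are unexpected and need a decision. The allow-list of 80 and 443, the sample netstat output and the service labels are assumptions constructed for the example; TCP 445 is added to the document's list because Windows 2000 also listens there.

```python
"""Audit the listening sockets reported by `netstat -an` on a Windows 2000
server against a port allow-list.  Added example for the port-blocking
advice; not part of the GL Computing document.

The sample netstat output below is constructed for the example.  On a real
server run `netstat -an` and pass its text to audit_listeners()."""

import re
from typing import Dict, List, Set, Tuple

# Ports the hardened ACT for Web server is expected to expose.
# Assumption for the example: the site stays on 80 (or 443 for SSL).
ALLOWED_TCP: Set[int] = {80, 443}
ALLOWED_UDP: Set[int] = set()

# Ports the document says should nearly always be blocked (RPC and NetBIOS),
# plus TCP 445 (SMB over TCP), which Windows 2000 also listens on.
ALWAYS_BLOCK: Dict[str, str] = {
    "TCP/135": "RPC endpoint mapper",
    "UDP/137": "NetBIOS name service",
    "UDP/138": "NetBIOS datagram service",
    "TCP/139": "NetBIOS session service",
    "TCP/445": "SMB over TCP",
    "TCP/593": "RPC over HTTP",
}

# Constructed sample of `netstat -an` output from a Windows 2000 host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.7:51522      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# proto, local ip, local port, foreign address, optional TCP state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_ip, port) for every socket that accepts input:
    TCP sockets in LISTENING state and every UDP socket (UDP has no state)."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not exposure
        listeners.append((proto, ip, int(port)))
    return listeners


def audit_listeners(netstat_text: str) -> Dict[str, List[str]]:
    """Classify every listening port as allowed, must_block or unexpected."""
    report: Dict[str, List[str]] = {"allowed": [], "must_block": [], "unexpected": []}
    for proto, ip, port in parse_listeners(netstat_text):
        key = f"{proto}/{port}"
        allowed = ALLOWED_TCP if proto == "TCP" else ALLOWED_UDP
        if key in ALWAYS_BLOCK:
            report["must_block"].append(f"{key} on {ip} ({ALWAYS_BLOCK[key]})")
        elif port in allowed:
            report["allowed"].append(f"{key} on {ip}")
        else:
            report["unexpected"].append(f"{key} on {ip}")
    return report


if __name__ == "__main__":
    for category, entries in audit_listeners(SAMPLE_NETSTAT).items():
        print(category)
        for entry in entries:
            print("  ", entry)
```

On the sample, port 80 is the only allowed listener, the NetBIOS, RPC and SMB ports land in must_block, and UDP 445 comes out as unexpected, which is the point: anything not on either list needs an explicit decision rather than being left open. Run it again after applying the TCP/IP filter and the firewall rules; the must_block and unexpected lists should be empty.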
IP Blocking
If you know the IP ranges used by the people who will be accessing your server, you can set either the firewall or the IIS server to permit only those addresses. The firewall is the better place (the traffic never reaches IIS), but applying the restriction in IIS as well covers the case where the firewall rule is wrong. We show how to do this on the IIS server in the next chapter (Directory Security tab, "IP address and domain name restrictions").
Chapter 5
Configuring and Securing IIS
Once again it is necessary to state that these procedures, if followed exactly, are designed for a server that will be dedicated to serving an ACT database, either solely for ACT for Web or in a hybrid with local LAN users.
We will also attempt to address those issues and components in IIS that you may find installed on servers that are already in operation or that will also be used for other tasks. However, we suggest that you work with the administrator of the network to confirm that your lock-down procedures do not also disable applications or functions that your clients may wish to run on the server.
It is also important to note that security can never be guaranteed on the internet, so you must be careful, as consultants, what contractual agreements you make when doing this type of work for clients.
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, at either
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management console. It is important that you become familiar with this interface and its operation.
Another method is Start | Programs | Administrative Tools | Internet Services Manager, which opens the same IIS snap-in on its own.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are in use.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to stop the service from accepting requests, and check with the administrator.
This should be done for the Administration Web Site and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which may have been renamed) you should delete the virtual folders IISHelp, IISAdmin, IISSamples, MSADC (Microsoft Data Access Components, the Remote Data Service), _vti_bin (FrontPage Server Extensions) and, if present, Scripts. They contain sample pages, scripts and ISAPI DLLs in which vulnerabilities have been found in the past and may be found in the future, and they are most likely not used or needed on the server. If no other application is being run on the IIS server, you can remove every virtual folder in the web site. The idea is that we remove anything not specifically required for our implementation; this reduces the "surface area" available to an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click the item and select Delete.
Next open the Default Web Site properties (right-click, then Properties).
On the Documents tab remove all the items there and add web.gif, or some other small GIF that you have placed in the folder defined as the local path on the Home Directory tab (usually C:\Inetpub\wwwroot).
This means that anyone just looking for a site will see something small that gives nothing away about the content of the site or the software behind it.
If the server is also hosting another site, you may need to leave the default document that site uses.
You may want to point the Printers virtual folder at this GIF as well, because it sometimes re-appears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the ActWeb virtual folder after you have installed ACT for Web.
To do this, right-click the ActWeb virtual folder, select Properties, select the Documents tab and Add "Default.htm".
Next, on the Home Directory tab, click the Configuration button. On the App Mappings tab remove all the mappings except .asa and .asp (which are required for ACT for Web to operate). This removes the .htr, .idc, .stm, .shtm, .shtml, .printer, .ida, .idq, .htw, .cer and .cdx mappings that IIS 5 installs by default. The .asa mapping stays so that global.asa continues to be handled by asp.dll and is never served as a file.
This prevents holes in ISAPI extensions you do not use from being used to get into your site: a request for a file type that has no mapping is no longer handed to a DLL at all.
Next remove (or rename, if you are not sure whether they may be needed later) the folders on disk that backed the virtual folders you removed earlier.
Remove Internet Guest Account (IUSR_<machine name>) access to cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account on the Security tab of each file and selecting Deny (only for IUSR). An explicit Deny overrides any Allow the account inherits through Everyone or Users. You may need to search the hard disk to get all copies of these files (system32, the system32\dllcache copies kept by Windows File Protection, and the Inetpub folders).
This prevents a request that reaches one of these files through a traversal or mapping hole from executing it, which has been a common hacking exploit against IIS.
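As an added example (not part of the GL Computing document or the ACT documentation), the following Python script reviews IIS W3C extended log lines for requests aimed at the resources the steps above remove or deny, and for clients outside the permitted IP ranges described under IP Blocking in Chapter 4. A probe that received a 2xx or 3xx status means that lockdown step did not take; a 403 or 404 means it did. The log excerpt, the permitted client ranges and the #Fields selection are constructed for the example (on a real server those fields must be enabled under Web Site | Properties | Logging | Extended Properties); the list of default IIS 5 script mappings comes from the product's defaults, and the sample lines imitate the request shapes of the default.ida, cmd.exe traversal, MSADC and FrontPage probes of the period.

```python
"""Review IIS 5 W3C extended log lines for probes against the resources the
lockdown removes or denies, and for clients outside the permitted ranges.
Added example for this document; not GL Computing's or Sage's code.

The log excerpt is constructed for the example.  Field order is taken from
the #Fields header, so the parser also works on a real ex*.log taken from
the W3SVC1 log folder (C:\WINNT\system32\LogFiles\W3SVC1 by default) as long
as the fields used below are enabled."""

import ipaddress
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-06 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-08-06 09:00:01 203.0.113.7 GET /actweb/Default.htm - 200
2004-08-06 09:00:05 198.51.100.23 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858 404
2004-08-06 09:00:09 198.51.100.23 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 403
2004-08-06 09:00:12 198.51.100.23 GET /msadc/msadcs.dll - 404
2004-08-06 09:00:15 198.51.100.23 GET /_vti_bin/shtml.dll /_vti_rpc 404
2004-08-06 09:00:20 192.0.2.44 GET /actweb/Default.htm - 200
2004-08-06 09:00:25 198.51.100.23 GET /printers/ - 200
2004-08-06 09:00:31 203.0.113.7 GET /iisadmin/default.htm - 200
"""

# Client ranges permitted to reach the site (assumed for the example).
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")]

# Resources the lockdown removes or denies to IUSR_<machine>: the virtual
# folders deleted from the Default Web Site and the files denied in NTFS.
REMOVED_PATHS = re.compile(
    r"^/(iisadmin|iishelp|iissamples|msadc|_vti_bin|printers)(/|$)"
    r"|/(cmd\.exe|command\.com|tftp\.exe|httpodbc\.dll|default\.ida)$",
    re.IGNORECASE,
)
# Script mappings IIS 5 installs by default; only .asp and .asa are kept.
REMOVED_MAPPINGS = re.compile(
    r"\.(htr|idc|stm|shtm|shtml|printer|ida|idq|htw|cer|cdx)$", re.IGNORECASE
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def review(text: str) -> Dict[str, List[str]]:
    """Classify requests: exposed (probe answered with 2xx/3xx), blocked
    (probe refused with 4xx/5xx) and foreign (client outside ALLOWED_CLIENTS)."""
    findings: Dict[str, List[str]] = {"exposed": [], "blocked": [], "foreign": []}
    for row in parse_w3c(text):
        # Decode %xx escapes (the overlong %c1%1c traversal sequence decodes to
        # junk, which is fine: we only need the target file name at the end)
        # and normalise backslashes so the patterns match either separator.
        stem = unquote(row["cs-uri-stem"]).replace("\\", "/")
        status = int(row["sc-status"])
        client = ipaddress.ip_address(row["c-ip"])
        where = f"{row['date']} {row['time']} {row['c-ip']} {row['cs-uri-stem']} -> {status}"

        if not any(client in net for net in ALLOWED_CLIENTS):
            findings["foreign"].append(where)

        if REMOVED_PATHS.search(stem) or REMOVED_MAPPINGS.search(stem):
            bucket = "exposed" if status < 400 else "blocked"
            findings[bucket].append(where)
    return findings


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)}")
        for hit in hits:
            print("  ", hit)
```

On the sample, the default.ida, cmd.exe, MSADC and _vti_bin probes were refused, so those steps held; the 200 for /printers/ and /iisadmin/ shows two virtual folders that are still answering and need removing. Every probe came from an address outside the permitted ranges, which is what the IP restriction in IIS or at the firewall would have turned into a 403 before the request reached any of these resources.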
If you want increased security you can remove Anonymous access and use Integrated Windows authentication. This requires a Windows (local or domain) logon before the ACT logon.
Note: different versions of Windows may differ slightly.
1 Right-click the My Computer icon and then click Manage on the shortcut menu. The Computer Management window appears.
2 Expand Services and Applications, then expand Internet Information Services, then select the Default Web Site so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3 Right-click the ActWeb virtual directory and then click Properties on the shortcut menu. The ActWeb Properties dialog appears.
4 On the Directory Security tab, in the "Anonymous access and authentication control" section, click Edit. The Authentication Methods dialog appears.
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is selected. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: "Digest authentication for Windows domain servers" is available on IIS 5.0 and later, but it only works when the server is a member of an Active Directory domain and the accounts store passwords with reversible encryption. Leave Basic authentication off unless the site runs over SSL, since Basic sends the password in clear text.
6 Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt. Integrated Windows authentication does not pass through many HTTP proxies, so users coming in from the internet may need Basic authentication over SSL instead.
IMPORTANT NOTE: The IUSR_<machine name> account will no longer be used by IIS for this directory. You will need to make sure that each user account that will log in has the proper permissions set in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this, please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult to find by potential hackers. Two simple ways to do this are:
1 Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Remember that this only hides the site from casual browsing; a port scan will still find it. Using SSL (Secure Sockets Layer) on port 443 adds real protection by encrypting the traffic across the internet, including the ACT and Windows logons; users then enter https:// instead of http:// in the URL.
2 Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites they may already have begun to interact with the spiders that crawl them.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent a directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors or search engines; robots.txt is a request that well-behaved crawlers honour, not an access control. However, these methods are generally accepted by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account and give it a long password, and create a separate named account with administrative access for day-to-day use. On Windows 2000 the built-in Administrator account cannot be disabled, so renaming and a strong password are the controls available. The "Everyone" group is a built-in identity and cannot be renamed; restrict what it is granted on the file system instead.
Do not use the server to browse the internet, and do not browse the internet from any account that is a member of the Administrators group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: MBSA reports on several of the settings below rather than changing them, and it needs the Remote Registry service running on the machine it scans.
Start | Run, type syskey.exe, select Encryption Enabled, then select OK. For more information on this (read it before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes. BACK UP THE REGISTRY FIRST.
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the LegalNoticeCaption value to your company name or the site owner
Change the LegalNoticeText value to "Unauthorized Use" (these are the same values that the "Message title/text for users attempting to log on" security options set)
o Delete the Os2 value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Posix value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
o Delete the Optional value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
(this disables the OS/2 and POSIX subsystems, which a web server does not need)
o Delete the ncacn_ip_tcp value under HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols
o Delete the ncadg_ip_udp value under HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols
(this stops the machine from initiating RPC over TCP/IP and UDP/IP; it will break remote administration tools and DCOM applications that rely on RPC across the network, so apply it only on the dedicated server and test)
Some more suggested Control Panel changes
o Control Panel | System | Advanced | Startup and Recovery
Set the time to display the list of operating systems to 10 seconds
Check "Automatically reboot"
Set Write Debugging Information to "(none)" (this also discards the memory dump you would want when investigating a crash or a compromise; "Small Memory Dump (64 KB)" keeps a minimal record)
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
Enforce password history to 8 passwords remembered
Minimum password length to 8 characters
Maximum password age to 30 days
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5 invalid logon attempts
Reset account lockout counter after 10 minutes
(with Windows accounts authenticating over the internet, an attacker who knows user names can lock them out deliberately; a short duration limits the damage)
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
Audit account logon events to Success, Failure
Audit account management to Success, Failure
Audit directory service access to Success, Failure
Audit logon events to Success, Failure
Audit policy change to Success, Failure
Audit privilege use to Success, Failure
Audit process tracking to Success, Failure
Audit system events to Success, Failure
(auditing all of these, especially process tracking and privilege use, fills the Security log quickly; raise the log size in Event Viewer and review it daily)
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
To modify the IIS settings in Windows 2000 we can use the Computer Management snap-in, reached either from
Start | Programs | Administrative Tools | Computer Management
or by selecting Manage from the right-click menu on My Computer.
This will bring up the Computer Management Console.
It is important that you become familiar with this interface and its operation.
Another way to reach the IIS settings is Start | Programs | Administrative Tools | Internet Services Manager.
If you are setting up on a server that is already installed, you might find services or virtual folders already there that are being used.
Removing them would not be a good idea if your client is using them for another purpose. If you do not have access to the system administrator, or they are not sure, select "Stop" to simply stop the service from accepting requests, and check with the administrator.
This should be done for the Administration sites and the FTP and SMTP services unless you are sure they are being used on the server.
In the Default Web Site (which may have been renamed) you should delete the virtual folders IISHelp, IISAdmin, samples, MSADC (MS Active Directory Connector) and vti (FrontPage). They all include ASP and Java scripts in which vulnerabilities may be found, and they are most likely not used or needed on the server. If no other application is being run on the IIS server at the time, you can remove any of the virtual folders in the web site. The idea is that we remove anything not specifically required for our implementation; this helps reduce the available "surface area" for an attacker. It is advisable to check with the system administrator. Once you know you can remove them, right-click on the item and select Delete.
Next, open the Default Web Site properties (right-click, then Properties), which should look something like this.
On the Documents tab, remove all the items there and add web.gif, or some other small GIF that you have placed in the default folder defined on the Home Directory tab (usually the C:\Inetpub\wwwroot folder).
This means that any potential hacker just looking for a site will see something small that gives nothing away as to the content of the site.
If the server is also being used for another site, you may need to leave another default document that is used by that site.
You may want to point the Printers virtual folder at this GIF file as well, because it sometimes reappears, and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future.
Note: you will need to re-add Default.htm to the actweb virtual folder after you have installed ACT for Web.
To do this, right-click on the Actweb virtual folder, select the Documents tab and add "Default.htm".
Next, on the Home Directory tab, click on the Configuration button. Remove all the application mappings except for .asa and .asp (which are required for ACT for Web to operate). It will then look something like this.
This is to prevent holes in other applications being used to infiltrate your site.
Next, remove (or rename, if you are not sure whether they may be needed later) the folders whose virtual folders you removed earlier.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by opening each file's Security properties, adding the IUSR account and selecting Deny (for IUSR only). You may need to search the hard disk to find all copies of these files.
This is to prevent a user being able to point to those files and execute them, which has been a common hacking exploit.
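Once these files are denied and the virtual folders removed, a request for them gets a 404 or 403 instead of execution, so the IIS log is where the attempts show up. The following Python script, added here and not from the GL Computing document, parses the W3C extended log that IIS writes and lists every request for a denied file or removed virtual folder; the log lines are constructed, and the _vti prefix for the FrontPage folders is my assumption.

```python
"""Flag IIS log entries that request the files and folders removed above.

Added example, not from the GL Computing document.  It reads the W3C
extended log format IIS writes (by default under
%SystemRoot%\\system32\\LogFiles\\W3SVC1\\) and reports every request for
a denied file or removed virtual folder, whatever status code it got: a
404 for cmd.exe still tells you someone is probing.  The log lines below
are constructed for this example.
"""
from collections import Counter
from urllib.parse import unquote

# Files denied to IUSR_<machine> and virtual folders deleted above.
# The _vti prefix for FrontPage folders is an assumption of this example.
DENIED_FILES = {"cmd.exe", "command.com", "tftp.exe", "httpodbc.dll", "default.ida"}
REMOVED_VDIRS = ("/iishelp", "/iisadmin", "/samples", "/msadc", "/_vti")

# Constructed sample log: two ordinary clients and one address probing
# for the removed resources.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-08 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-08 00:00:01 10.0.0.5 GET /actweb/Default.htm - 200
2004-06-08 00:00:02 10.0.0.5 GET /web.gif - 200
2004-06-08 00:03:14 198.51.100.7 GET /default.ida - 404
2004-06-08 00:03:15 198.51.100.7 GET /scripts/cmd.exe - 404
2004-06-08 00:03:16 198.51.100.7 GET /MSADC/ - 404
2004-06-08 00:09:40 10.0.0.8 GET /actweb/default.htm - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields.

    IIS writes a fresh #Fields header when the logged columns change,
    so the field list is re-read whenever it appears.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def is_probe(stem):
    """True if the request path names a denied file or a removed folder."""
    path = unquote(stem).lower()  # decode %xx once so encoded names match
    name = path.rsplit("/", 1)[-1]
    return name in DENIED_FILES or path.startswith(REMOVED_VDIRS)


def find_probes(text):
    """Return (timestamp, client ip, uri stem, status) for each probe."""
    return [
        (f"{r['date']} {r['time']}", r["c-ip"], r["cs-uri-stem"], r["sc-status"])
        for r in parse_w3c(text)
        if is_probe(r["cs-uri-stem"])
    ]


def probes_by_client(text):
    """Count probes per client address, the figure worth watching daily."""
    return Counter(ip for _, ip, _, _ in find_probes(text))


if __name__ == "__main__":
    for when, ip, stem, status in find_probes(SAMPLE_LOG):
        print(f"{when} {ip} requested {stem} -> {status}")
    print(dict(probes_by_client(SAMPLE_LOG)))
```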
If you want increased security you can remove Anonymous access and use Integrated Windows authentication. This enables you to require the additional Windows and domain logins prior to the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option, and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you attempt to log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the traffic across the internet. This will use the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database, you can take steps to address this. Keep in mind that if you have existing websites, they may have already begun to take the steps to interact with the spiders that may crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent a directly accessible resource on a site from being linked to by external sites, be they partner sites, competitors' sites or search engines; however, these methods are generally honoured by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing on, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet, and do not browse the internet from an account that is a member of the Administrators group. Any web-based attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend that you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus software up to date.
Subscribe to security bulletins to stay aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run, then syskey.exe; select Encryption Enabled, then select OK. For more information on this (read it before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACK UP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   - Change the LegalNoticeCaption value to your company name or the site owner
   - Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
   - Set the display list time to 10 seconds
   - Check "Automatic Reboot"
   - Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
   - Enforce password history: 8
   - Minimum password length: 8
   - Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
   - Account lockout duration: 10 minutes
   - Account lockout threshold: 5
   - Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
   - Audit account logon events: Success, Failure
   - Audit account management: Success, Failure
   - Audit directory service access: Success, Failure
   - Audit logon events: Success, Failure
   - Audit policy change: Success, Failure
   - Audit privilege use: Success, Failure
   - Audit process tracking: Success, Failure
   - Audit system events: Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
   - Allow System to Be Shut Down Without Having to Log On: Disabled
   - Audit Use of Backup and Restore Privilege: Enabled
   - Clear Virtual Memory Pagefile When System Shuts Down: Enabled
   - Disable CTRL-ALT-DEL Requirement for Logon: Disabled
   - Do Not Display Last User Name in Logon Screen: Enabled
   - Message Text for Users Attempting to Log On: "Unauthorized use prohibited"
   - Message Title for Users Attempting to Log On: the company or site owner's name
   - Prevent Users from Installing Printer Drivers: Enabled
   - Recovery Console: Allow Automatic Administrative Logon: Disabled
   - Restrict CD-ROM Access to Locally Logged-On User: Enabled
   - Restrict Floppy Access to Locally Logged-On User: Enabled
   - Unsigned Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
   - Unsigned Non-Driver Installation Behavior: Do not allow (NOTE: may prevent software installs)
   - Additional Restrictions for Anonymous Connections: No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
   - Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
   - Disable NetBIOS over TCP/IP
   - Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
   - Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
   - Guest account | General tab | Cannot change password
   - Guest account | General tab | Password never expires
   - Guest account | General tab | Account disabled
   - Guest account | Dial-in tab | Remote Access Permission: Deny access
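To verify the Password, Account Lockout and Audit Policy values above after applying them (or to find a server where they were never applied), the following Python script, added here and not part of the GL Computing document, parses a `secedit /export /cfg` file and reports every value that differs from the recommended list. The INF text embedded in it is constructed, and the C:\lockdown.inf file name is an assumption.

```python
"""Verify Local Security Policy values against the lockdown list above.

Added example, not from the GL Computing document.  Export the effective
policy on the server with

    secedit /export /cfg C:\\lockdown.inf

(the file name is an assumption) and pass the file to load_export().  The
INF text below is constructed for this example; it deviates from the
recommended values in a few places so the report shows what a finding
looks like.
"""
import configparser

# Recommended values from the Password, Account Lockout and Audit Policy
# lists above, keyed the way secedit names them.  Audit settings are
# bit flags: 1 = Success, 2 = Failure, 3 = Success and Failure.
EXPECTED = {
    "System Access": {
        "PasswordHistorySize": "8",     # Enforce password history
        "MinimumPasswordLength": "8",
        "MaximumPasswordAge": "30",     # days
        "LockoutBadCount": "5",         # Account lockout threshold
        "LockoutDuration": "10",        # minutes
        "ResetLockoutCount": "10",      # minutes
    },
    "Event Audit": {
        "AuditAccountLogon": "3",
        "AuditAccountManage": "3",
        "AuditDSAccess": "3",
        "AuditLogonEvents": "3",
        "AuditPolicyChange": "3",
        "AuditPrivilegeUse": "3",
        "AuditProcessTracking": "3",
        "AuditSystemEvents": "3",
    },
}

# Constructed export: lockout threshold still 0 (secedit may then write
# no duration/reset values at all), password age left at 42 days, and
# logon auditing set to Failure only.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 8
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Return {section: {key: value}} from secedit INF text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. AuditLogonEvents
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_policy(text, expected=EXPECTED):
    """Return a list of (section, key, expected, actual) deviations.

    A key absent from the export is reported with actual=None rather
    than being assumed to sit at the recommended value.
    """
    actual = parse_inf(text)
    findings = []
    for section, keys in expected.items():
        present = actual.get(section, {})
        for key, want in keys.items():
            got = present.get(key)
            if got is None or got.strip() != want:
                findings.append((section, key, want, got))
    return findings


def load_export(path):
    """Read a real secedit export, which is written as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for section, key, want, got in check_policy(SAMPLE_INF):
        print(f"[{section}] {key}: recommended {want}, found {got!r}")
```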
Services
o Configure the following Windows Services to start automatically:
   - DNS Client
   - Event Log
   - Logical Disk Manager
   - IPSec Policy Agent
   - Plug and Play
   - Protected Storage
   - Remote Registry Service
   - RunAs
   - Security Accounts Manager
   - Task Scheduler
o Configure the following Windows Services to start manually:
   - Application Management
   - ClipBook
   - COM+ Event System
   - Logical Disk Manager Administrative Service
   - Distributed Link Tracking Server
   - Fax Service
   - File Replication
   - Indexing Service
   - Internet Connection Sharing
   - Net Logon
   - NetMeeting Remote Desktop
   - Network Connections
   - Network DDE
   - Network DDE DSDM
   - NT LM Security Support Provider
   - Performance Logs and Alerts
   - QoS RSVP
   - Remote Access Auto Connection Manager
   - Remote Access Connection Manager
   - Remote Procedure Call (RPC) Locator
   - Smart Card
   - Smart Card Helper
   - Uninterruptible Power Supply
   - Utility Manager
   - Windows Installer
   - Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
   - Intersite Messaging
   - Kerberos Key Distribution Center
   - Routing and Remote Access
   - Terminal Services
   - Print Spooler
   - Simple Mail Transport Protocol (SMTP)
   - DHCP Client
   - Messenger
   - Telephony
   - Telnet
   - Windows Time
Other General Changes
o For the Everyone group (which may have been renamed):
   - C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
   - C: drive, WinNT folder rights: none
   - Web folder rights: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
   arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
   (and any others not needed)
o Display Properties
   - Set screen saver to "Logon Screen Saver"
   - Set screen saver wait time to 5 minutes
   - Check password protect
o Check the anti-virus program
   - Enable the "start program on Windows startup" option
   - Turn on all activity logs (detection, quarantine, etc.)
   - Disable the "audible alert" option
   - Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
   - Enable scan of "master boot records"
   - Enable scan of "boot records"
   - Scan all inbound file types
o Vulnerability Scan
   - Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
GL Computing Page 22 682004
If you are setting up on a server that is already installed you might find services or virtual folders already there that are already being used
Removing them would not be a good idea if your client is using them for another purpose If you do not have access to the system administrator or they are not sure select ldquoStoprdquo to simply stop the service from accepting requests and check with the administrator
This should be done on the Administration sites FTP and SMTP services unless you are sure they are being used on the server
In the Default Web Site (could be re-named) you should delete the virtual folders IIS Help IIS Admin samples MSADC (MS Active Directory Connector) vti (FrontPage) They all include ASP and Java scripts that may have vulnerabilities found in them and are most likely not used or needed on the server If no other application is being run on the IIS server at the time you can remove any of the virtual folders in the web site The idea being that we remove anything not specifically required for our implementation this helps reduce the available ldquosurface areardquo for an attacker It is advisable to check with the system administrator Once you know you can remove them Right-click on the item and select delete
Next open the Default Web Site properties (by Right-Click then properties) which should look something like
GL Computing Page 23 682004
On the Documents Tab remove all the items there and add webgif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually CInetpubwwwroot folder)
This means that any potential hacker just looking for a site will see something small but giving nothing away as to the content of the site
If the site is being used for another site you may need to leave another default document that is used by they site
You may want to point the Printers virtual folder at this gif file also because it sometimes re-appears and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future
Note You will need to re-add Defaulthtm to the actweb virtual folder after you have installed ACT For Web
To do this right-click on the Actweb virtual folder select the Documents tab and Add ldquoDefaulthtmrdquo
GL Computing Page 24 682004
Next on the Home Directory tab click on the Configuration button Remove all the Mappings except for ASA and ASP (which are required for ACT for Web to operate) It will then look something like
This is to prevent any holes in other applications being used to infiltrate your site
Next remove (or rename if you are not sure if they may be needed later) the folders that you have removed the virtual folders for earlier
GL Computing Page 25 682004
Remove Internet Guest Account (IUSR_machine_name) access from cmdexe commandcom tftpexe httpodbcdll and defaultida ndash by adding in Security properties and selecting Deny (only for IUSR) You may need to do a search of the hard disk to get all the versions of these files
This is to prevent a user being able to point to those files and execute them which has been a common hacking exploit
GL Computing Page 26 682004
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication This enables you to use the additional Windows and domain logins prior to the ACT Login
Note different versions of Windows may differ slightly
1 Right-click the My Computer icon and then click Manage from the shortcut menu The Computer Management window appears
2 Expand the Services and Applications option then expand the Internet Information Services option and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location your ActWeb virtual directory location may differ)
3 Right-click the ActWeb virtual directory and then click Properties from the shortcut menu The ActWeb Properties dialog appears
4 Under the Directory Security tab in the Anonymous access and authentication control section click Edit The Authentication Methods dialog appears
GL Computing Page 27 682004
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled The other check boxes are dependent on your specific security requirements and are not related to ACT for Webs configuration Note Digest authentication for Windows domain servers is an option on IIS 51 or later
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE The IUSR_[machine name] account will no longer be used by IIS with this configuration You will need to make sure the user account you attempt to log in has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database as well as the installation folder for ACT for Web (default Cwebsites)
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet, and do not browse the internet from an account that is a member of the Administrators group. Any web-based attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes; each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include:
www.microsoft.com/security/security_bulletins/decision.asp
www.cert.org/contact_cert/certmaillist.html
nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run: syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACKUP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   - Change the LegalNoticeCaption value to your company name or site owner
   - Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
   - Set display list to 10 seconds
   - Check "Automatic Reboot"
   - Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
   - Enforce password history: 8
   - Minimum password length: 8
   - Maximum password age: 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
   - Account lockout duration: 10 minutes
   - Account lockout threshold: 5
   - Reset account lockout counter after: 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
   - Audit account logon events: Success, Failure
   - Audit account management: Success, Failure
   - Audit directory service access: Success, Failure
   - Audit logon events: Success, Failure
   - Audit policy change: Success, Failure
   - Audit privilege use: Success, Failure
   - Audit process tracking: Success, Failure
   - Audit system events: Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
   - Allow system to be shut down without having to log on: Disabled
   - Audit use of Backup and Restore privilege: Enabled
   - Clear virtual memory pagefile when system shuts down: Enabled
   - Disable CTRL+ALT+DEL requirement for logon: Disabled
   - Do not display last user name in logon screen: Enabled
   - Message text for users attempting to log on: "Unauthorized use prohibited"
   - Message title for users attempting to log on: company or site owner's name
   - Prevent users from installing printer drivers: Enabled
   - Recovery Console: Allow automatic administrative logon: Disabled
   - Restrict CD-ROM access to locally logged-on user only: Enabled
   - Restrict floppy access to locally logged-on user only: Enabled
   - Unsigned driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
   - Unsigned non-driver installation behavior: Do not allow installation (NOTE: may prevent software installs)
   - Additional restrictions for anonymous connections: No access without explicit anonymous permissions
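The password, lockout, audit and security-option settings above are easy to get wrong on a server someone else administers, so it helps to check the applied policy after the fact instead of re-reading each MMC dialog. The checker below is an added example, not GL Computing's code or tooling; it assumes the policy was exported with `secedit /export /cfg policy.inf`, and SAMPLE_INF is a constructed excerpt of such an export, not a capture from a real server.

```python
"""Check a secedit policy export against the baseline this guide recommends.
Added example, not GL Computing's code.  Assumes the export came from
`secedit /export /cfg policy.inf` (real files are UTF-16 with more sections);
SAMPLE_INF is a constructed excerpt with five deliberate deviations."""
import configparser
import sys

SAMPLE_INF = r"""[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 8
LockoutBadCount = 0
ResetLockoutCount = 10
LockoutDuration = 10
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
"""

# Password and lockout policy from the guide: (key, "min"/"max", limit)
SYSTEM_ACCESS_RULES = [
    ("PasswordHistorySize", "min", 8),    # Enforce password history: 8
    ("MinimumPasswordLength", "min", 8),  # Minimum password length: 8
    ("MaximumPasswordAge", "max", 30),    # Maximum password age: 30 days
    ("LockoutDuration", "min", 10),       # Account lockout duration: 10 min
    ("LockoutBadCount", "max", 5),        # Account lockout threshold: 5
    ("ResetLockoutCount", "min", 10),     # Reset lockout counter: 10 min
]
# Audit policy: secedit encodes 0=none, 1=success, 2=failure, 3=both
AUDIT_KEYS = ("AuditAccountLogon", "AuditAccountManage", "AuditDSAccess",
              "AuditLogonEvents", "AuditPolicyChange", "AuditPrivilegeUse",
              "AuditProcessTracking", "AuditSystemEvents")
# Security Options from the guide, stored as "4,<value>" (4 = REG_DWORD)
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
REGISTRY_RULES = {
    POLICIES + r"\DontDisplayLastUserName": 1,  # Do not display last user name
    POLICIES + r"\ShutdownWithoutLogon": 0,     # Shut down without logon: Disabled
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": 2,
}


def setting(cp, section, key):
    """Integer value of one setting, or None when the export does not set it."""
    if not cp.has_option(section, key):
        return None
    raw = cp.get(section, key)
    if section == "Registry Values":  # "type,value"; only REG_DWORD is compared
        reg_type, raw = raw.split(",", 1)
        if reg_type != "4":
            return None
    return int(raw)


def check_policy(text):
    """One finding per baseline setting that is unmet or missing; [] = compliant."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep secedit's CamelCase key names
    cp.read_string(text)
    findings = []

    def report(section, key, want, got):
        short = key.rsplit("\\", 1)[-1]
        state = "not set" if got is None else f"is {got}"
        findings.append(f"[{section}] {short}: {state}, guide wants {want}")

    for key, how, want in SYSTEM_ACCESS_RULES:
        got = setting(cp, "System Access", key)
        ok = got is not None and (got >= want if how == "min" else got <= want)
        # secedit specials: MaximumPasswordAge -1 = never expires and
        # LockoutBadCount 0 = no lockout pass a plain "<=" but defeat the guide
        if key == "MaximumPasswordAge" and got in (0, -1):
            ok = False
        if key == "LockoutBadCount" and got == 0:
            ok = False
        if not ok:
            report("System Access", key, f"{'>=' if how == 'min' else '<='} {want}", got)
    for key in AUDIT_KEYS:
        got = setting(cp, "Event Audit", key)
        if got != 3:
            report("Event Audit", key, "3 (Success, Failure)", got)
    for key, want in REGISTRY_RULES.items():
        got = setting(cp, "Registry Values", key)
        if got != want:
            report("Registry Values", key, str(want), got)
    return findings


if __name__ == "__main__":
    # A real export is UTF-16; pass the .inf path to check a server
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    print("\n".join(check_policy(text) or ["compliant with the guide's baseline"]))
```

Every line printed is one setting that still differs from the list above; with no argument the script checks the constructed sample and reports its five deviations.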
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General
   - Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
   - Disable NetBIOS over TCP/IP
   - Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connection> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
   - Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places assists in protecting you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
   - Guest account | General tab: Cannot change password
   - Guest account | General tab: Password never expires
   - Guest account | General tab: Account disabled
   - Guest account | Dial-in tab: Remote Access Permission: Deny access
Services
o Configure the following Windows Services to start automatically:
   - DNS Client
   - Event Log
   - Logical Disk Manager
   - IPSec Policy Agent
   - Plug and Play
   - Protected Storage
   - Remote Registry Service
   - RunAs
   - Security Accounts Manager
   - Task Scheduler
o Configure the following Windows Services to start manually:
   - Application Management
   - ClipBook
   - COM+ Event System
   - Logical Disk Manager Administrative Service
   - Distributed Link Tracking Server
   - Fax Service
   - File Replication
   - Indexing Service
   - Internet Connection Sharing
   - Net Logon
   - NetMeeting Remote Desktop Sharing
   - Network Connections
   - Network DDE
   - Network DDE DSDM
   - NT LM Security Support Provider
   - Performance Logs and Alerts
   - QoS RSVP
   - Remote Access Auto Connection Manager
   - Remote Access Connection Manager
   - Remote Procedure Call (RPC) Locator
   - Smart Card
   - Smart Card Helper
   - Uninterruptible Power Supply
   - Utility Manager
   - Windows Installer
   - Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
   - Intersite Messaging
   - Kerberos Key Distribution Center
   - Routing and Remote Access
   - Terminal Services
   - Print Spooler
   - Simple Mail Transfer Protocol (SMTP)
   - DHCP Client
   - Messenger
   - Telephony
   - Telnet
   - Windows Time
Other General Changes
o For the Everyone group (which may have been renamed):
   - C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
   - C: drive, WinNT folder rights: none
   - Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
   arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
   (and any others not needed)
o Display Properties
   - Set screen saver to "Logon Screen Saver"
   - Set screen saver wait to 5 minutes
   - Check password protect
o Check anti-virus program
   - Enable "start program on Windows startup" option
   - Turn on all activity logs (detection, quarantine, etc.)
   - Disable "audible alert" option
   - Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
   - Enable scan of "master boot records"
   - Enable scan of "boot records"
   - Scan all inbound file types
o Vulnerability Scan
   - Use a vulnerability scanner or scanning service to verify your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
GL Computing Page 23 682004
On the Documents Tab remove all the items there and add webgif or some other small gif that you have loaded in the default folder defined in the Home Directory tab (usually CInetpubwwwroot folder)
This means that any potential hacker just looking for a site will see something small but giving nothing away as to the content of the site
If the site is being used for another site you may need to leave another default document that is used by they site
You may want to point the Printers virtual folder at this gif file also because it sometimes re-appears and the idea is to leave nothing pointing at an application where vulnerabilities may be discovered in the future
Note You will need to re-add Defaulthtm to the actweb virtual folder after you have installed ACT For Web
To do this right-click on the Actweb virtual folder select the Documents tab and Add ldquoDefaulthtmrdquo
GL Computing Page 24 682004
Next on the Home Directory tab click on the Configuration button Remove all the Mappings except for ASA and ASP (which are required for ACT for Web to operate) It will then look something like
This is to prevent any holes in other applications being used to infiltrate your site
Next remove (or rename if you are not sure if they may be needed later) the folders that you have removed the virtual folders for earlier
GL Computing Page 25 682004
Remove Internet Guest Account (IUSR_machine_name) access from cmdexe commandcom tftpexe httpodbcdll and defaultida ndash by adding in Security properties and selecting Deny (only for IUSR) You may need to do a search of the hard disk to get all the versions of these files
This is to prevent a user being able to point to those files and execute them which has been a common hacking exploit
GL Computing Page 26 682004
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication This enables you to use the additional Windows and domain logins prior to the ACT Login
Note different versions of Windows may differ slightly
1 Right-click the My Computer icon and then click Manage from the shortcut menu The Computer Management window appears
2 Expand the Services and Applications option then expand the Internet Information Services option and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location your ActWeb virtual directory location may differ)
3 Right-click the ActWeb virtual directory and then click Properties from the shortcut menu The ActWeb Properties dialog appears
4 Under the Directory Security tab in the Anonymous access and authentication control section click Edit The Authentication Methods dialog appears
GL Computing Page 27 682004
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled The other check boxes are dependent on your specific security requirements and are not related to ACT for Webs configuration Note Digest authentication for Windows domain servers is an option on IIS 51 or later
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE The IUSR_[machine name] account will no longer be used by IIS with this configuration You will need to make sure the user account you attempt to log in has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database as well as the installation folder for ACT for Web (default Cwebsites)
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account or disable it after creating another named account with administrator access Renaming the ldquoEveryonerdquo group to a different name can also be useful
Do not use the server to browse the internet also do not browse the internet from an account who is a member of the Admin group Any web attacks would then have complete access to install software and access your system in potentially undesired ways
Run minimal services on the server Run only those services that are necessary for
your purposes Each additional service that you run presents a potential entry point for malicious attacks
Once again we strongly recommend you make sure you regularly update your server with the critical updates from httpwindowsupdatemicrosoftcom and also keep your anti-virus up-to-date
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered Some that we recommend include wwwmicrosoftcomsecuritysecurity_bulletinsdecisionasp wwwcertorgcontact_certcertmaillisthtml nctsymantecstorecomvirusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
httpwwwmicrosoftcomtechnettreeviewurl=technetsecuritytoolsToolsMBSAhomeasp Select the applicable type of server configuration Note This product will automatically set some of the settings below
Start | Run - syskeyexe select Encryption Enabled then select Ok For more information on this (before doing it) see
httpsupportmicrosoftcomdefaultaspxscid=kben-us310105ampProduct=win2000
Chapter
A
H
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
GL Computing Page 24 682004
Next on the Home Directory tab click on the Configuration button Remove all the Mappings except for ASA and ASP (which are required for ACT for Web to operate) It will then look something like
This is to prevent any holes in other applications being used to infiltrate your site
Next remove (or rename if you are not sure if they may be needed later) the folders that you have removed the virtual folders for earlier
GL Computing Page 25 682004
Remove Internet Guest Account (IUSR_machine_name) access from cmdexe commandcom tftpexe httpodbcdll and defaultida ndash by adding in Security properties and selecting Deny (only for IUSR) You may need to do a search of the hard disk to get all the versions of these files
This is to prevent a user being able to point to those files and execute them which has been a common hacking exploit
GL Computing Page 26 682004
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication This enables you to use the additional Windows and domain logins prior to the ACT Login
Note different versions of Windows may differ slightly
1 Right-click the My Computer icon and then click Manage from the shortcut menu The Computer Management window appears
2 Expand the Services and Applications option then expand the Internet Information Services option and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location your ActWeb virtual directory location may differ)
3 Right-click the ActWeb virtual directory and then click Properties from the shortcut menu The ActWeb Properties dialog appears
4 Under the Directory Security tab in the Anonymous access and authentication control section click Edit The Authentication Methods dialog appears
GL Computing Page 27 682004
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled The other check boxes are dependent on your specific security requirements and are not related to ACT for Webs configuration Note Digest authentication for Windows domain servers is an option on IIS 51 or later
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE The IUSR_[machine name] account will no longer be used by IIS with this configuration You will need to make sure the user account you attempt to log in has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database as well as the installation folder for ACT for Web (default Cwebsites)
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account or disable it after creating another named account with administrator access Renaming the ldquoEveryonerdquo group to a different name can also be useful
Do not use the server to browse the internet also do not browse the internet from an account who is a member of the Admin group Any web attacks would then have complete access to install software and access your system in potentially undesired ways
Run minimal services on the server Run only those services that are necessary for
your purposes Each additional service that you run presents a potential entry point for malicious attacks
Once again we strongly recommend you make sure you regularly update your server with the critical updates from httpwindowsupdatemicrosoftcom and also keep your anti-virus up-to-date
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered Some that we recommend include wwwmicrosoftcomsecuritysecurity_bulletinsdecisionasp wwwcertorgcontact_certcertmaillisthtml nctsymantecstorecomvirusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
httpwwwmicrosoftcomtechnettreeviewurl=technetsecuritytoolsToolsMBSAhomeasp Select the applicable type of server configuration Note This product will automatically set some of the settings below
Start | Run - syskeyexe select Encryption Enabled then select Ok For more information on this (before doing it) see
httpsupportmicrosoftcomdefaultaspxscid=kben-us310105ampProduct=win2000
Chapter
A
H
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically:
    DNS Client
    Event Log
    Logical Disk Manager
    IPSec Policy Agent
    Plug and Play
    Protected Storage
    Remote Registry Service
    RunAs
    Security Accounts Manager
    Task Scheduler
o Configure the following Windows Services to start manually:
    Application Management
    ClipBook
    COM+ Event System
    Logical Disk Manager Administrative Service
    Distributed Link Tracking Server
    Fax Service
    File Replication
    Indexing Service
    Internet Connection Sharing
    Net Logon
    NetMeeting Remote Desktop
    Network Connections
    Network DDE
    Network DDE DSDM
    NT LM Security Support Provider
    Performance Logs and Alerts
    QoS RSVP
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Smart Card
    Smart Card Helper
    Uninterruptible Power Supply
    Utility Manager
    Windows Installer
    Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
    Intersite Messaging
    Kerberos Key Distribution Center
    Routing and Remote Access
    Terminal Services
    Print Spooler
    Simple Mail Transport Protocol (SMTP)
    DHCP Client
    Messenger
    Telephony
    Telnet
    Windows Time
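A practical way to confirm the three service lists above have actually been applied is to export the Services registry key and compare each service's start type with the document's baseline. The script below is an added example (Python, not the document's or GL Computing's own code). It assumes the key was exported as a text .reg file with regedit (File | Export) or `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; the service key names (Dnscache, TlntSvr, Spooler, MSIServer) and the sample export are constructed for illustration.

```python
"""Audit Windows 2000 service start types against the Services baseline above.

Added example, not from the GL Computing document. It compares each service's
Start value (2 = Automatic, 3 = Manual, 4 = Disabled) from a .reg export with the
three lists in the document, matching on the DisplayName value. The sample
export and its service key names are constructed.
"""
import re

START_TYPE = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # SCM Start values

# The document's three lists, keyed by the service display name.
BASELINE = {}
for _name in ("DNS Client", "Event Log", "Logical Disk Manager", "IPSec Policy Agent",
              "Plug and Play", "Protected Storage", "Remote Registry Service", "RunAs",
              "Security Accounts Manager", "Task Scheduler"):
    BASELINE[_name] = "Automatic"
for _name in ("Application Management", "ClipBook", "COM+ Event System",
              "Logical Disk Manager Administrative Service", "Distributed Link Tracking Server",
              "Fax Service", "File Replication", "Indexing Service", "Internet Connection Sharing",
              "Net Logon", "NetMeeting Remote Desktop", "Network Connections", "Network DDE",
              "Network DDE DSDM", "NT LM Security Support Provider", "Performance Logs and Alerts",
              "QoS RSVP", "Remote Access Auto Connection Manager",
              "Remote Access Connection Manager", "Remote Procedure Call (RPC) Locator",
              "Smart Card", "Smart Card Helper", "Uninterruptible Power Supply", "Utility Manager",
              "Windows Installer", "Windows Management Instrumentation Driver Extensions"):
    BASELINE[_name] = "Manual"
for _name in ("Intersite Messaging", "Kerberos Key Distribution Center",
              "Routing and Remote Access", "Terminal Services", "Print Spooler",
              "Simple Mail Transport Protocol (SMTP)", "DHCP Client", "Messenger",
              "Telephony", "Telnet", "Windows Time"):
    BASELINE[_name] = "Disabled"

# Only direct children of the Services key; "...\Services\Foo\Parameters" does not match,
# so a Start value under a subkey is never mistaken for the service's own.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', re.I)


def parse_reg_export(text):
    """Return {service_key: {"DisplayName": str, "Start": int}} from .reg text."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name, dword, string = m.groups()
        if name == "Start" and dword is not None:
            current["Start"] = int(dword, 16)
        elif name == "DisplayName" and string is not None:
            current["DisplayName"] = string
    return services


def audit_services(reg_text, baseline=BASELINE):
    """Return sorted (display_name, expected, actual) for services that deviate."""
    findings = []
    for info in parse_reg_export(reg_text).values():
        expected = baseline.get(info.get("DisplayName"))
        if expected is None or "Start" not in info:
            continue  # not one of the services the document lists
        actual = START_TYPE.get(info["Start"], "Start=%d" % info["Start"])
        if actual != expected:
            findings.append((info["DisplayName"], expected, actual))
    return sorted(findings)


# Constructed sample export: a box where Telnet and the Print Spooler are still enabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"DisplayName"="Telnet"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"DisplayName"="Windows Installer"
"Start"=dword:00000003
"""

if __name__ == "__main__":
    for display, expected, actual in audit_services(SAMPLE_REG):
        print("%-40s expected %-9s found %s" % (display, expected, actual))
```

Services that are not in any of the three lists are deliberately ignored, so the report only shows drift from what the document prescribes; run it again after each patch cycle, since service packs and application installers re-enable services.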
Other General Changes
o For the Everyone group (which may have been renamed):
    C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
    C: drive, WinNT folder rights: none
    Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (which may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
    arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
    (and any others not needed)
o Display Properties
    Set screen saver to "Logon Screen Saver"
    Set screen saver wait to 5 minutes
    Check "Password protected"
o Check anti-virus program
    Enable the "start program on Windows startup" option
    Turn on all activity logs (detection, quarantine, etc.)
    Disable the "audible alert" option
    Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
    Enable scan of "master boot records"
    Enable scan of "boot records"
    Scan all inbound file types
o Vulnerability scan
    Use a vulnerability scanner or scanning service to verify that your site is secure and no known vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
Remove Internet Guest Account (IUSR_machine_name) access from cmd.exe, command.com, tftp.exe, httpodbc.dll and default.ida by adding the account in the Security properties and selecting Deny (only for IUSR). You may need to search the hard disk to get all the versions of these files.
This is to prevent a user from being able to point to those files and execute them, which has been a common hacking exploit.
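Both the system32 tool list under "Other General Changes" and the IUSR Deny step just described need the same verification afterwards: that Everyone and the IUSR account hold no allow entry on those files. The script below is an added example (Python, not the document's or GL Computing's code) that reads the output of the built-in `cacls` tool, for instance `cacls C:\WINNT\system32\cmd.exe C:\WINNT\system32\ftp.exe > acls.txt`, and reports every remaining allow ACE for those principals. It assumes cacls starts each file block with "<path> <first ACE>" and continues with indented "<principal>:<rights>" lines, and treats rights "N" or a "(DENY)" marker as a deny entry; the machine name WEB01 and the sample listing are constructed.

```python
"""Report allow ACEs held by Everyone or IUSR_<machine> on the hardened files.

Added example, not from the GL Computing document. Input is the text output of
`cacls <file> ...`. The deny rendering ("N" or "(DENY)") is an assumption about
how cacls prints deny entries; the sample output and host name are constructed.
"""

# The c:\winnt\system32 tools from "Other General Changes", plus tftp.exe from the
# IUSR step. httpodbc.dll and default.ida live elsewhere and must be found with a
# disk search, then passed to audit_cacls() alongside these paths.
SYSTEM32_TOOLS = (
    "arp.exe", "ipconfig.exe", "netstat.exe", "at.exe", "net.exe", "ping.exe",
    "cacls.exe", "nslookup.exe", "rdisk.exe", "cmd.exe", "posix.exe", "regedt32.exe",
    "debug.exe", "rcp.exe", "route.exe", "edit.com", "regedit.exe", "runonce.exe",
    "edlin.exe", "rexec.exe", "syskey.exe", "finger.exe", "rsh.exe", "tracert.exe",
    "ftp.exe", "telnet.exe", "command.com", "xcopy.exe", "nbtstat.exe", "tftp.exe",
)


def files_to_check(system_root=r"C:\WINNT"):
    """Full paths of the system32 tools under the given system root."""
    return ["%s\\system32\\%s" % (system_root, name) for name in SYSTEM32_TOOLS]


def is_target_principal(principal):
    """Everyone (possibly written DOMAIN\\Everyone) or any IUSR_<machine> account."""
    name = principal.rsplit("\\", 1)[-1]
    return name.lower() == "everyone" or name.upper().startswith("IUSR_")


def is_deny(rights):
    """Assumed cacls rendering of a deny ACE: rights 'N' or a '(DENY)' marker."""
    r = rights.strip().upper()
    return r == "N" or "(DENY)" in r


def audit_cacls(output, files):
    """Return (path, principal, rights) for every allow ACE a target principal
    still holds on one of `files`; blocks for other files are ignored."""
    wanted = {path.lower(): path for path in files}
    findings, current = [], None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():                  # continuation line: one more ACE
            if current is None:
                continue
            ace = raw.strip()
        else:                                 # "<path> <first ACE>" or an error line
            current, ace = None, ""
            lowered = raw.lower()
            for key, path in wanted.items():
                if lowered.startswith(key + " "):   # the trailing space stops net.exe
                    current, ace = path, raw[len(path):].strip()  # matching netstat.exe
                    break
            if current is None:
                continue
        principal, _, rights = ace.partition(":")
        if is_target_principal(principal) and not is_deny(rights):
            findings.append((current, principal, rights))
    return findings


# Constructed sample: cmd.exe still grants Everyone read, ftp.exe still grants the
# IUSR account read, tftp.exe carries the Deny entry the document asks for.
SAMPLE_CACLS = r"""C:\WINNT\system32\cmd.exe BUILTIN\Administrators:F
                          NT AUTHORITY\SYSTEM:F
                          Everyone:R
C:\WINNT\system32\tftp.exe BUILTIN\Administrators:F
                           NT AUTHORITY\SYSTEM:F
                           WEB01\IUSR_WEB01:N
C:\WINNT\system32\ftp.exe BUILTIN\Administrators:F
                          NT AUTHORITY\SYSTEM:F
                          WEB01\IUSR_WEB01:R
                          BUILTIN\Users:R
"""

if __name__ == "__main__":
    for path, principal, rights in audit_cacls(SAMPLE_CACLS, files_to_check()):
        print("%s: %s still has %s" % (path, principal, rights))
```

The document's Deny approach corresponds to `cacls <file> /E /D IUSR_<machine>` (edit the ACL, add a deny), while `cacls <file> /E /R Everyone` revokes the Everyone entry outright; after either, re-run the listing and the audit should come back empty. Read access alone is enough to matter here, because IIS only needs to be able to reach the file for the traversal-style abuse the text refers to.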
If you want increased security you can remove Anonymous access and use Integrated Windows Authentication. This lets you require the additional Windows and domain logins before the ACT login.
Note: different versions of Windows may differ slightly.
1. Right-click the My Computer icon and then click Manage from the shortcut menu. The Computer Management window appears.
2. Expand the Services and Applications option, then expand the Internet Information Services option and select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location; your ActWeb virtual directory location may differ).
3. Right-click the ActWeb virtual directory and then click Properties from the shortcut menu. The ActWeb Properties dialog appears.
4. Under the Directory Security tab, in the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog appears.
5. Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled. The other check boxes depend on your specific security requirements and are not related to ACT for Web's configuration. Note: Digest authentication for Windows domain servers is an option on IIS 5.1 or later.
6. Click OK on these two windows. Your ACT for Web site is now protected by Integrated Windows authentication. You may need to close your browser and re-open it in order to receive the proper login prompt.
IMPORTANT NOTE: The IUSR_[machine name] account will no longer be used by IIS with this configuration. You will need to make sure the user account you log in with has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT database, as well as the installation folder for ACT for Web (default C:\websites).
For more information on how to do this, please read http://itdomino.act.com/act.nsf/docid/200391584653
Additional security can be achieved by making your web site more difficult for potential hackers to find. Two simple ways to do this are:
1. Change the default web site to another TCP port in the Web Site properties. Try not to use any of the other common ports that you may wish to use later. You'll need to state the port when logging in, e.g. http://domain.com:port/actweb. Using SSL (Secure Sockets Layer) on port 443 will also add to the security of your data by encrypting the traffic across the internet. This uses the https protocol instead of http when entering the URL into your browser.
2. Search engines send out "spiders" to obtain information on sites available on the web. This means that searching google.com or other search engines for the phrase "ACT for Web Login" (in quotes) may point to your site (good for public web sites, less good for your corporate database). If you would like to prevent a site from being catalogued in a search engine's database you can take steps to address this. Keep in mind that if you have existing websites they may already have begun to interact with the spiders that crawl their site.
Visit the following links for more information about meta-tags and the robots.txt file. Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites, be they partner sites, competitor sites or search engines. However, these methods are generally honoured by the popular search engines.
http://www.robotstxt.org/wc/robots.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
http://www.robotstxt.org/wc/meta-user.html
Appendix
More tips for the paranoid
Here are some more security suggestions to tighten the security on the server. As before, these need to be discussed with the administrator of the server you are implementing, as some may affect other operations on the server in question.
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Administrators group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up to date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run, type syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACK UP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Change the LegalNoticeCaption value to your company name or site owner
    Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
    Set display list to 10 seconds
    Check "Automatic Reboot"
    Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
    Enforce password history to 8
    Minimum password length to 8
    Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
    Account lockout duration to 10 minutes
    Account lockout threshold to 5
    Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
    Audit account logon events to Success, Failure
    Audit account management to Success, Failure
    Audit directory service access to Success, Failure
    Audit logon events to Success, Failure
    Audit policy change to Success, Failure
    Audit privilege use to Success, Failure
    Audit process tracking to Success, Failure
    Audit system events to Success, Failure
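The Password Policy, Account Lockout Policy and Audit Policy values above can be checked without clicking through the console by exporting the local policy and comparing it with the document's figures. The script below is an added example (Python, not the document's or GL Computing's code). It assumes the policy was exported with `secedit /export /cfg policy.inf`, which writes an INF-style file (UTF-16 on disk) whose [System Access] and [Event Audit] sections carry the settings under the key names used here; the sample export is constructed to look like a near-default Windows 2000 policy.

```python
"""Audit a secedit policy export against the Password, Lockout and Audit values above.

Added example, not from the GL Computing document. Reads the [System Access] and
[Event Audit] sections of `secedit /export /cfg` output. The sample export is
constructed; the key names are those secedit writes.
"""

# Password and lockout settings from the document. "min": the exported value must be
# at least this; "max": it must be at most this and not 0, since 0 (or -1 for
# MaximumPasswordAge) switches the control off entirely.
EXPECTED_SYSTEM_ACCESS = {
    "PasswordHistorySize": (8, "min"),    # Enforce password history: 8
    "MinimumPasswordLength": (8, "min"),  # Minimum password length: 8
    "MaximumPasswordAge": (30, "max"),    # Maximum password age: 30 days
    "LockoutDuration": (10, "min"),       # Account lockout duration: 10 minutes
    "LockoutBadCount": (5, "max"),        # Account lockout threshold: 5 attempts
    "ResetLockoutCount": (10, "min"),     # Reset lockout counter after: 10 minutes
}

# secedit audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
AUDIT_SUCCESS_AND_FAILURE = 3
EXPECTED_EVENT_AUDIT = {key: (AUDIT_SUCCESS_AND_FAILURE, "exact") for key in (
    "AuditAccountLogon", "AuditAccountManage", "AuditDSAccess", "AuditLogonEvents",
    "AuditPolicyChange", "AuditPrivilegeUse", "AuditProcessTracking", "AuditSystemEvents")}


def parse_inf(text):
    """Return {section: {key: value}} from secedit's INF-style export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def load_policy(path):
    """Read a secedit export from disk (secedit writes UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def _meets(actual, expected, rule):
    if actual is None:
        return False              # setting absent from the export: not configured
    if rule == "min":
        return actual >= expected
    if rule == "max":
        return 0 < actual <= expected
    return actual == expected


def audit_policy(inf_text):
    """Return (section, setting, expected, actual) for every setting that fails."""
    sections = parse_inf(inf_text)
    findings = []
    for section, rules in (("System Access", EXPECTED_SYSTEM_ACCESS),
                           ("Event Audit", EXPECTED_EVENT_AUDIT)):
        present = sections.get(section, {})
        for key, (expected, rule) in rules.items():
            raw = present.get(key)
            actual = int(raw) if raw is not None and raw.lstrip("-").isdigit() else raw
            if not _meets(actual, expected, rule):
                findings.append((section, key, expected, actual))
    return findings


# Constructed sample: a near-default policy. The lockout duration and reset keys are
# left out, as an export does while the lockout threshold is 0, so they read as absent.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for section, key, expected, actual in audit_policy(SAMPLE_INF):
        print("[%s] %s: expected %s, found %s" % (section, key, expected, actual))
```

A missing key is reported as a failure rather than skipped, because an absent lockout duration means lockout is not configured at all. A stricter value than the document's (a longer history, a shorter maximum age) passes; the "min"/"max" rules exist so the audit does not punish a tighter local standard.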
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
    Allow System to Be Shut Down Without Having to Log On to Disabled
    Audit Use of Backup and Restore Privilege to Enabled
    Clear Virtual Memory Pagefile When System Shuts Down to Enabled
    Disable CTRL-ALT-DEL Requirement for Logon to Disabled
    Do Not Display Last User Name in Logon Screen to Enabled
    Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
GL Computing Page 26 682004
If you want increased security you can remove Anonymous access and use Windows Integrated Authentication This enables you to use the additional Windows and domain logins prior to the ACT Login
Note different versions of Windows may differ slightly
1 Right-click the My Computer icon and then click Manage from the shortcut menu The Computer Management window appears
2 Expand the Services and Applications option then expand the Internet Information Services option and then select the Default Web Site option so that you can see your ActWeb virtual directory in the right pane (this is the standard installation location your ActWeb virtual directory location may differ)
3 Right-click the ActWeb virtual directory and then click Properties from the shortcut menu The ActWeb Properties dialog appears
4 Under the Directory Security tab in the Anonymous access and authentication control section click Edit The Authentication Methods dialog appears
GL Computing Page 27 682004
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled The other check boxes are dependent on your specific security requirements and are not related to ACT for Webs configuration Note Digest authentication for Windows domain servers is an option on IIS 51 or later
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE The IUSR_[machine name] account will no longer be used by IIS with this configuration You will need to make sure the user account you attempt to log in has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database as well as the installation folder for ACT for Web (default Cwebsites)
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account or disable it after creating another named account with administrator access Renaming the ldquoEveryonerdquo group to a different name can also be useful
Do not use the server to browse the internet also do not browse the internet from an account who is a member of the Admin group Any web attacks would then have complete access to install software and access your system in potentially undesired ways
Run minimal services on the server Run only those services that are necessary for
your purposes Each additional service that you run presents a potential entry point for malicious attacks
Once again we strongly recommend you make sure you regularly update your server with the critical updates from httpwindowsupdatemicrosoftcom and also keep your anti-virus up-to-date
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered Some that we recommend include wwwmicrosoftcomsecuritysecurity_bulletinsdecisionasp wwwcertorgcontact_certcertmaillisthtml nctsymantecstorecomvirusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
httpwwwmicrosoftcomtechnettreeviewurl=technetsecuritytoolsToolsMBSAhomeasp Select the applicable type of server configuration Note This product will automatically set some of the settings below
Start | Run - syskeyexe select Encryption Enabled then select Ok For more information on this (before doing it) see
httpsupportmicrosoftcomdefaultaspxscid=kben-us310105ampProduct=win2000
Chapter
A
H
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
GL Computing Page 27 682004
5 Clear the Anonymous access check box and verify that the Integrated Windows authentication check box is enabled The other check boxes are dependent on your specific security requirements and are not related to ACT for Webs configuration Note Digest authentication for Windows domain servers is an option on IIS 51 or later
6 Click OK on these two windows Your ACT for Web site is now protected by the Integrated Windows authentication You may need to close your browser and re-open it in order to receive the proper login prompt
IMPORTANT NOTE The IUSR_[machine name] account will no longer be used by IIS with this configuration You will need to make sure the user account you attempt to log in has proper permissions set for it in DCOMCNFG and in the security properties of the folder containing your ACT Database as well as the installation folder for ACT for Web (default Cwebsites)
For more information on how to do this please read httpitdominoactcomactnsfdocid200391584653
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account, or disable it after creating another named account with administrator access. Renaming the "Everyone" group to a different name can also be useful.
Do not use the server to browse the internet; also, do not browse the internet from an account that is a member of the Admin group. Any web attack would then have complete access to install software and access your system in potentially undesired ways.
Run minimal services on the server. Run only those services that are necessary for your purposes. Each additional service that you run presents a potential entry point for malicious attacks.
Once again, we strongly recommend you make sure you regularly update your server with the critical updates from http://windowsupdate.microsoft.com and also keep your anti-virus up-to-date.
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as they are discovered. Some that we recommend include www.microsoft.com/security/security_bulletins/decision.asp, www.cert.org/contact_cert/certmaillist.html and nct.symantecstore.com/virusalert.
Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration. Note: this product will automatically set some of the settings below.
Start | Run - syskey.exe, select Encryption Enabled, then select OK. For more information on this (before doing it) see http://support.microsoft.com/default.aspx?scid=kb;en-us;310105&Product=win2000
Your server should now be reasonably secure. For more information also read http://itdomino.act.com/act.nsf/docid/20033410728
Some more suggested Registry changes (BACKUP THE REGISTRY FIRST):
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Change the LegalNoticeCaption value to your company name or site owner
    Change the LegalNoticeText value to "Unauthorized Use"
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
o Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
o Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
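The registry changes above, written as a .reg file that can be imported with `regedit /s filename.reg` once the affected keys have been exported as a backup. This is an added example, not part of the GL Computing guide, and the caption text is a placeholder. Note that on Windows 2000 the Os2, Posix and Optional entries under SubSystems, and the ncacn_ip_tcp and ncadg_ip_udp entries under ClientProtocols, are registry values rather than subkeys, so the file removes them with the `"name"=-` value-deletion syntax instead of the `[-key]` form. Removing the TCP and UDP RPC client protocols affects anything on the server that makes outbound RPC calls, which is exactly the kind of change the note above says to discuss with the server's administrator first.

```reg
Windows Registry Editor Version 5.00

; Logon banner shown before the logon dialog.
; "Example Company" is a placeholder: put the company or site owner name here.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Example Company"
"LegalNoticeText"="Unauthorized Use"

; Os2, Posix and Optional are values of the SubSystems key, so they are
; removed with the value-deletion syntax ("name"=-), not by deleting a key.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Os2"=-
"Posix"=-
"Optional"=-

; Likewise the RPC client protocol bindings are values of ClientProtocols.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_ip_tcp"=-
"ncadg_ip_udp"=-
```

Keeping the change as a file rather than hand-editing in regedt32 gives you something to review, version and re-apply after a rebuild; the exported backup of the same keys is the matching undo.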
Some more suggested Control Panel changes:
o Control Panel | System | Advanced | Startup and Recovery
    Set display list to 10 seconds
    Check "Automatic Reboot"
    Set Write Debugging Information to "none"
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password Policy
    Enforce password history to 8
    Minimum password length to 8
    Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Account Lockout Policy
    Account lockout duration to 10 minutes
    Account lockout threshold to 5
    Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit Policy
    Audit account logon events to Success, Failure
    Audit account management to Success, Failure
    Audit directory service access to Success, Failure
    Audit logon events to Success, Failure
    Audit policy change to Success, Failure
    Audit privilege use to Success, Failure
    Audit process tracking to Success, Failure
    Audit system events to Success, Failure
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options
    Allow System to Be Shut Down Without Having to Log On to Disabled
    Audit Use of Backup and Restore Privilege to Enabled
    Clear Virtual Memory Pagefile When System Shuts Down to Enabled
    Disable CTRL-ALT-DEL Requirement for Logon to Disabled
    Do Not Display Last User Name in Logon Screen to Enabled
    Message Text for Users Attempting to Log On to "Unauthorized use prohibited"
    Message Title for Users Attempting to Log On to the company or site owner's name
    Prevent Users from Installing Printer Drivers to Enabled
    Recovery Console: Allow Automatic Administrative Logon to Disabled
    Restrict CD-ROM Access to Locally Logged-On User to Enabled
    Restrict Floppy Access to Locally Logged-On User to Enabled
    Unsigned Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
    Unsigned Non-Driver Installation Behavior to Do not allow (NOTE: may prevent software installs)
    Additional Restrictions for Anonymous Connections to No access without explicit anonymous permissions
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General
    Deselect all components except "Internet Protocol (TCP/IP)"
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | WINS
    Disable NetBIOS over TCP/IP
    Disable LMHOSTS lookup
o Control Panel | Network and Dial-up Connections | <applicable connections> | Properties | General, select Internet Protocol (TCP/IP), select Properties, select Advanced | Options | TCP/IP filtering
    Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you against breaches of the firewall.
o Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users
    Guest account | General tab | Cannot change password
    Guest account | General tab | Password never expires
    Guest account | General tab | Account disabled
    Guest account | Dial-in tab | Remote Access Permission | Deny access
Services
o Configure the following Windows Services to start automatically:
    DNS Client
    Event Log
    Logical Disk Manager
    IPSec Policy Agent
    Plug and Play
    Protected Storage
    Remote Registry Service
    RunAs
    Security Accounts Manager
    Task Scheduler
o Configure the following Windows Services to start manually:
    Application Management
    ClipBook
    COM+ Event System
    Logical Disk Manager Administrative Service
    Distributed Link Tracking Server
    Fax Service
    File Replication
    Indexing Service
    Internet Connection Sharing
    Net Logon
    NetMeeting Remote Desktop Sharing
    Network Connections
    Network DDE
    Network DDE DSDM
    NT LM Security Support Provider
    Performance Logs and Alerts
    QoS RSVP
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Smart Card
    Smart Card Helper
    Uninterruptible Power Supply
    Utility Manager
    Windows Installer
    Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used:
    Intersite Messaging
    Kerberos Key Distribution Center
    Routing and Remote Access
    Terminal Services
    Print Spooler
    Simple Mail Transport Protocol (SMTP)
    DHCP Client
    Messenger
    Telephony
    Telnet
    Windows Time
Other General Changes
o For the Everyone group (that may have been renamed):
    C: drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
    C: drive, WinNT folder rights: none
    Web folder: Read & Execute, List Folder Contents, Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR account from the following c:\winnt\system32 files, in addition to the ones mentioned above:
    arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
    (and any others not needed)
o Display Properties
    Set screen saver to "Logon Screen Saver"
    Set screen saver wait to 5 minutes
    Check password protect
o Check AntiVirus program
    Enable the "start program on Windows startup" option
    Turn on all activity logs (detection, quarantine, etc.)
    Disable the "audible alert" option
    Check that "how to respond when a virus is found" is set to an automatic action (Norton, for example, uses a default of "ask me what to do")
    Enable scan of "master boot records"
    Enable scan of "boot records"
    Scan all inbound file types
o Vulnerability Scan
    Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.
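The daily log review recommended above, as an added Python example that is not part of the GL Computing guide. It reads a cut-down CSV export of the Security log, which the audit policy settings above populate, and reports three things: sources whose failed logons reach the same 5-in-10-minutes rule as the suggested lockout policy, per-source daily failure totals so that slow, spread-out failures that never trip the lockout still get a human look, and accounts that were actually locked out. Event IDs 528, 529 and 539 are the Windows 2000 successful-logon, bad-password and account-locked-out logon events; the log lines are constructed sample data carrying only the fields this check needs (a real Event Viewer export has more columns and free-text descriptions that you would parse the workstation name out of).

```python
"""Daily review of failed logons from an exported Security log.
Added example, not from the GL Computing guide."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Windows 2000 logon audit event IDs (written when "Audit logon events" is on).
SUCCESSFUL_LOGON = "528"   # Successful logon
FAILED_LOGON = "529"       # Logon failure: unknown user name or bad password
ACCOUNT_LOCKED = "539"     # Logon failure: account locked out

# Mirror the suggested lockout policy: 5 failures within the 10-minute reset window.
LOCKOUT_THRESHOLD = 5
RESET_WINDOW = timedelta(minutes=10)

# Constructed sample, not a real export: only the fields this check needs.
SAMPLE_LOG = """\
timestamp,event_id,account,workstation
2004-08-06 09:01:10,528,alice,WS01
2004-08-06 09:02:05,529,administrator,WS07
2004-08-06 09:02:09,529,administrator,WS07
2004-08-06 09:02:14,529,administrator,WS07
2004-08-06 09:02:20,529,administrator,WS07
2004-08-06 09:02:26,529,administrator,WS07
2004-08-06 09:02:31,539,administrator,WS07
2004-08-06 09:30:00,529,bob,WS02
2004-08-06 11:45:00,529,bob,WS02
2004-08-06 17:10:00,529,bob,WS02
"""


def parse_events(text):
    """Return events as (timestamp, event_id, account, workstation), oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append((when, row["event_id"], row["account"], row["workstation"]))
    rows.sort()
    return rows


def failure_bursts(events, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Sources (account, workstation) whose failed logons reach `threshold`
    inside any sliding `window`, mapped to the largest such burst. These are
    the attempts that trip (or would trip) the lockout policy above."""
    stamps_by_source = defaultdict(list)
    for when, event_id, account, workstation in events:
        if event_id == FAILED_LOGON:
            stamps_by_source[(account, workstation)].append(when)
    bursts = {}
    for source, stamps in stamps_by_source.items():
        start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[source] = max(bursts.get(source, 0), count)
    return bursts


def failure_totals(events):
    """Total failed logons per source for the day, so failures spaced out to
    stay under the lockout threshold are still visible in the daily review."""
    totals = defaultdict(int)
    for _, event_id, account, workstation in events:
        if event_id == FAILED_LOGON:
            totals[(account, workstation)] += 1
    return dict(totals)


def lockouts(events):
    """Accounts that were actually locked out, with the workstation involved."""
    return sorted({(a, w) for _, e, a, w in events if e == ACCOUNT_LOCKED})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("bursts  :", failure_bursts(evts))
    print("totals  :", failure_totals(evts))
    print("lockouts:", lockouts(evts))
```

The burst check and the totals deliberately answer different questions: the first confirms the lockout policy is doing its job and names the source, the second catches the pattern the policy cannot see. With the sample data, administrator from WS07 shows up in all three reports, while bob's three failures spread over a working day appear only in the totals.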
GL Computing Page 28 682004
Additional security can be achieved by making your web site more difficult to find by potential hackers Two simple ways to do this are
1 Change the default web site to another TCP port in the Web Site properties Try not to use any of the other common ports that you may wish to use later Yoursquoll need to state the port when logging in eg httpdomaincomportactweb Using SSL (Secure Sockets Layer ) on port 443 will also add to the security of your data by adding encryption to the flow across the internet This will use an https protocol instead of http when entering the URL into your browser
2 Search engines send out ldquospidersrdquo to obtain information on sites available on the web This means that searching googlecom or other search engines for the phrase ACT for Web Login (in quotes) may point to your site (good for public web sites less good for your corporate database) If you would like to prevent a site from being catalogued in a search engines database you can take steps to address this Keep in mind that if you have existing websites they may have already begun to take the steps to interact with the spiders that may crawl their site
Visit the following links for more information about meta-tags and the robotstxt file Keep in mind that it is impossible to prevent any directly accessible resource on a site from being linked to by external sites be it by their partner sites competitive sites or search engines However these methods are generally accepted by the popular search engines
httpwwwrobotstxtorgwcrobotshtml
httpwwwsearchengineworldcomrobotsrobots_tutorialhtm
httpwwwrobotstxtorgwcmeta-userhtml
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account or disable it after creating another named account with administrator access Renaming the ldquoEveryonerdquo group to a different name can also be useful
Do not use the server to browse the internet also do not browse the internet from an account who is a member of the Admin group Any web attacks would then have complete access to install software and access your system in potentially undesired ways
Run minimal services on the server Run only those services that are necessary for
your purposes Each additional service that you run presents a potential entry point for malicious attacks
Once again we strongly recommend you make sure you regularly update your server with the critical updates from httpwindowsupdatemicrosoftcom and also keep your anti-virus up-to-date
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered Some that we recommend include wwwmicrosoftcomsecuritysecurity_bulletinsdecisionasp wwwcertorgcontact_certcertmaillisthtml nctsymantecstorecomvirusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
httpwwwmicrosoftcomtechnettreeviewurl=technetsecuritytoolsToolsMBSAhomeasp Select the applicable type of server configuration Note This product will automatically set some of the settings below
Start | Run - syskeyexe select Encryption Enabled then select Ok For more information on this (before doing it) see
httpsupportmicrosoftcomdefaultaspxscid=kben-us310105ampProduct=win2000
Chapter
A
H
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
GL Computing Page 29 682004
Appendix
More tips for the paranoid
ere are some more security suggestions to tighten the security on the server ndash as before these need to be discussed with the administrator of the server you are implementing as some may effect other operations on the server in question
Rename the Administrator account or disable it after creating another named account with administrator access Renaming the ldquoEveryonerdquo group to a different name can also be useful
Do not use the server to browse the internet also do not browse the internet from an account who is a member of the Admin group Any web attacks would then have complete access to install software and access your system in potentially undesired ways
Run minimal services on the server Run only those services that are necessary for
your purposes Each additional service that you run presents a potential entry point for malicious attacks
Once again we strongly recommend you make sure you regularly update your server with the critical updates from httpwindowsupdatemicrosoftcom and also keep your anti-virus up-to-date
Subscribe to security bulletins to keep aware of the latest threats and vulnerabilities as discovered Some that we recommend include wwwmicrosoftcomsecuritysecurity_bulletinsdecisionasp wwwcertorgcontact_certcertmaillisthtml nctsymantecstorecomvirusalert
Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
httpwwwmicrosoftcomtechnettreeviewurl=technetsecuritytoolsToolsMBSAhomeasp Select the applicable type of server configuration Note This product will automatically set some of the settings below
Start | Run - syskeyexe select Encryption Enabled then select Ok For more information on this (before doing it) see
httpsupportmicrosoftcomdefaultaspxscid=kben-us310105ampProduct=win2000
Chapter
A
H
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
Disable NetBIOS over TCPIP
Disable LMHOSTS lookup
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedOptionsTCPIP filtering
Disable or filter all TCP UDP and IP ports as needed ndash although it is often better to
do this from an external firewall doing it through both assists in protecting you against
breeches of the firewall
o Control Panel Administrative ToolsComputer ManagementLocal Users and
GroupsUsers
Guest accountGeneral TabCannot change password
Guest accountGeneral TabPassword never expires
Guest accountGeneral TabAccount disabled
Guest accountDial-in Tab Remote Access PermissionDeny access
GL Computing Page 32 682004
Services
o Configure the following Windows Services to start automatically
DNS Client
Event Log
Logical Disk Manager
IPSec Policy Agent
Plug and Play
Protected Storage
Remote Registry Service
RunAs
Security Accounts Manager
Task Scheduler
o Configure the following Windows Services to start manually
Application Management
ClipBook
COM+ Event System
Logical Disk Manager Administrative Service
Distributed Link Tracking Server
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
Net Logon
Netmeeting Remote Desktop
Network Connections
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
Qos RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Unit Power Supply
Utility Manager
Windows Installer
Windows Management Instrumentation Driver Extensions
o Disable the following Windows Services if they are not being used
Intersite Messaging
Kerberos Key Distribution Center
Routing and Remote Access
Terminal Services
Print Spooler
Simple Mail Transport Protocal (SMTP)
DHCP Client
Messenger
Telephony
Telnet
Windows Time
GL Computing Page 33 682004
Other General Changes
o For the Everyone Group (that may have been renamed)
C Drive Document and Settings folder rights Read amp Execute List Folder Contents
Read
C Drive WinNT folder rights none
Web folder Read amp Execute List Folder Contents Read
o Remove all rights for the Everyone group (that may have been renamed) and the IUSR
account from following cwinntsystem32 files in addition to the ones mentioned
above
arpexe ipconfigexe netstatexe atexe netexe pingexe caclsexe nslookupexe
rdiskexe cmdexe posixexe regedt32exe debugexe rcpexe routeexe editcom
regeditexe runoneexe edlinexe rexecexe syskeyexe fingerexe rshexe tracertexe
ftpexe telnetexe commandexe xcopyexe nbtstatexe
(And any others not needed)
o Display Properties
Set screen saver to ldquoLogon Screen Saverrdquo
Set screen saver to 5 minutes
Check password protect
o Check AntiVirus program
Enable ldquostart program on Windows startuprdquo option
Turn on all activity logs (detection quarantine etc)
Disable ldquoaudible alertrdquo option
Check that ldquohow to respond when a virus is foundrdquo is set for an automatic solution
(Norton for example uses the a default of ldquoask me what to dordquo)
Enable scan of ldquomaster boot recordsrdquo
Enable scan of ldquoboot recordsrdquo
Scan all inbound file types
o Vulnerability Scan
Use a vulnerability scanner or scanning services to verify your site is secure and no
vulnerability exist A web search for the term ldquovulnerability scannerrdquo will yield numerous
companies to select from
NOTE Other security steps may be required based on you system architecture and specific needs
Site and server security requires daily procedures to insure a proper defence Security patched must be
applied upon release and the system and firewall logs need to be reviewed daily to track activity and
intrusion attempts
GL Computing Page 30 682004
Your server should now be reasonably secure For more information also read httpitdominoactcomactnsfdocid20033410728
Some more suggested Registry changes ndash BACKUP THE REGISTRY FIRST
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
Change LegalNoticeCaption value to your company name or site owner
Change LegalNoticeText value to ldquoUnauthorized Userdquo
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsOS2
o Delete HKLMSystemCurrentControlSetControlSession ManagaerSubSystemsPosix
o Delete HKLMSystemCurrentControlSetControlSession
ManagaerSubSystemsOptional
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncacn_ip_tcp
o Delete HKLMSoftwareMicrosoftRPC ClientProtocolsncagd_ip_upd
Some more suggested Control Panel changes
o Control Panel | System | Advanced Startup and Recovery
Set display list to 10 seconds
Check ldquoAutomatic Rebootrdquo
Set Write Debugging Information to ldquononerdquo
o Control Panel | Administrative Tools | Local Security Policy | Account Policies | Password
Policy
Enforce password history to 8
Minimum password length to 8
Maximum password age to 30
o Control Panel | Administrative Tools | Local Security Policy | Account Policies |
Account Lockout Policy
Account lockout duration to 10 minutes
Account lockout threshold to 5
Reset account lockout counter to 10 minutes
o Control Panel | Administrative Tools | Local Security Policy | Local Policies | Audit
Policy
Audit account logon events to Success Failure
Audit account management to Success Failure
Audit directory service access to Success Failure
Audit login events to Success Failure
Audit policy change to Success Failure
Audit privilege use to Success Failure
Audit process tracking to Success Failure
Audit system events to Success Failure
GL Computing Page 31 682004
o Control Panel Administrative ToolsLocal Security PolicyLocal PoliciesSecurity
Options
Allow System to Be Shut Down Without Having to Login On to Disabled
Audit Use of Backup and Restore Privilege to Enabled
Clear Virtual Memory Pagefile When System Shuts Down to Enabled
Disable CTRL-ALT-DEL Requirements for Login to Disabled
Do Not Display Last User Name in Login Screen to Enabled
Message Text for Users Attempting to Log On to ldquoUnauthorized use prohibitedrdquo
Message Title for Users Attempting to Log On to company or site owners name
Prevent Users from Installing Printer Drivers to Enabled
Recovery Console Allow Automatic Administrative Login to Disabled
Restrict CD-ROM Access to Locally Logged-On User to Enabled
Restrict Floppy Access to Locally Logged-On user to Enabled
Set Unsigned Driver Installation Behavior to Do not allow (NOTE May prevent
software installs)
Unsigned Non-Driver Installation Behavior to Do no allow (NOTE May prevent
software installs)
Additional restrictions for anonymous connections to No access without explicit
anonymous permissions
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral
Deselect all components except ldquoInternet Protocol (TCPIP)rdquo
o Control PanelNetwork and Dial-up Connectionsltapplicable
connectionsgtPropertiesGeneral select Internet Protocol (TCPIP) select
Properties select AdvancedWins
o Control Panel\Administrative Tools\Local Security Policy\Local Policies\Security Options
    Allow system to be shut down without having to log on: Disabled
    Audit use of Backup and Restore privilege: Enabled
    Clear virtual memory pagefile when system shuts down: Enabled
    Disable CTRL+ALT+DEL requirement for logon: Disabled
    Do not display last user name in logon screen: Enabled
    Message text for users attempting to log on: "Unauthorized use prohibited"
    Message title for users attempting to log on: the company or site owner's name
    Prevent users from installing printer drivers: Enabled
    Recovery Console: Allow automatic administrative logon: Disabled
    Restrict CD-ROM access to locally logged-on user only: Enabled
    Restrict floppy access to locally logged-on user only: Enabled
    Unsigned driver installation behavior: Do not allow installation (NOTE: may prevent some software installs; set it back to Warn for the duration of a trusted install, then restore it)
    Unsigned non-driver installation behavior: Do not allow installation (NOTE: may prevent some software installs)
    Additional restrictions for anonymous connections: No access without explicit anonymous permissions (this is the strictest level; it is right for a standalone web server, but it can break network browsing and Windows NT 4 trusts on a domain member)
o Control Panel\Network and Dial-up Connections\<applicable connection>\Properties\General
    Deselect all components except "Internet Protocol (TCP/IP)". On the Internet-facing connection this unbinds Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks, so that connection neither offers nor uses Windows file sharing.
o Control Panel\Network and Dial-up Connections\<applicable connection>\Properties\General, select Internet Protocol (TCP/IP), select Properties, select Advanced\WINS
    Disable NetBIOS over TCP/IP
    Disable LMHOSTS lookup
    Afterwards "netstat -an" should show nothing listening on TCP 139 or UDP 137 and 138 for that address. TCP 445 (direct-hosted SMB) is not affected by this setting and has to be blocked by TCP/IP filtering or the firewall.
o Control Panel\Network and Dial-up Connections\<applicable connection>\Properties\General, select Internet Protocol (TCP/IP), select Properties, select Advanced\Options\TCP/IP filtering
    Disable or filter all TCP, UDP and IP ports as needed. Although it is often better to do this from an external firewall, doing it in both places helps protect you if the firewall is breached. The host filter applies to inbound traffic only and is not stateful: permit only the ports the server actually listens on (80 and 443 for a web server, plus whatever port you administer it over, or you will lock yourself out), and test name resolution after adding a UDP permit list, because replies to the server's own DNS queries arrive on dynamic UDP ports and can be dropped.
o Control Panel\Administrative Tools\Computer Management\Local Users and Groups\Users
    Guest account, General tab: User cannot change password
    Guest account, General tab: Password never expires
    Guest account, General tab: Account is disabled
    Guest account, Dial-in tab: Remote Access Permission set to Deny access
    ("net user guest" from a command prompt should then report "Account active  No".)
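Everything on this page is set through the GUI, which makes it hard to prove later that a given server still has it. The script below is an added example written for this edition, not part of the GL Computing document: it reads the registry values that back the Security Options listed above and the Win32_NetworkAdapterConfiguration properties behind the WINS and TCP/IP filtering tabs, reports each against the expected value, and can apply the NetBIOS and port-filter settings to the Internet-facing adapter. It assumes PowerShell 2.0 or later running on the server itself from an Administrator prompt (so Windows Server 2003 or later, not a bare Windows 2000 install), the Windows 2000/2003 registry locations named in the table (verify them with "secedit /export /cfg" on your own build), and an example permit list of TCP 80 and 443 that you must extend with your own management port.

```powershell
# Added audit script, not part of the GL Computing document. Assumes PowerShell 2.0+, run as
# Administrator on the server. Registry paths are the documented backing values for the Windows
# 2000/2003 Security Options above; confirm against "secedit /export /cfg" on your build.

# One row per Security Option: where it lives, what the lockdown expects, the policy it backs.
# Expect = $null means "must be set to something" (the logon title is site-specific).
# Absent = value to assume when the registry entry does not exist (the OS default).
$SecurityOptions = @(
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='ShutdownWithoutLogon'; Expect='0'; Policy='Allow system to be shut down without having to log on: Disabled' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='FullPrivilegeAuditing'; Expect=1; Policy='Audit use of Backup and Restore privilege: Enabled' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name='ClearPageFileAtShutdown'; Expect=1; Policy='Clear virtual memory pagefile when system shuts down: Enabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='DisableCAD'; Expect=0; Absent=0; Policy='Disable CTRL+ALT+DEL requirement for logon: Disabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='DontDisplayLastUserName'; Expect='1'; Policy='Do not display last user name in logon screen: Enabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='LegalNoticeText'; Expect='Unauthorized use prohibited'; Policy='Message text for users attempting to log on' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='LegalNoticeCaption'; Expect=$null; Policy='Message title for users attempting to log on' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'; Name='AddPrinterDrivers'; Expect=1; Policy='Prevent users from installing printer drivers: Enabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'; Name='SecurityLevel'; Expect=0; Absent=0; Policy='Recovery Console: allow automatic administrative logon: Disabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AllocateCDRoms'; Expect='1'; Policy='Restrict CD-ROM access to locally logged-on user only: Enabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AllocateFloppies'; Expect='1'; Policy='Restrict floppy access to locally logged-on user only: Enabled' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Driver Signing'; Name='Policy'; Expect=2; Policy='Unsigned driver installation behavior: Do not allow' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Non-Driver Signing'; Name='Policy'; Expect=2; Policy='Unsigned non-driver installation behavior: Do not allow' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous'; Expect=2; Absent=0; Policy='Additional restrictions for anonymous connections: No access without explicit anonymous permissions' }
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $value = $item.$Name
    if ($value -is [byte[]]) { return [int]$value[0] }   # REG_BINARY flags: the first byte carries the setting
    return $value
}

function Test-SecurityOptions {
    $report = @()
    foreach ($opt in $SecurityOptions) {
        $actual = Get-RegistryValue -Path $opt.Path -Name $opt.Name
        if ($actual -eq $null -and $opt.ContainsKey('Absent')) { $actual = $opt.Absent }
        if ($opt.Expect -eq $null) { $ok = -not [string]::IsNullOrEmpty("$actual") }
        else { $ok = ("$actual" -eq "$($opt.Expect)") }
        $report += New-Object PSObject -Property @{ Policy=$opt.Policy; Expected=$opt.Expect; Actual=$actual; Ok=$ok }
    }
    $report
}

function Test-NetworkHardening {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled (the WINS tab above).
    # IPFilterSecurityEnabled is the global "Enable TCP/IP Filtering (All adapters)" box; the permit
    # lists are per adapter, where an empty list permits nothing and a single "0" permits everything.
    foreach ($nic in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        New-Object PSObject -Property @{
            Adapter          = $nic.Description
            IPAddress        = ($nic.IPAddress -join ', ')
            NetbiosDisabled  = ($nic.TcpipNetbiosOptions -eq 2)
            FilteringEnabled = [bool]$nic.IPFilterSecurityEnabled
            TcpPermitted     = ($nic.IPSecPermitTCPPorts -join ', ')
            UdpPermitted     = ($nic.IPSecPermitUDPPorts -join ', ')
            IpProtoPermitted = ($nic.IPSecPermitIPProtocols -join ', ')
        }
    }
}

function Set-InternetFacingAdapter {
    # Applies the WINS-tab and TCP/IP filtering settings above to the adapter holding $IPAddress.
    # Assumed port list: only the web listener is reachable. Add the port you administer the box
    # over (3389 if Terminal Services stays enabled, for example) or you will lock yourself out.
    param([Parameter(Mandatory=$true)][string]$IPAddress, [string[]]$TcpPorts = @('80','443'))
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.IPAddress -contains $IPAddress }
    if ($nic -eq $null) { throw "no IP-enabled adapter has address $IPAddress" }
    $rc = @{}
    $rc.Netbios  = $nic.SetTcpipNetbios(2).ReturnValue
    # UDP and IP protocols are left at "0" (permit all): the host filter is stateless, so a UDP
    # permit list would also drop replies to the server's own DNS queries; leave UDP to the firewall.
    $rc.Filter   = $nic.EnableIPSec($TcpPorts, @('0'), @('0')).ReturnValue
    $rc.GlobalOn = ([wmiclass]'Win32_NetworkAdapterConfiguration').EnableIPFilterSec($true).ReturnValue
    return $rc   # 0 = applied, 1 = applied but a reboot is required, anything else = error
}

# Usage (reporting only; uncomment the last line to apply, with your own address and ports):
Test-SecurityOptions | Format-Table Ok, Policy, Actual -AutoSize
Test-NetworkHardening | Format-List
# Set-InternetFacingAdapter -IPAddress '203.0.113.10' -TcpPorts 80,443,3389
```

Run the two Test- functions before and after working through the GUI steps, and keep the "after" output with the server's build notes; an Ok column that is all True is the evidence that the lockdown was done. Set-InternetFacingAdapter changes the live adapter, so run it from the console or over a connection on a different interface, never over the one it is about to filter.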
Services
o Configure the following Windows services to start automatically:
    DNS Client
    Event Log
    Logical Disk Manager
    IPSec Policy Agent
    Plug and Play
    Protected Storage
    Remote Registry Service (only if the server is administered remotely with Computer Management, Performance Monitor or similar tools; if nothing manages it over the network, set it to Disabled instead)
    RunAs
    Security Accounts Manager
    Task Scheduler
o Configure the following Windows services to start manually:
    Application Management
    ClipBook
    COM+ Event System
    Logical Disk Manager Administrative Service
    Distributed Link Tracking Server
    Fax Service
    File Replication
    Indexing Service
    Internet Connection Sharing
    Net Logon
    NetMeeting Remote Desktop Sharing
    Network Connections
    Network DDE
    Network DDE DSDM
    NT LM Security Support Provider
    Performance Logs and Alerts
    QoS RSVP
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Smart Card
    Smart Card Helper
    Uninterruptible Power Supply
    Utility Manager
    Windows Installer
    Windows Management Instrumentation Driver Extensions
o Disable the following Windows services if they are not being used:
    Intersite Messaging
    Kerberos Key Distribution Center
    Routing and Remote Access
    Terminal Services (if it is your remote administration path, leave it enabled and restrict TCP 3389 to the management network at the firewall and in TCP/IP filtering)
    Print Spooler
    Simple Mail Transport Protocol (SMTP)
    DHCP Client (the server should have a static address)
    Messenger
    Telephony
    Telnet
    Windows Time (disable only if the clock is synchronised some other way; accurate time is needed to correlate the web, system and firewall logs)
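Setting forty-odd start modes by hand in the Services console is error-prone, and nothing in the console tells you later which ones have drifted. The script below is an added example written for this edition, not part of the GL Computing document: it holds the baseline above as a table, compares it with the start mode of each service through Win32_Service, and can apply the baseline (stopping a service before disabling it). It assumes PowerShell 2.0 or later run as Administrator on the server, and it uses the Windows 2000 display names, which differ slightly from the list in a few places (IPSEC Policy Agent, RunAs Service, NetMeeting Remote Desktop Sharing, Uninterruptible Power Supply); on Windows Server 2003 some names differ again, so a name that is not found is reported as NOT PRESENT rather than changed.

```powershell
# Added example, not part of the GL Computing document. Assumes PowerShell 2.0+, run as
# Administrator on the server. Display names assumed to be the Windows 2000 ones; adjust for 2003.

$auto = 'DNS Client','Event Log','Logical Disk Manager','IPSEC Policy Agent','Plug and Play',
        'Protected Storage','Remote Registry Service','RunAs Service','Security Accounts Manager',
        'Task Scheduler'
$manual = 'Application Management','ClipBook','COM+ Event System',
          'Logical Disk Manager Administrative Service','Distributed Link Tracking Server',
          'Fax Service','File Replication','Indexing Service','Internet Connection Sharing',
          'Net Logon','NetMeeting Remote Desktop Sharing','Network Connections','Network DDE',
          'Network DDE DSDM','NT LM Security Support Provider','Performance Logs and Alerts',
          'QoS RSVP','Remote Access Auto Connection Manager','Remote Access Connection Manager',
          'Remote Procedure Call (RPC) Locator','Smart Card','Smart Card Helper',
          'Uninterruptible Power Supply','Utility Manager','Windows Installer',
          'Windows Management Instrumentation Driver Extensions'
$disabled = 'Intersite Messaging','Kerberos Key Distribution Center','Routing and Remote Access',
            'Terminal Services','Print Spooler','Simple Mail Transport Protocol (SMTP)',
            'DHCP Client','Messenger','Telephony','Telnet','Windows Time'

# Baseline keyed by display name; values use Win32_Service.StartMode spelling.
$ServiceBaseline = @{}
foreach ($n in $auto)     { $ServiceBaseline[$n] = 'Auto' }
foreach ($n in $manual)   { $ServiceBaseline[$n] = 'Manual' }
foreach ($n in $disabled) { $ServiceBaseline[$n] = 'Disabled' }

function Test-ServiceBaseline {
    # One row per baseline entry: expected versus configured start mode and current state.
    $services = Get-WmiObject Win32_Service
    $report = @()
    foreach ($display in ($ServiceBaseline.Keys | Sort-Object)) {
        $svc = $services | Where-Object { $_.DisplayName -eq $display }
        if ($svc) { $actual = $svc.StartMode; $state = $svc.State }
        else      { $actual = 'NOT PRESENT';  $state = '' }
        $report += New-Object PSObject -Property @{
            Service = $display; Expected = $ServiceBaseline[$display]; Actual = $actual; State = $state
            Ok = ($actual -eq $ServiceBaseline[$display])
        }
    }
    $report
}

function Set-ServiceBaseline {
    param([switch]$WhatIf)
    # Win32_Service reports 'Auto' but ChangeStartMode expects 'Automatic'.
    $modeName = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($row in (Test-ServiceBaseline | Where-Object { -not $_.Ok -and $_.Actual -ne 'NOT PRESENT' })) {
        if ($WhatIf) { Write-Host "Would set '$($row.Service)' from $($row.Actual) to $($row.Expected)"; continue }
        $svc = Get-WmiObject Win32_Service -Filter "DisplayName = '$($row.Service)'"
        # A service being disabled is also stopped, so the change takes effect without a reboot.
        if ($row.Expected -eq 'Disabled' -and $svc.State -eq 'Running') { [void]$svc.StopService() }
        $rc = $svc.ChangeStartMode($modeName[$row.Expected]).ReturnValue
        Write-Host ("{0,-50} {1,-8} -> {2,-9} rc={3}" -f $row.Service, $row.Actual, $row.Expected, $rc)
    }
}

# Usage: report first, preview the changes, then apply.
Test-ServiceBaseline | Where-Object { -not $_.Ok } | Format-Table Service, Expected, Actual, State -AutoSize
Set-ServiceBaseline -WhatIf
# Set-ServiceBaseline
```

Edit the three name lists before the first run if you have decided to keep Terminal Services or Windows Time, and never run Set-ServiceBaseline over a Terminal Services session while Terminal Services is in the disabled list: the script will stop the service you are connected through. A ChangeStartMode return code of 0 means the change was accepted; anything else is a Win32_Service error code and the row should be fixed by hand in the Services console.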
Other General Changes
o For the Everyone group (which may have been renamed):
    C: drive, Documents and Settings folder: Read & Execute, List Folder Contents, Read
    C: drive, WINNT folder: no rights
    Web folder: Read & Execute, List Folder Contents, Read
    Administrators, SYSTEM and the accounts IIS runs under keep their own entries, so removing Everyone from WINNT does not stop the server working, but do confirm that the anonymous site still serves pages after the change.
o Remove all rights for the Everyone group (which may have been renamed) and the IIS anonymous account (IUSR_<computername> by default) from the following files in C:\WINNT\system32, in addition to the ones mentioned above. These are the tools an attacker who has compromised the web application would use to run commands, map the network or move files, and the anonymous web user has no business executing any of them:
    arp.exe, ipconfig.exe, netstat.exe, at.exe, net.exe, ping.exe, cacls.exe, nslookup.exe, rdisk.exe, cmd.exe, posix.exe, regedt32.exe, debug.exe, rcp.exe, route.exe, edit.com, regedit.exe, runonce.exe, edlin.exe, rexec.exe, syskey.exe, finger.exe, rsh.exe, tracert.exe, ftp.exe, telnet.exe, command.com, xcopy.exe, nbtstat.exe
    (and any others not needed)
o Display Properties
    Set the screen saver to "Logon Screen Saver"
    Set the wait time to 5 minutes
    Tick "Password protected"
o Check the anti-virus program
    Enable the "start program on Windows startup" option
    Turn on all activity logs (detection, quarantine, etc.)
    Disable the "audible alert" option
    Check that "how to respond when a virus is found" is set to an automatic action. Norton, for example, defaults to "ask me what to do", which on an unattended server means the prompt sits on the console and the infected file stays where it is until somebody logs on.
    Enable scanning of master boot records
    Enable scanning of boot records
    Scan all inbound file types
o Vulnerability scan
    Use a vulnerability scanner or a scanning service to verify that the site is secure and no known vulnerabilities remain. A web search for the term "vulnerability scanner" will yield numerous companies to select from. Scan from outside the firewall as well as from the local network, and repeat the scan after every configuration change or patch.
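Removing Everyone and the anonymous account from thirty files one Security tab at a time is slow, and the Everyone entry on each file is usually inherited from the system32 folder, which the Security tab will not let you remove until inheritance is broken. The script below is an added example written for this edition, not part of the GL Computing document: it breaks inheritance on each listed tool (keeping copies of the inherited entries for Administrators and SYSTEM), purges the Everyone and IUSR entries, and provides a report function so you can prove the entries are gone. It assumes PowerShell 2.0 or later run as Administrator, that the anonymous account has the default name IUSR_<computername> (change $Identities if it was renamed), and that tools absent from the installed Windows version (posix.exe and edlin.exe on Windows Server 2003, for example) should simply be skipped.

```powershell
# Added example, not part of the GL Computing document. Assumes PowerShell 2.0+, run as
# Administrator, and the default IUSR_<computername> anonymous account name.

$Tools = 'arp.exe','ipconfig.exe','netstat.exe','at.exe','net.exe','ping.exe','cacls.exe',
         'nslookup.exe','rdisk.exe','cmd.exe','posix.exe','regedt32.exe','debug.exe','rcp.exe',
         'route.exe','edit.com','regedit.exe','runonce.exe','edlin.exe','rexec.exe','syskey.exe',
         'finger.exe','rsh.exe','tracert.exe','ftp.exe','telnet.exe','command.com','xcopy.exe',
         'nbtstat.exe'
$Identities = 'Everyone', "IUSR_$env:COMPUTERNAME"     # change if the anonymous account was renamed
$System32   = Join-Path $env:SystemRoot 'system32'

function Get-ToolAccess {
    # Lists, per tool, which of $Identities still hold an entry; no output means the job is done.
    foreach ($name in $Tools) {
        $file = Join-Path $System32 $name
        if (-not (Test-Path $file)) { continue }
        foreach ($ace in (Get-Acl -Path $file).Access) {
            # IdentityReference.Value is "COMPUTER\IUSR_COMPUTER" for local accounts, so compare the leaf.
            $who = $ace.IdentityReference.Value.Split('\')[-1]
            if ($Identities -contains $who) {
                New-Object PSObject -Property @{ File = $name; Identity = $ace.IdentityReference.Value
                                                 Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Remove-ToolAccess {
    param([switch]$WhatIf)
    foreach ($name in $Tools) {
        $file = Join-Path $System32 $name
        if (-not (Test-Path $file)) { Write-Warning "$name is not on this system, skipped"; continue }
        if ($WhatIf) { Write-Host "Would remove $($Identities -join ' and ') from $file"; continue }
        $acl = Get-Acl -Path $file
        # Inherited entries cannot be purged. Make the file's ACL explicit first (copying the
        # inherited entries), write it, and re-read it so every entry is now removable.
        if (-not $acl.AreAccessRulesProtected) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -Path $file -AclObject $acl
            $acl = Get-Acl -Path $file
        }
        foreach ($id in $Identities) {
            $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($id)))
        }
        Set-Acl -Path $file -AclObject $acl
    }
}

# Usage: see what is there, preview, apply, then confirm nothing is left.
Get-ToolAccess | Format-Table File, Identity, Rights, Inherited -AutoSize
Remove-ToolAccess -WhatIf
# Remove-ToolAccess
# Get-ToolAccess
```

Keep the "before" output of Get-ToolAccess with the server's build notes, and re-run it after every service pack or hotfix: a replaced file comes back with the folder's inherited ACL, which puts Everyone straight back on cmd.exe. The change only bites code running as the anonymous user; a web application running under a more privileged identity still has the tools, which is why the earlier chapters have IIS running its applications as IUSR in the first place.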
NOTE: Other security steps may be required based on your system architecture and specific needs. Site and server security requires daily procedures to ensure a proper defence: security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.