| | | |
| | 
| | 
| |
| | Internet Information Services Index IIS is a powerful web server component for Server Editions of Windows going back to Windows NT 3.51
(which supported the original version 1.0 of the Server), and more recently as a component of the 'Professional' Edition of Windows 2000 and XP.
Over the next few pages I hope that you will learn enough information to operate your own
basic website or FTP Server, regulate access to it, be able to create a virtual directory and most importantly of all configure IIS for greater security.
Part 1: Setting up a password protected FTP Server
Part 2: Controlling Server Access
Part 3: Virtual Directories
Part 4: Locking down the server | |
| | 
| | 
| |
| | | |
| 
| | 
|
Copyright © 2002-2008, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.
Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk
| 
| 
| 
|
| | | |
| |
| |
| |
| | Creating a password protected Personal FTP Server using
Microsoft Internet Information Services 5.x and 6.x
Note: Installation steps apply only to Microsoft Windows 2000, XP Professional, Media Center Edition, Tablet PC Edition or Windows Server 2003. If you are using Windows XP Home Edition you will need to install a 3rd Party FTP server as the components used in this guide are not available on Home Edition Machines. It should be noted that there is a 10 connection limit and a maximum file size limit of 2 Gb in IIS on non Server editions of Windows.
To find a list of 3rd party servers click here.
First of all you would need to create a new limited password protected user
which will be used to logon to the ftp server. In Windows XP you can do this via Users in the control Panel
Next go to add/remove programs, then add/remove windows components from the left bar, an item called 'Internet information services (IIS)' will be listed, select this and click the details button. For an FTP server you only require 'common files', 'file transfer protocol (FTP) service' and 'Internet Information Services Snap-in', click ok and then next (you'll be prompted for your Windows installer CD at this point). If you wish to host web pages you will need common files and the world wide web service item within the details of world wide web service.
After IIS has installed go to administrative tools in the control panel (classic view) and open Internet Information Services.
Expand <Your PC Name> (Local Computer) and do the same for FTP Sites. Now
right click on 'default ftp site' and view its properties. Click the
security accounts tab and uncheck 'allow anonymous connections'. if you also
wish your users to write to the server click the home directory tab and put
a tick in the Write box. If your using the Windows XP firewall or 3rd Party firewall you will need to open port 21 for to allow users to connect to the server.
The area files will be read and written to on your hard disk is C:\Inetpub\ftproot. The FTP service logs are stored in %windir%\system32\Logfiles\MSFTPSVC1 in the
default configuration. These locations can be changed on the Home Directory and FTP Site tabs of the default ftp site properties respectively.
After reaching this stage it is advisable to visit the Windows Update site as the
Security roll up patches for IIS are fairly important. If you are using Windows XP be sure to have installed Service Pack 1, or Service Pack 4 if you are using Windows 2000 (Users of Windows 2000 and XP please see part 4 of this guide). If you are using Windows Server 2003 and have terminal services also installed, check the properties of the new user you have created for this server and be sure to uncheck ‘Allow logon to Terminal Services’ on the Remote Access tab, by default this will be checked and enable remote logon which is a security risk.
Part 2: Controlling Server Access | |
| |
| |
| |
| | | |
|
| |
|
Copyright © 2002-2004, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.
Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk
|
| 
|
|
| | | |
| |
| |
| |
| | Controlling user access and permissions to your IIS FTP Server Please note modifying permissions requires a hard disk formatted using the NTFS file system, should you need to convert your drive or want to know more about NTFS see here
To use NTFS restrictions to control user access on your server the first thing you will need to do is to disable simple file sharing. To do this open my computer, go to Tools > Folder Options and select the View tab. Scroll down the the bottom of the advanced settings list and uncheck 'Use simple file sharing'. 
What this does is enable us to manage security setting for folders and file shares manually. Now open C:\Inetpub\ftproot right click on the file or folder you wish to restrict and view its properties. Select the security tab, then the advanced button and uncheck 'Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here'. Then click OK. A message box will appear containing the following text | ---------------------------
Security
---------------------------
You have denied everyone access to <Folder Name>. No one will be able to access <Folder Name> and only the owner will be able to change the permissions.
Do you wish to continue?
---------------------------
Yes No
--------------------------- | Select Yes (Should you need to take ownership of a file this can be done in the owner tab of advanced). You can then add users by clicking on the 'Add' button shown under 'group or user names' (You should add your username to this list also). You require list folder contents and read to open the folder over ftp (Also list folder contents if a folder). If you are managing the permissions on a folder be sure to go back into advanced after you have created your user list and 'replace permission entries on all child objects with entries shown here that apply to child objects'. Doing this ensures all objects in a folder have the same permissions as the folder containing them. FTP/User Home Directories
A home directory on an ftp server is the location that a particular user will go to directly when they logon. So if you have two users, one will go to one folder automatically, and the other to a different one. To the user it will appear they are at the root of the ftp server. To set this up all you need to do is create a folder at the root of the ftp with the name of the user you wish to go there. If you want to do this so the user can only read their folder you would need to ensure they had NTFS read permissions to their folder but not for the root of the FTP site or anyone elses folder.
Part 3: Virtual Directories | |
| |
| |
| |
| | | |
|
| |
|
Copyright © 2002-2003, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.
Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk
|
|
|
|
| | | |
| |
| |
| |
| | Virtual Directories When your using IIS to serve web pages what normally happens is you need to have all files which will be accessible over HTTP in the wwwroot folder of the server. What a virual directory will do is enable you to give the impression that a file is in a certain place on the server, when infact it could be somewhere else on the machines hard disk or on another networked system. This was something I used when creating this site, my actual pages were stored in F:\Site\v2\Beta but I was able to access the files by going to http://localhost/site. There isn't really a need to use virtual directories unless your using content which is spread out. To create a Virtual Directory you first need to open the IIS Managment Console, you can do this either from Administrative tools or by going to start > run and entering
%SystemRoot%\System32\inetsrv\iis.msc Now expand either the default web site or ftp site which you wish to ad a virtual directory to, right click on it and select New > Virtual Directory. A wizard will now appear, click next and give your virtual directory an alias (this will be the name used to access the content, servername/alias). Click next and select the directory to point the virtual directory towards. Once you've selected a path and pressed next you will be asked to grant permission on this directory to read, run scripts, execute, write and browse. If you don't need to execute programs, write or browse do not check them. If Directory Browsing is checked it will allow the user to view a list of files in the virtual directory, which isn't always a good thing. Click next again, then finish and your directory has been created. You should now be able to access the content by going to http://localhost/alias_name
Note on an NTFS formatted drive IIS will respect the NTFS ACL restrictions placed on files, depending what your doing you might want to edit file permission or possibly need to add the Internet User Guest Accounts (IUSR_MachineName). Part 4: Locking down your Server | |
| |
| |
| |
| | | |
|
| |
|
Copyright © 2002-2003, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.
Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk
|
|
|
|
| | | |
| |
| |
| |
| | Locking down your Windows XP IIS Server (v5.1)
(Please note if your using IIS 6.0 on Windows Server 2003, Windows XP 64 Bit version 2003 or IIS 6.5/7.0 on Windows Codename "Longhorn" you may find you actually need to enable what you want rather than disabling features as I'm suggesting here. This is because IIS 6.0 and above come with most additional features beyond serving html pages disabled. If you're using Windows NT4 you should make sure you have IIS 4.0 and immediately skip to the IIS Lockdown Tool and Microsoft Baseline Security Analyzer
IIS Parent Paths
If ASPEnableParentPaths has been enabled on a particular website in IIS in addition to the parent directories have execute access rights, a script could be executed causing an unauthorized program to run in a parent directory. If you require this functionality in your application or use Microsoft Project Central and Project Server 2002 do not disable parent paths.
The ASPEnableParentPaths metabase property allows or disallows an ASP page to refer to items which are related to the current directory path (e.g. ..\). Disabling ASPEnableParentPaths will only affect content dynamically created using ASP. So if you disabled ASPEnableParentPaths the following code would no longer work (and show a 0131 error)
<img src="../example_directory/mydynamiclylinkedpicture.jpg">
But you would still be able to link to static .html .php .aspx .asp and use
<img src="/example_directory/mystaticlylinkedpicture.jpg">
To disable parent paths in Windows XP Professional/SP1 go to start > run and enter
%SystemRoot%\System32\inetsrv\iis.msc
This command will load the Internet Information Services Management console.
Expand <Machine Name> Local Computer > Websites. Then right click and view the properties of the ‘Default Web Site'. Click the home directory tab and then the configuration button. A new window called ‘Application Configuration' will appear, select the options tab. Now uncheck ‘Enable Parent Paths' and click OK.
IIS Sample Applications
Although this samples are a good source of information when learning about IIS they do contain well know scripts which could potentially be exploited by a malicious attacker
To remove this threat you can remove the virtual directories which these samples use (seem part 3 for information on Virtual Directories). To do this simply select the following virtual directories under the default website and hit the delete key.
IISsamples - \Inetpub\iissamples
IISHelp - %windir%\help\iishelp
MSADC - \Program Files\common files\system\msadc
You should also remove the scripts virtual directory unless you are using them. IIS Lockdown Tool (and other security related tools)
• Microsoft Security Baseline Analyzer
The Microsoft Security Baseline Analyzer (MSBA for short) is a tool which will look at your system or scan a network for possible risks in various Microsoft products. MSBA will run on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003 and run scans against Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, Exchange 5.5 and 2000, and Windows Media Player 6.4 and later.
MSBA downloads an XML configuration file from Microsoft when it is run to stay up to date with current issues; so it may raise issues with your particular IIS version that I've not listed here (if your using Windows 2000 there will be).
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsahome.asp
• IIS Lockdown Tool (v2.1)
The lockdown tool works by effectively ‘switching off' parts of IIS which you specify as not being required. This means the overall number of IIS features available to the internet is greatly reduced, and thus reduces the ‘surface area' of your server. This then means if there is an exploit or worm making used of ‘fancy feature #5' and you've shut it off the attack will not work against your server.
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en
The IIS lockdown tool also incorporates URLScan which acts as a buffer restricting possible dangerous types of HTTP requests that will actually get to the server. However since the lockdown tool was released a newer version of URLScan has been released
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp
Patch, Patch, Patch!
IIS is potentially one of the most important services on your machine which you should apply patches for (as it could be accepting connections through a firewall from any machine on the internet). Just because you've not had a chance to install the latest hot fix or service pack, doesn't mean someone hasn't come up with a tool to exploit it. I say this not implying that there are hundreds of patches for IIS but you should check the Windows Update regularly for new critical updates.
Windows Update Site | |
| |
| |
| |
| | | |
|
| |
|
Copyright © 2002-2003, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.
Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk
No comments:
Post a Comment