Installing Windows 2000 or Windows NT 4.0 (with the Option Pack) renders IIS operational under its default security settings. Some of these default settings can result in security exposures, as the CodeRed Worm showed.
Microsoft has created two tools that let you better control IIS configuration and operation: IIS Lockdown and URLScan (which is included in IIS Lockdown 2.1). IIS Lockdown 2.1 offers the following capabilities:
- disables or removes unnecessary IIS services and components
- secures system files and Web content directories beyond the default settings
- installs URLScan to filter HTTP requests
I show you how to use IIS Lockdown 2.1 to perform the first two bulleted items. Note that the information I present here is for IIS Lockdown 2.1 specifically. Previous versions of the utility operate quite differently.
IIS Lockdown Caveats
IIS Lockdown alters the behavior of IIS, so the tool is likely to conflict with applications that depend on certain IIS features. For example, you must give special consideration to installing IIS Lockdown and URLScan on servers that support Microsoft Exchange 2000 Server, Exchange Server 5.5, or Microsoft SharePoint Portal Server (formerly code-named Tahoe). Two Microsoft articles outline difficulties you might encounter and how to work around them: "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q309677) and "SPS: IIS Lockdown Tool Affects SharePoint Portal Server" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q309675). You should also search the Microsoft Knowledge Base before implementing either IIS Lockdown or URLScan to make sure you have the most up-to-date information about any problems pertaining to your type of installation. After you've read the latest Microsoft articles and considered their suggestions, install IIS Lockdown on a test server and perform rigorous testing to verify that features required by your applications, both proprietary and commercial, are still available and functioning. Finally, you should perform a full system backup to speed system recovery in the event that testing results in an extreme loss of functionality.
You can obtain IIS Lockdown 2.1 from the IIS Lockdown Tool (version 2.1) download site (http://www.microsoft.com/downloads/release.asp?releaseid=33961). After you download iislockd.exe to your system, you can double-click the filename in Windows Explorer or click Start, Run and type
to extract the files to a temporary directory and launch the IIS Lockdown Wizard. However, if you have multiple servers to protect, extracting the files to a permanent working directory as I outline in the steps below is best.
You should be aware that the IIS Lockdown self-extracting executable and the standalone executable inside the self-extracting executable have the same name. This duplicate naming causes problems if you try to download the self-extracting executable and unpack it into the same directory. Avoid these problems by performing these installation steps:
- Download iislockd.exe to a temporary directory.
- From the temporary directory, open a command prompt and execute the command
iislockd.exe /q /c /t:c:\IISLockdown
to extract the IIS Lockdown files. The /q switch places the installation in quiet mode, and the /c switch instructs IIS Lockdown to perform only the file extraction and works in conjunction with the /t switch, which specifies the temporary working directory to which you would like to extract the files. Enclose the directory name in double quotes if it contains spaces (e.g., /t:"c:\IIS Lockdown"). Web Table 1 lists the files that iislockd.exe places into the specified directory. (You can access Web Table 1 at http://www.windowswebsolutions.com, InstantDoc ID 24480.)Notice that iislockd.exe contains the files for URLScan, which I don't cover in detail in this article. IIS Lockdown doesn't install any menu or desktop shortcuts, so you must launch the tool from Windows Explorer; Start, Run; or a command line.
IIS Lockdown operation is fairly straightforward. When you launch iislockd.exe, the Internet Information Services Lockdown Wizard steps you through the lockdown process. After an opening dialog box and an End User License Agreement (EULA) dialog box, the wizard prompts you to select the type of server you want to secure, as Figure 1 shows. Select the server template that most closely matches your server configuration. For this article, I used the Static Web server template. Select the View template settings check box to see a series of dialog boxes that present configuration options for your server type. If the check box isn't selected, the wizard will bypass these dialog boxes and take you straight to the URLScan installation.
Click Next to see the Internet Services dialog box (which Web Figure 1 shows)—the first of the actual IIS Lockdown configuration pages. IIS Lockdown can disable or remove the four IIS services: HTTP, FTP, SMTP, and Network News Transport Protocol (NNTP). How do you know which services you require? The server template you chose gives you some hints, and personal experience and lab testing your environment and applications are also helpful. The IIS service options in the Internet Services dialog box are in one of three states:
- Enabled—The option is selected, and the check box has a checkmark. Clearing the check box will disable the service.
- Enabled, disabling recommended—The option isn't selected, and the check box doesn't have a checkmark. Leaving the check box cleared will disable the service.
- Disabled, not selectable—If an option is shaded and its check box has no checkmark, you can't alter the service because the service isn't installed or the server template you've chosen requires the service.
If the Remove unselected services check box is selected, IIS Lockdown will remove the services from the server, not just disable them. Removing unused services is a good idea on servers whose role doesn't change often because if the services are gone, no one can accidentally activate them later.
Next, the wizard displays the Script Maps dialog box, which Figure 2 shows. Script maps associate a specific file extension with the Internet Server API (ISAPI) executable that interprets the file's contents (e.g., .asp maps to asp.dll). IIS Lockdown disables specified file types by altering the script map to point to a DLL that returns a File not found message when a user attempts to execute a file of that type. Clear a file type's check box to disable that file type.
Figure 3 shows the final IIS Lockdown dialog box, Additional Security, which lets you remove unnecessary directories and secure your file system from unauthorized access. IIS is installed with a variety of virtual directories that are intended for development and training purposes but aren't required in a production environment. IIS Lockdown removes the virtual directories you select but leaves intact the data those directories contain.
By default, IIS restricts anonymous access to Web content directories. But you should place another level of security on your system utilities (e.g., cmd.exe) to prevent unauthorized access in the event of a system security failure. If you select the Running system utilities (for example, Cmd.exe, Tftp.exe) check box, IIS Lockdown modifies the access control entry (ACE) for all executable files in \%windir% and its subdirectories, explicitly denying execute rights for the local groups Web Anonymous Users and Web Applications. If you select the Writing to content directories check box, IIS Lock-down also secures all Web content directories, including files and folders on remote computers, by setting the ACE to deny write rights for the local groups Web Anonymous Users and Web Applications.
Web Distributed Authoring and Versioning (WebDAV) allows for remote Web content creation and management. Do you use this technology? If not, select the Disable Web Distributed Authoring and Versioning (WebDAV) check box. IIS Lockdown will set an ACE on httpext.dll, the WebDAV executable, to prevent it from being loaded into the inetinfo.exe process and to effectively disable the WebDAV functionality.
IIS Lockdown next asks whether you want to install URLScan. If you'd like to install a filter that prevents IIS from processing certain types of URLs that crackers commonly use as attack vectors, you can use URLScan as the front door (i.e., the filter). A future article in this newsletter will cover URLScan in depth. In the meantime, you can learn more about it at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp.
Before starting the modification process, IIS Lockdown displays a list of actions it will perform. You can stop IIS Lockdown or click Next to begin the lockdown process. After the lockdown begins, you can't stop it.
Depending on the changes IIS Lockdown makes, the tool might create in the \%windir%\system32\inetsrv folder several of the log and IIS metabase—backup files that Web Table 2 shows. I can't stress enough that you need to safeguard the IIS Lockdown log and metabase-backup files. Unless you want to reverse IIS Lockdown's actions manually or reinstall the OS, you need the log files to undo the IIS Lockdown operation. Copy the files to a disk or store them on a separate server in a directory associated with the modified server.
If you run IIS Lockdown on a production server, be sure to do so during scheduled downtime. IIS Lockdown stops the server's Web services when the tool starts applying changes and you don't want to inconvenience users more than necessary.
If you attempt to run IIS Lockdown a second time, the only option that's available is to undo the previous operation. If you can find the oblt-log.log file, IIS Lockdown can perform an undo. If you want to apply a new IIS Lockdown configuration, first you must undo the previous operation, then restart IIS Lockdown and continue with the new configuration. If you chose to remove unnecessary IIS services during lockdown, you'll need to use the Control Panel Add/Remove Programs applet to reinstall them. Similarly, if you chose to install URLScan during lockdown, you must use the Add/Remove Programs applet to uninstall it.
IIS Lockdown's undo operation also reapplies the backup copy of the metabase the tool created before it performed the lockdown operation. Thus, any changes you make to IIS between lockdown and undo will be lost. However, the undo process makes another metabase backup before applying the previous backup, so you can recreate lost changes, if necessary.
IIS Lockdown Unattended
Using unattended mode for IIS Lockdown is fairly straightforward. Open iislockd.ini in Notepad and modify two keys in the \[Info\] group so that they read as follows:
Unattended=TRUE UnattendedServerType= <ServerType>
For ServerType, choose a value from those listed in the ServerTypesNT4 and ServerTypes keys, also in the \[Info\] group.
IIS Lockdown 2.1 doesn't support command-line options, so modifying iislockd.ini is the only method for automation. This limitation presents a problem when you have multiple configurations or classes of servers. To circumvent the problems, perform these steps:
- Create a separate directory for each configuration.
- In the iislockd.ini file in each directory, turn on unattended mode and select the desired server type.
- Launch IIS Lockdown from the appropriate directory as required for the server class.
The final key of interest in iislockd.ini's \[Info\] group is Undo, which lets you undo the previous lockdown operation if set to TRUE. If Undo is TRUE, IIS Lockdown performs the undo operation; it doesn't rerun itself to install the server type that the UnattendedServerType key specifies.
Custom Server Templates
You can create custom server templates and add them to the IIS Lockdown configuration list by modifying and adding information to the iislockd.ini file. Use the following process to create a custom server template:
- Open iislockd.ini in Notepad.
- Review the template names in the ServerTypesNT4 and ServerTypes keys, and come up with a new name (i.e., a name that IIS Lockdown isn't already using) for your new template.
- Copy one of the existing server templates in the .ini file, and paste it at the bottom of the .ini file.
- Change the template name (the word in brackets \[\]) to the name you chose in Step 2.
- Change the label key to a description of your new template.
- Add the new template name to ServerTypesNT4 (for an NT 4.0 server template) or ServerTypes (for a Win2K server template).
- Edit the iislockd.ini keys as necessary to enable or disable IIS Lockdown options.
IIS Lockdown can help you create a more secure Web server, but you can't stop there. Security is an ongoing process and should always be at the top of your priority list.