I find it valuable to separate network attacks on IIS servers into two groups - those that are specific to http (ports 80 and 443) and those that aren't related to http, such as attacks on other services (e.g., FTP or Telnet) running on the server. While attention is often paid to dealing with http-specific attacks it's equally important to check the other doorways on your server. In this article, I'll look at how attackers might find other ways into your server and what you can do to prevent these attacks.
Services are the doorway into your computer from over the network. We could start out with a list of obviously dangerous services to disable but let's approach it from the opposite direction. A time-honored rule for securing a server on an untrusted network is to disable all unneeded services, an approach that offers several advantages, including less drain on resources and protection against yet-to-be-discovered attacks. Even if a service doesn't offer direct access to system resources, it might expose a system to buffer overflow attacks and denial of service (DoS) attacks. Moreover, the fewer services you enable, the fewer security hotfixes you'll be required to load when new vulnerabilities are discovered. Table 1 shows a list of services required on a Windows 2000 IIS server that is not a member of a domain. You can probably disable all other services except for those required for your specific needs. For instance, you don't need Distributed Transaction Coordinator unless you are actually using distributed transactions.
Services That Pose Risks
I would like to point out a number of services that are definite risks. The SMTP service makes your server vulnerable to SMTP-based denial of service and buffer overflow exploits and may provide attackers with a route for spamming. Another SMTP server may already be available at your company or ISP, so it's seldom necessary to expose your Web server to SMTP attacks. The Indexing Service opens another doorway into your server and has been the source of some IIS-related exploits. If you aren't using the Indexing Service to provide searching ability on your Web server, disable the service. If you need the Indexing Service, make sure you configure it to index public content only. One of my clients accidentally configured his intranet Web server to index the entire volume, which included personnel documents. Very confidential information was disclosed when an innocent user searched on another employee's name. Of course, this situation could have been prevented with better file permissions, but it reinforces the recommendation to disable unneeded functionality.
Disable NetMeeting Remote Desktop Sharing to prevent someone from taking over your server via NetMeeting. There should be no need to enable Internet Connection Sharing unless your Web server is doing double duty as the Internet gateway for your company's users. This is a dangerous scenario because of the complexity in configuring one computer to handle both tasks securely.
The Terminal Services, Telnet, Remote Registry, and FTP services give remote access to the command prompt, registry, and file system and are usually used by administrators for remote administration. I regard all of these services as dangerous because of the level of access they provide and the history of vulnerabilities discovered, especially in Telnet and FTP. You should disable as many of these services as you can. If you really need some of them, make sure you understand how to configure each one securely so that only appropriate users can access them. To limit remote access to the registry, create a new group called RemoteRegistryEditors, then edit the ACL of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg and replace the current entries with RemoteRegistryEditors.
It doesn't matter whether you grant Read or Full Control. After you make this change, only members of RemoteRegistryEditors will be able to access the registry remotely. To limit who can access your Telnet service, create a group called TelnetClients and populate it with just the users who should be able to connect via Telnet. When this group is created, Win2k automatically uses it to control Telnet access. Securing IIS's FTP Service is a more complicated task. If possible, separate your FTP server from your Web server. Enable FTP only if your Web server must accept file uploads via FTP. For some good tips on FTP security see http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=16395.
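The group and winreg ACL steps above, scripted as an added example (not from the article). It assumes a Windows version with PowerShell (the article targets Windows 2000, where these steps are done by hand), an elevated session, and that the winreg key still has the meaning described above.

```powershell
# Added example, not the article's own code. Run as Administrator.
$ErrorActionPreference = 'Stop'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Create the two local groups the article describes if they do not exist yet.
# TelnetClients is picked up by the Telnet service automatically; no ACL work is needed.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
foreach ($name in 'RemoteRegistryEditors', 'TelnetClients') {
    if (-not ([ADSI]::Exists("WinNT://$env:COMPUTERNAME/$name,group"))) {
        $group = $computer.Create('Group', $name)
        $group.SetInfo()
        Write-Host "Created local group $name"
    }
}

# Record the current winreg ACL before replacing it, so the change can be reversed.
$acl = Get-Acl -Path $winreg
$acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize |
    Out-File "$env:TEMP\winreg-acl-before.txt"

# Replace every existing entry with a single entry for RemoteRegistryEditors.
# As the article notes, Read vs. Full Control makes no difference on this key:
# presence in the ACL is what permits remote access; each target key enforces its own rights.
$acl.SetAccessRuleProtection($true, $false)              # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$editors = New-Object System.Security.AccessControl.RegistryAccessRule(
    'RemoteRegistryEditors', 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($editors)
Set-Acl -Path $winreg -AclObject $acl

# Verify: the only remaining ACE should name RemoteRegistryEditors.
(Get-Acl -Path $winreg).Access | Select-Object IdentityReference, RegistryRights, AccessControlType
```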
Watching for Advanced Attacks
While these are good steps, they don't protect you against more advanced attacks such as buffer overflows, which could give an attacker the opportunity to run arbitrary code under the system context. I am very enthusiastic about the capabilities of IP Security to wrap a layer of solid security around otherwise vulnerable services. With IP Security Policies you can use simple packet filter rules to limit which client IP addresses can access given ports. But you can go much further and limit connections to services like Telnet, FTP, Terminal Services, and Remote Registry through strong certificate-based or shared-secret-based authentication.
A final service to think about is the Server service. While often thought of as just a file and printer sharing service, the Server service opens up much more of the system to attack than files and printers. It provides administrators remote access to other Win2k resources managed through the Computer Management snap-in, including the event log, local user and group maintenance, services, scheduled tasks and more. Don't forget that even if no one has explicitly shared any folders, the Server service automatically creates hidden administrative shares at the root of each volume, such as C$ for the C: drive. You are certainly safer with the Server service disabled; however, your ability to administer the server remotely is severely restricted.
Look for ways to reduce your attack surface by disabling unneeded services or blocking them with Windows Firewall if you are running Windows Server 2003 or Internet Connection Firewall on Windows 2000. In fact, instead of just disabling them from the Services MMC, make it a habit to collect this and all other security settings you make to your server into a security template with the Security Templates MMC. That way you can reapply these settings if it becomes necessary to rebuild your web server or install a new one. For more information about security templates see http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=21001.
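As an added example (not from the article), the service decisions above captured in a minimal security template and checked against a host with secedit.exe. It assumes PowerShell is available, that the short service names (SMTPSVC, cisvc, mnmsrvc, SharedAccess, TlntSvr, MSFtpsvc, RemoteRegistry, TermService, MSDTC, W3SVC, IISADMIN) match the services named in the article, and that the SDDL string is the default service ACL that exported templates carry.

```powershell
# Added example, not the article's own code. In [Service General Setting] each line is
# ServiceName,StartMode,"SDDL" where 2 = Automatic, 3 = Manual, 4 = Disabled.
$sd  = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Service General Setting]
SMTPSVC,4,"$sd"
cisvc,4,"$sd"
mnmsrvc,4,"$sd"
SharedAccess,4,"$sd"
TlntSvr,4,"$sd"
MSFtpsvc,4,"$sd"
RemoteRegistry,4,"$sd"
TermService,4,"$sd"
MSDTC,4,"$sd"
W3SVC,2,"$sd"
IISADMIN,2,"$sd"
"@
$dir = "$env:SystemRoot\security\templates"
Set-Content -Path "$dir\iis-services.inf" -Value $inf -Encoding Unicode

# Analyze first: every difference between the template and the live host is logged,
# which doubles as a drift check you can run on a schedule.
secedit /analyze /db "$dir\iis-services.sdb" /cfg "$dir\iis-services.inf" /log "$dir\iis-services.log"
Get-Content "$dir\iis-services.log" | Select-String -Pattern 'Mismatch|Not Configured|Error'

# To enforce the template, e.g. after rebuilding the server, run instead:
# secedit /configure /db "$dir\iis-services.sdb" /cfg "$dir\iis-services.inf" /log "$dir\iis-services.log"
```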
Table 1 - Services required on a Windows 2000 IIS server that is not a member of a domain

| Service | Comments |
| --- | --- |
| COM+ Event System | |
| DNS Client | Only needed if your web server references other computers via DNS |
| IIS Admin Service | |
| IPSEC Policy Agent | |
| Network Connections | Can be disabled except when you need to configure your NICs |
| Logical Disk Manager | Can be disabled unless you use dynamic volumes |
| Plug and Play | |
| Protected Storage | |
| RPC | |
| Security Accounts Manager | |
| System Event Notification | |
| TCP/IP NetBIOS Helper Service | Can be disabled if the Server service is disabled and you don't need to access NetBIOS resources on other computers (e.g., file sharing) |
| Workstation | Can be disabled if you don't need to access other Windows computers from the web server |
| World Wide Web Publishing Service | |
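An audit script for Table 1, added here as an example (not from the article). It assumes PowerShell, which means a Windows version newer than Windows 2000, so services outside the 2000 baseline are only reported; the mapping from the table's display names to short service names is my own.

```powershell
# Added example, not the article's own code.
# Without -Enforce the script only reports; with -Enforce it stops and disables the
# services the article calls out as risky (and nothing else, since a newer Windows
# needs many services that the Windows 2000 baseline in Table 1 does not list).
param([switch]$Enforce)

$baseline = @{
    'EventSystem'       = 'COM+ Event System'
    'Dnscache'          = 'DNS Client'
    'IISADMIN'          = 'IIS Admin Service'
    'PolicyAgent'       = 'IPSEC Policy Agent'
    'Netman'            = 'Network Connections'
    'dmserver'          = 'Logical Disk Manager'
    'PlugPlay'          = 'Plug and Play'
    'ProtectedStorage'  = 'Protected Storage'
    'RpcSs'             = 'RPC'
    'SamSs'             = 'Security Accounts Manager'
    'SENS'              = 'System Event Notification'
    'LmHosts'           = 'TCP/IP NetBIOS Helper Service'
    'LanmanWorkstation' = 'Workstation'
    'W3SVC'             = 'World Wide Web Publishing Service'
}
# Services the article singles out: SMTP, Indexing, NetMeeting RDS, ICS, Terminal Services,
# Telnet, Remote Registry, FTP, Distributed Transaction Coordinator, Server.
$risky = 'SMTPSVC','cisvc','mnmsrvc','SharedAccess','TermService','TlntSvr',
         'RemoteRegistry','MSFtpsvc','MSDTC','lanmanserver'

# One WMI query for start modes instead of one per service.
$startMode = @{}
Get-WmiObject Win32_Service | ForEach-Object { $startMode[$_.Name] = $_.StartMode }

$findings = foreach ($svc in Get-Service) {
    if ($baseline.ContainsKey($svc.Name)) { continue }
    $isRisky = $risky -contains $svc.Name
    # Report anything running outside the baseline, and risky services even when stopped.
    if ($svc.Status -eq 'Running' -or $isRisky) {
        [pscustomobject]@{
            Name      = $svc.Name
            Display   = $svc.DisplayName
            Status    = $svc.Status
            StartMode = $startMode[$svc.Name]
            Risky     = $isRisky
        }
    }
}
$findings | Sort-Object Risky -Descending | Format-Table -AutoSize

if ($Enforce) {
    foreach ($f in $findings | Where-Object { $_.Risky -and $_.StartMode -ne 'Disabled' }) {
        Stop-Service -Name $f.Name -Force -ErrorAction Continue
        Set-Service  -Name $f.Name -StartupType Disabled
        Write-Host "Disabled $($f.Name) ($($f.Display))"
    }
}
```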