Microsoft Internet Information Server 4 Security Checklist

Microsoft Internet Information Server 4.0 Security Checklist

Last Updated: 3-Nov-1999

This table outlines some of the steps you should take to secure a Windows NT 4.0 Server running Microsoft Internet Information Server 4.0 on the Internet. Note, this document does not take into consideration firewalls or proxy servers. It also assumes the company has a security policy in place.

Please email the author, mikehow@microsoft.com, if you find any problems. Thanks!

Step 1: General Information

Server Name
Asset #
Setup Date
Manufacturer
Location
Set up by

Step 2: Background Work

	Step
	Read your corporate security policy
	Configure hardware to meet security policy
	Read the IIS4 Resource Kit Security Chapter
	Subscribe to Microsoft Security Notification Service

Step 3: Windows NT 4.0 Settings

	Step
	Latest Service Pack and Hot-fixes applied
	Hard disk(s) formatted to NTFS
	Set NTFS ACLs
	Turn off NTFS 8.3 Name Generation
	System boot time set to zero seconds
	Set Domain controller type
	OS/2 Subsystem removed
	POSIX Subsystem removed
	Remove All Net Shares
	Audit for Success/Failed Logon/Logoff
	Set Overwrite interval for Audit Log
	Hide last logon user name
	Display a legal notice before log on
	Remove Shutdown button from logon dialog
	Set Password length
	Disable Guest account
	Rename Administrator account
	Allow network-only lockout for Administrator account
	Check user accounts, group membership and privileges
	Set a very strong password for Admin account
	Restrict Anonymous Network Access
	Prevent unauthenticated access to the registry
	ACL and Monitor Critical Registry Keys
	Change "Access this computer from the network" from Everyone to Authenticated Users
	Run SYSKEY Utility
	Unbind NetBIOS from TCP/IP
	Configure TCP/IP Filtering
	Disable IP Routing
	Move and ACL critical files
	Synchronize Times

Step 4: Internet Information Server 4.0 Settings

	Step
	Install minimal Internet services required
	Set appropriate authentication methods
	Set appropriate virtual directory permissions and partition Web application space
	Executable content validated for trustworthiness
	Set IP Address/DNS Address restrictions
	Set up Secure Sockets Layer
	Migrate new Root Certificates to IIS
	Remove Non-trusted Root Certificates
	Set Appropriate IIS Log file ACLs
	Logging enabled
	Index Server only indexing documentation
	Lock down Microsoft Certificate Server ASP Enrollment pages
	Remove the iisadmpwd vdir
	Remove Used Script Mappings
	Disable RDS support
	Disable or remove all sample applications
	Disable or remove unneeded COM Components
	Check <FORM> input
	Disable calling the command shell with #exec
	Disable 'Parent Paths'
	Disable IP Address in Content-Location

Step 5: Install Scanner/Intrusion Software

Regularly run a security scanner on your Web server, such as software from one of the companies listed.

Step 6: Update the Emergency Repair Disk

You should regularly update the ERD by running the RDISK tool.

THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.