Q164882: Practical Recommendations for Securing Internet-Connections

Article: Q164882
Product(s): Internet Information Server
Version(s): 1.0,2.0,3.0,4.0,5.0
Operating System(s): 
Keyword(s): kbimu
Last Modified: 10-JUN-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0 
- Microsoft Internet Information Services version 5.0 
- Microsoft Proxy Server version 1.0 
-------------------------------------------------------------------------------

SUMMARY
=======

When you connect computers to the Internet it becomes possible to communicate
with millions of people and computers world wide by using the TCP/IP protocols.
This broad flexibility imposes a degree of risk: Not only can you communicate
with people and systems using the protocols that you choose, it is also possible
for users to try to initiate communication with your systems. Most of the
following recommendations assume you are using the Microsoft Proxy Server.
However, some may apply even if you do not have a proxy server.

MORE INFORMATION
================

Review the following list to learn how to reduce security risks:

- If your private network runs TCP/IP, the servers Enable IP Forwarding check
  box in the Network application should not be selected.

  Clearing the Enable IP Forwarding check box prevents unauthorized IP packets
  from infiltrating your network. The Enable IP Forwarding check box is located
  in the Microsoft TCP/IP Properties dialog box. To open this, use the Network
  application in Control Panel.

To disable IP forwarding on Microsoft Windows NT Server version 4.0:

1. From the Start menu, select Settings, and then click Control Panel.

2. In Control Panel, double-click the Network icon.

3. In the Network dialog box, click the Protocols tab, select TCP/IP Protocol,
  and then click Properties.

4. In the Microsoft TCP/IP Properties dialog box, click Routing.

5. Make sure the check box for Enable IP Forwarding is cleared.

6. Click OK, then click OK again.

WARNING: If the Windows NT Remote Access Service (RAS) is installed on your
gateway after Microsoft Proxy Server is installed, IP forwarding will be
enabled. You must disable IP forwarding after installing RAS.

- Block Nonessential Inbound TCP/IP Ports.

  If your Windows NT Server is highly exposed, with the mission of offering
  services like Web and FTP, then only two inbound paths need to exist from the
  router to the server: HTTP on port 80 and FTP on port 21. The router should
  block all other inbound traffic.

  If you are using the Proxy Server and have 2 netcards on your Computer, you
  can bind ONLY IPX on the Internal netcard and ONLY IP on the external
  netcard.

- Disable NetBios over TCP/IP.

  By default an Internet-connected Windows NT computer will support two
  transport protocols: NetBeui and TCP/IP. Windows networking operations
  require syntax of the form of \\Name. These operations include directory and
  printer sharing, NetDDE, and remote administration. Connecting to a drive or
  editing a registry across the Internet requires only a mapping, in the local
  LMHOSTS file, between the remote computer's NetBIOS name and its IP address.

  You can control the use of NetBIOS over TCP/IP (NBT) by going into Control
  Panel, Network and the Bindings tab and disabling any of the bindings between
  NetBIOS-based services and TCP/IP. This way no one can try to remote-mount
  drives or remote-edit registries. Windows NT networking services run
  promiscuously over multiple transports; therefore, internally your computers
  can still talk to each other over the NetBEUI protocol, which does not go
  over the Internet.

- Use NTFS volumes.

  The Windows NT File System (NTFS) provides security and access control for
  your data files. By using NTFS, you can limit access to portions of your file
  system for specific users and services. A File Allocation Table (FAT) only
  supports share level security.

  For safety's sake it is best to layer multiple defenses, so use NTFS on
  Internet-connected Windows NT computers. Windows NT takes the intersection of
  NTFS ACLs and share permissions, for example if NTFS ACLs gives a network
  user full access to a partition but the share-level permissions grant only
  read access, then the effective access is read only. If you create new
  shares, be sure to alter the default permissions assigned by Windows NT.
  Otherwise, by default, the group Everyone will have Full Control of all that
  is visible through the share.

- Run only the services that you need.

  The fewer services you are running on your computer, the less likely a mistake
  will be made in administration that could be exploited. Use the Services
  application in the Control Panel to disable any services not absolutely
  necessary. Also, if FTP or Gopher services are not needed or used, turn off
  these services using Internet Service Manager to stop each service.

- Unbind unnecessary services from your Internet adapter cards.

  Use the Bindings feature in the Network application in the Control Panel to
  unbind any unnecessary services from any network adapter cards connected to
  the Internet. For example, you might use the Server service to upload new
  images and documents from computers in your internal network, but you might
  not want users to have direct access to the Server service from the Internet.
  If you need to use the Server service on your private network, the Server
  service binding to any network adapter cards connected to the Internet should
  be disabled.

  You can use the Windows NT Server service over the Internet; however, you
  should fully understand the security implications and comply with Windows NT
  Server licensing requirements issues. When you are using the Windows NT
  Server service you are using Microsoft networking or the Server Message Block
  (SMB) protocol and all Windows NT Server licensing requirements still apply.

- Check permissions set on network shares.

  If you are running the Server service on your Internet adapter cards, be sure
  to double check the permissions set on the shares you have created on the
  computer. It is also wise to double check the permissions set on the files
  contained in the shares directories to ensure that you have set them
  appropriately.

- Access from Network privilege can be revoked.

  By default, Windows NT grants the group Everyone the right to Access from the
  network. By revoking this right you can block all networking services, but
  maintain support for the Web service because the Web server runs either as a
  System or Local user.

- Rename and limit the membership of the Administrator group.

  Rename the Administrator account by selecting User, Rename from User Manager
  menu. By limiting the members of the Administrator group, you limit the
  number of users who might choose bad passwords.

- Enforce strict account policies.

  User Manager for Domains provides configuration options called security
  policies, such as one that allows a system administrator to specify how
  quickly account passwords expire (forcing users to regularly change
  passwords), and another that determines how many bad logon attempts will be
  tolerated before a user is locked out. Use the User Manager for Domains
  security policies to configure the server against exhaustive or random
  password attacks.

- Choose good passwords.

  Although this may seem obvious, a stolen or easily guessed password is the
  best opportunity for someone to gain access to your computer. Make sure that
  all passwords used, especially those with administrative rights, have
  difficult-to-guess passwords. In particular make sure to select a good
  administrator password (long, mixed-case, alphanumeric password) and set the
  appropriate account policies. Passwords can be set by using Windows NT User
  Manager for Domains.

  For additional information, please see Chapter 2 of the Microsoft Proxy Server
  documentation has information on the above topic.

More information on securing an Internet connected Web server can be found in
Chapter 8 of the Microsoft Internet Information Server Resource Kit.
ISBN:1-57231-638-1

REFERENCES
==========

For additional information, click the article number below to view the article
in the Microsoft Knowledge Base:

  Q282060 Resources for Securing Internet Information Services

Additional query words: prx iis

======================================================================
Keywords          : kbimu 
Technology        : kbiisSearch kbAudDeveloper kbiis500 kbiis400 kbiis300 kbiis200 kbiis100 kbProxyServ100 kbProxyServSearch
Version           : :1.0,2.0,3.0,4.0,5.0
Hardware          : ALPHA x86
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.