
Running 2000 IIS, and have questions about security

DeadSeaSquirrels

Senior member
I am running the Windows 2000 IIS package right now, because I want to learn about hosting a website, FTP site, etc., and also I want to learn ASP, JSP, Servlets, J2EE stuff. I don't know if IIS can do JSP or servlets, or J2EE stuff, but maybe Servlets with some MS Java SDK as a wrapper. Anyway, my real question is about security. I am running the latest security roll-up package on my IIS server. But I was just wondering if there was anything else I could do other than that to make it more secure. Basically I don't know how to secure my server other than disabling all anonymous access, or disabling any access from any user I don't know. Short of somebody I know getting kidnapped and having their password stolen, are there other ways hackers can break into my super sensitive list of personal .doc files and .mp3s? :beer:

If somebody did crack my non-existent site and server at this point, honestly I would have no idea how to track somebody right now. I'd just turn off the freakin machine for now, or disable the port forwarding on my router. But is there anything else I should be doing, that is a must right now, while I'm learning?
 
There are a million things you can do, but the most important are...

1) Patching (you have this done)
2) IIS lockdown tool and URLScanner (they come together from MS, for free. Google for them)
3) Put the box behind a good firewall and only expose the services you need exposed.

Those are in no particular order, each is as important as the other, and all are pretty useless without the others.

i.e., all three are a must.
 
URLScan and only allowing port 80 to reach the box is a pretty good start. Make sure the site runs under an underprivileged IUSR, and that the site is running in high process (thus under the IWAM user).

Also log everything. Don't delete the FTP or WEB logs. Store them and archive them.
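Two of the replies above recommend URLScan and keeping every FTP and web log. The following is an added example, not code from the thread or from Microsoft's URLScan, that applies URLScan-style rules (an allowed-verb list, an allowed-extension list and a list of denied URL sequences, named after the urlscan.ini sections) to a few constructed IIS 5 W3C Extended log lines. It shows both what such a policy would have rejected and what is worth looking for when reviewing archived logs. The policy values, log lines and IP addresses are all constructed for the example; the matching logic is a simplified re-implementation, not URLScan itself.

```python
"""Flag IIS W3C log entries that a URLScan-style policy would have rejected.

Added example, not from the thread: a small offline re-implementation of three
URLScan rule types, run over constructed IIS 5 W3C Extended log lines.  The
section names mirror urlscan.ini ([AllowVerbs], [AllowExtensions],
[DenyUrlSequences]); the values are illustrative, not URLScan's shipped ones.
"""
from urllib.parse import unquote

# Constructed policy, modelled on urlscan.ini sections.
POLICY = {
    "AllowVerbs": {"GET", "HEAD", "POST"},
    # "" stands for "no extension" (urlscan.ini spells this as a bare ".").
    "AllowExtensions": {"", ".htm", ".html", ".asp", ".gif", ".jpg", ".css", ".js"},
    "DenyUrlSequences": ["..", "./", "\\", ":", "%", "&"],
}

# Constructed sample log in the W3C Extended format IIS 5 writes by default.
# Addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-01 00:00:01 192.0.2.10 GET /default.htm - 200
2002-03-01 00:00:02 192.0.2.10 GET /images/logo.gif - 200
2002-03-01 00:00:03 198.51.100.7 PROPFIND / - 207
2002-03-01 00:00:04 198.51.100.7 GET /scripts/../../docs/private.doc - 404
2002-03-01 00:00:05 198.51.100.7 GET /cgi-bin/test.exe - 404
2002-03-01 00:00:06 192.0.2.10 GET /news%2Findex.htm - 200
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the #Fields names; '-' means empty."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def extension_of(uri_stem):
    """Extension of the last path segment, lower-cased; '' when there is none."""
    last = uri_stem.rsplit("/", 1)[-1]
    return ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""


def check_entry(entry, policy=POLICY):
    """Return the list of policy rules the request breaks ([] means clean)."""
    reasons = []
    verb = entry.get("cs-method", "")
    if verb not in policy["AllowVerbs"]:
        reasons.append(f"verb {verb} not in AllowVerbs")
    raw = entry.get("cs-uri-stem", "")
    # Assumption: IIS logged the stem as received, so inspect it both raw and
    # after one round of %-decoding (what URLScan's NormalizeUrlBeforeScan does).
    candidates = {raw, unquote(raw)}
    for cand in candidates:
        ext = extension_of(cand)
        if ext not in policy["AllowExtensions"]:
            reasons.append(f"extension {ext or '(none)'} not in AllowExtensions")
            break
    for seq in policy["DenyUrlSequences"]:
        if any(seq in cand for cand in candidates):
            reasons.append(f"sequence {seq!r} in DenyUrlSequences")
    return reasons


def audit_log(text, policy=POLICY):
    """Return (c-ip, cs-method, cs-uri-stem, reasons) for every flagged entry."""
    flagged = []
    for entry in parse_w3c(text):
        reasons = check_entry(entry, policy)
        if reasons:
            flagged.append((entry["c-ip"], entry["cs-method"], entry["cs-uri-stem"], reasons))
    return flagged


if __name__ == "__main__":
    for ip, verb, stem, reasons in audit_log(SAMPLE_LOG):
        print(f"{ip} {verb} {stem}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, four of the six entries are flagged: the WebDAV verb, the traversal toward a .doc file (three rules at once), the .exe request, and the encoded slash that the "%" sequence rule catches even though the decoded path looks harmless. Real logs will need the `#Fields` list to match whatever extended fields your server is configured to write; the parser reads that directive rather than assuming a fixed column order.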
 
OK... what is the IWAM user? I'll try to do a Google search... does anybody have any idea what I should search under?
Personal Server Security?
Server Security?
setup first server?

I want to look for something that will be low level enough for me to understand.
For now, I am not autostarting the FTP and Web server, I don't want things to be screwed up when I'm not being careful. Thanks for the info.
 
Hey, I'm going to keep tabs on this because right now I'm trying to teach myself much of the same things. I'm working on a machine with Win2k Serv Adv right now. Network security is a main concern of mine, mainly because I don't know a whole lot about doing it :< (hacking didn't interest me when I was younger as much as system building and optimization for gaming). Anyways, on to my question. If a firewall is running off of a router with NAT and DHCP built in, and all incoming ports are closed to the external, is there a way for that system to be hacked? I assume it's possible to piggyback an outgoing communication or something, or to fool something into communicating with it to the point of being manipulated. Am I correct?
 
The only way you can do JSP with IIS is to download and install Tomcat from Apache.org. It's a pain in the @ss to get working, though.
 
I've been running an IIS5 server for a while on Win2k. The best thing I did was purchase a security app from eEye called SecureIIS. The basic rules of thumb for running an IIS server are the following.

1.) You MUST keep updated on your patches.
2.) Do not enable more than you need. Keep the server running with the bare minimum amount of extensions/privileges.

It's unbelievable the amount of crap I see in our logs. Make sure when you run the server you're not running under an Administrative account. If someone hacks your box, make their life difficult with an underprivileged account.

HTH,

- RJ
 