Win 2000 Web server security

y2kc

Platinum Member
Sep 2, 2000
note: also posted in the networking forum (no response).

I'm in the process of planning and designing a website for my small business. I have some experience with web design and since the site will be strictly informational it won't be too complex (10 pages deep max). I'm sure I won't have too much trouble in that regard. Here's my question: how unsecure is W2K as a web server? I know that linux/apache is one of the most secure platforms to run a web site from, but honestly, when it comes to 'nix, I have no clue and (after doing some research) I really do not have time to figure it out.

As my plans do not include any type of web-based commerce and will not utilize a database (strictly advertisement) I'm not concerned about any type of data theft. I just don't want to be hacked, spoofed or used to distribute trojans. I did get a "coming soon" page up and running using IIS 5 with no experience so I'm assuming that if it's this easy to get out it can't be too hard to break in.

Any advice would be appreciated.
 

nichomach

Junior Member
Nov 2, 2001
1. DO NOT put a default clean install of IIS on the net without applying AT LEAST SP2 and the post-SP2 roll-up fixes package. You WILL be code-redded and nimda'ed faster than you can say knife - this might not hurt you, but you'll become a vector for infecting other vulnerable systems. Apply all available security fixes from http://corporate.windowsupdate.microsoft.com.

2. Ensure that you ONLY install necessary services - disable the ones you won't use - and unless you're using them, that includes FTP and SMTP.

3. Go to http://www.microsoft.com/technet/treeview/default.asp and look specifically for the IIS lockdown tool and use it; use the secure webserver template, customise as needed. It's available in the Security section of the above URL.

4. Place it behind a firewall (or at least in the DMZ) and disable outgoing connections; you don't need your webserver to initiate connections to other systems, so why allow it? Incidentally, that doesn't mean placing it on your internal network. If you don't have 2 firewall boxen available, use the DMZ on your existing firewall. If your existing firewall doesn't have a DMZ, get one that does. If you don't have an existing firewall...well, get one. Don't allow machines in the DMZ to initiate connections to your LAN - sounds basic, but you'd be surprised....

5. Document your configuration, and update your docs as new fixes (and you will need new fixes) are applied. You should do that with any server anyway.

6. I forgot, lock down the perms as far as possible and don't allow authoring to anyone but the admin, and choose a really weird complex password; you can rename the admin account if you want, too.

This stuff's pretty basic, I know.

Does any of that help, or was it what you were doing anyway?

Nick:)
 

y2kc

Platinum Member
Sep 2, 2000
> 1. DO NOT put a default clean install of IIS on the net without applying AT LEAST SP2 and the post-SP2 roll-up fixes package. You WILL be code-redded and nimda'ed faster than you can say knife - this might not hurt you, but you'll become a vector for infecting other vulnerable systems. Apply all available security fixes from http://corporate.windowsupdate.microsoft.com.

I immediately patched the server as soon as the install was done (one of my better habits)

> 2. Ensure that you ONLY install necessary services - disable the ones you won't use - and unless you're using them, that includes FTP and SMTP.

I know that SMTP is running and FTP so I'll kill those.

> 3. Go to http://www.microsoft.com/technet/treeview/default.asp and look specifically for the IIS lockdown tool and use it; use the secure webserver template, customise as needed. It's available in the Security section of the above URL.

I actually downloaded the lockdown tool but I've yet to install it as I'm thinking of rebuilding the machine in lieu of my hack job so far.

> 4. Place it behind a firewall (or at least in the DMZ) and disable outgoing connections; you don't need your webserver to initiate connections to other systems, so why allow it? Incidentally, that doesn't mean placing it on your internal network. If you don't have 2 firewall boxen available, use the DMZ on your existing firewall. If your existing firewall doesn't have a DMZ, get one that does. If you don't have an existing firewall...well, get one. Don't allow machines in the DMZ to initiate connections to your LAN - sounds basic, but you'd be surprised....

The server does have its own firewall (cisco 1605r router), it has absolutely no connection at all to my LAN.

> 5. Document your configuration, and update your docs as new fixes (and you will need new fixes) are applied. You should do that with any server anyway.

Great advice, will do.

> 6. I forgot, lock down the perms as far as possible and don't allow authoring to anyone but the admin, and choose a really weird complex password; you can rename the admin account if you want, too.

Again, great advice.

Thanks a lot Nick, that was exactly what I was hoping for!


Vive' la Nick! Nick for Elite! :)
 

FUBAR

Senior member
Oct 11, 1999
Now that you have a good start, make sure to go for a windowsupdate at least every week... since there's new fixes and holes coming out all the time be sure to be safe. The damn site does it for you so take advantage of it. Just don't get too complacent that you have a secure box because it's as patched as it can be at this moment.
 

n0cmonkey

Elite Member
Jun 10, 2001
> The server does have its own firewall (cisco 1605r router), it has absolutely no connection at all to my LAN.

You know how to setup a cisco router as a firewall but you can't learn Unix-like systems? :p

> disable outgoing connections; you don't need your webserver to initiate connections to other systems, so why allow it?

I just wanted to remind you of this part of his comment, it's an important one. Just block everything coming in that is more than a syn and put it in the state table and block everything that is going out.

EDIT: consider using apache too, last week was the exception, not the rule.
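
The filtering rule described in the post above (admit only a new SYN to the published port, record it in a state table, drop anything the server tries to initiate), modelled as an added example that is not part of any poster's message. The addresses, ports and packets are constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

WEB = "192.0.2.10"      # assumed web server address (documentation range)
PUBLISHED = {80}        # the only service offered to the Internet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags: "S", "SA", "A", ...

class StatefulFilter:
    def __init__(self):
        self.states = set()     # (client_ip, client_port, server_port)

    def check(self, p):
        if p.dst == WEB:        # inbound, towards the web server
            key = (p.src, p.sport, p.dport)
            if key in self.states:
                return "pass"   # part of a connection already admitted
            if p.flags == "S" and p.dport in PUBLISHED:
                self.states.add(key)    # bare SYN to a published port
                return "pass"
            return "block"      # no state and not a valid opening SYN
        if p.src == WEB:        # outbound, from the web server
            key = (p.dst, p.dport, p.sport)
            # Replies to admitted clients pass; server-initiated traffic does not.
            return "pass" if key in self.states else "block"
        return "block"          # default deny

def evaluate(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]

SAMPLE = [  # constructed traffic
    Packet("203.0.113.5", 40000, WEB, 80, "S"),    # client opens HTTP
    Packet(WEB, 80, "203.0.113.5", 40000, "SA"),   # server reply
    Packet("203.0.113.5", 40000, WEB, 80, "A"),    # handshake completes
    Packet("203.0.113.9", 40001, WEB, 80, "A"),    # stray ACK, no state
    Packet("203.0.113.9", 40002, WEB, 21, "S"),    # FTP is not published
    Packet(WEB, 1050, "198.51.100.7", 80, "S"),    # server-initiated, as an infected host would send
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(verdict, pkt)
```
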
 

singh

Golden Member
Jul 5, 2001
> Originally posted by: n0cmonkey
> EDIT: consider using apache too, last week was the exception, not the rule.

Yeah, yeah, so you say :p J/K I know it's pretty secure :)
 

n0cmonkey

Elite Member
Jun 10, 2001
> Originally posted by: singh
> > Originally posted by: n0cmonkey
> > EDIT: consider using apache too, last week was the exception, not the rule.
>
> Yeah, yeah, so you say :p J/K I know it's pretty secure :)

Yeah, what the heck do I know, my machine is currently offline because of the first remote root hole in my OS in almost 6 years. I'm a llama ;)
 

singh

Golden Member
Jul 5, 2001
> Originally posted by: n0cmonkey
> > Originally posted by: singh
> > > Originally posted by: n0cmonkey
> > > EDIT: consider using apache too, last week was the exception, not the rule.
> >
> > Yeah, yeah, so you say :p J/K I know it's pretty secure :)
>
> Yeah, what the heck do I know, my machine is currently offline because of the first remote root hole in my OS in almost 6 years. I'm a llama ;)

There goes the uptime :D You won't be bragging about that to anyone anytime soon ;)
 

n0cmonkey

Elite Member
Jun 10, 2001
> Originally posted by: singh
> > Originally posted by: n0cmonkey
> > > Originally posted by: singh
> > > > Originally posted by: n0cmonkey
> > > > EDIT: consider using apache too, last week was the exception, not the rule.
> > >
> > > Yeah, yeah, so you say :p J/K I know it's pretty secure :)
> >
> > Yeah, what the heck do I know, my machine is currently offline because of the first remote root hole in my OS in almost 6 years. I'm a llama ;)
>
> There goes the uptime :D You won't be bragging about that to anyone anytime soon ;)

The power company keeps me from bragging about that already. I just pulled the ethernet cable anyhow.
 

y2kc

Platinum Member
Sep 2, 2000
> You know how to setup a cisco router as a firewall but you can't learn Unix-like systems?

the cisco IOS is cake compared to 'nix. I just wish I had the time to learn it ('nix)

> EDIT: consider using apache too.......

do you mean Apache for W32 systems?
 

n0cmonkey

Elite Member
Jun 10, 2001
> Originally posted by: y2kc
> > You know how to setup a cisco router as a firewall but you can't learn Unix-like systems?
>
> the cisco IOS is cake compared to 'nix. I just wish I had the time to learn it ('nix)

I always thought they seemed similar, but then again, I don't mess with cisco much (unfortunately). ;)

> > EDIT: consider using apache too.......
>
> do you mean Apache for W32 systems?

Yes. AT uses it as do many of the people here. It's worth looking into at least.

 

y2kc

Platinum Member
Sep 2, 2000
> I always thought they seemed similar, but then again, I don't mess with cisco much (unfortunately).

you should grab a router sim off of the web or if you could get your hands on a cisco to play around with...trust me, with your networking knowledge, you'd pick it up real quick (and be great at it).

> Yes. AT uses it as do many of the people here. It's worth looking into at least

I will indeed look into it, I was under the impression that since it was "apache for windows" it would be problematic (especially in the hands of a n00b such as myself), but if it gets the n0c's seal of approval and since I have a month before going "live", I'll give it a whirl.

Thanks.
 

n0cmonkey

Elite Member
Jun 10, 2001
> Originally posted by: y2kc
> > I always thought they seemed similar, but then again, I don't mess with cisco much (unfortunately).
>
> you should grab a router sim off of the web or if you could get your hands on a cisco to play around with...trust me, with your networking knowledge, you'd pick it up real quick (and be great at it).

I'll be doing that as soon as my friend passes his CCNA tests. I get to borrow his books then :p

> > Yes. AT uses it as do many of the people here. It's worth looking into at least
>
> I will indeed look into it, I was under the impression that since it was "apache for windows" it would be problematic (especially in the hands of a n00b such as myself), but if it gets the n0c's seal of approval and since I have a month before going "live", I'll give it a whirl.
>
> Thanks.

Everything is problematic in the computer world. I've never tried it on win32, but several other people have and none of the problems seem to be all that big. Do a search around here for some of the threads on it. You shouldn't see any major problems.