Windows NT Specific Security
Latest Service Pack and Hot-fixes applied
Currently Windows NT 4.0 SP6a is the latest Service Pack and is recommended for secure IIS4 sites. Review all Microsoft Security Bulletins and then check for hot-fixes - Windows NT, IIS, and Certificate Server. Also review the Microsoft Security Web site.
You should also consider placing a 'favorites shortcut' to the Microsoft Security Advisor Program. To do so, follow these steps:
- Open Internet Explorer on your desktop
- Navigate to http://www.microsoft.com/security
- Select Favorites on the menu, then choose Add to Favorites
- Check 'Make Available Offline'
- Select Customize | Next | Yes (links to other pages) | '2' links deep
- Next | Select 'I would like to create a new schedule' | use the defaults | finish
- OK
- Select Favorites on the menu, then choose Organize Favorites
- Select Properties | Download | uncheck 'Follow links outside of this page's Web site'
- OK
- Close
If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft Security Advisory Program' link to your desktop. A small red mark will appear on the icon when there is new security news.
Hard disk(s) formatted to NTFS
Because NTFS supports Access Control Lists you can set security policy in Windows NT rather then spread around applications. If you are using FAT you can convert to NTFS using the CONVERT.EXE tool.
Set NTFS ACLs
There are many references to what the appropriate ACLs should be, such as the IIS4 Resource Kit and Windows NT Security Guidelines - a study for NSA Research by Trusted Systems Services Inc.
Turn off NTFS 8.3 Name Generation
NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications. As 16-bit apps should not be used on a secure web server 8.3 name generation can be safely turned off. Also note, there is a performance benefit to setting this. To turn off 8.3 name generation set the following registry entry:
| Hive | HKEY_LOCAL_MACHINE\SYSTEM |
| Key | \CurrentControlSet\Control\FileSystem |
| Name | NtfsDisable8dot3NameCreation |
| Type | REG_DWORD |
| Value | 1 |
Set Domain controller type
Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts.
OS/2 and POSIX subsystems removed
Remove these subsystems by performing the following registry actions:
| Hive | HKEY_LOCAL_MACHINE\SOFTWARE |
| Key | \Microsoft\OS/2 Subsystem for NT |
| Action | Delete all sub keys |
| Hive | HKEY_LOCAL_MACHINE\SYSTEM |
| Key | \CurrentControlSet\Control\Session Manager\Environment |
| Name | Os2LibPath |
| Action | Delete Os2LibPath key |
| Hive | HKEY_LOCAL_MACHINE\SYSTEM |
| Key | \CurrentControlSet\Control\Session Manager\SubSystems |
| Action | Delete Optional, Posix and OS/2 keys |
Then delete the \winnt\system32\os2 directory and all subdirectories. The changes will take effect on the next reboot.
Remove All Net Shares
Run Net Share from the command-line and make sure you delete all of them using Net Share /d. You should also prevent all administrative shares (C$, D$, ADMIN$) by setting the following in the Registry:
| Hive | HKEY_LOCAL_MACHINE\SYSTEM |
| Key | CurrentControlSet\Services\LanmanServer\Parameters |
| Name | AutoShareServer |
| Type | REG_DWORD |
| Value | 0 |
System boot time set to zero seconds
Go to Control Panel | System | Startup/Shutdown and set "Show list for" to zero.
Hide last logon user name
Set the following in the Registry to hide the name of the last user that logged on:
| Hive | HKEY_LOCAL_MACHINE\SOFTWARE |
| Key | \Microsoft\Windows NT\Current Version\Winlogon |
| Name | DontDisplayLastUserName |
| Type | REG_SZ |
| Value | 1 |
Display a legal notice before logon
Set the following in the Registry to display legal information about the use of this computer:
| Hive | HKEY_LOCAL_MACHINE\SOFTWARE |
| Key | \Microsoft\Windows NT\Current Version\Winlogon |
| Name | LegalNoticeCaption |
| Type | REG_SZ |
| Value | Whatever you want for the title of the message box |
| Hive | HKEY_LOCAL_MACHINE\SOFTWARE |
| Key | Microsoft\Windows NT\Current Version\Winlogon |
| Name | LegalNoticeText |
| Type | REG_SZ |
| Value | Whatever you want for the text of the message box |
An excellent resource for login banner wording can be found at the CIAC web-site.
Set password length
Set to at least nine characters. This makes it much harder to guess than eight characters or less owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters in the first 7 characters.
Remove Shutdown button from logon dialog
Set the following value in the Registry to remove the shutdown option at logon:
| Hive | HKEY_LOCAL_MACHINE\SOFTWARE |
| Key | \Microsoft\Windows NT\Current Version\Winlogon |
| Name | ShutdownWithoutLogon |
| Type | REG_SZ |
| Value | 0 |
Check user accounts, group membership and privileges
Minimize the number of users and groups on the server and keep group membership small. There should be only the most trusted accounts listed in the Administrators and Domain Admins groups. Also, be wary of the privileges given to users and groups beyond the default. You can access privilege information by opening User Manager | Policies | User Rights. A complete list of recommended user rights is detailed in the IIS4 Resource Kit.
Note, three particularly powerful rights are:
- Debug privilege
- Act as part of operating system
- Backup privilege
Run SYSKEY Utility
SYSKEY, a tool introduced in Windows NT4, SP3 provides an extra safeguard for the SAM database. Refer to Q143475 for further details.
Rename Administrator account
While this is an example of "security through obscurity", it's an extra step a hacker must make to determine the admin account. Consider adding a 'fake' administrator to help detect account attacks. Give this 'Administrator' no rights and carefully audit its use.
Note:
nbtstat -aor
nbtstat -Amay be used to determine the real administrator account if they are currently logged on.
Allow network-only lockout for the Administrator account
Normally, the Administrator account cannot be locked out if an attacker attempts to guess the password. However, a tool in the Windows NT Resource Kit called PASSPROP supports this option. If you run the following command the Administrator account will be locked out if an attacker attempts a brute force or dictionary attack but the administrator can still logon locally at the server:
passprop /adminlockout
Set a very strong password for Admin account
Make sure the admin account has a very difficult to guess password and change it frequently. Click here for more info.
The Registry Editor
supports remote access to the Windows NT registry. To restrict network
access to the registry, use the Registry Editor to create the following
registry Key
The security permissions
(ACLs) set on this key define which users or groups can connect to the
system for remote registry access.
Windows NT has a feature
that allows non-authenticated users to enumerate users on a Windows NT
domain. If you do not want this functionality, set the following in the
Registry:
The following registry
entries should be tightly ACL'd and monitored as they can be used to launch
trojan programs:
The default ACLs
should be:
This only allows users
having an account in the domain or on the machine to access shares on
the server. You can perform this by opening User Manager | Policies |
User Rights, then choosing "Access this computer from network",
remove Everyone from the list and add Authenticated Users to the list.
Unbinding NetBIOS
from TCP/IP will prevent a user from accessing machine information using
tools like NBTSTAT.
If routing is enabled,
you run the risk of passing data between the intranet and Internet. To
disable routing, open the Control Panel | Network | Protocols | TCP/IP
Protocol | Properties | Routing and clear the Enable IP Forwarding check
box.
Open User Manager
| Policies | Audit | Audit these Events.
Open Event Viewer
| Log | Log Settings, and set a maximum size and "Overwrite Events
Older than" for all three logs. If you are going to overwrite logs
after only a few days and your log maximum size is small then you need
to check the logs more frequently.
Configure TCP/IP filtering
by specifying which ports are allowable on each network card. Go to Control
Panel | Network | Protocols | TCP/IP | Advanced | Enable Security | Configure.
Now set the following options:
Place all commonly
used administrative tools in a special directory out of %systemroot% and
ACL them so that only administrators have full access to these files.
For example create a directory called \CommonTools and place the following
files in there:
If you have multiple
Web servers you should make sure the times are synchronized. This will
aid you when you need to evaluate multiple audit logs in the case of any
intrusion detection. The simplest way is to use the NET TIME command and
nominate one server as having the base time.
Some sample applications
install ODBC data sources for sample databases, while others may install
unused ODBC/OLE-DB database drivers. It is prudent to remove any unwanted
data sources and drivers using the ODBC Data Source Administrator tool.
It is generally considered
good practice to reduce the number of entry points into a server, for
Windows NT this means reducing the number of services. You should stop
and disable unneeded services using the Service Configuration Manager.
The following services must be running to use IIS:
These are application
specific but you need to make sure you use 'strong enough' authentication
for your application. The following lists the authentication schemes supported
by IIS4 in increasing trust:
Refer to Q229694
for further details.
This is also application
dependant, but the following rules-of-thumb apply:
Administrators
(Full Control)
System (Full
Control)
Administrators
(Full Control)
System (Full
Control)
Administrators
(Full Control)
System (Full
Control)
Administrators
(Full Control)
System (Full
Control)
Rather than setting
ACLs on each file, you are better off setting new directories for each
type of file and setting ACLs on the dir and allow the ACLs to inherit
to the files. For example a directory structure may look like this:
Real ACL inheritance
is a feature of Windows NT4 SP4 with the Security Config Editor installed.
Also be aware that
two directories need special attention:
They are both Everyone
(Full Control) and should be overridden with something tighter depending
on your level of functionality. Place the folder on a different volume
to the IIS server if you are going to support Everyone (Write).
Make sure the ACLs
on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
This is to help prevent
malicious users deleting the files to cover their tracks.
Logging is paramount
when you want to see if your server is being attacked. You should use
W3C Extended Logging format by Loading the IIS MMC tool | Right-click
on site in question | Properties | Web Site | Enable Logging (W3C Extended
Log), then set the following properties:
This is not a common
option to set, but if you wish to restrict your Web sites to certain users
then this is one option. Note, if you enter DNS names then IIS has to
do a lookup, which can be time consuming.
It is difficult to
know whether executable content can be trusted or not. One small test
is use the DumpBin tool to see if the executable calls certain APIs. DumpBin
is included with many Win32 developer tools. For example, use the following
syntax if you wish to see if a file called MyISAPI.DLL calls RevertToSelf():
If no result appears
on screen then MyISAPI.DLL does not call RevertToSelf() directly. It may
call the API through LoadLibrary() in which case you could search for
this too.
SSL/TLS can be used
to secure data as it's transferred from the client to the web server.
SSL/TLS is used mainly when passwords or credit cards are to be transferred
across the Internet. However, using SSL/TLS is slow, especially during
the initial handshake, so keep pages that use SSL/TLS to a minimum and
keep the content minimal.
If you are using
SP4 or later you do not need to use the IISCA tool. Instead you can use
the new certificate UI. Refer to Q194788
for further details.
In a public key infrastructure
trust is determined by the root certifying authority (CA) certificates
you have enabled. If you trust certificates issued by a CA then you must
have that root CA certificate loaded in the operating system. You need
to do the following to implement who you trust when using IIS:
How you achieve the
second bullet point depends on what version of IIS, IE and Windows NT4
you are using:
IIS4 + IE4 + Windows
NT 4 + SP4 or better
In this scenario,
all root CA certificates are handled by schannel.dll, which stores its
data in the registry. You will see a series of registry keys under the
following "CertificationAuthorities" key, one for each preinstalled
CA. Each CA key has an "Enabled" entry under it, set to 0x1
if the CA is trusted and 0x0 if the CA is not trusted.
Note: you
should not delete these registry entries, as Schannel will notice that
they're missing and recreate them. For this scenario
you need to perform the steps noted above and modify trusted roots in
IE5: Check what documents
you are indexing, make sure you are not indexing confidential source code!
By default the installed
ASP pages for Certificate Server are not secured. You should either remove
the pages or set very limited ACLs on the pages. They are located in the
%systemroot%/certsrv directory. You should set the ACLs to:
Samples are just that,
samples, they are not installed by default and should never be installed
on a production server. This includes documentation (the SDK docs include
sample code), the Exploration Air sample site and others. Here are the
default locations for some of the samples:
Some COM components
are not required for most applications and should be removed. Most notably
consider disabling the File System Object component, however, this will
also remove the Dictionary object. Be aware that some programs may require
components you are disabling. For example, Site Server 3.0 uses the File
System Object. The following will disable the File System Object:
This directory allows
you to reset Windows NT passwords, it is designed primarily for intranet
scenarios. It should be removed if this feature is not required or if
the server is on the Web. Refer to Q184619
for more info about this functionality.
IIS is preconfigured
to support common filename extensions such as .ASP and .SHTM. When IIS
receives a request for a file of one of these types the call is handled
by a DLL. If you don't use some of these extensions or functionality you
should remove the mappings by open Internet Services Manager then right-clicking
the Web server | Properties | Master Properties | WWW Service | Edit |
HomeDirectory | Configuration and remove these references:
This
is an extremely important setting
When incorrectly
configured Remote Data Services can make a server vulnerable to denial
of service and arbitrary code execution attacks. You should either remove
the capability or restrict it's usage using ACLs. Refer to MS98-004,
MS99-025
and Q184375
for more info.
Also, check your
IIS logs regularly for signs of attack, the signature to look for is something
like:
You can automate
the searching process by using commend:
Many sites use input
from a user to call other code or build SQL statements directly. In other
words they are treating the input as valid, well formed, non-malicious
input. This should not be so, there are a number of attacks, most notably
on Unix where user input was treated incorrectly as valid input and the
user gained access to the server or caused damage. You should always check
all user <FORM> input before passing it onto another process or
method call which may use an external resource such as the file system
or a database.
Checking the text
can be performed with the new JScript and VBScript regular expression
capabilities. The following example code will strip a string of all invalid
characters (not 0-9a-zA-Z and _):
The following sample
will strip all text after a '|' operator:
Also, be careful
you are using the opening or creating files using Scripting File System
Object, where the filename is based on user's input, the user may attempt
to open a serial port or printer. The following JScript code will strip
out invalid filenames:
The new pattern syntax
is the same as that in Perl 5.0. Refer to the v5 scripting engine documentation
at http://www.microsoft.com/jscript
for further detail and http://msdn.microsoft.com/workshop/languages/clinic/scripting051099.asp
for examples.
Parent Paths allows
you to use '..' in calls to MapPath and the like. By default this option
is enabled and should be disabled. To disable this option go to the root
of the Web site in question, right click select Properties | Home Directory
| Configuration | App Options and uncheck Enable Parent Paths.
The command can be
used to call arbitrary commands at the Web server from within an HTML
page. IIS disables this by default. You can double-check this by making
sure the following is set to zero or is missing:
The Content-Location
header may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server. Refer
to Q218180
for further information about disabling this option.
Prevent unauthenticated
access to the registry
Hive
HKEY_LOCAL_MACHINE\SYSTEM
Key
\CurrentControlSet\Control\SecurePipeServers
Name
\winreg
Restrict Anonymous
Network Access
Hive
HKEY_LOCAL_MACHINE\SYSTEM
Key
CurrentControlSet\Control\LSA
Name
RestrictAnonymous
Type
REG_DWORD
Value
1
ACL and Monitor Critical
Registry Keys
Hive
Key HKEY_LOCAL_MACHINE\SOFTWARE
Microsoft\Windows\CurrentVersion\Run
Hive
Key HKEY_LOCAL_MACHINE\SOFTWARE
Microsoft\Windows\CurrentVersion\RunOnce
Hive
Key HKEY_LOCAL_MACHINE\SOFTWARE
Microsoft\Windows\CurrentVersion\RunOnceEx
Hive
Key HKEY_LOCAL_MACHINE\SOFTWARE
Microsoft\Windows NT\CurrentVersion\AeDebug
Hive
Key HKEY_LOCAL_MACHINE\SOFTWARE
Microsoft\Windows NT\CurrentVersion\WinLogon
Change "Access
this computer from the network" from Everyone to Authenticated Users
Unbind NetBIOS from
TCP/IP
Disable IP Routing
Audit for Success/Failed
Logon/Logoff
Set Overwrite interval
for Audit log
Configure TCP/IP
Filtering
Move and ACL Critical
Files
xcopy.exe
wscript.exe
cscript.exe
net.exe
ftp.exe
telnet.exe
arp.exe
edlin.exe
ping.exe
route.exe
at.exe
finger.exe
posix.exe
rsh.exe
atsvc.exe
qbasic.exe
runonce.exe
syskey.exe
cacls.exe
ipconfig.exe
rcp.exe
secfixup.exe
nbtstat.exe
rdisk.exe
debug.exe
regedt32.exe
regedit.exe
edit.com
netstat.exe
tracert.exe
nslookup.exe
rexec.exe
cmd.exe
Synchronize Times
Remove Unused ODBC/OLE-DB
Data Sources and Drivers
IIS
Specific Security
Install minimal Internet
services required
Set appropriate authentication
methods
Set appropriate virtual
directory permissions/Web application space
File
Type
ACL
CGI
etc .EXE, .DLL, .CMD, .PL
Everyone
(X)
Script
Files .ASP etc
Everyone
(X)
Include
Files .INC, .SHTML, .SHTM
Everyone
(X)
Static
Content .HTML, .GIF, .JPEG
Everyone
(R)
c:\inetpub\wwwroot\myserver\static (.html)
c:\inetpub\wwwroot\myserver\include (.inc)
c:\inetpub\wwwroot\myserver\script (.asp)
c:\inetpub\wwwroot\myserver\executable (.dll)
c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
c:\inetpub\ftproot (FTP server)
c:\inetpub\mailroot (SMTP server)
Set appropriate IIS
log file ACLs
Logging enabled
Set IP Address/DNS
Address restrictions
Executable content
validated for trustworthiness
dumpbin /imports MyISAPI.DLL | find "RevertToSelf"
Set up Secure Sockets
Layer
Migrate new Root
Certificates to IIS
Remove non-Trusted
Root Certificates
Hive
HKEY_LOCAL_MACHINE\SYSTEM
Key
CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities
Name
Enabled
Type
REG_DWORD
Value
0
IIS4 + IE5 + Windows NT 4 + SP4 or better
Regardless of which route
you take, you will need to stop and start IIS:
Index Server only
indexing documentation
Lock down Microsoft
Certificate Server ASP Enrollment pages
then add trusted certificate
operators to the Certificate Issuers group.
Disable or remove
all sample applications
Technology
Location
IIS
c:\inetpub\iissamples
IIS
SDK
c:\inetpub\iissamples\sdk
Admin
Scripts
c:\inetpub\AdminScripts
Data
access
c:\Program
Files\Common Files\System\msadc\Samples
Disable or remove
unneeded COM Components
regsvr32 scrrun.dll /u
Remove the IISADMPWD
virtual directory
Remove Unused Script
Mappings
If
you don't use
Remove
this entry
Web-based
Password Reset
.htr
Internet
Database Connector
(new Web sites don't use this, they use ADO from Active Server Pages)
.idc
Server-side
includes
.shtm,
.stm, .shtml
Disable RDS support
1999-10-24 20:38:12 - POST /msadc/msadcs.dll ...
find /i "msadcs" logfile.log
Check <FORM>
input in your ASP code
Set reg = New RegExp
reg.Pattern = "\W+" ' One or more characters which are NOT 0-9a-zA-Z or '_'
strUnTainted = reg.Replace(strTainted, "")
Set reg = New RegExp
reg.Pattern = "^(.+)\|(.+)" ' Any character from the start of the string to a '|'
strUnTainted = reg.Replace(strTainted,"$1")
var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i,"");
Disable Parent Paths
Disable calling the
command shell with #exec
Hive
HKEY_LOCAL_MACHINE\SYSTEM
Key
CurrentControlSet\Services\W3SVC\Parameters
Name
SSIEnableCmdDirective
Type
REG_DWORD
Value
0
Disable IP Address
in Content-Location