Abstract

This paper presents the common IIS web server security specifications in the form of a checklist that helps webmasters or penetration testers implement a secure web server infrastructure quickly. A web application must be thoroughly protected against malicious attacks and against the damage, in whatever form, that they cause. Security professionals and penetration testers are typically part of a web project to ensure the website is protected from various attacks by detecting loopholes that might be exploited later. But such a critical task is often not carried out properly, and web applications go live into the production environment with inherent vulnerabilities, or even without complying with security guidelines. This happens because developers and organizations are often in a hurry to launch the software into production under various unnamed pressures.

Unfortunately, there is no single tool that can claim to secure an application comprehensively, because attacks can come in any form; the range of possibilities is so extensive that it cannot be fully anticipated. A summarized checklist like this one has therefore proven to be a real help for hardening a deployment host, or for improving its security quickly.

Virtual Directory

| Security Specifications | Status |
| --- | --- |
| Ensure access restrictions are applied to directories that allow anonymous access | |
| Ensure the IISAdmin, IISHelp and IISSamples directories are removed | |
| Confirm the PARENT PATHS setting is disabled | |
| Ensure unused FrontPage Server Extensions are removed | |
| Ensure website directories are moved off the system partition drive | |
| Ensure directory traversal is disabled (uncheck write permission) | |
| Ensure other unused utilities such as the Resource Kit and SDK are removed | |
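The following PowerShell script is an added example (not part of the original article) that checks the Virtual Directory items above on an IIS 7 or later host using the WebAdministration module. It assumes the sample and help directories are looked up by name under each site's physical path, that the "system partition" is `$env:SystemDrive`, and that write access granted to the anonymous/application-pool identities (`IUSR`, `IIS_IUSRS`, `Everyone`, `Users`) is what the checklist's "uncheck write permission" item refers to.

```powershell
# Added example, not from the original article: audit the Virtual Directory checklist items.
Import-Module WebAdministration

# Directories the checklist says should not exist under a web root.
$RemovableDirectories = @('IISAdmin', 'IISHelp', 'IISSamples')

function Get-VirtualDirectoryFindings {
    $findings = @()

    # ASP parent paths (..\ in includes) must be disabled at the server level.
    $pp = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter 'system.webServer/asp' -Name 'enableParentPaths'
    if ($pp.Value) { $findings += 'ASP enableParentPaths is true; disable it' }

    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)

        # Web roots belong on a data partition, not on the Windows system drive (assumption: $env:SystemDrive).
        if ($root -like "$env:SystemDrive\*") {
            $findings += "site '$($site.Name)' root '$root' is on the system drive"
        }

        # Leftover administration, help and sample directories widen the attack surface.
        foreach ($d in $RemovableDirectories) {
            if (Test-Path (Join-Path $root $d)) {
                $findings += "site '$($site.Name)' still has '$d' under its root"
            }
        }

        # Directory browsing lets anonymous users list folder contents; it must be off.
        $db = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
        if ($db.Value) { $findings += "site '$($site.Name)' has directory browsing enabled" }

        # Write access for anonymous or broad groups on the web root allows uploads/defacement.
        $acl = Get-Acl -Path $root
        foreach ($ace in $acl.Access) {
            $broad = $ace.IdentityReference.Value -match 'IUSR|IIS_IUSRS|Everyone|\\Users$'
            $write = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write
            if ($broad -and $ace.AccessControlType -eq 'Allow' -and $write) {
                $findings += "'$($ace.IdentityReference)' has write access to '$root'"
            }
        }
    }
    return $findings
}

# Usage: prints one line per finding; an empty result means every item above passed.
Get-VirtualDirectoryFindings
```

Run it in an elevated PowerShell session on the web server; each returned string names the site and the specific checklist item that failed, so the Status column can be filled in directly from the output.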

Machine Configuration File


| Security Specifications | Status |
| --- | --- |
| Ensure DEBUG is turned off in the WEB.CONFIG file | |
| Ensure TRACE is set to false or disabled | |
| Ensure unnecessary HTTP modules are removed | |
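As an added example (not from the original article), the script below audits a web.config for the three Machine Configuration items: `compilation debug`, `trace enabled`, and the registered `httpModules`. The embedded web.config is constructed to show the weak settings; the list of required module names passed to `Test-WebConfigHardening` is an assumption that the operator supplies for the application in question.

```powershell
# Added example, not from the original article: check and repair debug/trace/module settings.

# Constructed sample web.config showing the weak settings the checklist forbids.
$SampleWebConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <trace enabled="true" localOnly="false" />
    <httpModules>
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <add name="LegacyStats" type="Contoso.LegacyStatsModule, Contoso.Web" />
    </httpModules>
  </system.web>
</configuration>
'@

function Test-WebConfigHardening {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Modules the application genuinely needs (assumption); anything else is flagged.
        [string[]] $RequiredModules = @()
    )
    [xml] $cfg = Get-Content -Path $Path -Raw
    $web = $cfg.configuration.'system.web'
    $findings = @()

    # debug="true" returns detailed stack traces to clients and disables compiler optimizations.
    if ($web.compilation -and $web.compilation.debug -eq 'true') {
        $findings += 'compilation debug="true" - set debug="false"'
    }
    # <trace enabled="true"> exposes trace.axd with request, session and server variable details.
    if ($web.trace -and $web.trace.enabled -eq 'true') {
        $findings += 'trace enabled="true" - set enabled="false" or remove <trace>'
    }
    # Every <httpModules><add> not on the required list is a removal candidate.
    foreach ($m in @($web.httpModules.add)) {
        if ($m -and $RequiredModules -notcontains $m.name) {
            $findings += "httpModules contains '$($m.name)' ($($m.type)) - remove if unused"
        }
    }
    return $findings
}

function Repair-WebConfigHardening {
    param([Parameter(Mandatory)] [string] $Path)
    [xml] $cfg = Get-Content -Path $Path -Raw
    $web = $cfg.configuration.'system.web'
    if ($web.compilation) { $web.compilation.SetAttribute('debug', 'false') }
    if ($web.trace) {
        $web.trace.SetAttribute('enabled', 'false')
        $web.trace.SetAttribute('localOnly', 'true')   # defence in depth if trace is re-enabled
    }
    $cfg.Save($Path)
}

# Usage: write the constructed sample to a temp file, audit it, fix it, audit again.
$tmp = Join-Path $env:TEMP 'sample-web.config'
Set-Content -Path $tmp -Value $SampleWebConfig
Test-WebConfigHardening -Path $tmp -RequiredModules 'UrlAuthorization'
Repair-WebConfigHardening -Path $tmp
Test-WebConfigHardening -Path $tmp -RequiredModules 'UrlAuthorization'   # only the module finding remains
```

Module removal is left to the operator on purpose: the script reports unexpected `httpModules` entries but does not delete them, because whether a module is "unnecessary" depends on the application.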

Secure Communication

| Security Specifications | Status |
| --- | --- |
| Ensure HTTP requests are filtered or categorized | |
| Ensure HTTPS is enabled if your website handles sensitive data | |
| Ensure server certificates are up to date and issued by a trusted organization | |
| Ensure certificates have not been revoked | |
| For remote administration, ensure proper time-outs and encryption are configured | |
| Ensure communication happens only through port 80 or 443 | |
| Ensure IPSec is set up on the network for secure communication | |
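The script below is an added example (not part of the original article) covering the certificate and port items in the Secure Communication section: it reports expired, not-yet-valid, self-signed and revoked/untrusted certificates in the machine store, and lists every IIS site binding that is not plain HTTP on 80 or HTTPS on 443 with a certificate attached. It assumes the WebAdministration module (IIS 7 and later) for `Get-WebBinding`; the 30-day expiry warning window is an assumption.

```powershell
# Added example, not from the original article: certificate and binding posture of an IIS host.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Get-ServerCertificateFindings {
    param(
        # Warn when a certificate expires within this many days (assumption: 30).
        [int] $WarnDays = 30,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]] $Certificates =
            (Get-ChildItem -Path Cert:\LocalMachine\My)
    )
    $now = Get-Date
    foreach ($cert in $Certificates) {
        $issues = @()
        if ($cert.NotAfter -lt $now) { $issues += 'expired' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $issues += "expires within $WarnDays days" }
        if ($cert.NotBefore -gt $now) { $issues += 'not yet valid' }
        # Subject equal to Issuer means self-signed, i.e. not issued by a trusted organization.
        if ($cert.Subject -eq $cert.Issuer) { $issues += 'self-signed' }
        # Build the chain with online revocation checking; Build() is false for revoked or untrusted certs.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $issues += (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Issues     = ($issues -join '; ')
        }
    }
}

function Get-IisBindingFindings {
    # Checklist rule: only http on 80 or https on 443, and https must carry a certificate.
    foreach ($b in Get-WebBinding) {
        $port = ($b.bindingInformation -split ':')[1]
        $ok = switch ($b.protocol) {
            'http'  { $port -eq '80' }
            'https' { ($port -eq '443') -and -not [string]::IsNullOrEmpty($b.certificateHash) }
            default { $false }   # ftp, net.tcp and other protocols fall outside the allowed ports
        }
        [pscustomobject]@{
            Site        = $b.ItemXPath
            Protocol    = $b.protocol
            Binding     = $b.bindingInformation
            Certificate = $b.certificateHash
            Compliant   = $ok
        }
    }
}

# Usage: review both tables; any non-empty Issues cell or Compliant=False needs attention.
Get-ServerCertificateFindings | Format-Table -AutoSize
Get-IisBindingFindings        | Format-Table -AutoSize
```

The revocation check needs outbound access to the issuing CA's CRL or OCSP endpoint from the server; on an isolated host `Build()` fails with a `RevocationStatusUnknown` status rather than confirming the certificate is good, which is itself worth recording in the Status column.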

Logging and Audit

| Security Specifications | Status |
| --- | --- |
| Ensure failed logon attempts are regularly inspected | |
| Ensure log files are properly maintained and audited | |
| Confirm the W3C extended log format is enabled for auditing | |

IIS Metabase and Filters

| Security Specifications | Status |
| --- | --- |
| Ensure banner grabbing is disabled | |
| Ensure access to the file %systemroot%\system32\inetsrv\metabase.bin is restricted | |
| Ensure unused extensions (.shtml, .hta, .htw, .stm) are removed | |
| Ensure unused ISAPI filters are disabled or removed | |
| Ensure the 'Forbidden Handler' is mapped to unused ASP.NET file extensions | |

Server Accounts

| Security Specifications | Status |
| --- | --- |
| Ensure anonymous logon is disabled | |
| Ensure the unused IUSR_MACHINE account is disabled | |
| Ensure there is only a single administrator account | |
| Ensure the administrator account is properly hardened with a strong password scheme | |
| Ensure the GUEST account is disabled | |
| Ensure remote logon is disabled | |
| Ensure the ASP.NET process account is configured with least access | |
| Ensure no account other than the administrator can log on locally | |

Code Access Security

| Security Specifications | Status |
| --- | --- |
| Confirm CAS is enabled | |
| Confirm source code is obfuscated | |
| Confirm a custom error page is installed on the server | |
| Confirm permissions are removed from the Internet and Intranet zones | |

System Configuration

| Security Specifications | Status |
| --- | --- |
| Confirm the ASP.NET state service is disabled | |
| Confirm Remote Registry administration is disabled | |
| Confirm the WebDAV service is disabled | |
| Confirm the FTP and SMTP services are disabled | |
| Confirm the SMB service is disabled | |
| Confirm all redundant shares (C$, D$, ...) are removed | |
| Confirm remote administration by TELNET is disabled | |
| Confirm essential system services run with least privilege | |
| Confirm redundant system services are stopped | |
| Ensure IIS is not installed on a domain controller | |
| Ensure an IDS is installed at the network perimeter | |
| Ensure the IIS server is placed inside a DMZ | |
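As an added example (not from the original article), the script below audits the host-level items from the Server Accounts and System Configuration sections in one pass: the services the checklist wants stopped, the administrative drive shares, and the local accounts. The service names are the standard Windows ones (`aspnet_state`, `RemoteRegistry`, `TlntSvr`, `SMTPSVC`, `FTPSVC` for IIS 7.5+, `MSFTPSVC` for IIS 6, `LanmanServer` for SMB); `Get-LocalUser` and `Get-LocalGroupMember` need PowerShell 5.1 or later. Note that on IIS 7 and later the anonymous identity `IUSR` is a built-in account and will not appear in `Get-LocalUser`; the `IUSR*` match is for the IIS 6 `IUSR_MACHINE` account named in the checklist.

```powershell
# Added example, not from the original article: services, shares and accounts audit.

# Service name -> description, for the services the checklist says must be disabled.
$ServicesThatShouldBeOff = @{
    'aspnet_state'   = 'ASP.NET State Service'
    'RemoteRegistry' = 'Remote Registry'
    'TlntSvr'        = 'Telnet'
    'SMTPSVC'        = 'SMTP'
    'FTPSVC'         = 'FTP (IIS 7.5 and later)'
    'MSFTPSVC'       = 'FTP (IIS 6)'
    'LanmanServer'   = 'Server (SMB file sharing)'
}

function Get-ServiceFindings {
    foreach ($name in $ServicesThatShouldBeOff.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # not installed: nothing to report
        # StartMode comes from WMI so the check also works on pre-5.0 PowerShell.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = "$name ($($ServicesThatShouldBeOff[$name]))"
            Status    = $svc.Status
            StartMode = $wmi.StartMode
            Compliant = ($svc.Status -ne 'Running') -and ($wmi.StartMode -eq 'Disabled')
        }
    }
}

function Get-AdminShareFindings {
    # Win32_Share Type 2147483648 (0x80000000) marks administrative disk shares such as C$ and D$.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 -and $_.Name -match '^[A-Z]\$$' } |
        ForEach-Object {
            [pscustomobject]@{ Share = $_.Name; Path = $_.Path; Finding = 'administrative drive share present' }
        }
}

function Get-AccountFindings {
    $findings = @()
    foreach ($u in Get-LocalUser) {
        # Guest and the legacy IIS anonymous account must be disabled.
        if (($u.Name -eq 'Guest' -or $u.Name -like 'IUSR_*') -and $u.Enabled) {
            $findings += "local account '$($u.Name)' is enabled"
        }
    }
    # The checklist wants a single administrator; more than one member of Administrators is a finding.
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    if ($admins.Count -gt 1) {
        $names = ($admins | ForEach-Object { $_.Name }) -join ', '
        $findings += "Administrators group has $($admins.Count) members: $names"
    }
    return $findings
}

# Usage: run elevated on the web server and transfer each failed row to the Status column.
Get-ServiceFindings    | Format-Table -AutoSize
Get-AdminShareFindings | Format-Table -AutoSize
Get-AccountFindings
```

The script only reports; stopping `LanmanServer` or removing administrative shares on a production host should be a deliberate change, since both can also break management tooling that the operations team relies on.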

Server Updates

| Security Specifications | Status |
| --- | --- |
| Ensure the Windows operating system is updated | |
| Ensure the .NET Framework is updated | |
| Ensure the IIS web server is fully patched | |
| Ensure MBSA is configured and run regularly | |
| Ensure EMET is installed and enabled on the server | |
| Ensure the Microsoft Notification Service is enabled | |
| Ensure effective anti-virus software is installed and running | |

Final Note

In this article, we have seen how to harden the IIS web server to protect ASP.NET websites. The article does not explain the various attacks and their countermeasures. Instead, it pinpoints the major security guidelines in the form of checklists that can be applied quickly to a web server, so that a developer can confirm that a particular security mechanism has been applied and is enabled. Some critical bugs go unnoticed and remain in the final version of the software, which can get the application into trouble. A synopsis of this kind therefore eases the task of developers and security professionals by helping them avoid overlooking or forgetting critical security configurations on the web server.