Module 4: Securing the Web Server


Overview
- Securing IIS
- Securing Apache

Securing IIS

Securing IIS Servers
- Installation
- Authentication
- Permissions and authorization
- Web applications
- Protect the metabase
- Monitoring and logging
- Utilities
- Miscellaneous: web sites, products, training

Installation
- Install only the components you need
- Keep the server off the network (unplug the Ethernet cable, or build it behind a firewall) until the installation and all patches are complete, so it is never reachable while still unpatched
- Apply all service packs and hotfixes
- Remove printer and file-sharing support
- Disable unnecessary services and subsystems
- Delete sample files
- Delete or move sample scripts
- Remove Internet Explorer
- Apply security templates
- Remove any resource kits or SDKs that were installed
- Secure dangerous executables (for example, restrict the NTFS permissions on command interpreters and tools such as cmd.exe, tftp.exe and ftp.exe so that the web server identity cannot run them)

Securing IIS Servers

Authentication
- Anonymous access: keep it only for genuinely public content, and give the anonymous account (IUSR_<machine>) no more than Read access to that content
- Use SSL (HTTPS) wherever credentials or sensitive data are exchanged; Basic authentication sends the password base64-encoded, which is cleartext to anyone on the path

Permissions & Authorization
NTFS permissions for web site content volumes. Set the initial NTFS permissions on the root of the volume:
- Administrators: Full Control (apply onto: this folder, subfolders and files)
- System: Full Control (apply onto: this folder, subfolders and files)
- Check the box on the Permissions tab to "Reset permissions on all child objects and enable propagation of inheritable permissions"
Then add back only what the site needs below the root, typically Read for the anonymous account on content folders; the web server identity should never hold Write on a folder that also allows script or execute access.

Best Practices for Web Site Folders
Physical folder structure:
- /root: starting point of the web site (home page)
- /scr: stores scripts. Don't call it "scripts", as this is a tip-off for attackers
- /exe: executables. Don't call it "bin" or "cgi-bin", as this is a tip-off for attackers; you may not even want to call it "exe"
- /images: graphics. Keeps clutter out of the other folders, and image requests can be excluded from logging
Renaming folders only raises the cost of guessing; it does not stop an attacker who reads your HTML or a directory listing. The real protection is the NTFS and IIS permissions on each folder (Execute only where it is needed, and never combined with Write).

ISAPI Filters vs. ISAPI Extensions
Filters are DLLs that register "hooks" with IIS so that they are invoked when certain internal IIS events occur. Event triggers pass control of a request or response to an ISAPI filter DLL (example: SSL encryption).
Extensions are DLLs or programs associated with files of certain filename extensions, so that when a browser requests such a file the program is executed automatically. Typically these are script engines or command interpreters, which is why every mapped extension you do not need is attack surface to remove.

ISAPI Filters
Four default filters:
- SSPIFILT.DLL: implements SSL encryption for all web sites using HTTPS
- COMPFILT.DLL: implements HTTP compression of requested files using the gzip and deflate encodings
- MD5FILT.DLL: used with Digest authentication
- FPEXEDLL.DLL: provides compatibility with FrontPage

Protect the Metabase
The "metabase" is IIS's configuration database (like the system registry). Its location is determined by a registry value, which can be modified (not recommended unless you're paranoid!):
- Hive: HKEY_LOCAL_MACHINE
- Key: \Software\Microsoft\InetMgr\Parameters
- Value name: MetadataFile
- Value type: REG_SZ
- Value data: the path to the metabase file
Recommendations:
- Move the HTTP/FTP root folders off the %systemroot% volume
- Secure the registry key that determines the metabase location
- Audit all failed access to the metabase file
- Set NTFS permissions on the metabase file to: Administrators: Full Control; System: Full Control

Monitoring and Logging
- Use Performance Monitor
- Log monitor output to a data file
- Determine an appropriate period of time for monitoring activity
- Get a baseline set of statistics, so that deviations (a spike in errors or in unauthorized requests) stand out

What to Monitor?
- Active Server Pages: Errors/Sec, Requests Not Authorized
- LogicalDisk: % Free Space
- IP: Datagrams Received Header Errors, Datagrams Received Unknown Protocol, Fragment Re-assembly Failures

Event Viewer Logs
NTFS file access audit:
- Audit all the different types of failed access for the entire file system
- Audit successful actions for Everyone for:
  - Create Files / Write Data
  - Create Folders / Append Data
  - Delete Subfolders and Files
  - Delete
  - Change Permissions
  - Take Ownership

IIS Protocol Logging
- Enable logging at the web site
- Disable logging for each folder/file you don't want to log
- Set the location for the log files
- Secure the log files using NTFS permissions, so that the web server identity cannot read or modify them

Utilities (Resource Kit)
- METAEDIT.EXE: IIS configuration (metabase) editor
- PLAYBACK.EXE: records incoming traffic on an IIS 5.0 server and allows it to be played back on another server
- Stress test utility
- IIS Permissions Wizard Template Maker

Miscellaneous
- Throttling IIS: limit connections, set connection timeouts
- Administration web site (HTMLA): secure the site with SSL, authentication and IP address restrictions, or remove it if you administer the server locally

Unused Services (SQL Server)
- Follow a defense-in-depth approach to securing SQL Server
- Apply service packs and patches; use MBSA to detect missing SQL updates
- Disable unused services: MSSQLSERVER, SQLSERVERAGENT, MSSQLServerADHelper, Microsoft Search, Microsoft DTC

Patching

SQL Server Authentication Best Practices

IIS Lockdown Tool
- The IIS Lockdown Tool turns off unnecessary features to reduce the attack surface of IIS 4.0, IIS 5.0 and IIS 5.1
- To provide defense in depth, the Lockdown Tool integrates URLScan, which includes customized templates for each supported server role
- IIS 6.0 ships with the settings that previous versions got from IIS Lockdown already configured, so there is no IIS Lockdown for IIS 6.0

Top 10 Actions to Secure IIS
1. Harden the operating system and apply all relevant security updates
2. Remove unnecessary components
3. Configure URLScan
4. Place content on a separate NTFS partition
5. Protect files by using minimal permissions
6. Require encryption for sensitive web traffic
7. Do not enable both the Execute and Write permissions on the same web site
8. Run applications using Medium or High application protection
9. Use a least-privilege account (LPA) for the application pool identity
10. Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the web server

IIS 6.0 Application Pools

Demonstration : Securing IIS 6.0

Unused Services
The IIS Lockdown Tool provides the option to disable unused IIS-related services; however, you should manually disable other unused services. The following services must be running for IIS to run properly:
- Event Log
- License Logging Service
- Windows NTLM Security Support Provider
- Remote Procedure Call (RPC) Service
- Windows NT Server or Windows NT Workstation
- IIS Admin Service
- MSDTC
- World Wide Web Publishing Service
- Protected Storage

The final patch

This means less for hackers to attack, less to patch and less to manage. Score one for IIS.

Once IIS is installed, this modularization continues and role services can easily be added or removed.

Disable Unused Services

Securing Apache

Secure the Operating System
- Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet
- Access to and from the Internet controlled by a firewall
- The Apache web server must be the only service running on the machine
- Load only the Apache modules you need
- Turn off diagnostic web pages (server-status, server-info) and automatic directory listings
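A quick check for the first and third points (only 80/tcp and 443/tcp offered, nothing else listening), as an added example that is not part of the original slides: the script parses `ss -ltn` style output and reports every listening TCP port outside an allow-list. The `ss` sample below is constructed, and the allow-list and function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original slides): audit the listening sockets on a
# web server against an allow-list of ports, so anything besides 80/tcp and
# 443/tcp stands out. The sample `ss -ltn` output further down is constructed.
ALLOWED_PORTS="80 443"   # assumption: a pure HTTP/HTTPS host

# Read `ss -ltn` output on stdin and print the listening TCP ports, one per
# line, numerically sorted and de-duplicated. The local address is column 4 and
# ends in ":PORT"; taking the last ":"-separated field also handles "[::]:80".
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Read `ss -ltn` output on stdin and print the ports that are listening but
# not on the allow-list. Always exits 0; the output is the finding.
unexpected_ports() {
    for port in $(listening_ports); do
        ok=0
        for allowed in $ALLOWED_PORTS; do
            [ "$port" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 0 ] && echo "$port"
    done
    return 0
}

# Constructed sample: a host that also exposes SSH and MySQL.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     *:3306             *:*
LISTEN 0      128    [::]:80            [::]:*'

# On a real host replace the sample with:  ss -ltn | unexpected_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_ports
```

Run against the sample it prints 22 and 3306: the SSH listener may be acceptable on a management interface only, and the database listener is exactly the kind of second service the slide says must not be on the web server. Run it from cron and diff the output against the baseline taken at build time.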

- Minimize information disclosure (server version and module details in headers, error pages and banners)
- Run the Apache process under a unique UID (and group) that owns nothing except what it must read
- Limit the Apache process by chrooting/sandboxing it
- Ensure no shell programs are in the chroot environment; a jail with /bin/sh inside hands an attacker who gains code execution a working environment
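The chroot check from the last bullet, as an added example (not from the original slides): a POSIX shell function that walks a jail directory and reports any executable named like a shell or interpreter. The jail layout and the list of interpreter names are assumptions; populating a real jail and calling chroot(8) need root and are not done here.

```shell
#!/bin/sh
# Added example (not from the original slides): verify that a chroot jail
# prepared for httpd contains no shell or command interpreter. The interpreter
# names and the demo jail layout below are assumptions.
INTERPRETERS="sh bash dash ksh zsh csh tcsh ash busybox perl python python3"

# chroot_interpreters JAIL
# Print every executable file or symlink inside JAIL whose name is one of the
# known interpreters. Exit 0 when the jail is clean, 1 when anything was found.
chroot_interpreters() {
    jail=$1
    hits=0
    for name in $INTERPRETERS; do
        # -perm -100: owner-execute bit set (octal form works on every find)
        matches=$(find "$jail" \( -type f -o -type l \) -name "$name" -perm -100 2>/dev/null)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Demonstration on a throw-away jail containing only content and config.
JAIL=$(mktemp -d)
mkdir -p "$JAIL/etc" "$JAIL/usr/local/apache/htdocs"
: > "$JAIL/etc/passwd"
: > "$JAIL/usr/local/apache/htdocs/index.html"
if chroot_interpreters "$JAIL"; then
    echo "jail $JAIL is clean"
else
    echo "jail $JAIL contains interpreters; remove them before chrooting"
fi
rm -rf "$JAIL"
```

Run it as the last step before starting httpd in the jail, and again after every package update, since a copied libc or a "convenience" busybox is the usual way a shell creeps back in. The name list is deliberately broad; a CGI interpreter that really is needed should live outside the jail behind a separate, equally restricted wrapper rather than be whitelisted here.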

Build Apache with only the modules required:
- http_core
- mod_access
- mod_auth
- mod_dir
- mod_log_config
- mod_mime
Do not install mod_autoindex and mod_info. Compile statically, which also removes the need for mod_so (and with it the ability to load further modules at run time).
These are Apache 1.3/2.0 module names; in Apache 2.4, mod_access became mod_authz_host and mod_auth was split into the mod_authn_* and mod_authz_* modules. Confirm the result with httpd -l, which lists the modules compiled into the binary.

10 things you should do to secure Apache
1. Update
2. Use the right user:group
3. Turn off unwanted services
4. Disable unused modules
5. Restrict access
6. Limit request size
7. Employ mod_security
8. Do not allow browsing outside the document root
9. Hide Apache's version number
10. Immunize httpd.conf

Unused Services
- Directory browsing: disabled within a <Directory> block (the document root is a good place to start) using the Options directive, with "-Indexes". The keyword is Indexes, not Indexing; Apache refuses to start on an unknown Options keyword
- Server-side includes: another feature disabled within a <Directory> block using the Options directive, with "-Includes"
- CGI execution: unless your site needs CGI, turn this off. This is also set within a <Directory> block using the Options directive, with "-ExecCGI"
- Symbolic links: set this inside a (surprise, surprise) <Directory> block with "-FollowSymLinks"
- None: you can turn off all options (in the same way as above) with "Options None"
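The Options settings above, together with the "limit request size" and "hide Apache's version number" items from the 10-things list, as an added example (not from the original slides): a shell script that emits a hardened configuration fragment and audits an httpd.conf for Options lines that still enable the risky features. The paths, the 1 MiB request limit and the sample weak config are constructed for the demonstration, and the `Require all granted` line is Apache 2.4 syntax (Apache 1.3/2.0 used `Order allow,deny` / `Allow from all` from mod_access).

```shell
#!/bin/sh
# Added example (not from the original slides): emit hardened httpd.conf
# fragments and audit a config for Options lines that enable directory
# listings, SSI, CGI or symlink following. Paths and limits are assumptions.
DOCROOT=/usr/local/apache/htdocs   # assumption

# Server-wide directives: hide the version, drop the signature line from
# generated pages, and cap request bodies (1 MiB is a demo value).
hardened_global_directives() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
LimitRequestBody 1048576
EOF
}

# The "None" choice from the slide for the document root, with .htaccess
# overrides disabled so a writable directory cannot re-enable anything.
hardened_docroot_block() {
    cat <<EOF
<Directory "$DOCROOT">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# audit_options FILE
# Print every Options line in FILE that enables a risky feature (listed
# plainly or with a leading "+", or "All"). Exit 0 if none, 1 otherwise.
# Note: matches the directive as "Options" only; Apache itself is
# case-insensitive, so normalise your config or extend the regex if needed.
audit_options() {
    awk '
        /^[ \t]*Options[ \t]/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^[+]?(Indexes|Includes|IncludesNOEXEC|ExecCGI|FollowSymLinks|All)$/) {
                    print FILENAME ":" NR ": " $0
                    bad = 1
                    break
                }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample: a typical default that leaks listings and runs CGI.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/cgi-bin">
    Options +ExecCGI
</Directory>
EOF

HARD_CONF=$(mktemp)
{ hardened_global_directives; hardened_docroot_block; } > "$HARD_CONF"

audit_options "$WEAK_CONF"   # prints the two offending lines, exits 1
audit_options "$HARD_CONF"   # prints nothing, exits 0
```

The audit is a static check of the file you intend to load; after editing, `apachectl configtest` (or `httpd -t`) confirms the syntax, and a request for a directory without an index page should now return 403 rather than a listing.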

Patching A "Patch" is the set of differences between two versions of the same file. A patch comprises one or more "diff" files. These diffs are produced by the program of the same name: diff.
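To show what "a patch is a set of diffs" means in practice, as an added example (not from the original slides): two constructed versions of an httpd.conf, the unified diff produced by diff -u, and its application with patch -p0, the same invocation the FrontPage procedure below uses. The file names and directive values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): produce a patch with diff(1)
# and apply it with patch(1). Both httpd.conf versions are constructed.
WORK=$(mktemp -d)
mkdir -p "$WORK/old" "$WORK/new"

# "old" is the shipped config, "new" is the hardened one we want to roll out.
printf 'ServerTokens Full\nServerSignature On\nOptions Indexes\n' > "$WORK/old/httpd.conf"
printf 'ServerTokens Prod\nServerSignature Off\nOptions None\n'  > "$WORK/new/httpd.conf"

# make_patch OLD NEW OUT
# Write the unified diff OLD -> NEW to OUT. diff exits 1 when the files
# differ, so only exit codes above 1 are errors.
make_patch() {
    rc=0
    diff -u "$1" "$2" > "$3" || rc=$?
    [ "$rc" -le 1 ]
}

# apply_patch DIR PATCHFILE
# Apply PATCHFILE from inside DIR with -p0 (keep the paths exactly as written
# in the "---"/"+++" headers), so the hunk lands on old/httpd.conf.
apply_patch() {
    ( cd "$1" && patch -p0 < "$2" >/dev/null )
}

# Return 0 when the patched "old" file is now identical to "new".
patched_matches_new() {
    cmp -s "$WORK/old/httpd.conf" "$WORK/new/httpd.conf"
}

# Generate the patch with paths relative to $WORK, then show it.
( cd "$WORK" && make_patch old/httpd.conf new/httpd.conf hardening.patch )
cat "$WORK/hardening.patch"
```

The "-" lines are what patch removes and the "+" lines what it adds; the "@@" header gives the line ranges in each file. The -p option matters: -p0 uses the path as written, -p1 strips the first directory component, and choosing wrongly makes patch ask for the file name instead of applying the hunk.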

Steps to manually apply the FrontPage Apache patch to a new Apache server
1. Before compiling and installing the Apache patch, you must install the FrontPage Server Extensions. When the setup script untars the FrontPage Server Extensions, it also untars the FrontPage Apache patch source file fp-patch-apache_1.3.x. If you run fp_install.sh, let it untar fp40.platform.tar.Z without installing a root web, sub/per-user webs or virtual webs.
2. Copy fp-patch-apache_1.3.x into your Apache server build directory (usually /usr/local/Apache_1.3.x). The file is found in /usr/local/frontpage/version4.0/apache-fp/fp-patch-apache_1.3.x.
3. Using the GNU version of the patch utility, run the patch command on the FrontPage 2000 Apache patch source file: patch -p0 < fp-patch-apache_1.3.x
4. Create the makefile for the patched server. For a server that uses the 1.3.x directory structure: ./configure --add-module=mod_frontpage.c. For a server that uses the 1.2.x directory structure: ./configure --add-module=mod_frontpage.c --compat

5. You can append --prefix=/usr/local/apache to get your install directories the way you want them. For instance, for an install directory of /usr/local/apache: ./configure --add-module=mod_frontpage.c --prefix=/usr/local/apache
6. Build the Apache server: make
7. Install the server: make install
8. After installing the server, run change_server.sh. This file was untarred when you ran fp_install.sh and resides in /usr/local/frontpage/version4.0. When you run change_server.sh you are prompted whether or not to replace the httpd daemon.
9. Install the Server Extensions using fp_install.sh, making sure to choose apache-fp when asked which server you are using.
Apache 1.3 and the FrontPage Server Extensions are both long out of support; treat this as a historical procedure, not something to deploy on an Internet-facing server today.

Apache and MySQL configurations, patching services and cluster

Securing some other web server

Patching
- Patching and updating your server software is a critical first step towards securing your web server. Services are prime vulnerability points for attackers.
- If your service software is not secure but you need the service, try to find a secure alternative.
- Accounts grant authenticated access to your computer, and these accounts must be audited.
- Secure all files and directories with restricted NTFS permissions that allow access only to the necessary Windows services and user accounts.
- Remove all unnecessary file shares, including the default administrative shares if they are not required.
- Audit the ports on your server regularly to ensure that an insecure or unnecessary service is not active on your web server.
