I am currently studying security in depth and came across a Microsoft checklist for installing IIS Web Server. It is necessary to check which ways our server could currently be hacked; as the saying goes, prevention is better than cure.
How to Use This Checklist
This checklist is a companion to Chapter 16, "Securing Your Web Server." Use it to help implement a secure Web server, or as a quick evaluation snapshot of the corresponding chapter.
This checklist should evolve with steps that you discover to secure your Web server.
Patches and Updates
| Check | Description |
|---|---|
| | MBSA is run at a regular interval to check for the latest operating system and component updates. |
| | The latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.) |
| | Subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp. |
IISLockdown
| Check | Description |
|---|---|
| | IISLockdown has been run on the server. |
| | URLScan is installed and configured. |
Services
| Check | Description |
|---|---|
| | Unnecessary Windows services are disabled. |
| | Services are running with least-privileged accounts. |
| | FTP, SMTP, and NNTP services are disabled if they are not required. |
| | Telnet service is disabled. |
| | ASP.NET state service is disabled and is not used by your applications. |
Protocols
| Check | Description |
|---|---|
| | WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory." |
| | TCP/IP stack is hardened. |
| | NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445). |
Accounts
| Check | Description |
|---|---|
| | Unused accounts are removed from the server. |
| | Windows Guest account is disabled. |
| | Administrator account is renamed and has a strong password. |
| | IUSR_MACHINE account is disabled if it is not used by the application. |
| | If your applications require anonymous access, a custom least-privileged anonymous account is created. |
| | The anonymous account does not have write access to Web content directories and cannot execute command-line tools. |
| | ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.) |
| | Strong account and password policies are enforced for the server. |
| | Remote logons are restricted. (The "Access this computer from the network" user right is removed from the Everyone group.) |
| | Accounts are not shared among administrators. |
| | Null sessions (anonymous logons) are disabled. |
| | Approval is required for account delegation. |
| | Users and administrators do not share accounts. |
| | No more than two accounts exist in the Administrators group. |
| | Administrators are required to log on locally OR the remote administration solution is secure. |
Files and Directories
| Check | Description |
|---|---|
| | Files and directories are contained on NTFS volumes. |
| | Web site content is located on a non-system NTFS volume. |
| | Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides. |
| | The Everyone group is restricted (no access to \WINNT\system32 or Web directories). |
| | Web site root directory has a deny-write ACE for anonymous Internet accounts. |
| | Content directories have a deny-write ACE for anonymous Internet accounts. |
| | Remote IIS administration application is removed (\WINNT\System32\Inetsrv\IISAdmin). |
| | Resource kit tools, utilities, and SDKs are removed. |
| | Sample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples). |
Shares
| Check | Description |
|---|---|
| | All unnecessary shares are removed (including default administration shares). |
| | Access to required shares is restricted (the Everyone group does not have access). |
| | Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares). |
Ports
| Check | Description |
|---|---|
| | Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used). |
| | Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure. |
Registry
| Check | Description |
|---|---|
| | Remote registry access is restricted. |
| | SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers. |
Auditing and Logging
| Check | Description |
|---|---|
| | Failed logon attempts are audited. |
| | IIS log files are relocated and secured. |
| | Log files are configured with an appropriate size depending on the application security requirement. |
| | Log files are regularly archived and analyzed. |
| | Access to the Metabase.bin file is audited. |
| | IIS is configured for W3C Extended log file format auditing. |
Sites and Virtual Directories
| Check | Description |
|---|---|
| | Web sites are located on a non-system partition. |
| | "Parent paths" setting is disabled. |
| | Potentially dangerous virtual directories, including the IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed. |
| | MSADC virtual directory (RDS) is removed or secured. |
| | Include directories do not have Read Web permission. |
| | Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account. |
| | There is script source access only on folders that support content authoring. |
| | There is write access only on folders that support content authoring, and these folders are configured for authentication (and SSL encryption, if required). |
| | FrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted. |
Script Mappings
| Check | Description |
|---|---|
| | Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer). |
| | Unnecessary ASP.NET file type extensions are mapped to `HttpForbiddenHandler` in Machine.config. |
ISAPI Filters
| Check | Description |
|---|---|
| | Unnecessary or unused ISAPI filters are removed from the server. |
IIS Metabase
| Check | Description |
|---|---|
| | Access to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin). |
| | IIS banner information is restricted (IP address in content location disabled). |
Server Certificates
| Check | Description |
|---|---|
| | Certificate date ranges are valid. |
| | Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail). |
| | The certificate's public key is valid, all the way to a trusted root authority. |
| | The certificate has not been revoked. |
Machine.config
| Check | Description |
|---|---|
| | Protected resources are mapped to `HttpForbiddenHandler`. |
| | Unused HttpModules are removed. |
| | Tracing is disabled: `<trace enabled="false"/>` |
| | Debug compiles are turned off: `<compilation debug="false" explicit="true" defaultLanguage="vb">` |
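An added example (not part of the Microsoft checklist) that audits a Machine.config fragment for the Script Mappings and Machine.config items above: tracing off, debug compiles off, and every protected extension mapped to HttpForbiddenHandler. The configuration text and the set of protected extensions are constructed for this example; pass your own file contents and extension list in practice.

```python
import xml.etree.ElementTree as ET

# Constructed Machine.config fragment (not a real server's file); it
# deliberately violates several of the checklist items above.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler, System.Web"/>
      <add verb="*" path="*.cs" type="System.Web.StaticFileHandler"/>
    </httpHandlers>
    <trace enabled="true" localOnly="true"/>
    <compilation debug="true" explicit="true" defaultLanguage="vb"/>
  </system.web>
</configuration>
"""

FORBIDDEN = "System.Web.HttpForbiddenHandler"
# Assumed sample set; use the extensions your own application must never serve.
PROTECTED_EXTENSIONS = (".asax", ".ascx", ".config", ".cs", ".vb")


def handler_types_for(root, extension):
    """Handler types registered for *<extension> in any <httpHandlers>, assembly qualifier stripped."""
    types = []
    for handlers in root.iter("httpHandlers"):
        for add in handlers.findall("add"):
            paths = [p.strip() for p in add.get("path", "").split(",")]
            if "*" + extension in paths:
                types.append(add.get("type", "").split(",")[0].strip())
    return types


def audit_config(xml_text, protected=PROTECTED_EXTENSIONS):
    """Return a list of findings; an empty list means the fragment passes."""
    root, findings = ET.fromstring(xml_text), []
    for web in root.iter("system.web"):  # also catches <location> overrides
        trace = web.find("trace")
        if trace is not None and trace.get("enabled", "").strip().lower() == "true":
            findings.append('tracing is enabled: <trace enabled="true"/>')
        comp = web.find("compilation")
        if comp is not None and comp.get("debug", "").strip().lower() == "true":
            findings.append('debug compiles are on: <compilation debug="true"/>')
    for ext in protected:
        types = handler_types_for(root, ext)
        if not types:
            findings.append(f"*{ext} has no httpHandlers mapping")
        elif any(t != FORBIDDEN for t in types):
            findings.append(f"*{ext} is mapped to {types} instead of {FORBIDDEN}")
    return findings
```

Run `audit_config(open(path).read())` against the real file; an empty result means the three items above pass for the extensions you listed.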
Code Access Security
| Check | Description |
|---|---|
| | Code access security is enabled on the server. |
| | All permissions have been removed from the local intranet zone. |
| | All permissions have been removed from the Internet zone. |
Other Check Points
| Check | Description |
|---|---|
| | IISLockdown tool has been run on the server. |
| | HTTP requests are filtered. URLScan is installed and configured. |
| | Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts. |
Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_SecWebs.asp