IIS and NTS 4.0 Hardening Guide
__________________________________________________________________
Technical Reference: NT Server 4.0 Hardening Guide
Contents
Overview
Table 1: Install & Setup
Table 2: Configuration
Table 3: Hardening
Table 4: Registry Edits
Table 5: Securing Permissions
Table 6: Firewall ACL
Table 7: SSHD
Resources
Overview
This document is applicable ONLY to NTS 4.0 running IIS 4.0. If any
other application is running on the server to support its function
(e.g., Cold Fusion), then that application must also be secured.
The steps in this guide should be performed on new installations
only to avoid unpredictable results. This hardening procedure
should NOT be used on general-purpose NT servers on an internal LAN
(e.g., file servers), as it removes several of the services that NT
uses for default functionality.
Support Tables
Table 1: NT Server Installation and Setup
Step
Action
1.
Install NT 4.0 Server:
- NTFS Format ALL Partitions
- Standalone server, not a PDC
- Member of a workgroup, not a domain
2.
Install IE 4.0 SP2: Install IE 4.0 SP2 browser-only:
- No active desktop.
3.
Install the latest applicable SP and Hotfixes:
Bugtraq List
As of 11/6/2000:
SP6a
q241041 Enabling NetBT to Open IP Ports Exclusively
q243404 WINOBJ.EXE May Let You View Securable Objects Created/Opened
by JET500.DLL
q243405 Device Drivers Create their Corresponding DeviceObject with
FILE_DEVICE_SECURE_OPEN Device Characteristics
q244599 Fixes Required in TCSEC C2 Security Evaluation Configuration
for Windows NT 4.0 Service Pack 6a. Windows NT Appears to Hang When
You Log Off After Installing Service Pack 6.
q188806 NTFS Alternate Data Stream Name of a File May Return Source
q252463 Security Update, April 13, 2000
q267559 Security Update, July 17, 2000
q269862 Security Update, August 15, 2000
q271652 Security Update, September 8, 2000
4.
Install Option pack:
Choose custom install:
Select the following items ONLY
[_] Internet Information Server
[_] Internet Service Manager
[_] World Wide Web Server
[_] Microsoft Data Access Components 1.5
[_] Data Sources
[_] MDAC: ADO, OBDC, and OLE DB
[_] Remote Data Service 1.5
[_] RDS Core Files
[_] Microsoft Management Console
[_] NT Option Pack Common Files
[_] Transaction Server
[_] Transaction Server Core Components
Install WWW site on separate partition or disk from the operating
system.
Choose default/local administration for transaction server.
5.
Install the latest compatible version of MDAC (2.6 RTM as of 10/30/00)
Back to top
Table 2: Configuration of the NT Server
Step
Action
1.
Set Permissions:
Use File Manager to recursively set permissions on the root directory
of all partitions to:
* Administrators: FULL CONTROL
* System: FULL CONTROL
2.
Set Screen Saver:
To protect the console of the server, set up the screen saver for the
administrator's profile:
Select [Display]
Select [Screen Saver] <TAB>
For Screen Saver Select [Logon Screen Saver]
Enable [Password Protect]
Click [OK]
3.
Configure Services:
______________________________________________________________
Disable the following services:
Alerter (disable)
ClipBook Server (disable)
Computer Browser (disable)
DHCP Client (disable)
Directory Replicator (disable)
FTP publishing service (disable)
License Logging Service (disable)
Messenger (disable)
Netlogon (disable)
Network DDE (disable)
Network DDE DSDM (disable)
Network Monitor (disable)
Plug and Play (disable after all hardware configuration)
Remote Access Server (disable)
Remote Procedure Call (RPC) locater (disable)
Schedule (disable)
Server (disable)
Simple Services (disable)
Spooler (disable)
TCP/IP Netbios Helper (disable)
Telephone Service (disable)
______________________________________________________________
Optionally disable the following services:
SNMP service (optional)
SNMP trap (optional)
UPS (optional)
______________________________________________________________
Set the following services to automatic:
Eventlog ( required )
NT LM Security Provider (required)
RPC service (required)
WWW (required)
Workstation (leave service on: will be disabled later in the
document)
MSDTC (required)
Protected Storage (required)
4.
Set SNMP Properties and Change Community Strings (if SNMP Service
installed):
In Network Control Panel, select [Services] tab and click
[Properties]
Click on the [Security Tab] to receive the following screen:
Under Accepted Community Names
Select [public] community name
Click [Edit...].
Enter [YOUR COMMUNITY STRING]
Click [OK] to accept the changes that were made.
Click [OK] to close the MS SNMP Properties.
5.
Remove all IIS Sample directories:
IIS d:\inetpub\iissamples
Admin Scripts d:\inetpub\scripts
Admin Samples c:\winnt\system32\inetsrv\adminsamples
IISADMPWD c:\winnt\system32\inetsrv\iisadmpwd
IISADMIN c:\winnt\system32\inetsrv\iisadmin
Data access c:\Program Files\Common Files\System\msadc\Samples
6.
Remove directories from Internet Services Manager (ISM):
IISSamples
Scripts
IISAdmin
IISHelp
IISADMPWD (This directory allows you to reset Windows NT passwords on
an intranet)
7.
Remove unnecesssary IIS extension mapping.
In ISM:
Highlight computer name, right mouseclick, and select [Properties]
Click [Edit] under Master Properties
Selct the [Home Directory] tab
Click on [Configuration...]
Highlight ".HTA", ".HTR" and ".IDC" extensions, click [Remove]
Do the same for all other unneeded extensions (for example .shtm
.stm and .shtml are not needed unless you will be using server side
includes).
8.
Disable the default website.
In ISM: right-click on the "Default Web Site" and select [Stop].
Note: Do not use the default website and disable/delete the
administrative one.
9.
Enable network lockout of admin account.
Use the NT Resource Kit's passprop utility to run the following
command:
passprop /adminlockout /complex
10.
Allow only necessary ports on the host.
In Network Control Panel, select the [Protocols] tab
Highlight TCP/IP Protocol and click [Properties...]
Click [Advanced...}
Check "Enable Security" and click [Configure...]
Change permit all to permit only explicitly needed ports:
TCP Ports UDP Ports IP Protocols
80 HTTP 161 SNMP 6
443 SSL 162 SNMP 8
22 SSH
11.
Ensure that TCP/IP is the only protocol installed:
In the Network Control Panel under the Protocols tab, remove all
except for TCP.
12.
Disable NetBIOS:
In the Network Control Panel under the Bindings tab, right-click on
"NetBIOS Interface" and choose Disable.
13.
Move and ACL Critical Files:
Remove the following files from the system32 directory and copy
them to an admin-created directory,
AND ACL the files so only administrators have access to these
files:
Create a directory called c:\somedirname and place the following
files in the directory:
xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe,
arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe,
posix.exe, rsh.exe atsvc.exe qbasic.exe runonce.exe syskey.exe
cacls.exe ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe,
rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com,
netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe,
nslookup.exe
Back to top
Table 3: Run bastion.inf Hardening Script
Step
Action
1.
Download bastioninf.zip and run the following command:
secedit /configure /cfg bastion.inf /db %temp%\secedit.sdb /verbose
/log %temp%\seclog.txt
Note: The changes that will be made by this script are as follows:
1.
Password policy:
Enforce password uniqueness by remembering last passwords 6
Minimum password age: 2
Maximum password age: 42
Minimum password length: 10
Complex passwords (passfilt.dll): Enabled
User must logon to change password: Enabled
Account lockout policy Account lockout count: 5
Lockout account time forever Reset lockout count after: 720 minutes
2.
Audit policy:
Audit account management Success: Failure
Audit logon events Success: Failure
Audit object access: Failure
Audit policy change Success: Failure
Audit privilege use: Failure
Audit process tracking: No auditing
Audit system events Success: Failure
3.
User rights assignment:
SeAssignPrimaryTokenPrivilege: No one
SeAuditPrivilege: No one
SeBackupPrivilege: Administrators
SeCreatePagefilePrivilege: Administrators
SeCreatePermanentPrivilege: No one
SeCreateTokenPrivilege: No one
SeDebugPrivilege: No one
SeIncreaseBasePriorityPrivilege: Administrators
SeIncreaseQuotaPrivilege: Administrators
SeInteractiveLogonRight: Administrators
SeLoadDriverPrivilege: Administrators
SeLockMemoryPrivilege: No one
SeNetworkLogonRight: No one
SeProfileSingleProcessPrivilege: Administrators
SeRemoteShutdownPrivilege: No one
SeRestorePrivilege: Administrators
SeSecurityPrivilege: Administrators
SeShutdownPrivilege: Administrators
SeSystemEnvironmentPrivilege: Administrators
SeSystemProfilePrivilege: Administrators
SeSystemTimePrivilege: Administrators
SeTakeOwnershipPrivilege: Administrators
SeTcbPrivilege: No one
SeMachineAccountPrivilege: No one
SeChangeNotifyPrivilege: Everyone
SeBatchLogonRight: No one
SeServiceLogonRight: No one
4.
Event log settings:
The Application, System and Security logs are configured to be up
to 100MB each.
They will overwrite events as needed, but only entries older than
30 days.
Anonymous access to the logs is disabled
5.
Registry Values:
The policy will also apply the following changes to the registry:
KEY Type Value
MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\ HandlerRequired
REG_DWORD 1
MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\
NtfsDisable8dot3NameCreation REG_DWORD 1
MACHINE\Software\Microsoft\Windows
NT\Version\Winlogon\AllocateCDRoms REG_SZ 1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
REG_DWORD 1
MACHINE\System\CurrentControlSet\Control\Lsa\Su
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan
PrintServices\AddPrintDrivers REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\Rdr\
Parameters\EnablePlainTextPassword REG_DWORD 0
MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters\AutoDisconnect REG_DWORD 15
MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters\AutoShareWks REG_DWORD 0
MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters\AutoShareServer REG_DWORD 0
MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters\EnableForcedLogOff REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters\RequireSecuritySignature REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters\EnableSecuritySignature REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\
RequireSecuritySignature REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\
EnableSecuritySignature REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\Netlogon\
Parameters\RequireSignOrSeal REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\
SealSecureChannel REG_DWORD 1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\
SignSecureChannel REG_DWORD 1
MACHINE\System\CurrentControlSet\Control\Lsa\ RestrictAnonymous
REG_DWORD 1
MACHINE\System\CurrentControlSet\Control\Session Manager\
ProtectionMode REG_DWORD 1
MACHINE\System\CurrentControlSet\Control\Lsa\ LmCompatibilityLevel
REG_DWORD 2
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\LegalNoticeText REG_SZ This is a private
system. Unauthorized use is prohibited.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\LegalNoticeCaption REG_SZ CISD
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\DontDisplayLastUserName REG_SZ 1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
REG_DWORD 1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory
Management\ClearPageFileAtShutdown REG_DWORD 1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\CachedLogonsCount REG_SZ 0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\AllocateFloppies REG_SZ 1
MACHINE\Software\Microsoft\Windows NT\Current bmitControl REG_DWORD
0
MACHINE\System\CurrentControlSet\Control\Lsa\ FullPrivilegeAuditing
REG_BINARY 1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\ShutdownWithoutLogon REG_SZ 1
6.
File system and Registry Access Control Lists:
The ACLs applied to the file system and the registry are identical
to what Microsoft ships as the "Highly secure workstation" template
in SCE. For details check the bastion.inf file with the SCE snap-in
in MMC
7.
Administrator Account:
The bastion.inf policy renames the Administrator account to "root".
Set a strong password on the admin account and rename the account
to something unique for your environment.
Back to top
Table 4: Additional Registry Edits
Step
Action
1.
Remove OS/2 and POSIX subsystems:
Remove any keys in this directory:
HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\OS/2 Subsystem for NT
Remove Os2LibPath key by removing the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment\Os2LibPath
Remove Optional, Posix and OS/2 keys by removing the following
keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems\Optional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems\Posix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems\Os2
Delete the following directory and all subdirectories.
c:\winnt\system32\os2
2.
Remove RDS vulnerability:
Delete the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\VbBusObj.VbBusObjCls
3.
Remove unnecessary services from Network services:
Remove: Netbios, Computer Browser, Server, Workstation
Leave: RPC Configuration, SNMP (if necessary).
Note: When you remove the Workstation service, you will get a
message every time you start the Network application in Control
Panel: "Windows NT Networking is not installed. Do you want to
install it now?" Ignore this question by answering NO.
Back to top
Table 5: Securing Permissions
Step
Action
1.
Secure the Internet Guest User account:
In User Manager:
· Under Local users and groups rename Internet Guest Account to an
obscure name. Set a STRONG PASSWORD.
· Ensure guest account is disabled.
· Remove the renamed Internet Guest Account from the guest group.
Permissions:
· Set permissions for the renamed Internet Guest Account on all
volumes to "No Access".
· Change the renamed Internet Guest Account permissions to Read
Only for a few specific directories in order to allow the web
server to function properly:
Default Path Enviroment Variable
c:\ %SystemDrive%
c:\winnt %SystemRoot%
d:\InetPub\wwwroot wherever your IIS root is
Note: Do not recurse permissions for the above directories!
2.
Modify User Rights:
In User Manager, Select [Policies] and "User Rights":
Right: Grant To:
Access this computer from network Administrators
Log on locally Administrators, renamed Internet Guest Account,
and Users
Shut down the system Administrators
Force shutdown from a remote system
Change System Time Administrators
3.
Lock down "Users":
Recursively set permissions for the built-in NT group "Users" to
"No Access" for all volumes:
- Since a newly created user is automatically added to the Users
group, new users, by default, will not have access to any
information on any of the volumes.
Back to top
Table 6: Firewall ACL
This hardening alone is not enough to ensure security. The box must
be placed behind a firewall or router.
Step
Action
1.
Example ACL for router to permit only HTTP, SSH, SSL, and SNMP:
access-list 150 permit tcp any host yourwebserver eq 80
access-list 150 permit tcp any host yourwebserver eq 443
access-list 150 permit tcp SSH Client networks yourwebserver eq 22
access-list 150 permit udp SNMP Server networks host yourwebserver
eq 161
access-list 150 permit udp SNMP Server networks host yourwebserver
eq 161
access-list 150 permit udp SNMP Server networks host yourwebserver
eq 162
access-list 150 permit udp SNMP Server network host yourwebserver
eq 162.
Back to top
Table 7: SSHD for NT Remote Management
Ok. Now you need to be able to access this machine remotely. Here
are the current ports of SSHD for NT we are using. NOTE: There are
issues with the cygwin.dll and separating simultaneous user space.
Use with caution!
Step
Action
1.
Download and unzip sshdnt.zip
2.
Run install.bat
This batch file should do the following:
1. Create a server key.
2. Install SSHD as a service.
3. Start the sshd service.
Note: Check to make sure SSHD is installed as a service and
running. If it is not, refer to "sshd_install.txt" for instructions
on how to create a server key and install SSHD as a service.
3.
Edit the passwd file (in c:\etc) to add additional users in this
format:
<Username>:x:<User ID>:<Group ID>:<Full Name>:<home directory>:
Example:
administrator:x:1:10:Local Administrator:/bin:
4.
Using scp
SCP use on NT DMZ host
1. Move file you need to Unix box running sshd (e.g. host.com)
2. Use srt or terra to connect to NT host running sshd
3. Type scp.exe <username>@<hostname with file>: <filename><path to
place file>
Examples:
* To move the file "net.txt" from a Unix host (e.g. host.com) to the
directory /bin on an NT host running sshd (with IP address
10.0.0.20) do the following:
1. Login to host.com
2. scp net.txt administrator@10.0.0.20:/bin
To pull test.exe from an NT host running sshd (with IP address
10.0.0.20) to my user directory on host.com do the following:
1. Login to host.com
2. scp administrator@10.0.0.20:test.exe /home/user
Back to top
Additional Resources
* IIS RDS Vulnerability NTBugtraq; Russ Cooper
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=47
* Microsoft IIS security Checklist; Michael Howard
http://www.microsoft.com/technet/security/iischk.asp
* Windows NT C2 Configuration Checklist
http://www.microsoft.com/technet/security/c2config.asp
* Windows NT Bastion Host HP; Stefan Norberg
http://people.hp.se/stnor/
V1.1 10/01/00 Author:
Gavin Reid gavin@shebeen.com NOTE: Do not reproduce only link to this
page. That way you can get updates
Hit Counter
Back to top