default scripts and manuals

Kevin1aB wrote:

Hello,
I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger jabber server. No public exposure for the IIS.
On a recent security audit by outside consultant, they recommended the following:

... the default scripts and manual pages are installed and should be removed from IIS.

Not being much of an IIS admin, can I get some direction to verify and cleanup if needed?

Thanks in advance,

Kevin B
--
RHCE, Linux+ and MCP

"Steven Burn" wrote:

Start here;

http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
http://www.microsoft.com/technet/community/events/iis/tnt1-40.mspx

..... and almost all of the server admins you'll come across will recommend disabling the defaults .... it's standard practice to ensure a little more security - even for internal only servers.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Kevin1aB wrote:

Thanks for the prompt reply.
I'll take a look this week and reply again asap.
Kevin

David Wang [Msft] wrote:

IIS6 installs in a locked down state to pass such "audits" by default. Your outside consultant has to tell you more than "do something".

I am talking from the perspective of a clean-installed Windows Server 2003 machine. If you upgraded to Windows Server 2003, most of the cruft from IIS5 will be left behind for "Compat" reasons. People never like Microsoft deleting things on upgrade.

1. I have no idea what "manual pages" are being referenced. Older IIS versions had an HTML based manual but that was cut for clean-installed IIS6. The "pages" we ship by default are the Custom Error pages and a default "under construction" page, all sanitized.

2. I also have no idea what "default scripts" are being referenced. Older IIS versions had a Scripts directory as well as several script tools available. On IIS6 we cut all those things by default. The only scripts available are the Admin Script Tools in System32 (which are locked down by System32 and only function if you are an Administrator) as well as the old AdminScripts (those are locked down to Administrators only and only work as such).

In other words, your security audit is pretty weak on details to me. I can't even tell you what is being referenced to clean up because they don't exist by default on clean IIS6 installs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
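One way to turn David's description of a clean IIS 6 install into something Kevin can verify, as an added example that is not code from the thread or from Microsoft: it lists every virtual directory through the IIS 6 WMI provider and flags the ones that look like the leftover IIS 5 items discussed above. It assumes Windows Server 2003 with IIS 6, PowerShell 2.0, a local Administrator session, and the provider's IIsWebServerSetting and IIsWebVirtualDirSetting classes; the three flag rules are my own heuristics, not a Microsoft checklist.

```powershell
# Added example (not from the thread): inventory IIS 6 virtual directories and
# flag anything a clean IIS 6 install would not have. Run as Administrator.
$ns     = 'root\MicrosoftIISv2'                     # IIS 6 WMI provider namespace
$winDir = [Environment]::GetEnvironmentVariable('SystemRoot')

# Map metabase site keys (W3SVC/1) to their friendly names for the report.
$sites = @{}
Get-WmiObject -Namespace $ns -Class IIsWebServerSetting |
    ForEach-Object { $sites[$_.Name] = $_.ServerComment }

Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting | ForEach-Object {
    $vdir    = $_
    $parts   = $vdir.Name -split '/'                 # "W3SVC/1/ROOT/Foo"
    $siteKey = $parts[0..1] -join '/'                # -> "W3SVC/1"
    $leaf    = $parts[-1]                            # -> "Foo"
    $reasons = @()

    # Rule 1 (heuristic): an upgraded IIS 5 box can keep its old Scripts vdir;
    # a clean IIS 6 install ships none.
    if ($leaf -ieq 'Scripts') { $reasons += 'legacy Scripts vdir' }

    # Rule 2 (heuristic): a vdir whose physical path is inside %SystemRoot%
    # serves system files (e.g. the admin script tools) over HTTP.
    if ($vdir.Path -and
        $vdir.Path.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'physical path under SystemRoot'
    }

    # Rule 3 (heuristic): script or execute access outside the site root is
    # worth reviewing against what the hosted application actually needs.
    if ($leaf -ne 'ROOT' -and ($vdir.AccessExecute -or $vdir.AccessScript)) {
        $reasons += 'script/execute access enabled'
    }

    New-Object PSObject -Property @{
        Site  = $sites[$siteKey]
        VDir  = $vdir.Name
        Path  = $vdir.Path
        Flags = ($reasons -join '; ')
    }
} | Sort-Object Site, VDir | Format-Table Site, VDir, Path, Flags -AutoSize
```

On Kevin's server the WSUS and DeskNow virtual directories will appear with script access enabled; those are expected, so compare the flagged rows against what those two products document rather than removing anything on sight.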
<jeroen.wijna***@gmail.com> wrote:

I get the impression your auditor wasn't fully up to speed on IIS 6.0.

Previous versions of IIS came with a webadmin toolset, examples and help. Vulnerabilities were often found in these components so everyone disabled them or removed them.

On 6 it's nowhere near the issue it used to be. You can still add some of these components but the default install is nice and clean.

As a comparison, I've done some hardening documentation for IIS environments. On 4 the document was over 100 pages, on 5 it was 54 pages and on 6 my document is 19 pages.

Jeroen
MCSA
http://wijnands.blogspot.com

David Wang [Msft] wrote:

I'm actually interested in what sort of things are in your 19 pages for IIS6...

--
//David
IIS
http://blogs.msdn.com/David.Wang
//

<jeroen.wijna***@gmail.com> wrote:

To be honest, very little for IIS itself. It's mainly disabling unneeded services and accounts, restricting some rights for the accounts that stay in place and adding an IPsec policy to restrict network traffic. The latter is only done if there's more than one server in the DMZ. Oh, and another thing we do is place a restricting robots.txt.

I can't post the whole thing since that's classified company confidential. I got a lot of inspiration from this:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a14eeb71-c583-48b7-9d2c-083e81095d6e.mspx?mfr=true

The tricky bit is always getting the ASP application settings right; it often takes quite a few mails between me and the developers.

Jeroen
http://wijnands.blogspot.com