|
The folllowing steps may be used to install and configure a Microsoft
Internet Information Services 5 server.
The information below addresses the installation of a basic IIS Web Server.
It does not cover every potential configuration of IIS and its related
services.
Install Windows 2000 from the original installation media (via CD)
Install Windows 2000 as a standalone server. Whenever possible do not
make it a Domain Controller of the member of a domain. Make sure the server
does not have an Internet connection during install.
Install the operating system on an NTFS partition
Installing the OS on an NTFS permission will allow us to further secure
critical files and directories using Access Control Lists (ACLs). NT can
be installed on a FAT partition and this partition can later be "converted"
to NTFS, however, the default ACLs are not applied during the conversion
process.
DO NOT use the default installation paths.
If at all possible, install your system files to a partition other than
C: and a folder other than WINNT. Place your Intepub folder on a seperate
partition from your system folder.
DO NOT set a password for the administrator account during installation
This will be set later.
Install only necessary protocols
Avoid installing NetBEUI and IPX/SPX if at all possible.
Configure network cards and video adapters as needed.
Cards that are not auto-detected will need to have drivers manually installed.
Install Service Pack 2 for Windows 2000
Install the Service Pack and any other hotfixes.
Remove or disable all sample applications and directories
Item Location
IIS ?\Inetpub\iissamples
Admin Scripts ?\Inetpub\AdminScripts
IIS Documentation %systemroot%\help\iishelp
Data Access ?\Program Files\common files\system\msadc
Secure the Telnet server
Create a local TelnetClients group. Add users allowed to access the Telnet
server to this group. When this group is created, only members of this
group can access the Telnet server. If you don't need Telnet, disable
the service.
Set appropriate ACLs
The Microsoft reccomended ACLs are:
File Type ACL
CGI (.exe, .dll, .cmd, .pl) Everyone (X)
Administrators (Full Control)
System (Full Control)
Script Files (.asp) Everyone (X)
Administrators (Full Control)
System (Full Control)
Include files (.inc, .shtm, .shtml) Everyone (X)
Administrators (Full Control)
System (Full Control)
Static content (.txt, .gif, .jpg, .html) Everyone (R)
Administrators (Full Control)
System (Full Control)
Check ftproot and mailroot ACLs
By default the ACLs on these folders are set to Everyone (Full Control).
More restrictive settings are reccomended, but will vary according to
needs. If there is no need for these folders on the webserver, remove
them and disable the corresponding services.
Set IIS log file ACLs
The Microsoft reccomended ACLs for %systemroot%\system32\logfiles are:
Administrators (Full Control)
System (Full Control)
Everyone (RWC)
Remove dangerous script mappings
If you don't use the following script types, remove their mappings:
Script Type Mapping
Web-based password reset .htr
Internet Database Connector .idc
Server-Side Includes .stm .shtml .shtm
Internet Printing .printer
Index Server .ida .idq .hta
It is important to note that most of these script mappings have been used
to exploit IIS in the past. If you must use these script mappings, ensure
you are up to date on all Service Packs and Hotfixes.
|