IIS and Server: Securing Server 2003

1. Checking for Updates. After you have installed the OS you should run Windows update, which will look for updates that have been released since the software's release.

If you have installed any Office software you need to check for updates at

2. Microsoft Baseline Security Analyzer (MBSA). Microsoft has released a security analyzer tool that will scan your computer and determine your security state in accordance with Microsoft's security recommendations and offers specific remediation guidance. You can download the tool here

Run MBSA and correct any of the high and medium risk items. All items with red or yellow Xs must be corrected. Red indicates a missing security update while yellow indicates missing update rollups or service packs.

You can click the How to Correct This link to obtain more information on what has to be done to solve this issue.

3. Security Configuration Wizard (SCW). With this tool, you can quickly and easily disable unnecessary services, remove unwanted IIS virtual folders, block unused ports configure audit settings and lock down access to critical system files. The only condition is that the server running SCW must be Windows 2003 SP1. Install SCW by going to the Control Panel and selecting add/remove programs. Then within Add or Remove Programs select Add/Remove Window Components.

Scroll down until you see the security configuration wizard and select it. Click Next to install it. You will need your windows server 2003 R disc two to complete the installation.

You can access the SCW by going to the Administrative Tools menu found in the Start Menu. Upon start up you should note the message that is highlighted with the yellow yield sign. The message indicates that the wizard will detect inbound ports that are being used by this server. This requires that all applications that use inbound ports be running before you run the Wizard and create the security policy. Click Next to continue.

Select Create a New Security Policy and click Next to continue.

Next, you must select the server that the wizard will use to create the security policy. This is an important step because the wizard will use the server's configurations to create the security policy. By default, the wizard will enter the server you are running the tool one. If this is correct click Next to continue if not change the server name to continue.

The remaining portion of this wizard will be specific to each server. The wizard will scan the serverís current settings and configurations to be used as default selections when creating the security policy. These selections can be changed during the questioning.

The questions will cover role based services, network security, registry setting, audit policy, and IIS. After completing the wizard, you will be prompted to save the security policy and have the option to install the policy now or later. Select to Apply the Policy Now.

4. Edit Groups. The Everyone group should be removed from Local Users and Groups. This account acts as a catch all for all users and should be removed to prevent potential attackers from taking advantage of its permissions.

This can be done through the Computer Management window, which can be accessed by clicking the Start Menu and right clicking My Computer and selecting Manage.

5. Edit Local Users and Groups. There are a number of default Users and Groups that are installed, which can be helpful for an attacker. This accounts need to be removed or disabled. As you install products on your server there is the possibility of that piece of software creating another User. This account will be a vendor account, which can also be used to compromise your server. It should be determined at that time if the account should remain active.

To access the Local Users and Groups click the Start Menu and go to Administrative Tools. There you will find Computer Management that will allow you to edit settings on your computer.

In the Computer Management expand Local Users and Groups, which is under System Tools.

Click on the Users folder and disable the Guest account and any other account you do not wish to use. This can be done by right clicking the Guest account and selecting Properties. Select the General tab under the properties window and select Account is Disabled. Click OK to continue.

Then click on the Groups folder and remove the Everyone group and any other groups that are not required. The Guests group is required because it is used for to IIS the ability to allow anonymous access. The account can be deleted by right clicking it and selecting Delete. This is a permanent action. You will receive a warning message stating that even if you recreated the group you will not restore access to resources. Click Yes to delete the group.

6. NTFS. All secure files should be grouped together in a directory and strict security permissions should be applied. To do this right click the folder you wish to edit the NTFS permissions and select Properties. Select the Security tab and remove or add groups or users.