IIS and Server: Securing
1. Checking for Updates. After you have installed the OS you
should run Windows Update, which will look for updates that have been
published since the software's release. http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us.
If you have installed any Office software you need to check for updates
2. Microsoft Baseline Security Analyzer (MBSA). Microsoft has
released a security analyzer tool that will scan your computer and
determine your security state in accordance with Microsoft's security
recommendations and offer specific remediation guidance. You can
download the tool here: http://www.microsoft.com/technet/security/tools/mbsahome.mspx.
Run MBSA and correct any of the high and medium risk items. All items
with red or yellow Xs must be corrected. Red indicates a missing
security update while yellow indicates missing update rollups or service
You can click the How to Correct This link to obtain more information on
what has to be done to solve this issue.
3. Security Configuration Wizard (SCW). With this tool, you can
quickly and easily disable unnecessary services, remove unwanted IIS
virtual folders, block unused ports, configure audit settings and lock
down access to critical system files. The only condition is that the
server running SCW must be Windows 2003 SP1. Install SCW by going to the
Control Panel and selecting Add/Remove Programs. Then within Add or
Remove Programs select Add/Remove Windows Components.
Scroll down until you see the Security Configuration Wizard and select
it. Click Next to install it. You will need your Windows Server 2003 R
disc two to complete the installation.
You can access the SCW by going to the Administrative Tools menu found
in the Start Menu. Upon start up you should note the message that is
highlighted with the yellow yield sign. The message indicates that the
wizard will detect inbound ports that are being used by this server.
This requires that all applications that use inbound ports be running
before you run the Wizard and create the security policy. Click Next to
Select Create a New Security Policy and click Next to continue.
Next, you must select the server that the wizard will use to create the
security policy. This is an important step because the wizard will use
the server's configurations to create the security policy. By default,
the wizard will enter the server you are running the tool on. If this
is correct, click Next to continue; if not, change the server name to
The remaining portion of this wizard will be specific to each server.
The wizard will scan the server's current settings and configurations to
be used as default selections when creating the security policy. These
selections can be changed during the questioning.
The questions will cover role-based services, network security, registry
settings, audit policy, and IIS. After completing the wizard, you will be
prompted to save the security policy and have the option to install the
policy now or later. Select to Apply the Policy Now.
4. Edit Groups. The Everyone group should be removed from Local
Users and Groups. This account acts as a catch all for all users and
should be removed to prevent potential attackers from taking advantage
of its permissions.
This can be done through the Computer Management window, which can be
accessed by clicking the Start Menu and right clicking My Computer and
5. Edit Local Users and Groups. There are a number of default
Users and Groups that are installed, which can be helpful to an
attacker. These accounts need to be removed or disabled. As you install
products on your server, the software may create another
User. This account will be a vendor account,
which can also be used to compromise your server. It should be
determined at that time if the account should remain active.
To access the Local Users and Groups click the Start Menu and go to
Administrative Tools. There you will find Computer Management that will
allow you to edit settings on your computer.
In the Computer Management expand Local Users and Groups, which is under
Click on the Users folder and disable the Guest account and any other
account you do not wish to use. This can be done by right clicking the
Guest account and selecting Properties. Select the General tab under the
properties window and select Account is Disabled. Click OK to continue.
Then click on the Groups folder and remove the Everyone group and any
other groups that are not required. The Guests group is required because
it is used to give IIS the ability to allow anonymous access. A group
can be deleted by right-clicking it and selecting Delete. This is a
permanent action. You will receive a warning message stating that even
if you recreate the group you will not restore access to resources.
Click Yes to delete the group.
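
The account review in step 5 can also be run as a script. This is an added example, not part of the original guide: it assumes Windows PowerShell 2.0 or later is installed on the server, and the approved list, the baseline path and the -UpdateBaseline switch are hypothetical names chosen for illustration.

```powershell
# Added example: list local accounts, flag enabled ones that need a decision,
# and show accounts that appeared since a saved baseline (e.g. vendor accounts).
param(
    [string[]]$Approved = @('Administrator'),              # assumption: accounts allowed to stay enabled
    [string]$BaselinePath = 'C:\SecAudit\local-users.txt', # hypothetical baseline file
    [switch]$UpdateBaseline                                # hypothetical switch: accept current accounts
)

# Local accounts only; without the filter WMI can enumerate domain accounts too.
$accounts = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Sort-Object Name)

# Account names recorded when the baseline was last saved.
$haveBaseline = Test-Path $BaselinePath
$known = @()
if ($haveBaseline) { $known = @(Get-Content $BaselinePath) }

$report = foreach ($a in $accounts) {
    # The built-in Guest account always has RID 501, even if it has been renamed.
    $isGuest = $a.SID -match '-501$'
    if ($a.Disabled)                     { $status = 'disabled' }
    elseif ($isGuest)                    { $status = 'GUEST ENABLED - disable' }
    elseif ($Approved -contains $a.Name) { $status = 'approved' }
    else                                 { $status = 'REVIEW - not on approved list' }

    New-Object PSObject -Property @{
        Name             = $a.Name
        Disabled         = $a.Disabled
        Status           = $status
        NewSinceBaseline = ($haveBaseline -and ($known -notcontains $a.Name))
    }
}
$report | Select-Object Name, Disabled, Status, NewSinceBaseline | Format-Table -AutoSize

# Save the baseline on the first run, or when the reviewer accepts the current state.
if (-not $haveBaseline -or $UpdateBaseline) {
    $dir = Split-Path $BaselinePath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $accounts | ForEach-Object { $_.Name } | Set-Content $BaselinePath
}
```

Run it once after the base install and again after each product installation; an account marked NewSinceBaseline is the point at which to decide whether it should remain active.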
6. NTFS. All secure files should be grouped together in a
directory and strict security permissions should be applied. To do this,
right-click the folder whose NTFS permissions you wish to edit and select
Properties. Select the Security tab and remove or add groups or users.
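
To confirm the result of step 6, the permissions on the secure directory can be checked from a script. This is an added example, not part of the original guide: it assumes Windows PowerShell 2.0 or later, and D:\Secure is a hypothetical directory name.

```powershell
# Added example: report Allow entries for broad principals anywhere under the secure directory.
param(
    [string]$Root = 'D:\Secure'   # hypothetical directory holding the secure files
)

# Well-known SIDs are matched instead of names so renamed or localized groups are still caught.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

# The directory itself plus everything below it, hidden and system items included.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName
    # Explicit and inherited rules, with each identity returned as a SID.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Path      = $item.FullName
                Principal = $broad[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Select-Object Path, Principal, Rights, Inherited | Format-Table -AutoSize
} else {
    "No Allow entries for broad principals under $Root"
}
```

Entries with Inherited set to True come from a parent folder, so they have to be removed there or inheritance has to be blocked on the secure directory.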