Securing IIS: It's More than a Web Server
Microsoft's IIS provides a lot more than Web services, and each of these ancillary capabilities need to be examined from a security perspective.
Last time, we talked about several of the different steps you could take to lock down Microsoft's Internet Information Systems (IIS) on Windows Server 2003. But that discussion only covered the Web server parts of IIS and, being the bright IT guru that you are, you've probably realized that's only part of the problem.
Though most people are generally referring to the Web server side of the house when they talk about IIS, many other common Internet-related services are included in that package. File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Simple Mail Transfer Protocol (SMTP) services are all part of the Microsoft bundle and each should be locked down as tightly as possible.
The Basics Revisited
The same basic rules we mentioned in the first part of this article apply to these ancillary IIS services. We should all know them by now, but in case you've already forgotten them ...
The most important thing to remember when dealing with IIS or any other service is "if you don't need it, don't install it." That's even more important when you're talking about services and applications specifically designed to allow access to your servers with other people. By necessity, these services open ports to the outside world, giving hostile outsiders a larger attack surface.
The good news is that you need to enable them yourself rather than deal with them each time you install Windows Server 2003 on a new machine, even if you've already installed the Web portion of IIS. Like IIS in general, Microsoft was smart enough to make sure that they aren't running in a default Windows Server 2003 installation.
Of course, if you do decide you need these services running, you'll be doing so on a machine that's monitored and patched regularly, right? One that's running in a snug little DMZ behind a patched and monitored firewall? I thought so.
So you've decided that you have a legitimate business need to install the IIS FTP services. Great. That's the easy part:
- Open up the Control Panel.
- Open Add or Remove Programs and click the Add/Remove Windows Components button.
- Highlight Application Server and click Details.
- Highlight Internet Information Services (IIS) and click Details.
Once there, you'll see the checkbox next to File Transfer Protocol (FTP) services (as well as checkboxes for NNTP and SMTP). Check it, click "OK," and voila. You have an FTP server.
Before you install FTP services, though, there are a couple of key questions you need to ask yourself. First, do you need to allow anonymous access to your FTP server? Whenever possible, it's best to require at least some sort of authentication and we highly recommend against allowing anonymous FTP access, but there are situations in which someone might need it, and IIS gives you the option.
Administration of all the IIS-related services is performed through the Internet Information Services (IIS) Manager, a Microsoft Management Console snap-in which, like most things in Windows, can be accessed a few different ways:
Click Start, Run, type "inetmgr" in the Open box and click OK, or :
Click Start, Administrative Tools, Internet Information Services (IIS) Manager.
In that MMC, you should see a folder labeled "FTP Sites" under the name of your server in the left window pane.
If you decide to allow anonymous access, right-click on the FTP site, click Properties, then select the Security Accounts tab. There you'll find a conveniently placed checkbox labeled "Allow anonymous connections." Check that, then select the Windows account you'd like to use for those connections. Make sure this account has only the necessary NTFS permissions to the files and directories anonymous users might need to access. Last thing you want to do is have anonymous users connecting to your server with elevated privileges.
While you're here, you'll want to click on the Home directory tab and select the local directory for this FTP site. Under a normal installation, this is the directory in which FTP users will find themselves once they connect to your server. On that same tab you'll be able to select which permissions users should have (Read, Write, or both).
That brings us to the second question: will users need to access shared data, or should each user be isolated from the others? IIS can be set up to isolate an FTP user to a specific directory once they authenticate, but an FTP site needs to be set up that way when it's first created. IIS 6.0 doesn't allow you to change that configuration after the fact, so if you change your mind later you'll need to create a different FTP site.
If you do decide to isolate users, the set up is pretty straight-forward. During the FTP Site Creation Wizard, select either "Isolate users" or "Isolate users using Active Directory" on the FTP User Isolation screen. If you choose the former, the user's home directory will be located underneath the Home directory you created for that site. For example, if the Home directory is D:FTP, then someone with a username "JustinStanley" will be isolated to D:FTPLocalUserJustinStanley after connecting. The Home directory for Active Directory users is entered in the user's profile in Active Directory Users and Computers.
Whichever option you select, you'll need to create the home directories manually through the file system. Be sure to assign appropriate NTFS permissions to the users isolated to those folders, too.
If you know the IP addresses users connecting to your server, consider allowing connections only from those addresses. If you click on the Directory Security tab in the properties for your FTP site, you'll find the option to allow or deny access from specific IP addresses. Use it to your advantage.
Also, make sure that your FTP server is only listening for connections on the necessary IP address and port. On the FTP site tab (as well as during the initial set up) you can specify which of your server's assigned IP addresses it will listen to for those incoming connections. Likewise, consider using a port other than 21, just to make life a little more difficult for potential hackers.
Locking down SMTP can be a little tricky. You want your mail server to be available to deliver messages for the people who are authorized to use it, but at the same time you need to make sure it's locked down well enough to prevent abuse from would-be spammers in addition to the run of the mill hacker.
You'll almost certainly want to require users to authenticate to your SMTP server before you relay their messages. By default, an SMTP virtual server will require authentication, and you can modify the types of authentication required on by clicking the Authentication button on the Access tab of the SMTP virtual server.
As with the FTP service, it sometimes makes sense to allow or deny access to your SMTP server from specific IP addresses. If you click Connections under Connection Control on the Access tab, you'll be able to set which IP addresses can or can't connect to your server.
If the SMTP server is accessible from the Internet, you'll want to be especially careful with the relay settings in IIS. Running an open relay is one of the fastest ways to get your server blacklisted, thereby preventing your legitimate messages from reaching their destinations. By default, the SMTP service won't relay mail through the virtual server but, should you need to modify those settings, you can do so by clicking the Relay button under Relay restrictions on the Access tab.
NNTP is probably the least used portion of IIS, and it's also the easiest to lock down. Most organizations will never use NNTP internally, and those that do will likely find themselves hosting it on servers that aren't accessible from the Internet. Still, a few simple steps will help ensure that the NNTP servers (and the information stored on them) are as secure as possible.
The first step is to set up an authentication scheme for the service. As with SMTP, most options are found by viewing the properties for the NNTP virtual server in the IIS Manager and clicking the Access tab. Authentication methods can be altered by clicking the Authentication button under the Access control heading.
NNTP can, like the other IIS services, be configured to allow or deny access from specific IP addresses. Just like those other services, the options are found by clicking the Connection button on the Access tab.
Finally, make sure you set up proper NTFS permissions for the newsgroup files physically stored on the server. It doesn't make sense to lock down IIS if a user with access to the server can just browse to the proper directory in Windows Explorer and read or modify the data found there.