Re: Auditing microsoft IIS 5/6.0

["rajat swarup" <rajats () gmail com>]

On 8/28/07, Nikhil Wagholikar <visitnikhil () gmail com> wrote:
> Following are few things that needs to be checked when auditing
> Microsoft IIS 5.0/6.0:
>
> 1. Use of NTFS file-system.
> 2. Review IIS and related Directory Permissions - By default Microsoft
> OS gives Everyone full control.
> 3. Review access control for the 'IUSR_computername' account.
> 4. NTFS permissions on network connected drives (if any).
> 5. Users in Administrator's group. Review important and critical
> accounts regularly. Delete unused accounts immediately.
> 6. Review correct set of Auditing and logging are enabled or not.
> 7. Assigning least level of permissions to browse internet.
> 8. Backing up critical files/folders/registry settings regularly.
> 9. Review security checks on base OS like Virus/ Trojans etc regularly.
> 10. Using most secured form of Authentication as possible.
> 11. Check for physical security of the Web server, like logical
> access, biometric authentication etc.
> 12. Review password protection of screen saver. Define appropriate lockout time.
> 13. Check whether all the logs are reviewed regularly, preferably with
> powerful log analyzers like Microsoft Log Parser (or any other
> suitably).
>
> More Information about auditing IIS, kindly refer:
>
> 1. IIS 5.0 Checklist:
> http://www.google.co.in/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fskrasavi.ds.uiuc.edu%2FInfo%2FIIS%25205.0%2520checklist.pdf&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNF55KdOvcxWaEJ9gB4fhGy2lrmCrQ&sig2=e14zk0XWUErdtzT1WzdLFw
> 2. IIS Security Checklist:
> http://www.google.co.in/url?sa=t&ct=res&cd=3&url=http%3A%2F%2Fwww.microsoft.com%2Fwindows%2Fwindows2000%2Fen%2Fserver%2Fiis%2Fhtm%2Fcore%2Fiisckl.htm&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNFhUW9s2QxMNW4w5OD4QcdhNf5_AQ&sig2=SSKRAn-rqCasUTCfZQLaWA
> 3. IIS Security Checklist:
> http://www.google.co.in/url?sa=t&ct=res&cd=5&url=http%3A%2F%2Fwww.washington.edu%2Fcomputing%2Fsupport%2Fwindows%2FUWdomains%2FIISsecchecklist.html&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNFn4znBB2z-6sRYuYqsXTzTl_QUeg&sig2=mreulkLwaKDCdLN5h9mF3g
> 4. Checklist Securing Web Server:
> http://www.google.co.in/url?sa=t&ct=res&cd=7&url=http%3A%2F%2Fmsdn2.microsoft.com%2Fen-us%2Flibrary%2Faa302351.aspx&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNEypyGH2h70wOuvvv1Ibe5mPbo1rQ&sig2=OJKBmeTS_MUB2chHwFvC7A

I also prefer to run locally or remotely Microsoft Baseline Security
Analyzer with the latest catalog file from
http://go.microsoft.com/fwlink/?LinkId=76054 using the following
options (that I got from MS Exchange blog):

mbsacli.exe /nd /nai /nvc /wi /catalog <path>\wsusscn2.cab /listfile
<path>\servers.txt
    /nd: To avoid any download from the Internet
    /nai: To avoid WUA updates on the workstation that run MBSA, but
also on remote servers.
    /nvc: To avoid check for new version of MBSA
    /wi: Permit to display all updates, even ones rejected by the WSUS
server. Particularly useful for Exchange admin not allowed binding
against SUS server.
    /catalog:<path>\wsusscn2.cab
    /listfile <path>\servers.txt : The servers.txt file contains
NetBIOS name or FQDN name list in column of all servers to be scanned.

This can find a whole bunch of patch related issues + the use of
restricted browsing etc on remote hosts.

HTH,
-- 
Rajat Swarup

http://rajatswarup.blogspot.com/

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------