Penetration Testing mailing list archives
Re: Auditing microsoft IIS 5/6.0
From: "rajat swarup" <rajats () gmail com>
Date: Wed, 29 Aug 2007 09:46:04 -0700
On 8/28/07, Nikhil Wagholikar <visitnikhil () gmail com> wrote:
Following are a few things that need to be checked when auditing Microsoft IIS 5.0/6.0:
1. Use of NTFS file-system.
2. Review IIS and related directory permissions - by default the Microsoft OS gives Everyone full control.
3. Review access control for the 'IUSR_computername' account.
4. NTFS permissions on network connected drives (if any).
5. Users in the Administrators group. Review important and critical accounts regularly. Delete unused accounts immediately.
6. Review whether the correct set of auditing and logging is enabled or not.
7. Assigning the least level of permissions to browse the internet.
8. Backing up critical files/folders/registry settings regularly.
9. Review security checks on the base OS like virus/trojans etc. regularly.
10. Using the most secure form of authentication possible.
11. Check for physical security of the web server, like logical access, biometric authentication etc.
12. Review password protection of the screen saver. Define an appropriate lockout time.
13. Check whether all the logs are reviewed regularly, preferably with powerful log analyzers like Microsoft Log Parser (or any other suitable tool).

For more information about auditing IIS, kindly refer to:
1. IIS 5.0 Checklist: http://www.google.co.in/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fskrasavi.ds.uiuc.edu%2FInfo%2FIIS%25205.0%2520checklist.pdf&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNF55KdOvcxWaEJ9gB4fhGy2lrmCrQ&sig2=e14zk0XWUErdtzT1WzdLFw
2. IIS Security Checklist: http://www.google.co.in/url?sa=t&ct=res&cd=3&url=http%3A%2F%2Fwww.microsoft.com%2Fwindows%2Fwindows2000%2Fen%2Fserver%2Fiis%2Fhtm%2Fcore%2Fiisckl.htm&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNFhUW9s2QxMNW4w5OD4QcdhNf5_AQ&sig2=SSKRAn-rqCasUTCfZQLaWA
3. IIS Security Checklist: http://www.google.co.in/url?sa=t&ct=res&cd=5&url=http%3A%2F%2Fwww.washington.edu%2Fcomputing%2Fsupport%2Fwindows%2FUWdomains%2FIISsecchecklist.html&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNFn4znBB2z-6sRYuYqsXTzTl_QUeg&sig2=mreulkLwaKDCdLN5h9mF3g
4. Checklist Securing Web Server: http://www.google.co.in/url?sa=t&ct=res&cd=7&url=http%3A%2F%2Fmsdn2.microsoft.com%2Fen-us%2Flibrary%2Faa302351.aspx&ei=z-TURrkeorizAtqY0ZMM&usg=AFQjCNEypyGH2h70wOuvvv1Ibe5mPbo1rQ&sig2=OJKBmeTS_MUB2chHwFvC7A
I also prefer to run Microsoft Baseline Security Analyzer locally or remotely with the latest catalog file from http://go.microsoft.com/fwlink/?LinkId=76054 using the following options (that I got from the MS Exchange blog):

mbsacli.exe /nd /nai /nvc /wi /catalog <path>\wsusscn2.cab /listfile <path>\servers.txt

/nd: To avoid any download from the Internet.
/nai: To avoid WUA updates on the workstation that runs MBSA, but also on remote servers.
/nvc: To avoid checking for a new version of MBSA.
/wi: Permits displaying all updates, even ones rejected by the WSUS server. Particularly useful for Exchange admins not allowed to bind against the SUS server.
/catalog <path>\wsusscn2.cab: The offline catalog file.
/listfile <path>\servers.txt: The servers.txt file contains the NetBIOS name or FQDN name list, in a column, of all servers to be scanned.

This can find a whole bunch of patch related issues + the use of restricted browsing etc. on remote hosts.

HTH,
--
Rajat Swarup
http://rajatswarup.blogspot.com/
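As an added example (not code from either poster), a PowerShell script that automates checklist items 1 to 3 from the quoted message: it confirms each IIS content directory sits on NTFS, then flags Everyone/Users or the anonymous web account holding write-class NTFS rights. The default content paths and the IUSR_computername account name are assumptions to adjust for the server being audited.

```powershell
# Added example, not from the thread: audit NTFS ACLs on IIS 5/6 content directories
# for checklist items 1-3. Paths and the anonymous account name are assumptions.
param(
    [string[]]$Paths = @('C:\Inetpub\wwwroot', 'C:\Inetpub\scripts'),  # assumed IIS 5/6 defaults
    [string]$AnonymousAccount = "IUSR_$env:COMPUTERNAME"             # IIS 5/6 anonymous account
)

# Rights that let a principal alter web content or take over the directory
$writeMask = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

foreach ($path in $Paths) {
    if (-not (Test-Path $path)) { Write-Warning "Missing: $path"; continue }

    # Item 1: the volume must be NTFS, otherwise there are no ACLs to review at all
    $root = (Get-Item $path).PSDrive.Root
    $fs = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($fs -ne 'NTFS') { Write-Warning "$path is on a $fs volume, not NTFS" }

    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $hasWrite = ($ace.FileSystemRights -band $writeMask) -ne 0

        # Item 2: Everyone or broad built-in groups with write-class rights on web content
        if ($id -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' -and $hasWrite) {
            Write-Output "FINDING  $path : '$id' has $($ace.FileSystemRights)"
        }
        # Item 3: the anonymous web account only needs read; write rights mean defacement risk
        if ($id -like "*\$AnonymousAccount" -and $hasWrite) {
            Write-Output "FINDING  $path : anonymous account '$id' has $($ace.FileSystemRights)"
        }
    }
}
```

Run it from an elevated prompt on the web server; an empty result for a path means no flagged principal holds write-class rights there, not that the ACL is fully reviewed.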