Home / server / Questions / 1954
Accepted
Luke Quinane
Asked: 2009-05-01 16:37:09 +0800 CST

Windows web server checklist

  • 772

When you are deploying a new web server box what are the standard things you install on it and do to set it up?

What things do you do to ensure the box is locked down and not going to get compromised?

So far:

General

Network

IIS

Related Articles

windows iis

5 Answers

  1. Best Answer

    What we do:

    • Put web server in DMZ
    • Put web server in a workgroup (not allowed to be on a domain)
    • Ensure all security patches are applied
    • Minimize services which are running
    • Use URLScan. Remove server fingerprint (RemoveServerHeader=1).
    • Harden TCP/IP stack
    • Apply IPSEC policy to only permit the traffic we want (whitelisting)
    • Rename default accounts so they can be targeted by typical scripts/tools.
    • Move default directories (InetPub, WWWRoot, etc.)
    • Minimize local user accounts.
    • All NetBIOS is removed or disabled.
    • 6
    • Add user accounts for each person that will be administering the computer
    • Configure terminal services to allow each user only one concurrent sign on
    • Add alternate administration accounts that are only used if runas doesn't serve the purpose for a given user

    -Adam

    • 3

  3. You may wish to;

    • Disable SSL 2 (fix depreciated SSL protocol usage)
    • Perform a network vulnerability assessment

    If so, I wrote a detailed article on Howto: Disable SSL2 and Weak Ciphers on IIS6 which may be worth taking a look at.

    This article takes things from the standpoint of satisfying the security requirements set by the Payment Card Industry but is still relevant to general server hardening.

    So now to fix the depreciated SSL protocol usage you should either read said Howto: Disable SSL2 and Weak Ciphers article for step-by-step instructions OR read MS Support Article #187498 and you can use ServerSniff to confirm your modifications have taken effect.

    p.s. Indeed you could also use ServerSniff to confirm the modifications mentioned in Scott's reply.

    • 2

  4. In addition to the things already mentioned, I disable weak SSL ciphers.

    EDIT: I found the step-by-step instructions I wrote a few years ago.

    1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    3. Perform steps 4 thru 8 for the following keys: a. Ciphers\DES 56/56 b. Ciphers\RC2 40/128 c. Ciphers\RC4 40/128 d. Ciphers\RC4 56/128 e. Protocols\SSL 2.0\Client f. Protocols\SSL 2.0\Server
    4. On the Edit menu, click Add Value.
    5. In the Data Type list, click DWORD.
    6. In the Value Name box, type Enabled, and then click OK.
    7. Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
    8. Click OK.
    9. When you have finished modifying the registry, restart the computer.
    • 1

  5. If possible start with Windows 2003 SP1 Server and make sure the built in firewall is turned on unless you have a network firewall to protect it.

    Make sure the following ports are open if you do setup the firewall: - 3389 : Remote Desktop (RDP) - 80 : HTTP

    Optional: - 443 : HTTPS (optional) - 25 : SMTP - 110 : Pop3

    Utilities:

    • Notepad++ (all around great editor) - free
    • 7-Zip (handles zip,arc, and other compressed files) - free
    • Beyond Compare v3 (file comparison and FTP) - $ but not much
    • Database management
    • -3