Security is the cornerstone of any successful computer system. Placing a system on the Internet or a corporate intranet can make system resources available to illegitimate as well as legitimate users. System security is always a balancing act of
providing ease of access and usefulness to the legitimate users, while preventing access by the illegitimate users, which always involves a compromise. The most secure computer system is one that functions in isolation; placing a system on an
Internet/intranet involves by definition placing the system on a network of hundreds or, in the case of the Internet, millions of other computer systems and users. Hackers are continually learning about potential security holes that exist in Internet sites
and ways to exploit them. It’s almost impossible to completely secure an Internet/intranet server, but there are a number of measures that can be taken to decreases the risks involved. The most important steps that can be taken to ensure the most
effective security for a Internet/intranet site are taking the necessary steps from the start of implementation and continually staying informed regarding potential risks.
Because businesses are setting up Internet and intranet sites in record numbers, ensuring the security of corporate systems is becoming increasingly important. An Internet Web server can provide access to corporate information to Internet users
worldwide, whereas an intranet Web Server provides access to corporate data within a corporation. Although the security implications in the setup of an Internet server are slightly different from an intranet server, they are based on a few basic concepts:
proper placement of the Web server, simplifying operations, and proper administration.
The Internet Information Server (IIS) and Windows NT provide a number of mechanisms to help ensure security:
When a computer system is connected to the Internet, it is open to numerous routes for potential attack by hackers, viruses, unauthorized internal users, and competitors, just to name a few. A server connected to the Internet can be accessible to
millions of potential users, many of which may not have your best interests at heart. An intranet server can be just as vulnerable to attack from authorized users attempting to access unauthorized information. It may be even easier for an authorized user
to exploit backdoors (undocumented methods used to access a host system) or unnoticed security holes.
Hackers who gain unauthorized access to the Windows NT administration account can cause a great deal of damage. They can execute programs, move, copy, or delete files, or access sensitive corporate data without ever leaving a trace. A hacker can attempt
to crack an administrator's password by running applications that repeatedly generate login attempts by guessing random passwords until successful, or simply guess the administrator’s password because it is too common (for example, ADMIN). For this
reason, it is extremely important to change the administrator’s password often, and to keep it complex so that it cannot be guessed at easily. A password is the first line in defense of a system, and since the administrator, and any other user with
administrative privileges has the greatest system rights, it is of utmost importance to protect these accounts.
Here are some recommendations to follow when choosing a password:
Even proper passwords and user privileges may not be enough to prevent unauthorized access to sensitive information by a internal intranet user. An internal user may be able to gain access to restricted data by accessing an unsecured network workstation
with administrative capabilities. From that workstation, users could access unauthorized data or change their own system privileges. It is important to educate users to practice due diligence in protecting their workstations from attack. Users logged into
the network should not leave their workstations unattended, especially if that user has administrative privileges. All servers should be located in a secure area with only authorized personal granted access.
There are a number of high-tech mechanisms to help ensure system security. It is important to remember, though, that an effective security strategy begins internally. A system that takes all the appropriate measures to ensure proper file and directory
protections, sets up a firewall and proxy server, and employs packet filtering can still be vulnerable to a low-tech attack of to someone guessing the administrator’s password or gaining access to an unsecured workstation.
When planning security for the IIS and Windows NT Server, there are some major considerations to account for:
The IIS applies security using the following process:
The most secure server is one that is locked up in isolation. Unfortunately, an isolated server is virtually unusable. A system that offers unrestricted access to its information can be the easiest to use, but obviously is totally insecure. A continual
balance between security and usability must be maintained. Physical and communications barriers can be constructed to help prevent unauthorized system access.
A physical barrier is easy to construct. A server should be placed in a environment where only authorized personnel have access. A communications barrier can be erected by utilizing firewalls, proxy servers, and packet filtering.
A firewall is a computer system that bridges a trusted and untrusted network by examining incoming and outgoing packets and filtering out unwanted data. A firewall can prevent unauthorized external users from accessing the local area network (LAN) and
can restrict how internal users access the Internet. A firewall can also be utilized to keep internal users from accessing internal servers to which they have no rights. A firewall can filter data based on an IP address so that only certain IP addresses
can pass through the firewall. A firewall can also filter traffic based on a port number. Web servers usually use port 80; to prevent internal users from accessing external Web sites, a firewall could block access to port 80.
When a request is made to a remote system and packets are exchanged, these packets can disseminate unwanted information about your server and network configuration, such as its IP addresses. A firewall alone cannot prevent this information from being
released. A proxy server runs on the firewall host. It operates on a store-and-forward mechanism. Instead of each individual user connecting directly to outside Internet resources, a proxy server directs all requests and responses through itself. When a
request is made to an external Internet resource, the proxy server examines the request and communicates with the remote system to satisfy the request. The only system the outside world "sees" is the proxy server.
Some proxy servers can cache often accessed external information to help speed up future requests. A proxy server can also log client requests, which can be useful to track and detect attacks against your server. The downside of running a proxy server
is that it can degrade system performance, especially database queries.
A packet filter examines all packets that pass in and out of the network, and can prevent packets from passing through that do not conform to the configurable rules that are defined. A packet filter can filter packets based upon several criteria:
Service | Port Number |
HTTP | 80 |
DNS (Domain Name Service) | 53 |
Telnet | 23 |
FTP | 20 and 21 |
RIP (Routing Information Protocol) | 520 |
SMTP (Simple Mail Transfer Protocol) | 25 |
The IIS can provide packet filtering of a specific IP address. To set up IP address filtering in the IIS, open the Service Manager applications and double-click on the server to configure. Click on the Granted Access button or the Denied Access
button. If the Granted Access button is selected, you can specify which IP addresses you want to restrict. If you choose Denied Access, you can specify the IP addresses you want to allow. Click on the Add button to specify these exceptions. Click on Single
Computer and specify the IP address you want to create an exception for, or click on Group Of Computers and enter the IP address and subnet mask to create an exception for a group of computers.
There are a number of measures that must be taken to help ensure the security of your IIS.
During the setup of the IIS, the user account IUSR_computername is created for anonymous access. If the computer name is IDCSERVER, the anonymous access account is IUSR_IDCSERVR. By default, all client requests to the IIS use this account. IIS clients
are logged into the server using the IUSR_computername account. The IUSR_computername is only allowed to log on locally. The IUSR_computername is also added to the Guest group, if any changes have been made to the guest group, they will also apply to the
IUSR_computername account. The Guest group privileges should be reviewed to assure their appropriateness to the IUSR_computername account. If remote access is allowed only through the IUSR_computername account, remote users will have the only
permissions assigned to that account, which can help prevent hackers from gaining access to the server.
The IIS can also allow authenticated client access, which requires a valid Windows NT username and password to access system resources. The basic authentication mechanism provided by the IIS does not encrypt the username and password; they are simply
encoded using UUEncode. They can easily be decoded by anyone who can intercept packets transferred over your network.
The WWW Service of the IIS supports the Windows NT Challenge/Response encrypted password transmission mechanism. The Challenge/Response mode can be configured by double-clicking on a specific service in the Service Manager application. On the Service
tab, the Password Authentication mode can be selected. The only Web browser client that supports Windows NT authentication is the Microsoft Internet Explorer for Windows 95.
Both authentication mechanisms, basic and Windows NT-authenticated, allow access only when a valid username and password is supplied. Both IUSR_computername and authenticated access can be enabled at the same time.
A thorough review of all services being run on the IIS system should be conducted to ensure the highest level of security. With a fewer number of services running on the system, the risk of an administration problem causing an exploitable hole is
reduced. Using the Service applet in the Control Panel, review all the services that are currently enabled and running.
Using the Bindings option on the Network applet in the Control Panel, verify the services bound to the adapter connected to the Internet. The FTP Server services included with Windows NT Server should also be disabled. The FTP services in the IIS should
be used instead.
There are a number of different ways the IIS system can be connected to the LAN and the Internet. Isolating the IIS system from the LAN offers the most security. Multiple adapters in a single IIS system running different protocols offers a high degree
of security. A router with packet filtering can offer various levels of security depending on the model. Multiple adapters in a single IIS system, where each adapter is connected to a separate network can also offer a high degree of security, when routing
is disabled. Each of the IIS system connection strategies offers different levels of security and usability. You need to choose the model that works best in your organization.
In the Isolated configuration of the IIS system (see Figure 18.1), the IIS system is connected to a network separate from the LAN. To achieve the highest level of security, users connected to the LAN can be connected to the Internet through a firewall.
The disadvantage of this configuration is that users who need to access the IIS system servers to update files or Web pages need to connect to one of the workstations connected to the IIS system network.
FIGURE 18.1. Isolated IIS system configuration.
With multiple adapters in a single IIS system running different protocols (see Figure 18.2), each adapter in the IIS system runs a different network protocol isolating the LAN and Internet traffic from each other. The LAN can run any networking protocol
supported by NT Server (except for TCP/IP); the Internet is connected using the standard TCP/IP protocol. This configuration addresses the main disadvantage of the Isolation configuration, because users who need to update files for access by the IIS can do
so from their own workstations. The disadvantage of this configuration is that LAN users do not have access to the Internet. As long as the adapter cards are not configured for protocol conversion, this configuration offers a high degree of security. When
setting up this configuration, it is important to ensure that the adapter card connected to the Internet is bound only to the TCP/IP protocol, and the adapter connected to the LAN is bound only to that protocol. Check the adapter bindings from the Network
applet in the Control Panel.
FIGURE 18.2. Multiple adapters with different protocols in a single IIS system configuration.
There are a number of commercially available routers that can perform packet filtering (see Figure 18.3). These routers can be configured to filter packets according to predefined specifications. Some of these routers can offer proxy services along with
packet filtering. Packet filtering is not as secure as multiple adapters with different protocols in a single IIS system.
FIGURE 18.3. Router packet filtering configuration.
With the multiple network adapters in an IIS system attached to different networks, each adapter can run the same protocol, but with routing disabled, the network traffic can be isolated (see Figure 18.4). Each adapter card can run the TCP/IP protocol,
with each adapter being assigned its own IP address. The main advantage to this configuration is that LAN clients could use the TCP/IP protocol, allowing access by internal users to IIS resources. To set up this configuration, IP forwarding must be
disabled for each network adapter. This can be done from the TCP/IP configuration dialog box by clicking on the Advanced button and then disabling the Enable IP Routing option.
FIGURE 18.4. Multiple network adapters attached to different networks configuration.
The IIS can be configured to log the activity of the Web Server. This information can be used to monitor the server, along with information provided by the Windows NT Performance Monitor, and Windows NT Auditing. This information can be used to track
who site users are, when peak access times occur, and which services receive the most access.
The IIS can be configured to log activity. Log files can be created as standard text files or as part of SQL/ODBC databases. To configure logging in the IIS, open the Services Manager, then double-click on the server for which you want to enable
logging. The Properties dialog box will be displayed. Click on the Logging tab of the dialog box. Click on the Enable Logging checkbox to turn on logging. Choose the Log to File or the Log to SQL/ODBC Database option. If logging to a file, click on the
Automatically Open New Log checkbox to create a new log file every specified period. A new log file can be created on a daily, weekly, or monthly basis, or when the log file reaches a certain size, by selecting the appropriate radio button. Enter the name
of the log file directory in the corresponding edit box. It's advisable to specify a secure directory in which to create the log file. The log file is named based on the following specifications:
Log Filename | Logging parameters. |
SLOG.LOG | When the Automatically Open New Log option is not enabled. |
Snnn.LOG | When the File Size Reaches option is enabled. The nnn is incremented sequentially each time a new log file is created. |
Mmddyy.LOG | When one of the Daily, Weekly, or Monthly options is selected. Mm specifies the month, dd specifies the day, and yy specifies the year. |
If the Log to SQL/ODBC Database option is selected, you can log information to a SQL database. It works best if Microsoft SQL Server version 6.0 or greater is installed. The Data Source Name (DSN) specifies the name of the database defined with
a device for SQL Server or the filename of the database for Microsoft Access. Table 18.2 specifies the name of the database table the logging information will be appended to. Username and Password specifies the name and password of the user account
required to log into the database.
The information in Table 18.2 is logged by the IIS system. This field definition information should be used to create the database table for logging.
Field Name | Description | Data Type | Length |
ClientHost | Client IP address | Character | 50 |
Username | Client user name If Specified | Character | 50 |
LogDate | Date of access | Character | 12 |
LogTime | Time of access | Character | 12 |
Service | Service accessed | Character | 20 |
Machine | Name of the server accessed | Character | 20 |
ServerIP | IP address of the server a server can have (multiple IP addresses) | Character | 50 |
ProcessingTime | Time to process request in milliseconds | Integer | Not Applicable |
BytesRecvd | Bytes received from the client | Integer | Not Applicable |
BytesSent | Bytes sent to the client | Integer | Not Applicable |
ServiceStatus | Service status code | Integer | Not Applicable |
Win32Status | Windows NT status code | Integer | Not Applicable |
Operation | Name of the operation | Character | 200 |
Target | Target of the operation | Character | 200 |
Parameters | Operation parameters | Character | 200 |
The Service field identifies which service was accessed, W3SVC indicates the Web Service, MSFTPSVC indicates the FTP Service, and the GopherSVC indicates the Gopher Service. The Services Status Codes can be of different levels: 200 level codes
indicate n operations successful, 300 level codes indicate data has been moved to another site, 400 level codes indicate client errors, and 500 level codes indicate server errors.
Text-based log files can be imported into Microsoft Excel or Microsoft Access for further analysis. IIS log files can also be converted to one of two other formats using the convlog utility. The log files can be converted to European Microsoft Windows
NT Academic Centre (EMAC) format, or to Common Log File Format. These formats can be used by a number of different log analysis formats. The convlog utility is located in the \INTERSRV\ADMIN directory, and accepts the following command-line syntax:
convlog -s[f|g|w] -t [emwac|ncsa[:GMTOffset]|none] -o [output directory] [ccc]-f [temp file directory] -n[m[cachesize]|i] -h LogFileName
The -s parameter specifies which services log entries should be converted to: f for FTP, g for Gopher, or w for Web entries. The -t parameter specifies the target conversion format, emwac or ncsa for Common Log File format. The -o parameter
specifies the output directory. The second -t parameter specifies the temporary file directory. The -n parameter specifies whether to convert IP addresses to domain names. The default I option is not to perform this conversion. The m option specifies the
IP conversion, the default cache size is 5000 bytes. The -h parameter displays help. The LogFileName specifies the name of the log file to be converted.
The Windows NT Performance Monitor can track processes and services running on a Windows NT Server. There are a number of different counters that can be used to track the IIS on a dynamic basis. The Performance Monitor can also create alerts, logs, and
reports, which can be effective tools in dynamic security management. The Performance Monitor can track information for HTTPD Services (in Table 18.3) and for the IIS Global Object (in Table 18.4).
Counter | Description |
Bytes Rec/Sec | Rate of bytes received by the HTTP Server |
Bytes Sent/Sec | Rate of bytes sent by the HTTP Server |
Bytes Total/Sec | Total rate of bytes transferred by the HTTP Server |
CGI Requests | Number of Common Gateway Interface (CGI) requests |
Connection Attempts | Number of connection attempts made to the HTTP Server |
Connections/Sec | Rate of connection attempts made to the HTTP Server |
Current Anonymous Users | Number of anonymous users connected to the HTTP Server |
Current CGI Requests | Current number of CGI requests being processed by the HTTP Server |
Current Connections | Current number of simultaneous connections to the HTTP Server |
Current ISAPI Extension Requests | Current number of simultaneous extension requests being processed by the HTTP Server |
Files Received | Number of files received by the HTTP Server |
Files Sent | Number of files sent by the HTTP Server |
Files Total | Total number of files sent and received by the HTTP Server |
Get Requests | Number of HTTP requests using the GET method |
Head Requests | Number of HTTP requests using the HEAD method |
ISAPI Extension Requests | Number of requests made using the ISAPI Extensions |
Logon Attempts | Number of logon attempts to the HTTP Server |
Maximum Anonymous Users | Maximum number of simultaneous anonymous users connected to the HTTP Server |
Maximum CGI Requests | Maximum number of simultaneous CGI requests to the HTTP Server |
Maximum Connections | Maximum number of simultaneous connections to the HTTP Server |
Maximum ISAPI Extension Requests | Maximum number of simultaneous ISAPI extension requests to the HTTP Server |
Maximum Nonanonymous Users | Maximum number of simultaneous nonanonymous connections to the HTTP Server |
Not Found Errors | Number of requests to the HTTP Server that could not be satisfied |
Other Requests Methods | Number of requests that weren’t GET, POST, or HEAD; can include PUT, DELETE, and LINK. |
Post Requests | Number of POST requests to the HTTP Server |
Total Anonymous Users | Total number of anonymous users connected to the HTTP Server |
Total Nonanonymous Users | Total number of nonanonymous users connected to the HTTP Server |
Counter | Description |
Cache Flushes | Number of times the memory cache has been expired because of a file or directory change |
Cache Hits | Number of times a request was found in cache |
Cache Hits % | Ratio of cache hits to misses |
Cache Misses | Number of requests that weren’t found in cache |
Cache Size | Maximum size of the shared HTTPD, Gopher, and FTP cache |
Cache Used | Current size of the cache being used |
Cached File Handles | Number of file handles being cached |
Current Async I/O Requests Blocked | Current number of Async I/O requests that have been blocked |
Directory Listings | Number of directory listings cached by the IIS |
Measure Bandwidth Of Async I/O | Average asynchronous I/O per minute |
Objects | Number of cached objects cached by all of the IIS |
Total Async I/O Requests Allowed | Total number of Async I/O requests allowed |
Total Async I/O Requests Blocked | Total number of Async I/O requests blocked |
Total Async I/O Requests Rejected | Total number of Async I/O requests blocked |
Windows NT Auditing can track events performed by authorized and unauthorized users. The Windows NT Event Viewer can be used to filter and view these audited events. When auditing is enabled, performance will be decreased and large amounts of disk space
can be utilized quickly. Two types of auditing can be tracked:
To configure User Account Auditing, from the User Manager for Domains utility, choose Audit on the policies menu, then click on the Audit These Events button. Selecting the following options to track these events:
These events can then be filtered and viewed using the Windows NT Event Viewer.
To assure the highest level of security for your file system, it should be placed on an NT File System (NTFS) partition. NTFS can control file access on a file-by-file, user-by-user basis. If there is a conflict between NTFS files permissions and IIS
settings, the stricter of the two settings will be utilized.
To configure Windows NTFS auditing, from the File Manager, select the Security menu option, then choose the Auditing option. Add the user or group account you want to enable auditing for by clicking on the Add button. The following success or failure of
the following events can be audited: Read, Write, Execute, Delete, Change Permission, and Take Ownership. These events can then be filtered and viewed using the Windows NT Event Viewer.
The IIS provides Secure Sockets Layer (SSL) to ensure secure communications by using data encryption. An IIS that is enabled with SSL can send and receive data across the Internet to an SSL-enabled client and ensure that it remains private.
SSL operates as a layer between the TCP/IP network protocol and the HTTP applications. Server authentication, encryption, and data integrity are provided through SSL utilization. Data integrity ensures that data that has been transmitted has not been
altered. Encryption ensure the privacy of the data transferred. SSL provides RSA-compliant encryption. Authentication ensures the client side that its data is sent to the correct server, and that the server is secured. SSL is an important component of
protecting financial transactions over the Internet.
To enable SSL on the IIS, follow these steps:
If an IP Address is not specified, the certificate will be applied to all virtual servers supported by the IIS that are configured to utilize the SSL channel.
NetBIOS is the Windows-based file and print sharing protocol, and is used by Windows NT Browser, Messenger, and Net Logon services. The NetBIOS protocol maps unique computer and services names. The NetBIOS protocol can be used over the TCP/IP protocol,
providing NetBIOS client access over a Wide Area Network (WAN). Using the NetBIOS protocol over TCP/IP when a computer is connected to the Internet can be a potential security risk. An unauthorized user could impersonate an authorized user, issue a NET
VIEW command to view resources, and issue the NET USE command to attach to those resources gaining access to the server’s file system. There are some steps that can be taken to reduce the potential security risk of NetBIOS over TCP/IP:
Microsoft’s proprietary Service Message Block (SMB) handles file and printing requests, no matter which network protocol stack is used. SMB fulfills the OSI presentation layer functionality, but it operates in the application layer as a software
module. SMB is a core component of Microsoft Networking and installed by default whenever Microsoft Networking is installed.
By default, a Guest account is created when the NT Server is installed. The Guest account is configured with a blank password. When a server with the Guest account enabled is connected to the Internet, it is possible for anyone to connect to the server, log in as Guest, and cause problems with the shared resources or even the registry, utilizing the SMB functionality. For this reason, it is imperative that any server connected to the Internet disable the Guest account.
With the introduction of the Java programming language to the Internet, a new set of system security concerns has been introduced. Java applets are retrieved from the Internet just like any other Web Page. Once the Java applet has been retrieved, the
Java interpreter in the Web browser executes the applet. In theory, the Java interpreter should enforce security restrictions, limiting an applet's behavior. A number of different security problems have been uncovered in the Netscape Navigator and Internet
Explorer. Although there have not been widespread reports of Java applets that attack a system, there is still reason for concern. It is possible to execute Java applets that send back sensitive data from your system to another server. It is also possible
to execute a Java application that monitors your Web browsing session and sends back details to another server—all without leaving any trace that these applets were run. It is important to educate users on the potential security risks of Java
applications. In Netscape Navigator 2.0, Java can be disabled through the Options, Security Preferences dialog box.
With the release of Microsoft’s Internet Explorer Version 3.0, ActiveX controls were introduced. ActiveX controls can be developed using tools native to the Windows Operating System, producing applets that can run much quicker than Java applets.
Although the Java programming language has built-in security restrictions, the ActiveX specification does not. There are no restrictions on what an ActiveX applet can do. ActiveX is based on Object Linking and Embedding (OLE) technology. Although OLE
linked files to an external application, ActiveX creates an applet within an existing document.
Without any built-in security restriction, the potential for abuse by an ActiveX applet is quite large. To counter these effects, Microsoft has presented a solution based on digital signatures. Using a digital signature, the creator of an ActiveX applet
signs the applet with a private key. When an ActiveX applet is downloaded, the digital signature is checked against a public key to verify its authenticity. If the applet has been tampered with, the authenticity check will fail. Although digital signatures
are new technology, they have been in use for quite some time in e-mail with the Pretty Good Privacy (PGP) shareware application.
A number of concerns must be addressed before digital signature technology can be effective with ActiveX applications: digital signatures need to be more effectively integrated with existing applications, digital signatures do not ensure that the applet
does not contain a virus or malicious code, and end-users must decide whose digital signatures they will trust.
With the release of Windows NT Server Version 4.0, Microsoft will be releasing a new proxy server (which is currently in beta testing) named Catapult. Catapult will become another member of the Microsoft BackOffice family of applications. Catapult
provides the following features:
To set up and configure a Catapult proxy server, two network adapters are required. One adapter is attached to the LAN, and the other is connected to the Internet. The network card attached to the LAN utilizes Remote Procedure Calls (RPC) to transmit
Internet requests and responses over the network. The LAN can utilize the TCP/IP, IPX/SPX, NetBEUI, or other protocols. The Internet-connected adapter must utilize the TCP/IP protocol. Catapult manages communications between the LAN and the Internet.
To configure the Catapult services, IP routing between the LAN and the Internet must be disabled. This prevents Internet packets from reaching the LAN, so unauthorized Internet users cannot gain access to the LAN. Routing can be disabled by accessing
Advanced Options from Network applet in the Control Panel.
Clients on the LAN must also be configured to direct their Internet requests through the Catapult server. The Gateway applet in the control panel enables users to specify which gateway to use for Internet access.
Potential intruders to your systems stay well-informed regarding potential security holes. To maximize the security of your system, it is essential that you stay just as informed. There are a number of Internet Web sites available to keep up-to-date on
current security issues and IIS updates, including the following:
The threat of a security breach from the outside is, in all likelihood, very low. Data is more likely to be lost due to a natural disaster or internal theft by a trusted user. This does not mean that security issues should be overlooked. Internet/intranet security with the IIS should be given its due diligence. It is always best to take the necessary security precautions in a proactive manner. It is impossible to make a networked system completely secure. Increased security almost always comes at the cost of usability. This compromise must continually be evaluated to ensure safety and usability.