Configuring Security Settings

General security settings apply to all types of server appliances. Additional requirements for specific types of appliances are listed under each appliance type.

General Requirements

Remove all sample IIS applications. Samples are not installed by default and should never be installed on a production server. Note that some samples are installed so that they can be accessed only from https://localhost:8099 or 127.0.0.1; they should still be removed.

Remove the samples from IIS

  1. From Internet Services Manager under the default Web site, delete IISSample and MSADC.

  2. In Windows Explorer, delete the sample file directories.

    The following table shows the default locations for samples that should be removed.

    Sample         Virtual directory   Location
    IIS samples    \IISSamples         c:\inetpub\iissamples
    Data access    \MSADC              c:\program files\common files\system\msadc

Custom Server Appliance

There are no additional security configuration requirements for creating a custom server appliance.

Network Attached Storage

There are no additional security configuration requirements for creating a NAS.

Web Server Appliance

Deploy Security Template

The hisecweb.inf security template has been provided as a baseline. It applies to most secure Web sites. The template configures basic Windows 2000 system-wide policy. Review, update, and deploy this template.

To use the template

  1. Copy the template to the \winnt\security\templates directory.
  2. From the Start menu, choose Run.
  3. Type MMC in the text field, and then choose OK.
  4. Choose Console, and then point to Add/Remove Snap-in, and then choose Add.
  5. Select Security Configuration and Analysis and Security Templates, and then choose Add.
  6. Open the Security Templates tool and review the settings.
  7. Open the Security Configuration and Analysis tool and load the template.
  8. Choose Close, and then choose OK.
  9. Right-click Security Configuration and Analysis tool, and then choose Analyze Computer Now.
  10. Wait for the analysis to finish.
  11. Optional: Review the findings and update the template as necessary.
  12. Once you are satisfied with the template, right-click Security Configuration and Analysis tool, and then choose Configure Computer Now.

Enable Logging

Logging is paramount when you want to see whether your server is being attacked. You should use the World Wide Web Consortium (W3C) extended logging format.

To enable logging

  1. To open the IIS Microsoft Management Console (MMC), choose the Start menu, and then point to Settings, and then choose Control Panel.
  2. Open Administrative Tools, and then open Internet Services Manager.
  3. Right-click Default Web site, and then point to Properties, and then point to Web site, and then choose Enable Logging (W3C Extended Log).
  4. Choose Properties, and then select the Extended Properties tab, and then set the following properties:
    • Client IP Address
    • User Name
    • Method
    • URI Stem
    • Protocol Status
    • Win32 Status
    • User Agent
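As an added example (not part of the original document), the following Python script reads a W3C extended log, reports which of the properties listed above are not enabled in its #Fields line, and flags requests against the sample virtual directories that the General Requirements section says to remove. The log lines are constructed sample data; the field names are the standard W3C extended field names that IIS writes for these properties.

```python
"""Check a W3C extended IIS log for the fields this page says to enable.

Added example, not from the original document. SAMPLE_LOG below is
constructed data in the W3C extended format; the paths are illustrative.
"""
import re

# W3C extended field names as written in the "#Fields:" directive, mapped to
# the property names shown on the Extended Properties tab.
REQUIRED_FIELDS = {
    "c-ip": "Client IP Address",
    "cs-username": "User Name",
    "cs-method": "Method",
    "cs-uri-stem": "URI Stem",
    "sc-status": "Protocol Status",
    "sc-win32-status": "Win32 Status",
    "cs(User-Agent)": "User Agent",
}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-14 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-03-14 09:00:01 192.0.2.10 - GET /default.htm 200 0 Mozilla/4.0
2001-03-14 09:00:02 192.0.2.10 - GET /iissamples/default/welcome.htm 404 2 Mozilla/4.0
2001-03-14 09:00:03 192.0.2.11 - GET /msadc/samples/default.htm 200 0 -
"""

def parse_w3c(text):
    """Return (fields, rows); each row is a dict keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return fields, rows

def missing_fields(fields):
    """Property names from the Extended Properties tab not enabled in this log."""
    return [name for key, name in REQUIRED_FIELDS.items() if key not in fields]

def sample_app_hits(rows):
    """Requests to the sample virtual directories the page says to remove."""
    pat = re.compile(r"^/(iissamples|msadc)(/|$)", re.IGNORECASE)
    return [r for r in rows if pat.match(r.get("cs-uri-stem", ""))]

if __name__ == "__main__":
    fields, rows = parse_w3c(SAMPLE_LOG)
    print("missing properties:", missing_fields(fields))
    for r in sample_app_hits(rows):
        print(r["c-ip"], r["cs-uri-stem"], r["sc-status"], r["sc-win32-status"])
```

Any hit reported by sample_app_hits after the samples have been deleted is a request for content that should no longer exist, which is worth reviewing alongside the Protocol Status and Win32 Status values.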