Appendix D: Security Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services
This appendix lists the recommended security settings for WSUS. The recommendations are categorized into settings for Windows Server 2003, IIS 6.0, and SQL Server 2000.
Windows Server 2003
The following are security recommendations for Windows Server 2003 with WSUS.
Audit Policy
Enable audit events to ensure that adequate logs are collected for system activities.
Audit Policy Settings
| Option | Security Setting | Setting Rationale |
|---|---|---|
| Audit account logon events | Success, Failure | Account logon events are recorded where the account is authenticated (on this server for local accounts); successes and failures together show password brute-forcing attempts. |
| Audit account management | Success, Failure | Tracks creation, deletion and modification of accounts and groups. |
| Audit directory service access | No Auditing | Relevant only on domain controllers running Active Directory. |
| Audit logon events | Success, Failure | Logon events are recorded on the computer where the logon takes place; successes and failures together show password brute-forcing attempts against this server. |
| Audit object access | No Auditing | Object access auditing is unnecessary for WSUS and generates a large volume of low-value events. |
| Audit policy change | Success, Failure | Tracks changes to audit policy, user rights assignment and trust relationships. |
| Audit privilege use | Success, Failure | Tracks use of administrative privileges. |
| Audit process tracking | No Auditing | Process-tracking events are unnecessary for a WSUS implementation. |
| Audit system events | Success, Failure | Tracks system startup, shutdown and security-subsystem events. |
Security Options
Configure Windows Server 2003 security settings to help ensure optimal security and functionality.
Security Options Settings
| Option | Security Setting | Setting Rationale |
|---|---|---|
| Accounts: Administrator account status | Enabled | An administrator account is required, so the built-in account stays enabled for authorized users. |
| Accounts: Guest account status | Disabled | The Guest account is a risk and stays disabled unless specifically required. |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Accounts with blank passwords greatly increase exposure to network-based attacks; this confines them to console logon. |
| Accounts: Rename administrator account | Not Defined | Renaming forces an attacker to guess both the account name and the password. The renamed account keeps its well-known relative identifier (RID 500), and readily available tools resolve that SID back to the current name wherever anonymous SID/Name translation is allowed, so renaming is a minor obstacle rather than a control. |
| Accounts: Rename guest account | Not Defined | The Guest account is disabled by default and should stay disabled, so renaming it matters little. If an organization decides to enable Guest, rename it beforehand. |
| Audit: Audit the access of global system objects | Enabled | When enabled, named kernel objects such as mutexes, events, semaphores and DOS devices are created with a default SACL. Access to them is recorded only if Audit object access is also enabled, which this appendix sets to No Auditing, so the setting takes effect only if that policy is later changed. |
| Audit: Audit the use of Backup and Restore privilege | Enabled | Records each use of the backup and restore privileges (when Audit privilege use is enabled), so auditors can see who copied potentially sensitive data. Expect one event per file backed up; size the security log accordingly. |
| Audit: Shut down system immediately if unable to log security audits | Disabled | When enabled, the system halts as soon as the security log cannot be written, which guarantees no unaudited activity but turns a full log into a denial of service. Leave it disabled; a large security log on a separate partition limits the risk of missed events. |
| Devices: Allow undock without having to log on | Disabled | Ensures only authenticated users can undock a computer; harmless on server hardware. |
| Devices: Allowed to format and eject removable media | Administrators | Restricts formatting and ejecting removable media to administrators. |
| Devices: Prevent users from installing printer drivers | Enabled | Printer drivers run in kernel mode through GDI, so letting a non-administrator install one is a path to elevated privileges. |
| Devices: Restrict CD-ROM access to locally logged-on user only | Enabled | Prevents network users from accessing the local CD-ROM, which may contain sensitive data, while a user is logged on at the console. If no one is logged on locally, the drive remains reachable over the network. |
| Devices: Restrict floppy access to locally logged-on user only | Enabled | As for the CD-ROM: prevents network access to the floppy drive while a user is logged on locally. |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Most driver software is signed. Administrators should not install an unsigned driver unless its origin and authenticity can be verified and it has been tested in a lab first. Because only senior administrators work on these systems, the decision is left to them. |
| Domain controller: Allow server operators to schedule tasks | Disabled | Scheduling tasks should be limited to administrators. Applies only to domain controllers. |
| Domain controller: LDAP server signing requirements | Not Defined | Applies only to domain controllers. |
| Domain controller: Refuse machine account password changes | Disabled | Applies only to domain controllers. Leaving it disabled lets domain controllers accept the automatic machine account password changes that domain members perform. |
| Domain member: Digitally encrypt or sign secure channel data (always) | Disabled | If every domain controller is known to support signing and encryption of the secure channel, enable this to protect against attacks on the local network. |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Encrypts the secure channel whenever the domain controller supports it, giving the strongest protection available without breaking older domain controllers. |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Signs the secure channel whenever the domain controller supports it, for the same reason. |
| Domain member: Disable machine account password changes | Disabled | Leaving this disabled lets the machine account password change automatically. |
| Domain member: Maximum machine account password age | 30 days | A password that is changed more often is exposed for less time if it is captured or cracked. |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Requires a 128-bit key for the secure channel; all domain controllers must run Windows 2000 or later. |
| Interactive logon: Do not display last user name | Enabled | Hiding the last user name is especially valuable when the administrator account is renamed; it stops a passer-by from learning account names from the logon screen. |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | The CTRL+ALT+DEL secure attention sequence is intercepted below the level that user-mode programs can hook. Requiring it at logon prevents a Trojan horse that mimics the Windows logon screen from capturing passwords. |
| Interactive logon: Message text for users attempting to log on | [provide legal text] | Display an appropriate legal and warning message according to the corporate security policy. |
| Interactive logon: Message title for users attempting to log on | [provide legal title text] | Display an appropriate legal and warning message according to the corporate security policy. |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | Cached logons mainly benefit laptops that leave the domain. On a server they are a risk: if the server is compromised, the cached verifiers can be attacked offline to recover domain credentials. This appendix keeps the default of 10; a WSUS server that always has a domain controller reachable can use a lower value. |
| Interactive logon: Prompt user to change password before expiration | 14 days | Align password prompts with the corporate security policy. |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Unlocking the console is authenticated against a domain controller instead of cached credentials, so a disabled account or changed password takes effect at unlock time. |
| Interactive logon: Require smart card | Not Defined | Unnecessary if the system will not use smart cards. |
| Interactive logon: Smart card removal behavior | Not Defined | Unnecessary if the system will not use smart cards. |
| Microsoft network client: Digitally sign communications (always) | Disabled | Leave disabled if the server must talk to SMB servers that do not support signing; enable it if packet authenticity is required and all peers support signing. |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Signs SMB traffic with every server that supports signing. |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | If enabled, a third-party SMB server could negotiate a dialect without cryptographic support and authentication would use plain-text passwords. |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | Set so that idle SMB connections do not linger and consume resources. |
| Microsoft network server: Digitally sign communications (always) | Disabled | Leave disabled if clients that cannot sign SMB traffic must connect; enable it if packet authenticity is required and all clients support signing. |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Signs SMB traffic with every client that supports signing, protecting against tampering without breaking older clients. |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Forcibly drops SMB sessions when the account's logon hours end instead of merely refusing new logons. |
| Network access: Allow anonymous SID/Name translation | Disabled | Highly important for securing Windows networking. Disabling it stops a null-session user from resolving the well-known Administrator SID to its current name, among other lookups. |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Highly important for securing Windows networking. Prevents a null-session user from listing local account names, which would otherwise supply a ready-made target list for password guessing. |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Highly important for securing Windows networking. Extends the restriction above to share names. |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Prevents Stored User Names and Passwords from keeping credentials on the server. |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Keeps the Everyone SID out of the anonymous token, so resources granted to Everyone cannot be reached over a null session. |
| Network access: Named Pipes that can be accessed anonymously | Not Defined | Anonymous access to named pipes should be restricted, but trimming the default list breaks some cross-system processes such as network printing; change it only after testing. |
| Network access: Remotely accessible registry paths | Not Defined | Restrict remote registry access unless it is needed, for example for monitoring. |
| Network access: Shares that can be accessed anonymously | None | No share should be accessible anonymously. |
| Network access: Sharing and security model for local accounts | Guest only – local users authenticate as Guest | Network logons with local accounts are mapped to Guest, so a compromised local account password yields only Guest access over the network. With Guest disabled, as recommended above, network logons with local accounts fail outright. |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Stops the weak LAN Manager hash from being stored, removing the easiest target for attacks on hashes captured from the network or read from the SAM database. Existing LM hashes remain until each password is next changed. |
| Network security: Force logoff when logon hours expire | Enabled | Enable as part of the acceptable-use policy. |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | LM responses are much weaker than NTLM and NTLMv2. At this level the server sends only NTLMv2 responses but still accepts LM, NTLM and NTLMv2 from clients, so down-level WSUS clients are unaffected; Windows 95, Windows 98 and unpatched Windows NT 4.0 systems have trouble only when they must accept an NTLMv2 response from this server. |
| Network security: LDAP client signing requirements | Negotiate signing | Signs LDAP traffic whenever the server supports it, which defeats rogue LDAP servers and plain-text submission of credentials. Use Require signing only where every LDAP server, including third-party ones, supports signing. |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security | NTLM (version 1) session security has known weaknesses; requiring NTLMv2 session security refuses connections that cannot negotiate it. |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security | Same as for clients, applied to inbound connections. |
| Recovery console: Allow automatic administrative logon | Disabled | If automatic logon is enabled, anyone with console access can restart the computer into the Recovery Console and obtain administrative privileges. An organization may enable it on a physically secured server to recover when the administrator password is lost. |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | The Recovery Console can be used to copy the SAM database for offline attack; leave this disabled so those files cannot be copied to removable media. |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Prevents users without valid accounts from shutting down the system. |
| Shutdown: Clear virtual memory pagefile | Disabled | Clearing the pagefile at shutdown prevents offline recovery of sensitive data paged out of memory, such as passwords, but lengthens every restart. This appendix leaves it disabled for physically secured servers; enable it where offline access to the disk is a realistic threat. |
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | Protecting local private keys makes it harder for an attacker who gains one foothold to reuse the keys and move across the network. |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not Defined | Left undefined. Enabling it limits Windows to FIPS 140 validated algorithms, which strengthens the cryptography but can break applications and TLS configurations that use other algorithms; test before enabling. |
| System objects: Default owner for objects created by members of the Administrators group | Administrators group | Objects created by an administrator are owned by the Administrators group rather than the individual account, so ownership does not depend on a single account. |
| System objects: Require case insensitivity for non-Windows subsystems | Disabled | Keeps the POSIX subsystem case-sensitive, as UNIX software expects, so names differing only in case are not treated as the same object. |
| System settings: Optional subsystems | Enter POSIX here only if expressly required | The POSIX subsystem has had multiple local exploits and should be disabled unless third-party software requires it, which is extremely rare for commercial packages. |
| System settings: Use Certificate Rules on Windows executables for Software Restriction Policies | Not Defined | When certificate rules exist, enabling this makes software restriction policies check the CRL to verify the software's certificate and signature. |
Event Log Settings
Configure Event Log settings to help ensure an adequate level of activity monitoring.
Event Log Settings
| Option | Security Setting | Setting Rationale |
|---|---|---|
| Maximum application log size | 100489 kilobytes | A large log lets administrators store and search for problematic and suspicious events. |
| Maximum security log size | 100489 kilobytes | A large log lets administrators store and search for problematic and suspicious events. |
| Maximum system log size | 100489 kilobytes | A large log lets administrators store and search for problematic and suspicious events. |
| Prevent local guests group from accessing application log | Enabled | Guest accounts should not be able to read sensitive information in the event log. |
| Prevent local guests group from accessing security log | Enabled | Guest accounts should not be able to read sensitive information in the event log. |
| Prevent local guests group from accessing system log | Enabled | Guest accounts should not be able to read sensitive information in the event log. |
| Retain application log | 7 Days | Logs should be collected on a centralized log server within a week. This value is only enforced when the retention method is Overwrite events older than N days; with As Needed (below) it serves as the collection interval to plan for. |
| Retain security log | 7 Days | Same as for the application log. |
| Retain system log | 7 Days | Same as for the application log. |
| Retention method for application log | As Needed | Overwrite the oldest events when the log is full. The large maximum size above makes this safe provided logs are collected centrally before they wrap. |
| Retention method for security log | As Needed | Same as for the application log. |
| Retention method for system log | As Needed | Same as for the application log. |
System Services
Enable only services that are required for WSUS.
Enabled Operating System Services
| Option | Security Setting | Setting Rationale |
|---|---|---|
| Alerter | Disabled | The Alerter service is useful mainly when an administrator logged on to the network wants to be notified of events; WSUS does not need it. |
| Application Management | Manual | Needed only when applications are deployed through Active Directory software installation. |
| Automatic Updates | Automatic | Required to keep the WSUS server's own operating system patched. |
| ClipBook | Disabled | Unnecessary in the WSUS environment. |
| COM+ Event System | Manual | The COM+ event system may be used by the Web application; Manual lets it start on demand. |
| Computer Browser | Automatic | Maintains the list of computers on the network for Windows browsing. |
| DHCP Client | Automatic | Required if the server obtains its IP address from DHCP; a server with a static address can set it to Disabled. |
| Distributed File System | Disabled | DFS is for file sharing across multiple servers, which WSUS does not need. |
| Distributed Link Tracking Client | Disabled | Only appropriate if the domain uses distributed link tracking. |
| Distributed Link Tracking Server | Disabled | Only appropriate if the domain uses distributed link tracking. |
| Distributed Transaction Coordinator | Disabled | Coordinates transactions that span multiple resource managers; WSUS does not use distributed transactions. |
| DNS Client | Automatic | Required for name resolution; also maintains the local DNS cache. |
| Event Log | Automatic | Records events on the system and provides critical auditing information. |
| File Replication | Disabled | Used for file replication and synchronization between servers, which WSUS does not need. |
| IIS Admin Service | Automatic | Required for IIS, and therefore for WSUS administration and client communication. |
| Indexing Service | Manual | Not needed by WSUS; Manual leaves it stopped unless something explicitly starts it. |
| Intersite Messaging | Disabled | Needed only on domain controllers. |
| Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | Manual | Required if the local ICF firewall is used. |
| IPSEC Services | Automatic | Required if IPsec policies are used. |
| Kerberos Key Distribution Center | Disabled unless functioning as a domain controller | The KDC runs only on domain controllers; a member server does not need it to join or authenticate to a domain. |
| License Logging Service | Disabled | Used only where application licensing must be tracked. |
| Logical Disk Manager | Automatic | Used for logical disk management. |
| Logical Disk Manager Administrative Service | Manual | Started on demand for logical disk management tasks. |
| Messenger | Disabled | Needed only if NetBIOS messaging is used. |
| Net Logon | Automatic | Required for domain membership. |
| NetMeeting Remote Desktop Sharing | Disabled | NetMeeting allows collaboration over a network; it belongs on interactive workstations, not servers, where it presents a security risk. |
| Network Connections | Manual | Manages objects in the Network Connections folder; started on demand. |
| Network DDE | Disabled | Network DDE is an interprocess communication mechanism across the network. Because it opens network shares and allows remote access to local resources, disable it unless explicitly needed. |
| Network DDE DSDM | Disabled | Supports Network DDE and should be disabled along with it. |
| NTLM Security Support Provider | Manual | Authenticates users of RPC services that use transports other than named pipes, such as TCP and UDP. |
| Performance Logs and Alerts | Manual | Needed only when performance logs and alerts are used. |
| Plug and Play | Automatic | Needed for Plug and Play hardware. |
| Print Spooler | Disabled | Needed only if the server prints; disabling it removes an unnecessary network-facing service. |
| Protected Storage | Automatic | Must run because the IIS Admin Service depends on it. |
| Remote Access Auto Connection Manager | Disabled | Enable only on RAS servers. |
| Remote Access Connection Manager | Disabled | Enable only on RAS servers. |
| Remote Procedure Call (RPC) | Automatic | Required for RPC communication. |
| Remote Procedure Call (RPC) Locator | Manual | Needed only by RPC applications that use the locator service; Manual lets them start it. |
| Remote Registry | Manual | Remote Registry is a frequent target for attackers, viruses and worms; keep it at Manual unless remote management requires it. |
| Removable Storage | Manual | Started on demand for removable storage management. |
| Routing and Remote Access | Disabled | Enable only on RAS servers. |
| Security Accounts Manager | Automatic | Manages local accounts and must run. |
| Server | Automatic | Enable or disable as necessary; supports file, print and named-pipe sharing over the network for this computer. |
| Smart Card | Manual | Unnecessary unless smart cards are used for two-factor logon; set to Manual or Disabled. |
| System Event Notification | Automatic | Needed for COM+ events. |
| Task Scheduler | Manual | Enable or disable as necessary; lets a user configure and schedule automated tasks on this computer. |
| TCP/IP NetBIOS Helper | Automatic | Provides NetBIOS over TCP/IP support, needed for Windows networking with computers running an operating system earlier than Windows Server 2003. |
| Telephony | Disabled | Not needed because no telephony devices are used. |
| Telnet | Disabled | Telnet sends credentials in clear text; disable it and strongly discourage its use. |
| Terminal Services | Manual | Enable or disable as necessary; commonly used for remote administration. |
| Uninterruptible Power Supply | Manual | Needed only if a UPS is attached. |
| Windows Installer | Manual | Starts on demand to install .msi packages. |
| Windows Management Instrumentation | Manual | Provides extended management capabilities. |
| Windows Management Instrumentation Driver Extensions | Manual | Exchanges systems management information with device drivers. |
| Windows Time | Automatic | Time synchronization is required for Kerberos authentication in Active Directory environments. |
| Workstation | Automatic | Required for Windows networking. |
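The Audit Policy, Security Options, Event Log and System Services tables above describe a security template. The following script is an added example, not part of the original appendix or of WSUS: it writes a subset of those recommendations as a secedit template, applies it, sets service start types through WMI, and then runs an analysis to show what still differs. The C:\Hardening folder and the particular subset of settings are assumptions; run it in an elevated PowerShell session on the WSUS server and review the log before trusting the result.

```powershell
# Added example, not part of the original appendix or of WSUS: applies a subset of
# the Audit Policy, Security Options and Event Log recommendations as a security
# template via secedit, sets service start types from the System Services table
# through WMI, then analyzes the result. C:\Hardening and the chosen subset of
# settings are assumptions.

$workDir = 'C:\Hardening'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'wsus-appendix-d.inf'
$db  = Join-Path $workDir 'wsus-appendix-d.sdb'
$log = Join-Path $workDir 'wsus-appendix-d.log'

# Template syntax: [Event Audit] uses 0 none, 1 success, 2 failure, 3 both.
# [Registry Values] lines are MACHINE\path=type,value (4 = REG_DWORD, 1 = REG_SZ).
# AuditLogRetentionPeriod=0 is "overwrite as needed"; RetentionDays then has no effect.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LSAAnonymousNameLookup = 0
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 0
AuditSystemEvents = 3
[Application Log]
MaximumLogSize = 100489
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 100489
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 100489
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,524288
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,524288
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
'@

Set-Content -Path $inf -Value $template -Encoding Unicode
& secedit.exe /configure /db $db /cfg $inf /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit /configure returned $LASTEXITCODE; see $log" }

# Start types from the System Services table (subset, keyed by service short name).
# Win32_Service.ChangeStartMode returns 0 on success.
$startModes = @{
    'Alerter' = 'Disabled'; 'ClipSrv' = 'Disabled'; 'Messenger' = 'Disabled'
    'Spooler' = 'Disabled'; 'TlntSvr' = 'Disabled'; 'RemoteRegistry' = 'Manual'
    'Schedule' = 'Manual';  'IISADMIN' = 'Automatic'; 'W32Time' = 'Automatic'
}
foreach ($name in $startModes.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { Write-Warning "$name is not installed"; continue }
    $rc = $svc.ChangeStartMode($startModes[$name]).ReturnValue
    if ($rc -ne 0) { Write-Warning "$name -> $($startModes[$name]) failed with return code $rc"; continue }
    if ($startModes[$name] -eq 'Disabled' -and $svc.State -eq 'Running') { $svc.StopService() | Out-Null }
}

# Report what still differs from the template (details go to the log file).
& secedit.exe /analyze /db $db /cfg $inf /log $log /quiet
Write-Output "Analysis complete; review $log for mismatches."
```

The template deliberately covers only settings that map to a registry value or a template section; user-rights and settings such as the logon banner text are left for the organization to add. Keep the .sdb and .inf under change control so the same template can be re-analyzed later to detect drift.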
TCP/IP Hardening
Microsoft recommends that you harden the TCP/IP interface for WSUS servers.
Warning
If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
All of the following values are REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. The TCP/IP driver reads them when it starts, so a restart is required for the changes to take effect.

| Registry value | Security Setting | Setting Rationale |
|---|---|---|
| SynAttackProtect | 2 | Turns on SYN flood protection. Once the half-open thresholds below are exceeded, TCP retransmits SYN-ACKs fewer times and delays creating a route cache entry until the handshake completes. Windows Server 2003 with SP1 enables this protection by default; setting it explicitly keeps it on. |
| TcpMaxPortsExhausted | 1 | Number of connection requests refused for lack of available ports before SYN attack protection engages. |
| TcpMaxHalfOpen | 500 | Number of half-open connections allowed before SYN attack protection engages. |
| TcpMaxHalfOpenRetried | 400 | Number of half-open connections for which at least one SYN-ACK retransmission has been sent before SYN attack protection engages. |
| EnableICMPRedirect | 0 | Ignores ICMP redirect messages, so an attacker on the local segment cannot inject host routes, and the stack does not create the expensive host routes that redirects produce. This value belongs under Tcpip\Parameters, not under AFD. |
| EnableDeadGWDetect | 0 | Disables dead gateway detection, so an attacker cannot force the server to switch to a secondary (possibly attacker-controlled) gateway by disrupting the primary one. |
| DisableIPSourceRouting | 1 | Source-routed packets are not forwarded. A value of 2 additionally drops all incoming source-routed packets and is the stricter choice for a server that never needs source routing. |
| IPEnableRouter | 0 | Disables forwarding of packets between network interfaces. |
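The values above are normally set with Registry Editor. The following script is an added example, not part of the original appendix: it exports the key first so the change can be reverted, writes the recommended values, and reads them back to confirm what is stored. The backup location is an assumption. Because the driver reads these values at start, the check confirms the registry contents, not the running stack.

```powershell
# Added example, not part of the original appendix: applies the TCP/IP hardening
# values from the table after exporting the key, then verifies the stored values.
# C:\Hardening is an assumed backup location. Reboot for the settings to take effect.

$tcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$backupDir = 'C:\Hardening'
$backup    = Join-Path $backupDir 'tcpip-parameters-before.reg'

$hardening = @{
    'SynAttackProtect'       = 2
    'TcpMaxPortsExhausted'   = 1
    'TcpMaxHalfOpen'         = 500
    'TcpMaxHalfOpenRetried'  = 400
    'EnableICMPRedirect'     = 0
    'EnableDeadGWDetect'     = 0
    'DisableIPSourceRouting' = 1    # 2 would also drop incoming source-routed packets
    'IPEnableRouter'         = 0
}

function Get-TcpipValue([string]$name) {
    # $null means the value is absent and the stack default applies.
    $item = Get-ItemProperty -Path $tcpipKey -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

function Get-TcpipDrift {
    # Names whose stored value differs from the recommendation (absent counts as drift).
    $drift = @()
    foreach ($name in $hardening.Keys) {
        $current = Get-TcpipValue $name
        if ($current -eq $null -or $current -ne $hardening[$name]) { $drift += $name }
    }
    return ,$drift
}

# Keep a copy of the key so the change can be reverted with "reg import".
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
if (Test-Path $backup) { Remove-Item $backup }
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' $backup | Out-Null

Write-Output ('Differing before write: ' + ((Get-TcpipDrift) -join ', '))
foreach ($name in $hardening.Keys) {
    Set-ItemProperty -Path $tcpipKey -Name $name -Value ([int]$hardening[$name]) -Type DWord
}

$after = Get-TcpipDrift
if ($after.Count -eq 0) { Write-Output 'All values stored; reboot to apply.' }
else { Write-Warning ('Still differing after write: ' + ($after -join ', ')) }
```

Run Get-TcpipDrift again after the reboot (and periodically afterwards) to catch a later rollback of these values; a non-empty result is the signal to investigate.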
IIS 6.0 Security Settings
The following are security recommendations for IIS 6.0 with WSUS.
URLScan
Use the following settings in URLScan to help protect the administrative Web page for WSUS. The complete Urlscan.ini file is located at the end of this topic.
| Option | Security Setting | Setting Rationale |
|---|---|---|
| UseAllowVerbs | 1 | Uses the [AllowVerbs] section of Urlscan.ini, which permits only GET, HEAD and POST; every other verb is rejected. |
| UseAllowExtensions | 0 | Uses the [DenyExtensions] section of Urlscan.ini. The following extensions are denied: ASP requests .asp, .cer, .cdx, .asa; executables .bat, .cmd, .com; scripts .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer; static files .ini, .log, .pol, .dat. Note that .exe must not be denied, because WSUS serves .exe content. |
| NormalizeUrlBeforeScan | 1 | Canonicalizes the URL before the other checks run. |
| VerifyNormalization | 1 | Canonicalizes the URL twice and rejects the request if the second pass changes it, which catches double-encoded sequences. |
| AllowHighBitCharacters | 0 | Rejects URLs containing high-bit (UTF-8 or MBCS) characters. |
| AllowDotInPath | 0 | Rejects URLs containing multiple periods, so a period is accepted only in the file extension. |
| RemoveServerHeader | 1 | Removes the Server header from responses. |
| PerProcessLogging | 1 | Includes the worker process PID in the Urlscan.log filename, which separates the log output of each process. |
| AllowLateScanning | 0 | Loads UrlScan as a high-priority filter so that it screens requests before other ISAPI filters see them. |
| PerDayLogging | 1 | Produces a new log each day, named in the form Urlscan.010101.log. |
| UseFastPathReject | 0 | Rejected requests are sent to RejectResponseUrl so that IIS logs them. |
| LogLongUrls | 0 | Only 1 KB per request is logged. |
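To see how the settings above combine on actual request lines, the following script is an added example, not part of the original appendix or of UrlScan: it is a simplified re-implementation of the verb, normalization, high-bit, period and extension checks, useful for testing candidate URLs before the filter is deployed. The deny list mirrors the table with .exe removed; the sample requests are constructed and do not describe WSUS's real URL space, and UrlScan's own matching has more cases than are modeled here.

```powershell
# Added example, not part of the original appendix or of UrlScan: a simplified
# model of the checks the Urlscan.ini settings above turn on. Deny list mirrors the
# table with .exe removed. Sample requests are constructed, not real WSUS paths.

$allowVerbs     = @('GET', 'HEAD', 'POST')
$denyExtensions = @('.asp', '.cer', '.cdx', '.asa',
                    '.bat', '.cmd', '.com',
                    '.htw', '.ida', '.idq', '.htr', '.idc', '.shtm', '.shtml', '.stm', '.printer',
                    '.ini', '.log', '.pol', '.dat')          # .exe deliberately absent

function Test-UrlScanRequest([string]$verb, [string]$url) {
    # Returns 'allowed' or the first reason the request would be rejected.
    if ($allowVerbs -notcontains $verb.ToUpper()) { return "verb $verb not in [AllowVerbs]" }

    # NormalizeUrlBeforeScan=1 and VerifyNormalization=1: decode once, decode again,
    # and reject if the second pass changed anything (double encoding such as %255c).
    $path  = $url.Split('?')[0]
    $once  = [System.Uri]::UnescapeDataString($path)
    $twice = [System.Uri]::UnescapeDataString($once)
    if ($twice -ne $once) { return 'URL changes on second normalization' }

    # AllowHighBitCharacters=0
    foreach ($ch in $once.ToCharArray()) {
        if ([int]$ch -gt 127) { return 'high-bit character in URL' }
    }

    # AllowDotInPath=0: only one period is accepted, and only in the last segment.
    $segments = $once.Split('/')
    for ($i = 0; $i -lt $segments.Length - 1; $i++) {
        if ($segments[$i].Contains('.')) { return "period in directory segment '$($segments[$i])'" }
    }
    $leaf = $segments[$segments.Length - 1]
    if ($leaf.Split('.').Length -gt 2) { return "multiple periods in '$leaf'" }

    # [DenyExtensions]
    $ext = [System.IO.Path]::GetExtension($leaf).ToLower()
    if ($denyExtensions -contains $ext) { return "extension $ext is in [DenyExtensions]" }
    return 'allowed'
}

function Get-UrlScanReport {
    # Constructed sample requests: a few legitimate-looking downloads and calls,
    # and a few that the settings are meant to block.
    $samples = @(
        @('GET',   '/selfupdate/wuident.cab'),
        @('GET',   '/Content/ab/update.exe'),
        @('POST',  '/ClientWebService/client.asmx'),
        @('TRACE', '/'),
        @('GET',   '/Content/..%255c..%255cboot.ini'),
        @('GET',   '/scripts/test.htr'),
        @('GET',   '/global.asa'),
        @('GET',   '/Content/../../boot.ini')
    )
    foreach ($s in $samples) {
        '{0,-5} {1,-40} {2}' -f $s[0], $s[1], (Test-UrlScanRequest $s[0] $s[1])
    }
}
Get-UrlScanReport
```

The report shows the .exe download and the .cab and .asmx requests passing, TRACE failing on the verb list, the double-encoded path failing the normalization check before any extension is examined, and the plain ../ traversal failing on AllowDotInPath. Feed the script the URL patterns your own WSUS clients actually use before tightening the deny list further.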
IIS Security Configuration
Consider enabling the following three security settings on the IIS Web server to help ensure secure WSUS administration.
Enable general error messages
By default, IIS returns detailed error messages to remote Web clients. We recommend enabling general (less detailed) error messages so that an unauthorized user cannot probe the IIS environment through its error output.
To enable general IIS error messages
On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand the local computer node.
Right-click Web Sites, and then click Properties.
On the Home Directory tab, click Configuration.
On the Debugging tab, click Send the following text error message to client.
Enable additional logging options
By default, IIS enables logging for a number of options. However, we recommend logging several additional key options.
To add key IIS logging fields
On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand the local computer node.
Right-click Web Sites, and then click Properties.
On the Web Site tab, click Properties next to the active log format.
On the Advanced tab, select the check boxes for the following fields:
Server name
Time taken
Host
Cookie
Referer
Remove custom headers
By default, IIS adds the custom header X-Powered-By: ASP.NET to HTTP responses, which advertises the platform. We recommend removing it.
To remove custom headers from HTTP responses
On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand the local computer node.
Right-click Web Sites, and then click Properties.
On the HTTP Headers tab, select X-Powered-By: ASP.NET, and then click Remove.
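The following script is an added example, not part of the original appendix: it checks an HTTP response for the platform-identifying headers that the UrlScan RemoveServerHeader setting and the custom-header removal above are meant to eliminate. The "before" and "after" responses are constructed samples; Test-SiteHeaders fetches a live response from a URL you supply, which is assumed to be the WSUS site.

```powershell
# Added example, not part of the original appendix: reports Server and X-Powered-By
# headers in an HTTP response. Sample responses are constructed; Test-SiteHeaders
# needs network access to the (assumed) WSUS site URL passed to it.

function Get-HeaderFindings([string]$rawResponse) {
    # Parses "Name: value" lines into a case-insensitive table and returns findings.
    $headers = @{}
    foreach ($line in ($rawResponse -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') { $headers[$matches[1].ToLower()] = $matches[2] }
    }
    $findings = @()
    foreach ($name in @('server', 'x-powered-by')) {
        if ($headers.ContainsKey($name)) { $findings += ('{0} header still sent: {1}' -f $name, $headers[$name]) }
    }
    return ,$findings
}

function Test-SiteHeaders([string]$url) {
    # HEAD request against the live site; returns the same findings list.
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method = 'HEAD'
    $resp = $req.GetResponse()
    try { return ,(Get-HeaderFindings $resp.Headers.ToString()) } finally { $resp.Close() }
}

# Constructed samples: a default IIS 6.0 response and one after the changes.
$before = "HTTP/1.1 200 OK`r`nServer: Microsoft-IIS/6.0`r`nX-Powered-By: ASP.NET`r`nContent-Type: text/html`r`n"
$after  = "HTTP/1.1 200 OK`r`nContent-Type: text/html`r`n"

Write-Output ('Before: ' + ((Get-HeaderFindings $before) -join '; '))
Write-Output ('After : ' + ((Get-HeaderFindings $after)  -join '; '))
```

An empty findings list from Test-SiteHeaders is the expected result once UrlScan is installed with RemoveServerHeader=1 and the custom header has been removed; run it against the site from a client on another subnet, since a proxy or load balancer in front of the server may add its own headers.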
SQL Server 2000
The following are security recommendations for SQL Server 2000 with WSUS.
SQL Registry Permissions
Use access control permissions to secure the SQL Server 2000 registry keys.
| Registry key | Security Setting | Rationale |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\MSSQLServer | Administrators: Full Control; SQL Server service account: Full Control; SYSTEM: Full Control | Limits access to the application's registry key to authorized administrators and the service and system accounts. |
Stored Procedures
Remove all extended stored procedures that are unnecessary and that could be used to control the database server or run commands on it.
Unnecessary SQL Server 2000 Stored Procedures
| Description | Stored Procedures | Rationale |
|---|---|---|
| Delete each extended stored procedure from the master database with the following command: USE master EXEC sp_dropextendedproc 'stored procedure', where stored procedure is the name of the extended stored procedure to be deleted. | | Remove all extended stored procedures that are not necessary for WSUS and could give an unauthorized user the ability to run command-line actions on the database server. |
Urlscan.ini file
The following is a facsimile of the complete Urlscan.ini file.
[options]
UseAllowVerbs=1 ; If 1, use [AllowVerbs] section, else use the
; [DenyVerbs] section.
UseAllowExtensions=0 ; If 1, use [AllowExtensions] section, else use
; the [DenyExtensions] section.
NormalizeUrlBeforeScan=1 ; If 1, canonicalize URL before processing.
VerifyNormalization=1 ; If 1, canonicalize URL twice and reject request
; if a change occurs.
AllowHighBitCharacters=0 ; If 1, allow high bit (ie. UTF8 or MBCS)
; characters in URL.
AllowDotInPath=0 ; If 1, allow dots that are not file extensions.
RemoveServerHeader=1 ; If 1, remove the 'Server' header from response.
EnableLogging=1 ; If 1, log UrlScan activity.
PerProcessLogging=1 ; If 1, the UrlScan.log filename will contain a PID
; (ie. UrlScan.123.log).
AllowLateScanning=0 ; If 1, then UrlScan will load as a low priority
; filter.
PerDayLogging=1 ; If 1, UrlScan will produce a new log each day with
; activity in the form 'UrlScan.010101.log'.
UseFastPathReject=0 ; If 1, then UrlScan will not use the
; RejectResponseUrl or allow IIS to log the request.
LogLongUrls=0 ; If 1, then up to 128K per request can be logged.
; If 0, then only 1k is allowed.
;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/<Rejected-by-UrlScan>' will be used.
;
RejectResponseUrl=
;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;
LoggingDirectory=C:\WINDOWS\system32\inetsrv\urlscan\logs
;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;
AlternateServerName=
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 2048.
;
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.htm
.html
.txt
.jpg
.jpeg
.gif
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
; .asp
; .cer
; .cdx
; .asa
;
; Deny ASP requests
.asp
.cer
.cdx
.asa
; Deny executables that could run on the server
;.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Indexing Service
.ida ; Maps to idq.dll, part of Indexing Service
.idq ; Maps to idq.dll, part of Indexing Service
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
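The Urlscan.ini above is only as protective as the reader's understanding of how its sections combine, so the following Python script, added here as an example and not part of this appendix or of Microsoft's UrlScan filter, models the checks the file's own comments describe: the verb allow/deny lists, [DenyHeaders], MaxUrl and MaxAllowedContentLength, canonicalization with VerifyNormalization, [DenyUrlSequences], AllowDotInPath and the extension lists. The embedded INI is a condensed copy of the settings shown above, and the sample requests are constructed. Three simplifications are assumptions of this model rather than documented UrlScan behaviour: canonicalization is a single percent-decoding pass, denied sequences are matched against the path without the query string, and AllowDotInPath=0 is read as "no dot outside the final file extension".

```python
"""Model of the checks a UrlScan.ini policy applies to a request (added example)."""
from urllib.parse import unquote_to_bytes

# Condensed copy of the appendix's Urlscan.ini, constructed for this example;
# comments and entries not needed for the demonstration are dropped.
URLSCAN_INI = r"""[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=0
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
[AllowVerbs]
GET
POST
[DenyHeaders]
Translate:
[DenyExtensions]
.asp
[DenyUrlSequences]
..      ; Don't allow directory traversals
\       ; Don't allow backslashes in URL
%       ; Don't allow escaping after normalization
"""
KEYED = ("options", "requestlimits")  # sections that hold key=value pairs


def parse_ini(text):
    """Parse UrlScan's INI dialect: ';' comments, key=value in KEYED sections, bare lists elsewhere."""
    sections, current = {}, None
    for line in filter(None, (raw.split(";", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {} if current in KEYED else []
        elif current in KEYED:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        else:
            sections[current].append(line.lower())
    return sections


def canonicalize(url):
    """One canonicalization pass, modelled here as percent-decoding; one char per wire byte (latin-1)."""
    return unquote_to_bytes(url.encode("latin-1")).decode("latin-1")


def check_request(policy, method, url, headers=None, content_length=0):
    """Return None if the request passes, else the first reason it is rejected.
    Order: verb, denied headers, limits, normalization, sequences, dots, extension."""
    opts, limits = policy["options"], policy.get("requestlimits", {})
    on = lambda key: opts.get(key, "0") == "1"
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if on("useallowverbs"):
        if method.lower() not in policy.get("allowverbs", []):
            return f"verb not in [AllowVerbs]: {method}"
    elif method.lower() in policy.get("denyverbs", []):
        return f"verb in [DenyVerbs]: {method}"
    for name in policy.get("denyheaders", []):
        if name.rstrip(":") in headers:
            return f"header in [DenyHeaders]: {name}"
    path = url.partition("?")[0]  # MaxUrl excludes the query string
    if len(path) > int(limits.get("maxurl", 260)):
        return "URL longer than MaxUrl"
    if content_length > int(limits.get("maxallowedcontentlength", 30000000)):
        return "Content-Length above MaxAllowedContentLength"
    scan = canonicalize(path) if on("normalizeurlbeforescan") else path
    if on("verifynormalization") and canonicalize(scan) != scan:
        return "URL changes on second normalization (double encoding)"
    for seq in policy.get("denyurlsequences", []):
        if seq in scan.lower():
            return f"URL contains denied sequence {seq!r}"
    directory, _, filename = scan.rpartition("/")
    if not on("allowdotinpath") and ("." in directory or filename.count(".") > 1):
        return "dot outside the file extension (AllowDotInPath=0)"
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if on("useallowextensions"):  # a bare '.' entry admits extension-less URLs
        if (ext or ".") not in policy.get("allowextensions", []):
            return f"extension not in [AllowExtensions]: {ext or '(none)'}"
    elif ext in policy.get("denyextensions", []):
        return f"extension in [DenyExtensions]: {ext}"
    return None


POLICY = parse_ini(URLSCAN_INI)

# Constructed sample requests: (method, url, headers, Content-Length).
SAMPLE_REQUESTS = [
    ("GET", "/ClientWebService/client.asmx", {}, 0),
    ("PUT", "/Content/upload.cab", {}, 0),
    ("GET", "/Content/readme.htm", {"Translate": "f"}, 0),
    ("GET", "/scripts/admin.asp", {}, 0),
    ("GET", "/Content/%2e%2e/secret.txt", {}, 0),
    ("GET", "/Content/%252e%252e/secret.txt", {}, 0),
    ("GET", "/Content/file%zz.txt", {}, 0),
]


def evaluate(policy=POLICY, requests=SAMPLE_REQUESTS):
    """Map each sample URL to its rejection reason (None when allowed)."""
    return {url: check_request(policy, m, url, h, n) for m, url, h, n in requests}
```

Running evaluate() on the samples shows why VerifyNormalization matters alongside the sequence list: a single-encoded traversal is caught by the ".." rule only because it is decoded first, while a double-encoded one is rejected because the second canonicalization pass still changes the URL. A stray "%" that survives decoding trips the "%" sequence rule, which is the case the file's comment "Don't allow escaping after normalization" is about. Only the WSUS service URL passes.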