When you install a new operating system, your security settings are all set to their default values. The same goes for installing a new web server or a browser. These settings need to be changed to harden the system against attacks or unauthorized access.
When you install Windows, all versions have one thing in common: weak security. The obvious example is that after logging in, all users have full control (all permissions) at the root of every drive and at most of the drives' subdirectories and files. NT4 was the first Windows operating system to introduce a distinction between rights and permissions. A right allows the user to access the resources of the operating system itself, such as shutting down the system. A permission allows the user to access the file system's resources, such as reading and writing files. NT4 was also the first Windows product with DAC, which is discussed in more detail later in this chapter.
The Windows default for permissions is for the Everyone group to have full control from the root of each drive down. For a single user station, this is okay, but for a web server or file server, this is not acceptable. If you do not change the permissions, any user who logs in, no matter how, has full control. The easiest way to adjust these permissions is by using Windows Explorer as follows:
Step 1. Right-click the folder for which you want to change the permission. The pull-down choices are displayed in Figure 7-1.
Figure 7-1. Windows Explorer
Step 2. Select Properties from the pull-down choices. The screen shown in Figure 7-2 displays this option.
Figure 7-2. Properties Page
Step 3. Click the Security tab. The screen shown in Figure 7-3 displays this tab.
Figure 7-3. Security Tab
In Figure 7-3, you can see the default for Windows security. Every user logged in to the system has Full Control. This leaves the system wide open to any kind of unauthorized access. Therefore, you need to change those permissions. The case study in this chapter gives you an example of how to change these permissions.
There is much more to securing a web server than hardening the file system. Other things you need to do are
Set account policies
On the Microsoft website, you can find sample information on security. Here is a good starting point if you need additional information: http://www.microsoft.com/technet/Security/tools/default.mspx.
The first four items in the list of tasks for securing the web server will not be discussed in detail in this book.
NOTE
For more information about policies and group rights, you can look at Web Security Field Guide by Steve Kalman from Cisco Press.
The last item in the list of tasks for securing the web server is removing or disabling unnecessary services. When you start your PC, many services run in the background. Disable all services that you do not need. Table 7-1 lists the services that you can disable. This is not a complete list, so be careful when disabling these services. Some services might be needed for operation.
| Service Name | Description |
|---|---|
| ClipBook Viewer[1] | Enables the ClipBook Viewer to create and share pages of data to be viewed by remote computers |
| Computer Browser | Maintains an up-to-date list of computers on your network and supplies the list to programs that request it |
| DHCP Client | Manages network configuration by registering and updating IP addresses and Domain Name Server (DNS) names for this computer |
| DHCP Server | Allocates IP addresses and allows the advanced configuration of network settings |
| DNS Server | Enables DNS name resolution |
| Fax Service | Enables you to send and receive faxes |
| File Server for Macintosh | Enables Macintosh users to store and access files on this Windows server machine |
| Gateway Service for NetWare | Provides access to file and print resources on NetWare networks |
| Internet Connection Sharing | Provides NAT, addressing, and name resolution services for all computers on your home network |
| NetMeeting Remote Desktop Sharing | Allows authorized users to remotely access your Windows desktop |
| Print Server for Macintosh | Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server |
| Print Spooler | Queues and manages print jobs |
| Remote Access Auto Connection Manager | Brings up a dialog box that offers to make a dialup connection to a remote computer when no network access exists |
| RPC Locator | Provides the name service for RPC clients |
| Remote Registry Service | Allows remote Registry manipulation |
| Routing and Remote Access | Offers routing services in local area and WAN environments |
| RunAs Service | Allows you to run specific tools and programs with different permissions than your current logon provides |
| SAP Agent | Advertises network services on an IPX network |
| SMTP | Transports e-mail across the network |
| Simple TCP/IP Services | Implements support for Echo, Discard, Character Generator (CharGen), Daytime, and Quote of the Day (QOTD) |
| Smart Card | Manages and controls access to a smart card |
| TCP/IP Print Server | Enables TCP/IP-based printing |
| Telephony | Provides Telephone API (TAPI) support for programs that control telephony devices |
| Telnet | Allows a remote user to log on to the system and run console programs using the command line |
| Windows Time Service | Sets the computer clock |
[1] Using ClipBook Viewer, you can cut or copy information from another program and store it in a page that you can name, save, use again, and share with others.
DAC is a means of restricting access to information based on the identity of users and membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials presented at the time of authentication (username, password, hardware/software token, and so on). In most typical DAC models, owners of information or resources can change permissions at their discretion (thus the name). DAC's drawback is that administrators cannot centrally manage these permissions on files and information stored on the web server. A DAC access control model often exhibits one or more of the following attributes:
Data owners can transfer ownership of information to other users.
Data owners can determine the type of access given to other users (read, write, copy, and so on).
Repeated authorization failures to access the same resource or object generate an alarm and restrict the user's access if auditing is turned on.
Special add-on or plug-in software must be applied to an HTTP client to prevent indiscriminate copying by users (cutting and pasting of information).
Users who do not have access to information should not be able to determine its characteristics (file size, filename, directory path, and so on).
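The following is an added example, not code from the book, that models the two ideas above in one place: the "Everyone: Full Control" default that a fresh Windows install leaves on every drive, and a discretionary access control (DAC) model in which the owner of a resource decides who gets which permissions and can transfer ownership. It is a simplified imitation of NTFS semantics (allow bits from every matching entry are combined, then deny bits are removed, so deny wins); the user names, group memberships and file path are constructed for the example.

```python
"""Added example (not from the book): a small discretionary access control
(DAC) model in the style of Windows NTFS permissions. It shows why the
default 'Everyone: Full Control' ACL is a problem and how an owner-managed
ACL fixes it. All names (users, groups, file path) are constructed."""
from dataclasses import dataclass, field

# Permission bits, a simplified version of the NTFS set
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS

# Group membership (constructed); "Everyone" implicitly contains every user
GROUPS = {
    "Administrators": {"alice"},
    "WebAuthors": {"bob"},
}


def principals_for(user):
    """Identities an access check matches: the user, its groups, and Everyone."""
    names = {user, "Everyone"}
    names.update(g for g, members in GROUPS.items() if user in members)
    return names


@dataclass
class Ace:
    """One access control entry: a principal with allow and/or deny bits."""
    principal: str
    allow: int = 0
    deny: int = 0


@dataclass
class Resource:
    path: str
    owner: str
    acl: list = field(default_factory=list)


def effective_rights(user, res):
    """Combine allow bits from every matching ACE, then strip deny bits (deny wins)."""
    allowed = denied = 0
    for ace in res.acl:
        if ace.principal in principals_for(user):
            allowed |= ace.allow
            denied |= ace.deny
    return allowed & ~denied


def can(user, res, wanted):
    return effective_rights(user, res) & wanted == wanted


def grant(actor, res, principal, allow=0, deny=0):
    """DAC rule: only the owner, or someone holding Change Permissions, may edit the ACL."""
    if actor != res.owner and not can(actor, res, CHANGE_PERMS):
        raise PermissionError(f"{actor} may not change permissions on {res.path}")
    res.acl.append(Ace(principal, allow, deny))


def transfer_ownership(actor, res, new_owner):
    """DAC rule: the owner can hand the resource to another user."""
    if actor != res.owner:
        raise PermissionError(f"{actor} does not own {res.path}")
    res.owner = new_owner


def default_install():
    """Fresh install: Everyone has Full Control from the drive root down."""
    return Resource(r"C:\Inetpub\wwwroot\default.htm", owner="Administrators",
                    acl=[Ace("Everyone", allow=FULL_CONTROL)])


def hardened():
    """Owner-managed ACL: admins full control, authors read/write, everyone else read only."""
    res = Resource(r"C:\Inetpub\wwwroot\default.htm", owner="alice")
    grant("alice", res, "Administrators", allow=FULL_CONTROL)
    grant("alice", res, "WebAuthors", allow=READ | WRITE)
    grant("alice", res, "Everyone", allow=READ)
    return res


if __name__ == "__main__":
    for label, res in (("default", default_install()), ("hardened", hardened())):
        for user in ("alice", "bob", "mallory"):
            print(f"{label:8} {user:8} rights={effective_rights(user, res):05b}")
```

On the default ACL every logged-in user, including one who is a member of no group, can write, delete and even rewrite the permissions; on the hardened ACL an unprivileged user can only read, and an attempt to call `grant` as that user raises `PermissionError`.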
A freshly installed web server is a completely defenseless platform. Before you can start using it as a web server, you need to secure it. This section shows you how. After the web server is installed, you can take several steps to secure it: You can restrict access to the server, and you can enable logging to monitor events on your web server.
Logging is an essential part of maintaining a secure web environment. To enable logging, open Internet Information Services in the Administrative Tools menu, expand the tree, right-click Default Web Site, and choose Properties. Then click the Web Site tab to see the screen shown in Figure 7-4.
Near the bottom of the page, make sure that the Enable Logging check box is enabled. Internet Information Services (IIS) supports four log file formats, each with varying types and quantities of data collected. The default, W3C Extended Log File Format, is the most detailed. Now you can click Properties to bring up the screen in Figure 7-5.
In Figure 7-5, you can see that, by default, a new log file will be created every day. The default log file directory is %WinDir%\System32\LogFiles; however, you should change this to point somewhere else, preferably to another server. Log files should preferably be archived offline. Intruders usually hide their tracks by altering or deleting the log file. If intruders take control of your PC, a log in this location is vulnerable.
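Logging is only useful if someone reads the logs. The following is an added example, not code from the book, of a parser for the W3C Extended Log File Format that IIS writes by default (directive lines begin with `#`, the `#Fields:` directive names the columns, and `-` marks an empty field), followed by a simple check that flags clients producing repeated 401 responses, which is what a password-guessing run against a folder protected with basic authentication looks like in the log. The log lines, addresses and user names are constructed for the example; the field list mirrors the one IIS emits but the exact columns depend on what is selected in the logging properties.

```python
"""Added example (not from the book): parse IIS W3C Extended Log File Format
lines and flag clients that generate repeated 401 (authentication failure)
responses. The sample log below is constructed for this example."""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-12 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-05-12 08:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-05-12 08:00:02 10.0.0.5 - 192.168.1.10 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-05-12 08:01:10 10.0.0.77 - 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-05-12 08:01:11 10.0.0.77 admin 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-05-12 08:01:12 10.0.0.77 administrator 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-05-12 08:01:13 10.0.0.77 root 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-05-12 08:02:00 10.0.0.9 bob 192.168.1.10 80 GET /private/report.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive.
    Directive lines start with '#'; a bare '-' means the field is empty."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line appears before a #Fields: directive")
        # IIS replaces spaces inside a field with '+', so whitespace splits columns safely
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def status_summary(records):
    """Count responses per HTTP status code."""
    return Counter(r["sc-status"] for r in records)


def auth_failures_by_client(records, threshold=3):
    """Return {client ip: (number of 401s, sorted user names tried)} for clients
    at or above the threshold. Repeated 401s from one address against the same
    protected area are the signature to review."""
    counts = Counter()
    names = defaultdict(set)
    for r in records:
        if r["sc-status"] == "401":
            counts[r["c-ip"]] += 1
            if r["cs-username"]:
                names[r["c-ip"]].add(r["cs-username"])
    return {ip: (n, sorted(names[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("status codes:", dict(status_summary(recs)))
    for ip, (n, users) in auth_failures_by_client(recs).items():
        print(f"{ip}: {n} authentication failures, user names tried: {users}")
```

Pointing the same parser at a copy of the real log archived on another server, as the text recommends, keeps the analysis off the machine an intruder would tamper with.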
You can restrict access to a website or to a specific folder of a website on a user-by-user basis or based on IP addresses. To configure access for user authentication, start the Internet Service Manager. Right-click the folder you want to use for basic authentication, which brings up a screen similar to Figure 7-6.
On that screen, select the Directory Security tab. This brings you to a screen like the one in Figure 7-7, where you can edit the authentication method, IP address, or domain name restrictions. Click Edit for the anonymous access and authentication control to select the authentication method you want to use for that folder, as shown in Figure 7-8.
On the Authentication Methods screen, you can check boxes to allow anonymous access or to select basic authentication, for which the password is sent in clear text. You can also select integrated Windows authentication. To use integrated Windows authentication, create Windows accounts for all the users who need access, because IIS uses those Windows accounts to grant access to the website.
Access can also be controlled based on a PC's IP address. You can set specific addresses, address ranges, or DNS names from which access is either allowed or denied. After you click Edit for IP address and domain name restrictions, you see a page as shown in Figure 7-9.
This dialog box needs careful reading. It either grants (the default) or denies access to all addresses except those you add manually. When you click Add, you see a screen as shown in Figure 7-10.
If you want to deny only one particular address, select Single computer; however, you can also restrict access to a group of computers or to a domain name. You can repeat these steps to exclude more than one domain or range.
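The semantics of that dialog (a default action for everyone, inverted for the listed exceptions) are easy to get backwards, so here is an added example, not from the book, that reproduces them as a small rule evaluator. The three exception kinds mirror the dialog: a single computer, a group of computers given as network address and subnet mask, and a domain name. The addresses and names are constructed; matching on domain name assumes the caller has already resolved the client's address to a host name and passes it in.

```python
"""Added example (not from the book): evaluate IIS-style "IP Address and Domain
Name Restrictions" for a client. A default action (grant or deny) applies to
every address except the listed exceptions. Addresses and names are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Restrictions:
    default_grant: bool = True                       # dialog default: Granted Access
    single: set = field(default_factory=set)         # exceptions: single computers
    networks: list = field(default_factory=list)     # exceptions: groups of computers
    domains: set = field(default_factory=set)        # exceptions: domain names

    def add_single(self, ip):
        self.single.add(ipaddress.ip_address(ip))

    def add_group(self, network, mask):
        # The dialog asks for network address and subnet mask; ipaddress accepts
        # a dotted mask after the slash, strict=False tolerates host bits set.
        self.networks.append(ipaddress.ip_network(f"{network}/{mask}", strict=False))

    def add_domain(self, name):
        self.domains.add(name.lower().strip("."))

    def is_exception(self, ip, hostname=None):
        """True when the client matches any listed exception."""
        addr = ipaddress.ip_address(ip)
        if addr in self.single:
            return True
        if any(addr in net for net in self.networks):
            return True
        if hostname:
            host = hostname.lower().rstrip(".")
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return False

    def allows(self, ip, hostname=None):
        """Exceptions invert the default: a listed client is denied when the
        default grants access, and granted when the default denies it."""
        return self.default_grant != self.is_exception(ip, hostname)


def deny_listed_example():
    """Default grant, with a few explicitly excluded clients (constructed values)."""
    r = Restrictions(default_grant=True)
    r.add_single("10.0.0.77")
    r.add_group("192.168.5.0", "255.255.255.0")
    r.add_domain("unwanted.example")
    return r


def allow_listed_example():
    """Default deny, with only the internal subnet admitted (constructed values)."""
    r = Restrictions(default_grant=False)
    r.add_group("192.168.1.0", "255.255.255.0")
    return r


if __name__ == "__main__":
    for label, rules in (("deny-listed", deny_listed_example()), ("allow-listed", allow_listed_example())):
        for ip in ("10.0.0.5", "10.0.0.77", "192.168.1.42", "192.168.5.200"):
            print(f"{label:12} {ip:14} -> {'granted' if rules.allows(ip) else 'denied'}")
```

For a server that only a known set of machines should reach, the second configuration (deny everyone, list the exceptions) is the safer default, because a client you forgot to list is refused rather than admitted.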
NOTE
For more information on hardening IIS, you can always visit the following website: http://www.microsoft.com/technet/security/tools/locktool.mspx.
We all use browsers these days, and most of us run third-party plug-ins. This is not necessarily dangerous, but it is always better to keep in mind that malicious people can write plug-ins, too. The most popular scripting languages used for writing plug-ins today are the following:
Java
JavaScript
VBScript
ActiveX
Be very careful when installing plug-ins, just as you should be when downloading any software program from the Internet.
Because most people using the Internet today use Microsoft Internet Explorer to browse web pages, this chapter covers only that program. Internet Explorer has four zones of security. When you access a resource on another machine, the other machine's zone relative to yours is determined, and the restrictions placed on that zone control the interaction with that resource. Users can set the security policy on their computer. The four zones are as follows:
Internet: Contains all websites that are not placed in another zone.
Local intranet: Contains all the websites that are on your company's intranet. Here, you find all sites that have the same domain name as the one your PC is using.
Trusted sites: Contains websites that you trust not to damage your data. If you want to have trusted sites, you need to add them manually.
Restricted sites: Contains websites that you do not trust because they could potentially damage your data. This is also a list created manually.
NOTE
For understanding and maintaining security with Internet Explorer, visit the following URL: http://www.microsoft.com/windows/ie/security/default.asp.
To change the settings for these four zones in Internet Explorer, choose Tools > Internet Options. On the page that appears, select the Security tab, and you see a page as shown in Figure 7-11.
As you can see in Figure 7-11, there are four predefined security levels. In addition, you have the ability to customize the settings for any or all of the zones. Of the web content zones shown in Figure 7-11, the Internet zone is the one you need to handle most carefully. The default setting here is Medium, which is not so secure for the World Wide Web. Table 7-2 lists all the security levels with a brief explanation of their purposes.
| Level | Description |
|---|---|
| Medium | |
| Medium-low | |
| Low | |
Because you cannot set the security level for the Internet zone to High, you must change the custom level. After you click the Custom Level button, you see a screen similar to that in Figure 7-12.
The window that appears has several items you can change, such as the following:
ActiveX controls and plug-ins
Cookies
Downloads
Microsoft VM
Miscellaneous
Scripting
User authentication
Figure 7-12 shows Scripting. On this screen, you first change the custom settings at the bottom of the screen from Medium to High. At this point, you receive a warning asking if you are sure that you want to make this change. After you click Yes, you can take another look at the scripting options, as shown in Figure 7-13.
As you can see, some settings have changed. All the scripting items have been disabled. Be sure to check your browser every time you install a new version to ensure that these settings are correct. By disabling some features, such as ActiveX, you can occasionally cause a web page to generate an error. Most of the time, it is better to have that error than to let ActiveX run, but in some cases, you know the ActiveX controls can be trusted, and you need to let them work. You can do this by making the site a trusted site and by setting trusted site security so that ActiveX can run. To do that, you need to go back to the Security page of the Internet Options. After you click Trusted sites, you see a page as shown in Figure 7-14.
The default security for a trusted site is Low. You can set security to Medium-low or Medium to increase security. On that same page, you also need to add the site you trust. To do that, click Sites, which brings you to a screen as shown in Figure 7-15.
On that screen, you need to clear the check box requiring HTTPS, type in the domain of the site you trust, and then click Add. At this point, if you try to reload the page with the ActiveX content, it works and the content is visible.
As you might already know, HTTP is a stateless protocol. Every time you visit a website, it looks as if that visit to the website is your first because HTTP does not keep track of your web history. To simulate a stateful environment, the HTTP protocol includes features such as cookies. There are two types of cookies:
Session cookie: This cookie is created to keep track of what you buy when, for example, you visit an e-commerce website where you use a shopping cart. After you check out from that website, the session cookie is deleted from your browser memory.
Persistent cookie: When you go to a website and see a personalized welcome message, you know that a persistent cookie is on your PC. These cookies contain information about you and your account. Often, that information is a key that is related only to a database with your profile.
You can manage cookies in several ways. You can delete all your cookies, or you can configure your browser to not accept cookies at any time. This would make browsing the Internet rather difficult because many sites need cookies to function properly. A better solution would be to force all your cookies to be session cookies. You can do this by making the folder where the cookies are stored read-only. Your browser will accept them but will be unable to save them to disk.
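What separates the two cookie types on the wire is just the `Expires` or `Max-Age` attribute of the `Set-Cookie` header: a cookie without either lives in memory until the browser closes, one with either is written to disk. The following is an added example, not code from the book, that parses `Set-Cookie` headers, classifies each as session, persistent or a deletion (an expiry already in the past, which is how a server removes a cookie), and rewrites persistent cookies into session cookies by dropping those two attributes. That is the same "force all cookies to be session cookies" policy the text achieves with a read-only cookie folder, expressed as a filter a proxy or browser extension could apply. The headers and the fixed clock value are constructed for the example.

```python
"""Added example (not from the book): classify Set-Cookie headers as session,
persistent or deletion, and rewrite persistent cookies into session cookies
by stripping Expires and Max-Age. Sample headers and the clock are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses from a server
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "user_pref=theme%3Ddark; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "profile_key=7f3a; Max-Age=31536000; Path=/; Secure",
    "old_cookie=; Max-Age=0; Path=/",
]

# Constructed "current time" so the classification is reproducible
SAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, [(attr, val), ...]).
    Attribute names keep their original spelling; flags get an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs.append((key.strip(), val.strip()))
    return name.strip(), value, attrs


def cookie_kind(header, now=None):
    """Return 'session', 'persistent' or 'delete'. Max-Age takes precedence over
    Expires, and an unparsable value of either is ignored, as browsers do."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    lowered = {k.lower(): v for k, v in attrs}
    if "max-age" in lowered:
        try:
            seconds = int(lowered["max-age"])
        except ValueError:
            seconds = None  # invalid Max-Age: fall through to Expires
        if seconds is not None:
            return "delete" if seconds <= 0 else "persistent"
    if "expires" in lowered:
        try:
            expires = parsedate_to_datetime(lowered["expires"])
        except (TypeError, ValueError):
            return "session"  # invalid Expires: attribute ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "delete" if expires <= now else "persistent"
    return "session"


def force_session(header):
    """Rewrite a Set-Cookie header so the browser keeps the cookie only in memory:
    drop Expires and Max-Age, keep every other attribute exactly as written."""
    name, value, attrs = parse_set_cookie(header)
    kept = [f"{name}={value}"]
    for key, val in attrs:
        if key.lower() in ("expires", "max-age"):
            continue
        kept.append(f"{key}={val}" if val else key)
    return "; ".join(kept)


def apply_policy(headers, now=None):
    """Headers a session-only policy passes on: deletions go through untouched
    (stripping their expiry would turn a removal into a new session cookie),
    everything else becomes a session cookie."""
    return [h if cookie_kind(h, now) == "delete" else force_session(h) for h in headers]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{cookie_kind(h, SAMPLE_NOW):10} {h}")
    print("after policy:", apply_policy(SAMPLE_HEADERS, SAMPLE_NOW))
```

The deletion case is the edge worth noticing: a naive filter that strips every `Expires`/`Max-Age` would convert a server's "remove this cookie" instruction into a fresh session cookie, which is why `apply_policy` checks the kind first.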