What service packs have been applied to this machine?

Does the logon box display the last username?

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "DontDisplayLastUserName"="1"

Does the machine have a Warning Banner?

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "LegalNoticeCaption"="Warning caption"
  "LegalNoticeText"="Warning banner"

Where are the passwords to these machines kept?

Consider applying a security policy to the server:
http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe

Has IIS been secured? If so, how?

IIS 5.0 specific

Remove all sample apps - remove virtual dir and then delete files.

  Sample              Virtual dir    Location
  IIS Samples         \IISSamples    c:\inetpub\iissamples
  IIS Documentation   \IISHelp       c:\winnt\help\iishelp
  Data Access         \MSADC         c:\program files\common files\system\msadc

Remove Unused Script Mappings

IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:

  1. Open Internet Services Manager.
  2. Right-click the Web server, and choose Properties from the context menu.
  3. Master Properties
  4. Select WWW Service | Edit | HomeDirectory | Configuration

  Functionality                                    Extensions
  Web-based password reset                         .htr
  Internet Database Connector (all IIS 5 Web
    sites should use ADO or similar technology)    .idc
  Server-side Includes                             .stm, .shtm and .shtml
  Internet Printing                                .printer
  Index Server                                     .htw, .ida and .idq

Disable Parent Paths

The Parent Paths option allows you to use ".." in calls to functions such as MapPath. By default, this option is enabled, and you should disable it. Follow this procedure to disable the option:

  1. Right-click the root of the Web site, and choose Properties from the context menu.
  2. Click the Home Directory tab.
  3. Click Configuration.
  4. Click the App Options tab.
  5. Uncheck the Enable Parent Paths check box.

Enable Logging

Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure:

  1. Load the Internet Information Services tool.
  2. Right-click the site in question, and choose Properties from the context menu.
  3. Click the Web Site tab.
  4. Check the Enable Logging check box.
  5. Choose W3C Extended Log File Format from the Active Log Format drop-down list.
  6. Click Properties.
  7. Click the Extended Properties tab, and set the following properties:

     Client IP Address
     User Name
     Method
     URI Stem
     HTTP Status
     Win32 Status
     User Agent
     Server IP Address
     Server Port

The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.
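
Added example (not part of the original checklist): a Python script that reads a W3C Extended log containing the properties enabled above and reports Win32 status 5 (access denied) along with requests for the sample virtual directories and script mappings this checklist removes. The sample log lines are constructed, and the function names parse_w3c and review are illustrative.

```python
# Constructed sample log (not from a real server). The field names are the W3C
# Extended identifiers for the properties the checklist enables.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2001-01-10 10:00:01 192.0.2.10 - 192.0.2.1 80 GET /default.asp 200 0 Mozilla/4.0
2001-01-10 10:00:05 192.0.2.44 - 192.0.2.1 80 GET /admin/report.asp 401 5 Mozilla/4.0
2001-01-10 10:00:09 192.0.2.44 - 192.0.2.1 80 GET /iissamples/default.htm 404 2 -
2001-01-10 10:00:12 192.0.2.44 - 192.0.2.1 80 GET /search/query.idq 404 2 -
"""

# Virtual directories and script mappings the checklist says to remove.
REMOVED_DIRS = ("/iissamples", "/iishelp", "/msadc")
REMOVED_EXTS = (".htr", ".idc", ".stm", ".shtm", ".shtml",
                ".printer", ".htw", ".ida", ".idq")


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def review(text):
    """Return (client IP, URI stem, reasons) for each request worth a look."""
    findings = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        reasons = []
        if row.get("sc-win32-status") == "5":
            reasons.append("win32 error 5 (access denied)")
        if any(stem == d or stem.startswith(d + "/") for d in REMOVED_DIRS):
            reasons.append("sample or documentation virtual directory")
        if stem.endswith(REMOVED_EXTS):
            reasons.append("unused script mapping")
        if reasons:
            findings.append((row.get("c-ip"), row.get("cs-uri-stem"), reasons))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Requests for the removed directories or extensions that keep appearing after hardening show which clients are probing for them; the parser relies on the #Fields line, so it only reports on properties that were actually enabled.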