Thursday, May 13, 2010

Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform

OS installation phase
1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose "Windows Server 2008 R2 (Server Core Installation)" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose "Custom (Advanced)" installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To log in to the server for the first time, press CTRL+ALT+DELETE.
8. Choose "Administrator" account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
9. From the command prompt window, run the command below:
sconfig.cmd
10. Press "2" to replace the computer name -> specify new computer name -> click "Yes" to restart the server.
11. To log in to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
12. From the command prompt window, run the command below:
sconfig.cmd
13. Press "5" to configure "Windows Update Settings" -> select "A" for automatic -> click OK.
14. Press "6" to download and install Windows Updates -> choose "A" to search for all updates -> Choose "A" to download and install all updates -> click "Yes" to restart the server.
15. To log in to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
16. From the command prompt window, run the command below:
sconfig.cmd
17. In case you need to use RDP to access and manage the server, press "7" to enable "Remote Desktop" -> choose "E" to enable -> choose either "1" or "2" according to your client settings -> press OK.
18. Press "8" to configure "Network settings" -> select the network adapter by its Index number -> press "1" to configure the IP settings -> choose "S" for static IP address -> specify the IP address, subnet mask and default gateway -> press "2" to configure the DNS servers -> click OK -> press "4" to return to the main menu.
19. Press "9" to configure "Date and Time" -> choose the correct "date/time" and "time zone" -> click OK.
20. Press "11" to restart the server to make sure all settings take effect -> click "Yes" to restart the server.

Web server installation phase
1. To log in to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
2. For minimal installation of IIS 7.5 features, run the command below from the command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
3. For full installation of IIS 7.5 (not recommended on production environments), run the command below from the command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
4. For full installation of IIS 7.5, including .NET framework (not recommended on production environments), run the command below from the command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
5. Create a new folder for the WWW content, on a different partition than the operating system, for example:
md D:\WWW
6. Copy the content of the web site to the newly created folder.
7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
8. Run the command below to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
9. Create a new folder for the LogFiles content, on a different partition than the operating system, for example:
md D:\LogFiles
10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
11. Run the commands below to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
12. Run the command below to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW
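
Steps 7 and 10 leave the actual permissions open, so the script below is an added example (not part of the original guide) of one least-privilege layout, followed by read-back checks for steps 8, 11 and 12. It uses icacls.exe, which ships with Windows Server 2008 R2, in place of the Cacls.exe the guide names; the identities it grants (IIS_IUSRS, IUSR) and the HTTP.sys logging model are assumptions to adjust for your site.

```batch
@echo off
rem Added example, not from the original guide.
rem Assumptions: worker processes run under identities in BUILTIN\IIS_IUSRS,
rem anonymous requests use NT AUTHORITY\IUSR, and logging is the default W3C
rem logging performed by HTTP.sys, which writes as SYSTEM. A custom logging
rem module running inside the worker process would need its own write ACE.
setlocal
set "WWW=D:\WWW"
set "LOGS=D:\LogFiles"
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"

rem --- Content folder: add explicit ACEs first, then drop inherited ones,
rem     so the folder is never left without an administrative ACE.
icacls "%WWW%" /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" || goto :fail
rem Web identities get read and execute only, never write or modify.
icacls "%WWW%" /grant:r "BUILTIN\IIS_IUSRS:(OI)(CI)RX" "NT AUTHORITY\IUSR:(OI)(CI)RX" || goto :fail
icacls "%WWW%" /inheritance:r || goto :fail

rem --- Log folder: no ACE at all for the web identities, so a compromised
rem     site cannot read or alter the request logs.
icacls "%LOGS%" /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" || goto :fail
icacls "%LOGS%" /inheritance:r || goto :fail

rem --- Read back what was configured.
echo == NTFS ACLs (steps 7 and 10) ==
icacls "%WWW%"
icacls "%LOGS%"
echo == Physical path of the default site (step 8) ==
"%APPCMD%" list vdir "Default Web Site/" /text:physicalPath
echo == Log directories (step 11) ==
"%APPCMD%" list config -section:system.applicationHost/sites | findstr /i "logFile"
"%APPCMD%" list config -section:system.applicationHost/log | findstr /i "directory"
echo == Installer path (step 12) ==
reg query HKLM\Software\Microsoft\inetstp /v PathWWWRoot
endlocal
exit /b 0

:fail
echo icacls failed with errorlevel %errorlevel% 1>&2
endlocal
exit /b 1
```

Run it from an elevated command prompt after step 12; every path in the read-back output should point at D:\ and the ACL listings should show no entries marked (I) for inherited.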
