293_CYA_IIS6_FM.qxd 4/28/04 12:51 PM Page i

Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we’ve been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

■ A “From the Author” Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.
Securing IIS 6.0
COVER YOUR A** BY GETTING IT RIGHT THE FIRST TIME

Chun Hai (Bernard) Cheah
Ken Schaefer
Chris Peiris, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

CYA Securing IIS 6.0
Copyright © 2004 by Syngress Publishing, Inc.
All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-25-6

Acquisitions Editor: Christine Kloiber
Cover Designer: Michael Kavish
Technical Editor: Chris Peiris
Copy Editor: Amy Thomson
Page Layout and Art: Patricia Lupien
Indexer: Rich Carlson

Distributed by O’Reilly & Associates in the United States and Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.
The incredibly hard-working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Authors

Chun Hai (Bernard) Cheah (MCP+I, MCSE, MCDBA, CCSE) is a Microsoft Most Valuable Professional (MVP) specializing in IIS Server. He is currently a contract solution consultant working on Internet solutions analysis, design, and consultancy as well as implementation. His primary focus includes online e-commerce system security and high availability features. He is pursuing his masters in IT business strategy at the University of Portsmouth, UK.

Ken Schaefer is an experienced systems administrator who has worked with IIS for over six years. He currently works for the University of New South Wales in Sydney, Australia. He has experience with WinNT 4/2000 server, SQL Server (6.5, 7, 2000), IIS (3, 4, 5) and MacOS (6+), as well as development experience with ASP, ASP.Net, ADO, ADO.Net, VB, SQL Server, and Access. Ken participates in numerous support forums, and provides a broad assembly of troubleshooting resources on his website, www.adopenstatic.com.
He was recently honored with a Microsoft MVP distinction in the Windows Server (IIS) category. Ken received a bachelor’s degree in commerce at the University of New South Wales, where he is currently pursuing a master’s degree in business technology.

Technical Editor

Chris Peiris (MVP, MIT) works as an independent consultant for .NET and EAI implementations. He is currently working with the Commonwealth Bank of Australia. He also lectures on distributed component architectures (.NET, J2EE, and CORBA) at Monash University, Caulfield, Victoria, Australia. Chris was awarded the Microsoft Most Valuable Professional (MVP) for his contributions to .NET technologies by Microsoft, Redmond. Chris has been designing and developing Microsoft solutions since 1995. His expertise lies in developing scalable, high-performance solutions for financial institutions, G2G, B2B, and media groups. Chris has written many articles, reviews, and columns for various online publications including 15Seconds, Developer Exchange (www.devx.com), and Wrox Press. He is co-author of C# Web Service with .NET Remoting and ASP.NET and C# for Java Programmers (Syngress Publishing, ISBN: 1-931836-54-X), and study guides on MCSA/MCSE Exams 70-290 and Exam 70-298, also from Syngress. Chris frequently presents at professional developer conferences on Microsoft technologies. His core skills are C++, Java, .NET, C#, VB.NET, Service Oriented Architecture, DNA, MTS, Data Warehousing, WAP, and SQL Server. Chris has a bachelor’s in computing, a bachelor of business (accounting), and a masters in information technology. He is currently undertaking a PhD on web service management framework. He lives with his family in ACT, Australia.

Chris dedicates this book to his mentors: Dianne Hagan, Brian Simpson, Christine Mingins, Keith Howie, Robert Morgan, Greg Stone and Charles Sterling.
In his own words, “this is a token of my gratitude for all your guidance, assistance and your vision. You all contributed to my career in a very significant way… Thank you for the opportunities.”

Contents

About the Book

Chapter 1 Introducing IIS 6.0
    In this Chapter
    IIS 6.0 Enhancements
        Increased Reliability and Availability
        Manageability Improvements
        Scalability and Performance Improvements
        Increased Security
    Understanding IIS 6.0 Architecture
        Services Provided by IIS 6.0
        HTTP.SYS Kernel Mode Driver
        Inetinfo.exe Process and the IISAdmin Service
        The World Wide Web (WWW) Publishing Service
        Application Processing Modes
            IIS 6.0 Worker Process Isolation Mode
            IIS 5.0 Isolation Mode
    Your A** is Covered if You…

Chapter 2 Hardening Windows Server 2003
    In this Chapter
    Get Secure and Stay Secure
        Networking Environment
        Patches and Updates
        Windows Services
        User Accounts and Groups
        File System
        Auditing and Logging