default scripts and manuals

on 19.04.2006 20:13:02 by Kevin1aB

Hello,
I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
jabber server. No public exposure for the IIS.
On a recent security audit by outside consultant, they recommended the
following:

.... the default scripts and manual pages are installed and should be removed
from IIS.

Not being much of an IIS admin, can I get some direction to verify and
cleanup if needed?

Thanks In advance,

Kevin B
--
RHCE, Linux+ and MCP

Re: default scripts and manuals

on 19.04.2006 20:47:35 by Steven Burn

Start here;

http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
http://www.microsoft.com/technet/community/events/iis/tnt1-40.mspx

..... and almost all of the server admins you'll come across, will recommend
disabling the defaults .... it's standard practice to ensure a little more
security - even for internal only servers.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"Kevin1aB" wrote in message
news:61E74F5A-9E89-4A8F-BFF5-449F4F45E85B@microsoft.com...
> Hello,
> I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
> jabber server. No public exposure for the IIS.
> On a recent security audit by outside consultant, they recommended the
> following:
>
> ... the default scripts and manual pages are installed and should be removed
> from IIS.
>
> Not being much of an IIS admin, can I get some direction to verify and
> cleanup if needed?
>
> Thanks In advance,
>
> Kevin B
> --
> RHCE, Linux+ and MCP

Re: default scripts and manuals

on 19.04.2006 23:10:03 by Kevin1aB

Thanks for the prompt reply.
I'll take a look this week and reply again asap.
Kevin


"Steven Burn" wrote:

> Start here;
>
> http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
> http://www.microsoft.com/technet/community/events/iis/tnt1-40.mspx
>
> ..... and almost all of the server admins you'll come across, will recommend
> disabling the defaults .... it's standard practice to ensure a little more
> security - even for internal only servers.
>
> --
> Regards
>
> Steven Burn
> Ur I.T. Mate Group
> www.it-mate.co.uk
>
> Keeping it FREE!
>
> "Kevin1aB" wrote in message
> news:61E74F5A-9E89-4A8F-BFF5-449F4F45E85B@microsoft.com...
> > Hello,
> > I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
> > jabber server. No public exposure for the IIS.
> > On a recent security audit by outside consultant, they recommended the
> > following:
> >
> > ... the default scripts and manual pages are installed and should be removed
> > from IIS.
> >
> > Not being much of an IIS admin, can I get some direction to verify and
> > cleanup if needed?
> >
> > Thanks In advance,
> >
> > Kevin B
> > --
> > RHCE, Linux+ and MCP
>
>
>

Re: default scripts and manuals

on 21.04.2006 04:32:59 by someone

IIS6 installs in a locked down state to pass such "audits" by default.

Your outside consultant has to tell you more than "do something".

I am talking from the perspective of a clean-installed Windows Server 2003
machine. If you upgraded to Windows Server 2003, most of the cruft from IIS5
will be left behind for "Compat" reasons. People never like Microsoft
deleting things on upgrade.

1. I have no idea what "manual pages" are being referenced. Older IIS
versions had an HTML based manual but that was cut for clean-installed IIS6.
The "pages" we ship by default are the Custom Error pages and a default
"under construction" page, all sanitized.

2. I also have no idea what "default scripts" are being referenced. Older
IIS versions had a Scripts directory as well as several script tools
available.

On IIS6 we cut all those things by default. The only scripts available are
the Admin Script Tools in System32 (which are locked down by System32 and
only function if you are an Administrator) as well as the old AdminScripts
(those are locked down to Administrators only and only work as such).

In other words, your security audit is pretty weak on details to me. I can't
even tell you what is being referenced to clean up because they don't exist
by default on clean IIS6 installs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Kevin1aB" wrote in message
news:E09AAA32-8544-43BD-967A-40F0254DF90A@microsoft.com...
> Thanks for the prompt reply.
> I'll take a look this week and reply again asap.
> Kevin
>
>
> "Steven Burn" wrote:
>
>> Start here;
>>
>> http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
>> http://www.microsoft.com/technet/community/events/iis/tnt1-40.mspx
>>
>> ..... and almost all of the server admins you'll come across, will recommend
>> disabling the defaults .... it's standard practice to ensure a little more
>> security - even for internal only servers.
>>
>> --
>> Regards
>>
>> Steven Burn
>> Ur I.T. Mate Group
>> www.it-mate.co.uk
>>
>> Keeping it FREE!
>>
>> "Kevin1aB" wrote in message
>> news:61E74F5A-9E89-4A8F-BFF5-449F4F45E85B@microsoft.com...
>> > Hello,
>> > I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
>> > jabber server. No public exposure for the IIS.
>> > On a recent security audit by outside consultant, they recommended the
>> > following:
>> >
>> > ... the default scripts and manual pages are installed and should be removed
>> > from IIS.
>> >
>> > Not being much of an IIS admin, can I get some direction to verify and
>> > cleanup if needed?
>> >
>> > Thanks In advance,
>> >
>> > Kevin B
>> > --
>> > RHCE, Linux+ and MCP
>>
>>
>>
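
A way to actually verify what David describes on the box in question, added here as an editor's example and not code from the thread, from Microsoft or from the auditor: walk the IIS 6 metabase through the ADSI IIS provider, list every virtual directory under every site, flag the ones that IIS 4/5 used to create by default, and only delete them if you ask it to. The names in $legacyNames and the directories in $legacyPaths are my list of the classic IIS 5 defaults (the "Scripts" directory and HTML manual the thread mentions, plus the other well-known ones); the thread itself identifies none of them by name. It assumes an elevated PowerShell session on the Windows Server 2003 host itself, where IIS://localhost is reachable.

```powershell
# Editor's example: report (and optionally remove) IIS 4/5-era default
# virtual directories left in an IIS 6 metabase. Not from the thread.
# Assumes: run elevated on the IIS 6 server; ADSI IIS provider available.
param(
    [switch]$Remove    # report-only unless this switch is given
)

# Editor's list of legacy vdir names. A clean IIS 6 install creates none of
# these; an in-place upgrade from IIS 5 keeps them (see David Wang's post).
$legacyNames = @('Scripts', 'IISSamples', 'IISHelp', 'IISAdmin', 'MSADC', 'Printers')

# Editor's list of the on-disk trees those vdirs historically pointed at.
$legacyPaths = @(
    "$env:SystemDrive\inetpub\scripts",
    "$env:SystemDrive\inetpub\iissamples",
    "$env:SystemRoot\help\iisHelp",
    "$env:SystemRoot\web\printers",
    "$env:CommonProgramFiles\System\msadc"
)

function Get-IisVirtualDir {
    # Walks W3SVC -> each IIsWebServer -> Root -> its IIsWebVirtualDir children.
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    foreach ($site in $w3svc.psbase.Children) {
        if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }
        $siteId = $site.psbase.Name            # numeric site identifier, e.g. "1"
        $root   = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
        foreach ($vdir in $root.psbase.Children) {
            if ($vdir.psbase.SchemaClassName -ne 'IIsWebVirtualDir') { continue }
            $name = $vdir.psbase.Name
            New-Object PSObject -Property @{
                SiteId = $siteId
                Site   = $site.psbase.Properties['ServerComment'].Value
                Name   = $name
                Path   = $vdir.psbase.Properties['Path'].Value
                Legacy = [bool]($legacyNames -contains $name)
                Entry  = $vdir
            }
        }
    }
}

function Remove-IisVirtualDir($item) {
    # IADsContainer::Delete through DirectoryEntries.Remove, the same metabase
    # operation adsutil.vbs DELETE performs. Removes only this one vdir entry;
    # the files on disk are left alone.
    $parent = [ADSI]"IIS://localhost/W3SVC/$($item.SiteId)/Root"
    $parent.psbase.Children.Remove($item.Entry)
}

$vdirs   = @(Get-IisVirtualDir)
$flagged = @($vdirs | Where-Object { $_.Legacy })

"{0} virtual directories in the metabase, {1} matching legacy names" -f $vdirs.Count, $flagged.Count

if ($flagged.Count -eq 0) {
    'Nothing from the IIS 4/5 default set is mapped (consistent with a clean IIS 6 install).'
} else {
    $flagged | Format-Table SiteId, Site, Name, Path -AutoSize
    if ($Remove) {
        foreach ($v in $flagged) {
            Remove-IisVirtualDir $v
            "Removed /{0} from site {1} ({2})" -f $v.Name, $v.SiteId, $v.Site
        }
    } else {
        'Report only; rerun with -Remove to delete the flagged entries.'
    }
}

# Orphaned sample/help trees serve nothing once no vdir maps to them, but a
# file-system scan by an auditor will still report them, so list them too.
foreach ($p in $legacyPaths) {
    if (Test-Path -LiteralPath $p) {
        "On disk: $p (remove after confirming no vdir or application maps to it)"
    }
}
```

Run it once without arguments to see what is actually mapped; on a clean-installed IIS 6 host the expected result is an empty legacy list and nothing on disk, which is the evidence to hand back to the auditor. The script deliberately touches only the names in $legacyNames, so the virtual directories WSUS and DeskNow created for themselves are listed but never removed, and it does not go near the AdminScripts or the System32 tools David mentions, which are legitimate on an IIS 6 server and already restricted to Administrators.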

Re: default scripts and manuals

on 21.04.2006 16:27:09 by jeroen.wijnands

Kevin1aB wrote:
> Hello,
> I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
> jabber server. No public exposure for the IIS.
> On a recent security audit by outside consultant, they recommended the
> following:
>
> ... the default scripts and manual pages are installed and should be removed
> from IIS.
>
> Not being much of an IIS admin, can I get some direction to verify and
> cleanup if needed?
>
> Thanks In advance,
>
> Kevin B
> --
> RHCE, Linux+ and MCP

I get the impression your auditor wasn't fully up to speed on IIS 6.0.
Previous versions of IIS came with a webadmin toolset, examples and
help. Vulnerabilities were often found in these components so everyone
disabled them or removed them.

On 6 it's nowhere near the issue it used to be. You can still add some
of these components but the default install is nice and clean.

As a comparison, I've done some hardening documentation for IIS
environments. On 4 the document was over a 100 pages, on 5 it was 54
pages and on 6 my document is 19 pages.

Jeroen
MCSA
http://wijnands.blogspot.com

Re: default scripts and manuals

on 22.04.2006 04:24:53 by someone

I'm actually interested in what sort of things are in your 19 pages for
IIS6...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

wrote in message
news:1145629629.728099.197530@t31g2000cwb.googlegroups.com...
>
> Kevin1aB wrote:
>> Hello,
>> I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
>> jabber server. No public exposure for the IIS.
>> On a recent security audit by outside consultant, they recommended the
>> following:
>>
>> ... the default scripts and manual pages are installed and should be removed
>> from IIS.
>>
>> Not being much of an IIS admin, can I get some direction to verify and
>> cleanup if needed?
>>
>> Thanks In advance,
>>
>> Kevin B
>> --
>> RHCE, Linux+ and MCP
>
> I get the impression your auditor wasn't fully up to speed on IIS 6.0.
> Previous versions of IIS came with a webadmin toolset, examples and
> help. Vulnerabilities were often found in these components so everyone
> disabled them or removed them.
>
> On 6 it's nowhere near the issue it used to be. You can still add some
> of these components but the default install is nice and clean.
>
> As a comparison, I've done some hardening documentation for IIS
> environments. On 4 the document was over a 100 pages, on 5 it was 54
> pages and on 6 my document is 19 pages.
>
> Jeroen
> MCSA
> http://wijnands.blogspot.com
>

Re: default scripts and manuals

on 24.04.2006 10:53:19 by jeroen.wijnands

David Wang [Msft] wrote:
> I'm actually interested in what sort of things are in your 19 pages for
> IIS6...
>
To be honest, very little for IIS itself. It's mainly disabling
unneeded services and accounts, restricting some rights for the
accounts that stay in place and adding an ipsec policy to restrict
network traffic. The latter is only done if there's more than one
server in the DMZ. Oh, and another thing we do is place a restricting
robots.txt.

I can't post the whole thing since that's classified company
confidential. I got a lot of inspiration from this:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a14eeb71-c583-48b7-9d2c-083e81095d6e.mspx?mfr=true

The tricky bit is always getting the ASP application settings right,
often takes quite a few mails between me and the developers.


Jeroen
http://wijnands.blogspot.com

> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> wrote in message
> news:1145629629.728099.197530@t31g2000cwb.googlegroups.com...
> >
> > Kevin1aB wrote:
> >> Hello,
> >> I have a LAN 2003 server running IIS for WSUS and DeskNow WebMessenger
> >> jabber server. No public exposure for the IIS.
> >> On a recent security audit by outside consultant, they recommended the
> >> following:
> >>
> >> ... the default scripts and manual pages are installed and should be removed
> >> from IIS.
> >>
> >> Not being much of an IIS admin, can I get some direction to verify and
> >> cleanup if needed?
> >>
> >> Thanks In advance,
> >>
> >> Kevin B
> >> --
> >> RHCE, Linux+ and MCP
> >
> > I get the impression your auditor wasn't fully up to speed on IIS 6.0.
> > Previous versions of IIS came with a webadmin toolset, examples and
> > help. Vulnerabilities were often found in these components so everyone
> > disabled them or removed them.
> >
> > On 6 it's nowhere near the issue it used to be. You can still add some
> > of these components but the default install is nice and clean.
> >
> > As a comparison, I've done some hardening documentation for IIS
> > environments. On 4 the document was over a 100 pages, on 5 it was 54
> > pages and on 6 my document is 19 pages.
> >
> > Jeroen
> > MCSA
> > http://wijnands.blogspot.com
> >