Internet Information Services (IIS) 6 is like the National Security Agency's facility at Fort Meade when compared with IIS 5. Relative to other Web server products it's certainly not the most secure, but it shows that Microsoft is moving in the right direction. What can the software giant do to make its newest Web server solution even more secure in today's environment? Here are a few items to address:
Include an automated patch utility just for IIS patches.
Until Windows Update Services (WUS) is released later this year to directly handle patches for many Microsoft software products, we need a way to sort out alerts for IIS -- preferably in an automated fashion. While IIS 6 has had far fewer security bulletins than IIS 5, companies operating the Windows Web server on the front lines would have a real problem if a critical vulnerability were identified and no patch were available.
In the next version of IIS, Microsoft should have a site -- let's call it IISUpdate.com -- where all Web server administrators can locate the most up-to-date information and hotfixes for their machines. It might be good to have this site available even after WUS is released so important patches are more likely to be seen in the deluge of patch information that becomes available.
Randomize the default directories.
If you download Windows SharePoint Services (WSS) from Microsoft's Web site and install it, the port number you browse to when connecting to the administrative interface is randomized. That means each machine has a different assigned port to prevent brute-force attacks on all WSS installations across the Web. Consequently, an attacker can't target, for example, port 8449 on all IIS servers around the world, since some use port 5797, others use port 9155 and so on.
Here is a simple trick that can be carried over to the file system: Instead of using an identification like "\wwwroot\inetpub," why not use a six-, eight- or even 10-digit number? Make the administrator work to find the hosting root. This is not difficult to do, and it makes Windows more secure out of the box. It would also protect against vulnerabilities that could allow complete access to the machine's file system.
Get rid of the Web-based remote administration tool.
I hope that no one reading this column is using this tool. If you are, ask yourself why. Does this Web-based administrative interface allow you to do something that can't be done via Windows Management Instrumentation (WMI) or VBScript? Are you using it merely for convenience? The problems with this interface are big: By using it, you are allowing Internet-facing access to your entire Web server, including the underlying software. If (or when) you discover a security vulnerability in the Web manager, you could give away access to your entire machine -- operating system and all. It's just not a smart bet.
A better way to remotely manage your machines is to install an encrypted command-line utility and manage IIS via command-line functions. Chapter 8 in my new book, Learning Windows Server 2003, highlights many common language interface commands.
Kill Internet printing.
Internet printing is another idea that has sound logic but negative consequences in today's Internet environment. Internet printing allows you to print directly to the printer over an intranet or the Internet using the HTTP protocol. You do so by using an Internet-enabled printer, like some of the more expensive printers, or by using the Windows Internet printing service, which of course involves IIS.
Think about the dangers of this technology in practice. Many of us remember junk faxes and fax attacks, when a sheet of paper completely covered in black ink was taped to itself and faxed in order to continually transmit, wasting paper and ink on the receiving end. Think about the wasted paper and toner that could result if a cracker compromised your Internet-attached printer. In addition, some of the most expensive printers retain the last few print jobs in memory in case they need to be repeated (a sort of spooler cache). A cracker who penetrates the Windows Internet printer service could access the printer's memory and make off with copies of sensitive documents.
I think all of us can agree that Microsoft has done a respectable job closing the security holes it created in IIS 5. We can expect to see the next version of IIS in Longhorn server, currently planned for release in late 2006 or early 2007. In the meantime, I hope Microsoft will consider the four options above to provide an even more hardened out-of-the-box product.
About the author
Jonathan Hassell is author of Hardening Windows, published by Apress. He is a systems administrator and IT consultant from Raleigh, N.C., and has extensive experience in networking technologies and Internet connectivity. He also runs his own Web-hosting business, Enable Hosting, in Raleigh and Charlotte. Hassell's previous published work includes RADIUS, published by O'Reilly and Associates, which serves as a guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. You can e-mail him at email@example.com.