Windows Server Security Checklist

IIS Web Server Security Checklist

  1. Never connect a server to the Internet in any way until it has been completely hardened.
  2. Physically secure the server; physical security is one of the first things to address in the security domain.
  3. Do not install any IIS web server on the Domain Controller at all.
  4. Never install a printer on an IIS web server.
  5. Put two network cards in the server, one for server management and one for users.
  6. Be sure to install Service Packs, Patches and, of course, Hotfixes on the server operating system.
  7. Run the IIS Lockdown utility on the web server (applies to older IIS versions and older Windows Server releases).
  8. Install, configure and run the URLScan security tool on the web server.
  9. Be sure to use the appropriate Encryption for Remote Desktop.
  10. Make sure Remote Desktop is configured with Account Lockout and a Session Timeout.
  11. Disable any unused service on the Windows operating system.
  12. Ensure that all services run with the minimum required privileges.
  13. If you do not need FTP, SMTP, and NNTP services, disable or delete them.
  14. Telnet service must be disabled and removed from the operating system.
  15. If your applications do not use the ASP.NET State Service, disable it.
  16. If you do not use WebDAV or if your applications do not use it, disable it.
  17. If you use WebDAV, be sure to configure its security settings.
  18. Install the Data Access Components only if necessary; otherwise remove them.
  19. Install MS Part Server only if needed; if you do not need it, do not install it.
  20. Do not activate or install the HTML Version of the Internet Service Manager.
  21. Install the MS FrontPage Server Extensions only if necessary; otherwise remove them.
  22. Harden the TCP/IP stack.
  23. Adjust the Recycle Bin and Paging File policies to fit the server.
  24. Configure the CMOS (BIOS) security settings.
  25. Provide physical security for CD-ROMs, USB drives, and more.
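As an added example (not part of the original checklist), the following PowerShell script audits several of the items above on a Windows Server 2012 R2 or later host: the removable roles and services behind items 4 and 11 to 16, the Remote Desktop encryption level, Network Level Authentication and idle-session limit behind items 9 and 10, and the account lockout threshold. It only reports. The feature, service and registry value names are the standard Windows ones; which features count as unwanted is an assumption to adapt to the server's role.

```powershell
#Requires -RunAsAdministrator
# Added audit script, not from the original checklist. Report-only: one row per check.
Import-Module ServerManager

$results = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# Items 4, 13, 14, 16: roles/features that do not belong on a hardened web server unless required.
# Which of these are "unwanted" is an assumption; adjust to the server's actual role.
$unwantedFeatures = 'Print-Server', 'Web-Ftp-Server', 'SMTP-Server', 'Telnet-Client', 'Web-DAV-Publishing'
foreach ($f in $unwantedFeatures) {
    $feat = Get-WindowsFeature -Name $f -ErrorAction SilentlyContinue
    if ($feat -and $feat.Installed) { Add-Finding "Feature $f" 'REVIEW' 'installed; remove unless required' }
    else                            { Add-Finding "Feature $f" 'OK'     'not installed' }
}

# Items 11-15: legacy/optional services that should be disabled when not used.
$unwantedServices = 'aspnet_state', 'Spooler', 'TlntSvr', 'MSFTPSVC', 'SMTPSVC', 'NNTPSVC'
foreach ($s in $unwantedServices) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if (-not $svc) { Add-Finding "Service $s" 'OK' 'not present'; continue }
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running') {
        Add-Finding "Service $s" 'OK' 'disabled'
    } else {
        Add-Finding "Service $s" 'REVIEW' "StartType=$($svc.StartType) Status=$($svc.Status)"
    }
}

# Items 9-10: Remote Desktop encryption level, Network Level Authentication and idle-session limit.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdp.MinEncryptionLevel -ge 3) {   # 3 = High, 4 = FIPS 140 compliant
    Add-Finding 'RDP encryption level' 'OK' "MinEncryptionLevel=$($rdp.MinEncryptionLevel)"
} else {
    Add-Finding 'RDP encryption level' 'FAIL' "MinEncryptionLevel=$($rdp.MinEncryptionLevel); set to 3 (High) or 4 (FIPS)"
}
if ($rdp.UserAuthentication -eq 1) { Add-Finding 'RDP Network Level Authentication' 'OK'   'required' }
else                                { Add-Finding 'RDP Network Level Authentication' 'FAIL' 'UserAuthentication=0' }

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$idleMs = (Get-ItemProperty -Path $tsPolicy -Name MaxIdleTime -ErrorAction SilentlyContinue).MaxIdleTime
if ($idleMs -gt 0) { Add-Finding 'RDP idle session limit' 'OK'   "$([int]($idleMs / 60000)) min" }
else               { Add-Finding 'RDP idle session limit' 'FAIL' 'MaxIdleTime not set (policy: Set time limit for active but idle sessions)' }

# Item 10: lockout threshold from the local account policy ("Never" means lockout is off).
$thresholdLine = (net accounts) | Where-Object { $_ -match '^Lockout threshold' }
$threshold = ($thresholdLine -replace '^.*:\s*', '').Trim()
if ($threshold -match '^\d+$' -and [int]$threshold -gt 0) { Add-Finding 'Account lockout threshold' 'OK'   "$threshold attempts" }
else                                                      { Add-Finding 'Account lockout threshold' 'FAIL' "threshold is '$threshold'" }

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the web server; every REVIEW or FAIL row maps back to a numbered item in the list above.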

Check list of security accounts or user accounts

  1. Remove any unused or unnecessary accounts on the server.
  2. Disable Guest account.
  3. Rename the Administrator account and set a strong password for it.
  4. Disable the IUSR_MACHINE account if the application does not use it.
  5. If anonymous access is required, create a dedicated account with limited privileges for it.
  6. Do not give the anonymous user any write access to directory contents or any ability to execute commands on the server.
  7. If there are multiple web applications on your server, define a separate anonymous user for each one.
  8. Run ASP.NET processes under an account with the lowest possible access level.
  9. As with the previous item, do not use the default account defined for the ASP.NET service.
  10. Use a strong Password Policy for all existing accounts on the server.
  11. Keep remote access to a minimum; remove Everyone from the "Access this computer from the network" user right.
  12. For each Server Administrator, define a separate account and do not create a shared account.
  13. Disable Null Sessions, or otherwise disable Anonymous Logon.
  14. Keep accounts and applications separated from each other so that no person can access another person's resources.
  15. In the Administrators group, do not have more than two defined users.
  16. Allow only local logon, or use encryption for Remote Desktop.
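The account items above can be checked from PowerShell on a standalone server. The script below is an added example, not from the original checklist: it covers items 1, 2, 3, 11, 12, 13 and 15 using the built-in Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later). The replacement administrator name and the 90-day staleness window are assumptions; the script reports by default and only changes anything with `-Remediate`.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original checklist. Reports by default; -Remediate applies the fixes.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+ / PowerShell 5.1).
param(
    [string]$NewAdminName = 'srv-admin-local',   # constructed replacement name for the built-in Administrator
    [int]$StaleDays = 90,                        # assumption: accounts idle longer than this are reviewed
    [switch]$Remediate
)

# Items 2 and 3: find the built-in accounts by RID (Administrator = 500, Guest = 501), not by name,
# so the checks still work after a rename.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest.Enabled) {
    Write-Warning "Guest account '$($guest.Name)' is enabled"
    if ($Remediate) { Disable-LocalUser -SID $guest.SID }
}
if ($admin.Name -eq 'Administrator') {
    Write-Warning 'Built-in Administrator still has its default name'
    if ($Remediate) { Rename-LocalUser -SID $admin.SID -NewName $NewAdminName }
}

# Item 1: enabled accounts that never logged on, or not within $StaleDays, are candidates for removal.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    ForEach-Object { Write-Warning "Account '$($_.Name)' is enabled; last logon: $($_.LastLogon)" }

# Items 12 and 15: named, individual administrator accounts, and no more than two of them.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    Write-Warning "Administrators has $($admins.Count) members: $(($admins | ForEach-Object Name) -join ', ')"
}

# Item 13: null sessions / anonymous enumeration are controlled by these LSA values.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @{ RestrictAnonymous = 1; RestrictAnonymousSAM = 1; EveryoneIncludesAnonymous = 0 }
foreach ($name in $expected.Keys) {
    $current = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $expected[$name]) {
        Write-Warning "$name is '$current', expected $($expected[$name])"
        if ($Remediate) { Set-ItemProperty -Path $lsa -Name $name -Value $expected[$name] -Type DWord }
    }
}

# Item 11: the "Access this computer from the network" right (SeNetworkLogonRight) must not
# include Everyone (S-1-1-0). secedit exports the effective local policy as an INF file.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$right = Select-String -Path $inf -Pattern '^SeNetworkLogonRight' | Select-Object -First 1
if ($right -and $right.Line -match 'S-1-1-0') {
    Write-Warning "Everyone holds SeNetworkLogonRight: $($right.Line)"   # fix via secpol.msc or GPO
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

The user-right check is deliberately report-only: user rights are best changed through the security policy editor or Group Policy so the change is tracked, rather than by editing the exported INF.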

Security Checklist for files and folders

  1. Always create several partitions on the hard disk.
  2. Never place the web server’s Home Directory in the OS partition.
  3. Put your files and folders on partitions that have the NTFS file system.
  4. Put the contents of each website in a folder separate from the web server's Home Directory, also on an NTFS partition.
  5. Always create a new website and disable the Default Web Site.
  6. Log on to the web server periodically and check its logs regularly.
  7. Store the web server's log files on a partition (NTFS) other than the one containing the website contents.
  8. Restrict the access of Anonymous and Everyone to system32 folders and website folders.
  9. Make sure anonymous users have no access of any kind to the web server's root directory.
  10. Make sure the directories containing the web server's content are not reachable by members of the Anonymous group.
  11. In both of the preceding cases, preferably use explicit Deny entries in the Access Control List.
  12. Disable or remove Remote IIS Administration or Remote WWW Administration with its service.
  13. Delete all Resource Kit tools along with SDKs from the web server.
  14. Delete all sample applications and default programs such as the default IIS website (including the Help pages).
  15. Remove the server's IP address from the response header (to prevent address disclosure through the Content-Location header).
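The following script is an added example, not from the original checklist, showing items 2 to 5, 8 to 11 and 15 applied to one site on IIS 7 or later: the content root is refused unless it is on a non-system NTFS volume, its ACL is replaced with explicit Allow entries plus a Deny on write for the anonymous identity, the Default Web Site is stopped, and the `serverRuntime/alternateHostName` setting makes IIS put the host name instead of the server's IP address into Content-Location headers. The drive letter, site name, host name and paths are constructed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original checklist. Drive letter, site name, host name and path are constructed.
Import-Module WebAdministration

$siteName = 'ExampleSite'                   # constructed
$hostName = 'www.example.com'               # constructed; goes into Content-Location instead of the IP
$siteRoot = 'E:\Sites\ExampleSite\wwwroot'  # constructed; items 2-4: off the OS partition, on NTFS

# Items 2 and 3: refuse to continue if the target is the system partition or not NTFS.
if ($siteRoot.StartsWith($env:SystemDrive, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Site root $siteRoot is on the system partition"
}
$volume = Get-Volume -DriveLetter $siteRoot.Substring(0, 1)
if ($volume.FileSystem -ne 'NTFS') { throw "$($volume.DriveLetter): is $($volume.FileSystem), not NTFS" }
New-Item -ItemType Directory -Path $siteRoot -Force | Out-Null

# Items 8-11: replace the inherited ACL with an explicit one. Administrators and SYSTEM manage the
# content; the worker-process group and the anonymous identity get read/execute only, and the
# anonymous identity (IUSR) additionally gets an explicit Deny on write and delete.
$acl = Get-Acl -Path $siteRoot
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting; do not copy inherited entries
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @('BUILTIN\Administrators', 'FullControl',    'Allow'),
    @('NT AUTHORITY\SYSTEM',    'FullControl',    'Allow'),
    @('BUILTIN\IIS_IUSRS',      'ReadAndExecute', 'Allow'),
    @('NT AUTHORITY\IUSR',      'ReadAndExecute', 'Allow'),
    @('NT AUTHORITY\IUSR',      'Write, Delete',  'Deny')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $inherit, $none, $r[2])))
}
Set-Acl -Path $siteRoot -AclObject $acl

# Item 5: create the new site and stop the Default Web Site (kept in place, never auto-started).
if (-not (Get-Website -Name $siteName)) {
    New-Website -Name $siteName -PhysicalPath $siteRoot -HostHeader $hostName -Port 80 | Out-Null
}
if (Get-Website -Name 'Default Web Site') {
    Stop-Website -Name 'Default Web Site'
    Set-ItemProperty -Path 'IIS:\Sites\Default Web Site' -Name serverAutoStart -Value $false
}

# Item 15: send the host name rather than the server's IP address in Content-Location headers.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/serverRuntime' `
    -Name 'alternateHostName' -Value $hostName

# Verification of the resulting ACL (item 11: the Deny entry is evaluated before the Allow entries).
(Get-Acl -Path $siteRoot).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the site uses a dedicated application pool identity instead of IIS_IUSRS, grant that identity read/execute in place of the group; the Deny entry for IUSR stays regardless, since it is what enforces item 6 of the account checklist at the file-system level.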

Network Share Checklist

  1. Eliminate all unused shares, including administrative shares.
  2. Grant access only to specific people and never put the Everyone group in the access list.
  3. Note that monitoring systems from the System Center family, such as SCOM and SCCM, rely on the Administrative Shares.
  4. Open only the ports used by File and Printer Sharing in the firewall.
  5. Allow Internet access only through ports 80 and 443, and only if required.
  6. Restrict Internet use and only use secure protocols such as SSL for Internet access.
  7. If the number of users of a share is known, set a Concurrent Connections Limit on the share.
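The SMB and firewall cmdlets built into Windows Server 2012 and later cover every item in this list. The script below is an added example, not from the original checklist: it flags shares that grant anything to Everyone, notes whether the administrative shares are still auto-created (with the SCOM/SCCM caveat from item 3), caps concurrent users on shares with a known population, keeps only the SMB rule of the File and Printer Sharing group enabled inbound, and restricts outbound traffic to TCP 80/443. The share name in `$knownUserLimits` is constructed; the script reports by default and only changes anything with `-Remediate`.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original checklist. Reports by default; -Remediate applies changes.
# The share name in $knownUserLimits is constructed.
param([switch]$Remediate)

# Items 1-2: user shares that grant anything to Everyone (administrative shares are Special and handled below).
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $everyone = Get-SmbShareAccess -Name $share.Name | Where-Object { $_.AccountName -eq 'Everyone' }
    if ($everyone) {
        Write-Warning "Share '$($share.Name)' ($($share.Path)) grants Everyone: $($everyone.AccessRight -join ', ')"
        if ($Remediate) { Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force }
    }
}

# Items 1 and 3: C$ and ADMIN$ are recreated at every boot unless AutoShareServer is 0. Before
# disabling them, confirm no System Center (SCOM/SCCM) agent on this host still depends on them.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShare = (Get-ItemProperty -Path $lanman -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
if ($autoShare -ne 0) {
    Write-Warning 'Administrative shares (C$, ADMIN$) are enabled; set AutoShareServer=0 only if SCOM/SCCM do not need them'
}

# Item 7: shares with a known user population get a concurrent-user cap (0 means unlimited).
$knownUserLimits = @{ 'Deploy' = 3 }   # constructed: share name -> expected concurrent users
foreach ($name in $knownUserLimits.Keys) {
    $s = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.ConcurrentUserLimit -eq 0) {
        Write-Warning "Share '$name' has no concurrent user limit"
        if ($Remediate) { Set-SmbShare -Name $name -ConcurrentUserLimit $knownUserLimits[$name] -Force }
    }
}

# Item 4: of the File and Printer Sharing group, keep only SMB (TCP 445) inbound; the NetBIOS,
# spooler RPC and ICMP rules in the same group stay disabled.
foreach ($rule in Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound) {
    $port = $rule | Get-NetFirewallPortFilter
    $isSmb = ($port.Protocol -eq 'TCP') -and ($port.LocalPort -eq '445')
    if (($rule.Enabled -eq 'True') -and -not $isSmb) {
        Write-Warning "Enabled inbound rule outside SMB: $($rule.DisplayName) ($($port.Protocol)/$($port.LocalPort))"
        if ($Remediate) { Disable-NetFirewallRule -Name $rule.Name }
    }
}

# Items 5-6: default-deny outbound, then allow only TCP 80/443. Add explicit rules for the DNS,
# time, update and management traffic the server actually needs before turning this on.
if ($Remediate) {
    New-NetFirewallRule -DisplayName 'Allow outbound HTTP/HTTPS' -Direction Outbound -Protocol TCP `
        -RemotePort 80, 443 -Action Allow -Profile Any | Out-Null
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
}
```

Run it once without `-Remediate` and review the warnings; the outbound default-deny in particular should be tested on a non-production host, since it blocks everything that has no explicit allow rule.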

Registry Security Checklist

  1. Disable or restrict access to the Remote Registry service.
  2. For the Standalone servers, be sure to secure the SAM file and enable NoLMHash in the registry settings.
  3. Be sure to enable Auditing and Logging capabilities on servers.
  4. Be sure to audit Failed Logon Attempts.
  5. Change the log location of the IIS files.
  6. Define how often logs are archived and analyzed.
  7. Define the maximum file log size.
  8. Always audit the access to the Metabase.bin file.
  9. Configure IIS to log in the W3C Extended Log File Format so that requests are fully audited.
  10. Also make regular backups of your registry.
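The script below is an added example, not from the original checklist, and applies items 1 to 5 and 7 to 10 on IIS 7 or later: it disables the Remote Registry service, sets NoLMHash, turns on logon auditing and caps the Security log, moves IIS logging to a dedicated volume in W3C Extended format with size-based rollover, puts an audit (SACL) entry on the IIS configuration store, and saves the SYSTEM and SOFTWARE hives. Metabase.bin is the IIS 5 configuration file; the script assumes IIS 7 or later, where the equivalent is applicationHost.config. The log and backup paths are constructed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original checklist. E:\IISLogs and E:\Backups\Registry are constructed
# paths; the script assumes IIS 7 or later (applicationHost.config rather than Metabase.bin).
Import-Module WebAdministration

# Item 1: Remote Registry service off.
Set-Service -Name RemoteRegistry -StartupType Disabled
Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue

# Item 2: stop storing LM hashes (applies to passwords set after this change).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -Value 1 -Type DWord

# Items 3-4: audit logon success and failure; item 7: cap the Security log at 1 GB, overwriting the oldest events.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Logoff" /success:enable | Out-Null
wevtutil sl Security /ms:1073741824 /rt:false | Out-Null

# Items 5, 7, 9: IIS logs on a dedicated volume, W3C Extended format, roll over at 100 MB per file.
$logDir = 'E:\IISLogs'   # constructed
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$logDefaults = 'system.applicationHost/sites/siteDefaults/logFile'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logDefaults -Name directory    -Value $logDir
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logDefaults -Name logFormat    -Value 'W3C'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logDefaults -Name period       -Value 'MaxSize'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logDefaults -Name truncateSize -Value 104857600
foreach ($site in Get-Website) {   # existing sites may carry explicit settings that override the defaults
    Set-ItemProperty -Path "IIS:\Sites\$($site.Name)" -Name logFile.directory -Value $logDir
    Set-ItemProperty -Path "IIS:\Sites\$($site.Name)" -Name logFile.logFormat -Value 'W3C'
}

# Item 8: audit writes to the IIS configuration store. Object-access auditing must be enabled
# for the SACL entry to produce events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$cfgFile = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$sacl = Get-Acl -Path $cfgFile -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete, ChangePermissions, TakeOwnership', 'Success, Failure')))
Set-Acl -Path $cfgFile -AclObject $sacl

# Item 10: registry backup. reg save writes hive files restorable with reg restore;
# keep them on a volume protected at least as well as the server itself.
$backupDir = 'E:\Backups\Registry'   # constructed
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
foreach ($hive in 'HKLM\SYSTEM', 'HKLM\SOFTWARE') {
    $file = Join-Path $backupDir ('{0}-{1}.hiv' -f ($hive -replace '\\', '-'), $stamp)
    reg save $hive $file /y | Out-Null
}
```

After running it, confirm with `auditpol /get /category:"Logon/Logoff"` and by checking that new request log files appear under `E:\IISLogs\W3SVC<site id>` rather than the default `%SystemDrive%\inetpub\logs\LogFiles`.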

Site and Virtual Directory Security Checklist

  1. Never create websites on the system partition.
  2. Disable the Parent Paths setting.
  3. Delete vulnerable virtual directories such as IISSamples, IISAdmin, IISHelp, and Scripts.
  4. Delete the MSADC virtual directory.
  5. Delete the Internet Printing virtual directory.
  6. Make sure the server certificates are valid and up-to-date.
  7. Use any certificate only for what it is defined for.
  8. Make sure the public key for the certificate you received is valid.
  9. Make sure your used certificate has not been revoked.
  10. Delete unused ISAPI filters from the server.
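As an added example, not from the original checklist, the script below works through items 2 to 10 on IIS 7 or later: it disables Parent Paths at the server level, removes the legacy virtual directories named in items 3 to 5 from every site (MSADC is the Data Access Components directory; "Printers" is the name Internet Printing creates), checks the certificate bound to a site's HTTPS binding for validity dates, the Server Authentication purpose, key size, chain and revocation, and lists the registered ISAPI filters. The site and host names are constructed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original checklist. Site name and host name are constructed;
# assumes IIS 7 or later with the WebAdministration module.
Import-Module WebAdministration

$siteName = 'ExampleSite'      # constructed
$hostName = 'www.example.com'  # constructed

# Item 2: Parent Paths off at the server level (no "..\" in Server.MapPath or #include).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/asp' `
    -Name enableParentPaths -Value $false

# Items 3-5: legacy virtual directories. "Printers" is the name Internet Printing creates.
$legacy = 'IISSamples', 'IISAdmin', 'IISHelp', 'Scripts', 'MSADC', 'Printers'
foreach ($site in Get-Website) {
    foreach ($vdir in Get-WebVirtualDirectory -Site $site.Name) {
        $leaf = ($vdir.path -split '/')[-1]
        if ($legacy -contains $leaf) {
            Write-Warning "Removing $($vdir.path) from '$($site.Name)' (physical path $($vdir.physicalPath))"
            Remove-WebVirtualDirectory -Site $site.Name -Name $leaf
        }
    }
}

# Items 6-9: the certificate on the site's HTTPS binding: validity window, Server Authentication EKU,
# key size, and a chain + revocation + name check through Test-Certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$binding = Get-WebBinding -Name $siteName -Protocol https
if (-not $binding) {
    Write-Warning "Site '$siteName' has no HTTPS binding"
} else {
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($binding.certificateHash)"
    $now = Get-Date
    if ($cert.NotBefore -gt $now)            { Write-Warning "Certificate is not yet valid (NotBefore $($cert.NotBefore))" }
    if ($cert.NotAfter -lt $now.AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter); renew it" }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
        Write-Warning 'Certificate lacks the Server Authentication EKU (item 7: use it only for its stated purpose)'
    }
    if (-not $cert.HasPrivateKey -or $cert.PublicKey.Key.KeySize -lt 2048) {
        Write-Warning "Public key is $($cert.PublicKey.Key.KeySize) bits or the private key is missing"
    }
    # Test-Certificate builds the chain, consults CRL/OCSP for revocation and matches the DNS name.
    $ok = Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName -EKU $serverAuthOid -ErrorAction SilentlyContinue
    if (-not $ok) { Write-Warning "Chain, revocation or name check failed for $hostName" }
}

# Item 10: list the globally registered ISAPI filters so unused ones can be removed, e.g.
#   Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/isapiFilters' `
#       -Name '.' -AtElement @{ name = '<filter name>' }
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/isapiFilters/filter' |
    Select-Object name, path, enabled | Format-Table -AutoSize
```

Removal of ISAPI filters is left as a commented command on purpose: each filter should be matched to an owning application before it is deleted, since the ASP.NET and URLScan filters referenced earlier on this page are registered the same way.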
