Secure IIS 6.0

    Question

  • Hi,

    I have Windows Server 2003 SP2 R2 x64 with IIS 6 installed, running the Client Access role (Exchange 2007 SP1). This web service is public to the internet (webmail). Recently, I found that a hacker had uploaded lots of hack tools to my server using the user NT AUTHORITY\SYSTEM (path C:\windows\system32\inetsrv\).

    Following the guide from before, I tried to secure my server. However, when I downloaded and installed Software Restriction Policies in Windows Server 2003, I was confused about how to restrict the applications the "hacker" uses as the tools they had uploaded. So it seems that Software Restriction Policies can't work well. Furthermore, I could not trace the source IP from which the hacker uploaded the tools to the folder "C:\windows\system32\inetsrv", even though we have a syslog server using Splunk that monitors our server.

    Please tell me how to fix these problems.

    Thank you very much.

    Tuesday, May 29, 2012, 8:53 AM

Answers

  • Hi,

    For Software Restriction Policies, I'd like to suggest using a Hash Rule:

    Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies

    Create new software restriction policies, right-click Additional Rules, click Create Hash Rule, click Browse, navigate to the executable/program you want to stop users from using, click OK, and set the Security Level to “Disallowed”.

    For reference:
    Restricting Software Access and Protecting Computers
    http://technet.microsoft.com/en-us/library/cc784363(WS.10).aspx

    In addition, I'd like to suggest auditing the folder to monitor it:

    How to audit user access of files, folders, and printers in Windows XP
    http://support.microsoft.com/kb/310399

    If the issue persists, please provide the related event log for our further analysis.

    Hope this helps!

    Best Regards
    Elytis Cheng

    TechNet Community Support
    Wednesday, May 30, 2012, 7:11 AM
  • Use ISA 2006 or ForeFront Threat Management Gateway (TMG) as a reverse proxy in front of Exchange servers (thus your Exchange server(s) aren't accessible directly from the Internet).  This is the de facto standard.  It will help guard against these types of attacks.  You still want to lock down your servers that sit behind ISA/TMG too.

    Also, have a look at the following URLs.

    IIS 6 Security Best Practices:

    http://technet.microsoft.com/en-us/library/cc782762(v=ws.10).aspx

    Here is a dated but still relevant article on the SANS site about securing IIS 6 from the O/S layer and up:

    http://www.sans.org/reading_room/whitepapers/windows/securing-iis6-os_1238

    Hope that helps!

    Brian

    Wednesday, May 30, 2012, 7:13 AM

All replies