By Tor Willy Austerslått
MS Internet Information Server v4 is plastered with security holes out of the box. The amount of patching you need to do after a new install is staggering. Where to begin?
Every week, a new security hole, bug or misfeature is discovered in all kinds of software and operating systems. A few of these systems are of such a high profile that the discovery not only yields a quick(ish) fix by the vendor, but also various degrees of press coverage. A system like Hotmail with all their millions of users will obviously attract a lot more press than - say - the discovery of a buffer overflow in a shareware text editor for MS-DOS 5.0.
So, does your system have security holes? If you run any kind of Microsoft software, you probably do. Trouble is, there is no way of knowing about ALL the holes. For instance, Microsoft released Internet Information Server 4.0 in 1996. I bet they thought it was both stable and safe the day they unleashed it onto an unsuspecting public. Well, it wasn't.
Up to this day, Microsoft has released 35 individual patches for IIS 4.0 alone! Considering that IIS4 has been in the marketplace for less than four years, this must be close to an industry all-time record. Add to this that the underlying OS IIS4 needs to run on has its own patches, fixes and plugs. IIS4 and NT Server 4.0 in tandem is an inherently unsafe sort of thing.
From a security standpoint, IIS is a very very naughty piece of server software. You might think so too. But you might be in a situation where the decision on which web-server to use isn't yours to make. It could be that you inherited a setup with IIS which is impractical, expensive or too time-consuming to alter. Or maybe all three. Philosophy and principles aside, you indeed need to get up to date on your patches.
What do I have?
Ask yourself, what patches are installed on the machine running IIS4? Finding out what kind of service pack you have is easy enough. Run 'winver' from a command prompt and it's right in your face. The individual IIS patches, on the other hand, have all kinds of more or less meaningful names. Often they get named after the Knowledge Base article in which the security hole was originally discussed, but sometimes they aren't.
Luckily, Microsoft, together with Shavlik Technologies, has come up with a tool that can check this for you. It's called "Network Security Hotfix Checker". You can find all the details in KB article Q303215. One warning though; if you happen to run NT 4.0 Server in another language than English, you are out of luck. The hotfix checker only works on English systems. On the other hand, there can only be so many reasons to run localized server software.
Where do I go next?
OK, now you know what kind of patches you need for your IIS. Depending on how many patches you need, be prepared for lengthy downloads. Be advised that the patches you eventually download aren't all concerned with security. Read all the text files that come with the patches. You really would want to know if reapplying the latest service pack cancels any of the patches.
If you have NT 4.0 Server with SP5 or higher, you can get the IIS Cumulative Patch. What's that? you say. Simply put, it is a file containing all the IIS4 and IIS5 patches released since Service Pack 5 for NT 4.0. Point your favourite browser to security bulletin MS01-044 and check out all the details. To be fairly safe, you need to read and understand most of the stuff printed in Security Bulletin MS01-044.
Applying the good stuff.
Now that you have all the necessary files to actually do some patching, double check what order the patching should be done in. Do it chronologically, because some of the later IIS patches replace some of the earlier ones. If you do this in the wrong order, you get yourself nowhere. If you downloaded a large heap of individual patches, as opposed to the cumulative patch, which is one large nice file, remember that you need to reboot the server between each patch you apply. You might not want to do this at a time of day when web traffic is peaking. Microsoft has finally understood that rebooting a production server is something every webmaster or systems administrator would want to avoid altogether. To remedy the problem of rebooting between every hotfix that is applied, they came up with a tool to chain the patching. Check out Q296861 for QChain.exe.
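As an added illustration of the chained approach (this is example code written here, not taken from the article or from Microsoft's KB article), the batch file below runs several hotfixes in one pass and reboots only once at the end. Each hotfix installer is started with -z (do not reboot) and -m (unattended), and QChain.exe is run last so that, where two hotfixes replace the same file, the newest version of the file is the one kept. The hotfix file names and the C:\Hotfixes folder are placeholders for whatever you actually downloaded, listed oldest first as the text advises; the script also assumes each installer returns a non-zero exit code when it fails, which you should confirm against the text file shipped with each patch.

```batch
@echo off
REM Added example: chain several NT4/IIS4 hotfixes with QChain.exe and
REM reboot once at the end instead of after every patch.
REM The file names below are PLACEHOLDERS, not real hotfix names.
setlocal
set PATHTOFIXES=C:\Hotfixes

REM Apply hotfixes oldest first.
REM -z : do not reboot when this hotfix finishes
REM -m : unattended mode, no prompts
%PATHTOFIXES%\Qxxxxxx_older_hotfix.exe -z -m
if errorlevel 1 goto failed
%PATHTOFIXES%\Qyyyyyy_newer_hotfix.exe -z -m
if errorlevel 1 goto failed

REM QChain reconciles the pending file replacements queued by the
REM hotfixes above so the latest version of each file wins.
%PATHTOFIXES%\qchain.exe
if errorlevel 1 goto failed

echo All hotfixes staged. Reboot the server now to complete installation.
goto end

:failed
echo A hotfix or QChain returned an error. Check its log before rebooting.

:end
endlocal
```

Run it at a quiet hour as the article suggests, and keep the output so you can later tell which patches were actually staged if the hotfix checker disagrees with what you think you installed.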
By now you'd think you are on the safe side. After all, every known security hole in my IIS server is plugged. Right? Right. All KNOWN holes. Inevitably, a new hole will be discovered, and after a while Microsoft will publish some sort of remedy to this.
How will you know these things? You could opt for the manual polling method: checking in on Microsoft's web site every now and then to see if any new patches and published vulnerabilities have shown up. A better method is to sign up for the Security Notification Service and receive e-mail whenever a new bulletin regarding security is put up at Microsoft's web site.
A third method is described in IIS4.0 Security Checklist. It involves making the security section of Microsoft Technet available offline, and placing the icon from the favourites folder on your desktop. Whenever there's new security information on the security web page, the icon on your desktop will change.
This is not enough, however. Microsoft has over the past few years had notoriously bad security in their products. Add to this that many security warnings and patches get released way after holes have been discovered. There are quite a few web sites dedicated to Internet security, and you should definitely hang out on these as much as you can. Try sans.org and securityfocus.com for starters. They have no affiliation with any product or company, and have big library sections and forums where you can read up on things and ask questions. As you might have guessed: there are no stupid questions, only defaced web sites :-)
Stay on top of things.
Is it enough to tighten security by patching all known holes in IIS4? No. If you expose the IIS4/NT4 combo to the Internet, it will only be a question of time before someone takes over or vandalizes your server. Therefore, you should take steps to not only secure IIS4, but also NT itself and the traffic that flows to and from it. The aforementioned security checklist is a long list of things to do to harden your NT server against most kinds of attacks and intrusions. Not only does it greatly reduce the risk of someone getting into the server, but it also makes it hard for the bad guys to get anything done once they manage to get in. To qualify as "paranoid enough", you should always assume that the bad guys at some point in time will manage to crack your defences and somehow get in.
Once you have made NT4 as rock hard as it's possible to make it and patched every hole in IIS4, next you should get yourself some sort of firewall and an IDS. I'm not, however, going to go into details on that here.
Copyright © 2001, Tor Willy Austerslått