IIS Security Implementation: Class Lab - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Follow-up Lab to IIS Security Assignment
Using your IIS server VM from last session, implement 4 of the security controls you researched in your IIS homework assignment.
As I was going through this lab, I realized that this version of IIS is v8.5. That means a lot of the security hardening implementations I tried didn't work, because they were for version 10. It was really hard finding some of the hardening methods for v8.5. You will see below I have a section for successful hardening methods and a section for unsuccessful hardening methods.
- Go to Server manager and install IP and Domain Restrictions
- I put a restriction on my workstation computer and not my VM to see if I could get it to work.
- Attempt to connect with workstation and it does not work!!!
- Connect with VM and it works!
- In Request Filtering on the IIS Manager you can filter out certain request headers via the URL tab.
- In the image below I set it so that if the string `<script>` was found in the URL header, access to the site would be blocked!
- Here is the rule working!
Having more services than you need is an easy way to make your server vulnerable. One service in particular that you want to disable is FTP (File Transfer Protocol). FTP lacks encryption, which means it transfers files in plaintext. It is best practice to set up your server without FTP. You can see below that FTP comes disabled by default when installing IIS, but it's always important to check just in case.
`web.config` is the configuration file for the website. Malicious actors might try to access this file and change it, or use it to exploit your site. It's best to disable access to it via directory browsing and also make it so that only authorized users have access to it.
- Within the `web.config` security tab in properties, I set it to deny all control to users. This is mostly for demonstration purposes, as if I had made an authorized user I could have specified that they should be able to access it. But I only have access to one account for this assignment, so I can no longer access the config file in any capacity.
- You can see that when I try to open the file, I get an Access Denied message
- Enable URL Authorization via Server Manager roles and features
- The default allows all users
- Via the CMD I found that my user is `net255`, so I allowed only that user access
- I got rid of the `Allow all users` rule
THIS DOES NOT WORK
In this context allowing just one user does not work: with only anonymous authentication enabled there is no authentication step like entering credentials, so IIS cannot tell which user is connecting to the website and the single-user rule simply blocks everyone. We have to keep anonymous authentication on because of this. A better way to verify users here is IP address filtering, because then the server can actually tell which machine is connecting to the site.
- Here you can see that when you load the website, the response tells you which web server software you are using and its version. This can make it easier for malicious actors to exploit your server if they know what you are running. It is good practice to disable this.
- You can get the URL Rewrite module from Microsoft --> https://www.iis.net/downloads/microsoft/url-rewrite
- Once you install and run it, you should see an option for it pop up in the IIS Manager
I attempted using URL Rewrite for this, and I made an outbound rule that would overwrite the Server value in the response header.
- For this section I attempted to make the Server value that you can see in the HTTP response header to be blank when loaded.
- In the `head` tag of your `sec260.html` file I added some JavaScript to make a cookie whenever I loaded the website.
cookies.html

```html
<html>
<head>
<script>
document.cookie = "username=Ur mom";
</script>
</head>
<body>
</body>
</html>
```
Link: https://www.w3schools.com/js/js_cookies.asp
I added a line of code in the configuration file to have it so that the browser only stores cookies when the user is browsing on HTTPS. Adding this line didn't work, mostly because I think it's for IIS version 10 and mine is version 8.5. When I added the line to the config file, I was not able to access the website, with an error message saying "Config file is not correctly configured".
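As an added example (not part of the original journal), here is a site-level `web.config` that expresses three of the controls above in configuration rather than through the IIS Manager GUI: the Request Filtering rule for `<script>`, IP and Domain Restrictions, and the HTTPS-only cookie setting. The IP address is a constructed placeholder, and the comments call out the IIS 8.5 versus IIS 10 caveats that matter for this lab.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET cookie settings. requireSSL makes the server emit cookies with the
         Secure flag so the browser only sends them over HTTPS; httpOnlyCookies keeps
         page script from reading them. This is an ASP.NET setting, so it works on
         IIS 8.5 as well as IIS 10. It only applies to cookies the server sets, not to
         one created client-side with document.cookie as in cookies.html above. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <security>
      <!-- Equivalent of the Request Filtering "URL" tab rule: deny any URL that
           contains <script>. Inside XML the angle brackets must be escaped,
           otherwise the file fails to parse and IIS reports a configuration error. -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="&lt;script&gt;" />
        </denyUrlSequences>
      </requestFiltering>
      <!-- IP and Domain Restrictions: block everything except one allowed address.
           192.0.2.10 is a constructed placeholder for the lab VM's address. -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="192.0.2.10" allowed="true" />
      </ipSecurity>
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Drops the X-Powered-By header. The Server header itself cannot be removed
             here on IIS 8.5; that needs the URL Rewrite outbound rule described above
             (the removeServerHeader attribute on requestFiltering is IIS 10 only). -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Note that the `ipSecurity` section is locked at the server level by default, so this file produces a 500.19 error until that section is unlocked in `applicationHost.config` (Feature Delegation in IIS Manager); `requestFiltering` is delegated to site level by default.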