DOCUMENT:Q325864  02-AUG-2002  [iis]
TITLE    :HOW TO: Install and Use the IIS Lockdown Wizard
PRODUCT  :Internet Information Server
PROD/VER::4.0,5.0
OPER/SYS:
KEYWORDS:kbHOWTOmaster

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Services version 5.0
- Microsoft Internet Information Services version 5.1
- Microsoft Internet Information Server version 4.0
-------------------------------------------------------------------------------

IN THIS TASK
------------

- SUMMARY
- Prepare to Run the IIS Lockdown Wizard
- Download and Install the IIS Lockdown Wizard
- Configure URLScan
- Troubleshoot Problems After You Run the IIS Lockdown Wizard
- REFERENCES

SUMMARY
=======

This step-by-step article explains how to secure a Web server by using the Internet Information Services (IIS) Lockdown Wizard. It also includes information about how to troubleshoot problems that occur after you run the wizard.

Prepare to Run the IIS Lockdown Wizard
--------------------------------------

With the IIS Lockdown Wizard, you can disable several optional features of IIS to secure your IIS server against attack. Before you run the wizard, read the Help file to familiarize yourself with the options that the wizard presents. To access the Help file:

1. Download the IIS Lockdown Wizard. To download the wizard, visit the following Microsoft Web site:

   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961

2. Extract the Lockdown Wizard files from the executable file. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

   Q315522 HOW TO: Extract the URLScan Tool and Lockdown Template Files from the IIS Lockdown Tool

3. Find the folder that you specified when you extracted the files, and then double-click the Iislockd.chm file.
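The wizard's Script Maps page (step 6 of the procedure below) suggests searching your content directories to see which script-mapped extensions actually exist. The following added script, which is not part of the wizard or of this article, does that search; the grouping of extensions under the wizard's Script Maps entries is an assumption, since the article names only .asp, so adjust it to what your wizard shows.

```python
"""Count files under IIS content directories by script-mapped extension.

Added example for this article, not part of the IIS Lockdown Wizard. The
grouping of extensions under the wizard's Script Maps entries is an
assumption (only .asp is named in the article); adjust it to match your
wizard's Script Maps page.
"""
import os
import tempfile
from collections import Counter

# Assumed script-map groups; a zero count marks a map you can likely disable.
SCRIPT_MAPS = {
    "Active Server Pages": {".asp"},
    "Index Server Web Interface": {".idq", ".htw", ".ida"},
    "Server side includes": {".shtml", ".shtm", ".stm"},
    "Internet Data Connector": {".idc"},
    ".HTR scripting": {".htr"},
    "Internet printing": {".printer"},
}

def count_extensions(content_roots):
    """Return a Counter of lowercase file name extensions under the roots."""
    counts = Counter()
    for root in content_roots:
        for _dirpath, _dirs, files in os.walk(root):
            for name in files:
                ext = os.path.splitext(name)[1].lower()
                if ext:
                    counts[ext] += 1
    return counts

def script_map_report(content_roots):
    """Map each script-map name to how many matching files exist."""
    counts = count_extensions(content_roots)
    return {name: sum(counts[e] for e in exts)
            for name, exts in SCRIPT_MAPS.items()}

def build_sample_site():
    """Constructed sample content tree, used only to demonstrate the report."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    for rel in ("default.asp", "inc/footer.asp", "old/search.idq", "help/index.htm"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    for name, n in script_map_report([build_sample_site()]).items():
        print(f"{n:4d}  {name}  ->  {'keep' if n else 'candidate to disable'}")
```

A zero count marks a script map as a candidate to disable on the Script Maps page; treat it as a prompt to confirm with the application owners rather than as proof, because an application can depend on a mapped extension without shipping files with that extension.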
Note that the Lockdown Wizard permits you to disable certain optional features of IIS that are required for the correct operation of other applications, such as Exchange and FrontPage. If you do not select the correct options when you run the Lockdown Wizard, you may break the functionality of these applications. To minimize problems, carefully review the Microsoft Knowledge Base articles that are appropriate to your system configuration before you run the Lockdown Wizard:

- Exchange and Outlook Web Access (OWA):

  Q309508 XCCC: IIS Lockdown and URLscan Configurations in an Exchange Environment

- Microsoft Mobile Information Server:

  Q311595 XCCC: How to Install and Configure Microsoft Security Tool Kit On a Microsoft Mobile Information Server

- Microsoft Small Business Server:

  Q311862 How to Use The IIS Lockdown Tool with Small Business Server

- Microsoft Project, Project Server, and Project Web Access:

  Q321357 PSRV2002: Error Messages When You View a Microsoft Project Web Access Page That Contains Grids
  Q316398 PRJ2000: Configuring the IIS Lockdown Tool and URLScan Security Tool with Microsoft Project Central

- Microsoft SharePoint Portal Server:

  Q309675 SPS: IIS Lockdown Tool Affects SharePoint Portal Server
  Q319633 SPS: 'Script Execution Error: Error Executing INVOKE' Error Message After You Install IIS Lockdown Wizard

- Microsoft Visual Studio .NET:

  Q310588 PRB: Security Toolkit Breaks ASP.NET Debugging in Visual Studio .NET
  Q315904 BUG: 'ExternalException: Cannot Execute a Program' Error Message When You Call WebServices from .aspx Page

- Microsoft FrontPage:

  Q317390 FP2002: 'HTTP/1.1 404 Object Not Found' Error Message Occurs When a User of Your Web Page Performs a Search
  Q307976 FP: Error Message When You Use FrontPage with URLScan

- Microsoft Proxy Server:

  Q311675 Cannot Search Proxy Server 2.0 Online Help After the IIS Lockdown Wizard Is Installed

Download and Install the IIS Lockdown Wizard
--------------------------------------------

1. Double-click the executable file that you downloaded in the Prepare to Run the IIS Lockdown Wizard section to start the wizard.

2. On the Welcome page, read the explanatory text, and then click Next.

3. On the License Agreement page, read the license agreement, click I Agree, and then click Next.

4. On the Select Server Template page, select the template that most closely matches the role of this server, and then click to select View Template Settings. The pages that follow have options already selected based on the server role that you chose on the previous page, so you can use all of the default selections. If the server has multiple roles (for example, a dynamic Web server that is also a proxy server), click to select Other (Server that does not match any of the listed roles), and make sure that you carefully consider all the options that are presented on the following pages, because the default selections may not be appropriate for your server. When you have selected the appropriate settings, click Next.

5. On the Internet Services page, select the services that you want your server to provide. Most servers require the Web service. If you do not want your server to provide File Transfer Protocol (FTP) or Simple Mail Transfer Protocol (SMTP) services (that is, file transfer or e-mail services), you can click to clear these options. Note that you must leave SMTP selected if you are running Exchange or Small Business Server. The services that you do not select on this page are set to Disabled and cannot start. If you are running the Lockdown Wizard on IIS 5.0, you can also click to select Remove unselected services, which completely removes the services that you did not select from your system. When you have selected the appropriate settings, click Next.

6. On the Script Maps page, click to clear the check box next to any file type or file types that you want your server to provide.
   If you are not sure what to disable, you can search your content directories to find out if those file name extensions exist. Note that most servers require Active Server Pages (.asp), so you must click to clear that check box unless you are sure that your server does not serve ASP pages. Click Next.

7. On the Additional Security page, select the virtual directories that you want to remove from this server. These virtual directories are installed by default with IIS, so they are well-known targets for attackers; you might want to remove or rename them on production computers. Removing these virtual directories from IIS does not remove the corresponding physical directories on the disk, so you do not lose any data by selecting this option.

8. Click to select Running system utilities if you want to deny rights on executable files in the Windows directory to the Internet guest account (IUSR_computername by default). This option should be selected on most systems.

9. Click to select Writing to content directories if you want to deny Write rights to the Internet guest account on the directories that contain your Web content. Make sure that you leave this option unselected if you are using FrontPage Server Extensions on this server or if this server functions as a proxy server.

10. Click to select Disable Web Distributed Authoring and Versioning (WebDAV) if you are not using WebDAV to create and deploy Web content on this server. If this server runs Outlook Web Access (OWA) for Exchange 2000, make sure that you leave this option unselected.

    NOTE: If you select this option, the Lockdown Wizard sets the rights on the DLL that implements WebDAV functionality (Httpext.dll) to deny execute permission. This may still permit certain WebDAV requests to execute.
    For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    Q307934 Locking Down WebDAV Through ACL Still Allows PUT and DELETE Requests

11. Click Next.

12. On the URLScan page, select the option to install URLScan if you want to use URLScan to filter out incoming requests based on a set of rules. If a client tries to make a request that is not valid based on the URLScan rules, IIS replies with a 404 File Not Found error, and logs the request in the URLScan log file. By default, this file is located in %WINDIR%\System32\Inetsrv\Urlscan\Urlscan.log.

    NOTE: If you leave WebDAV enabled on the Additional Security page but you decide to install URLScan, note that URLScan blocks WebDAV requests by default. You must modify the Urlscan.ini file if you want to use WebDAV with URLScan.

13. On the Ready to Apply Settings page, review the changes that will be made, and then click Next.

14. The Lockdown Wizard backs up your metabase and makes the selected changes. When this process has completed, click View Report to see a report that describes the changes that the wizard has made. Click Next to continue.

    NOTE: You can see the installation report by opening %WINDIR%\System32\Inetsrv\Oblt-rep.log in Notepad.

15. Click Finish to close the IIS Lockdown Wizard.

16. Fully test all functionality of your server. This step is very important. If you discover that you have accidentally disabled required functionality of your server, immediately roll back the changes that the Lockdown Wizard made, and then rerun the wizard to select the correct options. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    Q317052 HOW TO: Undo Changes Made by the IIS Lockdown Wizard

Configure URLScan
-----------------

When you run the IIS Lockdown Wizard, you can install URLScan. URLScan is an ISAPI filter that blocks HTTP requests based on a configurable set of rules.
For example, you can configure URLScan to block all requests for a certain file name extension, to block certain HTTP verbs (such as GET or POST), or to block requests that contain characters that are frequently included in attacks on Web servers. To configure URLScan, use a text editor such as Notepad to edit the %WINDIR%\System32\Inetsrv\Urlscan\Urlscan.ini file. This file contains extensive comments that explain each configuration option. When you have finished editing the .ini file, save it and restart IIS. For additional information about how to configure URLScan, click the article number below to view the article in the Microsoft Knowledge Base:

Q312376 HOW TO: Configure URLScan to Allow Requests with a Null Extension in IIS

Troubleshoot Problems After You Run the IIS Lockdown Wizard
-----------------------------------------------------------

The most common problem after you run the IIS Lockdown Wizard is receiving unexpected 404 File Not Found error messages when you open the locked-down site. You may receive these error messages even for files that exist. This occurs when a client requests a file that has been blocked by the Lockdown Wizard or URLScan. In this case, IIS says that the file does not exist for security purposes. If a malicious user knows that a vulnerable service exists on the server but is being blocked, the user may still find a way to get around the block and exploit the vulnerability; however, if the user thinks that the service is not installed, the user will not try to exploit it.

If you receive a 404 error message after you run the IIS Lockdown Wizard, follow these steps to troubleshoot the problem:

1. Verify that the file you are requesting exists on the server. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

   Q248033 Typical Causes and Resolution of the 'HTTP 404 - File Not Found' Error Message

2. Examine the URLScan log file to see if URLScan is blocking the requests.
   This file is located at %WINDIR%\System32\Inetsrv\Urlscan\UrlscanMMDDYY.log (where MMDDYY is the date for the log). If you discover that URLScan is blocking the requests, see the Configure URLScan section to set up URLScan so that it permits these requests.

3. If you are requesting a non-HTML file, such as an ASP page or a server-side-include-enabled file, verify the application mapping for the file type in the Internet Services Manager:

   a. Right-click your Web site, and then click Properties.
   b. On the Home Directory tab, click Configuration.
   c. Click the App Mappings tab.
   d. Click the line that corresponds to the extension of the file that you are trying to access.
   e. If Executable Path is set to %WINDIR%\System32\Inetsrv\404.dll, click Edit, and then set Executable Path to the default executable path for that file extension. If you are not sure of the default, open the %WINDIR%\System32\Inetsrv\oblt-log.log file, which was created when you ran the Lockdown Wizard. Look for a line that starts with SMAP followed by the file name extension. This line also contains the default executable path for that file type.

If you have trouble with a service that depends on IIS, such as Exchange or SharePoint, see the Microsoft Knowledge Base articles that are listed in the Prepare to Run the IIS Lockdown Wizard section.

You may also find that FTP or SMTP do not work after you run the IIS Lockdown Wizard. This occurs if you either disable or remove these services. If you disabled the services, follow these steps to re-enable them:

1. Open Control Panel.
2. On Windows NT 4.0, open the Services applet. On Windows 2000 or Windows XP, open the Administrative Tools folder, and then open the Services applet.
3. Double-click FTP Publishing or Simple Mail Transfer Protocol (SMTP).
4. For Startup type, click to select Automatic.
5. Click Start if you want the service to start right away.
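To make troubleshooting step 2 above (checking whether URLScan is the source of the unexpected 404s) repeatable, the following added script, which is not part of URLScan or of this article, summarizes the rejection entries in a URLScan log by reason and by client. The sample entries are constructed, and the line layout that the regular expression expects is an assumption about the log format.

```python
"""Summarize rejections recorded in the URLScan log (troubleshooting step 2).

Added example for this article, not part of URLScan. The sample entries are
constructed and the line layout the regular expression expects is an
assumption; check it against your own UrlscanMMDDYY.log before relying on it.
"""
import re
from collections import Counter, defaultdict

# Constructed entries: WebDAV verb and header rejections, which the default
# Urlscan.ini produces for OWA or WebDAV clients, plus a disabled extension.
SAMPLE_LOG = """\
[08-02-2002 - 09:15:02] Client at 10.1.2.3: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.  Site Instance='1', Raw URL='/exchange/'
[08-02-2002 - 09:15:40] Client at 10.1.2.3: Sent header 'Translate:', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/docs/plan.doc'
[08-02-2002 - 09:16:11] Client at 10.1.2.9: URL contains extension '.printer', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/printers/lobby.printer'
[08-02-2002 - 09:17:05] Client at 10.1.2.9: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.  Site Instance='1', Raw URL='/exchange/inbox/'
"""

LINE_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] Client at (?P<client>\S+): (?P<reason>.+?)\. "
    r"Request will be rejected\.\s+Site Instance='(?P<site>\d+)', "
    r"Raw URL='(?P<url>[^']*)'\s*$"
)

def parse_urlscan_log(text):
    """Return one dict per rejection line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def rejections_by_reason(entries):
    """Group raw URLs under URLScan's stated reason, which names the rule
    (verb, header, extension, sequence) that Urlscan.ini would need to relax."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["reason"]].append(e["url"])
    return dict(grouped)

def rejections_by_client(entries):
    """Count rejections per client address."""
    return Counter(e["client"] for e in entries)

if __name__ == "__main__":
    found = parse_urlscan_log(SAMPLE_LOG)
    for reason, urls in rejections_by_reason(found).items():
        print(f"{len(urls):3d}  {reason}")
    print(rejections_by_client(found))
```

Reasons that map to a legitimate application (such as the WebDAV verbs OWA needs) point at the Urlscan.ini rule to adjust, as described in the Configure URLScan section; a reason that only ever appears from one unfamiliar client is a rejection you want to keep.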
If you completely removed one or both of these services by selecting Remove unselected services when you ran the IIS Lockdown Wizard on IIS 5.0, follow these steps to reinstall them:

1. Open Control Panel.
2. Open the Add/Remove Programs applet, and then click Add/Remove Windows Components in the left pane.
3. Select Internet Information Services (IIS), and then click Details.
4. Click to select File Transfer Protocol (FTP) Service or SMTP Service.
5. Click OK, and then click Next. The selected service or services will be installed. You may be prompted to insert your Windows CD-ROM.
6. Make sure that you reapply the latest Windows service pack and any hotfixes that you have installed.

If none of these methods works, you can view the IIS Lockdown Wizard report file to see all changes that the tool made. This can help you determine which changes caused the problems that you are experiencing. This report file is saved at %WINDIR%\System32\Inetsrv\Oblt-rep.log. For additional information about how to undo the changes that the IIS Lockdown Wizard made, click the article number below to view the article in the Microsoft Knowledge Base:

Q317052 HOW TO: Undo Changes Made by the IIS Lockdown Wizard

REFERENCES
==========

For additional information about the IIS Lockdown Wizard and how to secure your IIS server, click the article numbers below to view the articles in the Microsoft Knowledge Base:

Q310725 HOW TO: Run the IIS Lockdown Wizard Unattended in IIS
Q311350 HOW TO: Create a Custom Server Type for Use with the IIS Lockdown Wizard
Q282060 Resources for Securing Internet Information Services

Additional query words: iis lockdown tool wizard urlscan harden 404 security toolkit

======================================================================
Keywords          : kbHOWTOmaster
Technology        : kbiisSearch kbiis500 kbiis400 kbiis510
Version           : :4.0,5.0
Issue type        : kbhowto
=============================================================================
THE INFORMATION PROVIDED IN THE
MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.