Enable intrusion detection on IIS with these quick tips

If your organization has a company Web server that serves anonymous requests to either the Internet or your intranet, then you essentially have a target. And it's only a matter of time before some black hat hits it.

Microsoft Internet Information Services (IIS) Web server is a popular server on a popular platform, and it has many published vulnerabilities. These servers are valuable targets, and organizations spend a lot of admin time and a lot of company money hardening, detecting, and protecting these assets from black hats and script kiddies.

However, it's not necessary to spend thousands of dollars on intrusion detection for these types of machines. Attacks to these public servers use a variety of exploits, but in the end, they all focus on accessing a small handful of programs. You just have to know what to look for.

The programs

The most common exploits culminate in accessing the following programs. These are the main programs that black hats generally need access to perform their mischief.

• Ftp.exe: This is the command-line FTP client on every Windows platform. Black hats can use this executable to move files onto the server from their remote server.
• Tftp.exe: This is a different form of FTP that black hats use to move files to a server.
• Ping.exe: This is the program used to join a server in a distributed denial of service (DDoS) attack against another network.
• Cmd.exe: Intruders can use this command-line emulation program to remotely administer a server.
• Net.exe: Black hats use this program to start and stop services, create unauthorized users and groups, and access other machines on a network.

Now, let's look at how you can stop intruders from accessing these programs as well as log their attempts.

The protection

The first step is to search your hard drive for these files. (You'll find multiple locations for each one.) Then, follow these steps:

1. Right-click the file, and select Properties.
2. On the Security tab, click Add to add a user or group.
3. Click Advanced, and click Find Now.
4. Locate the Internet Guest account (IUSR_MachineName), and click OK twice.
5. Deny Full Control for this account.
6. Click Advanced.
7. On the Audit tab, select the same user (or type it in), and click OK.
8. Select Full Control for Success and Failure.
9. Click OK three times.

Repeat these actions for every instance of each program.

There is one exception. During a buffer overflow attack, it's the system account that actually accesses Cmd.exe. So, you'll also need to audit the system account for object access to complete your detection and protection scheme.

If the Web server is a stand-alone server, you'll need to enable object auditing. Follow these steps:

1. Go to Start | Programs | Administrative Tools | Local Security Policy.
2. Navigate to Local Policies | Audit Policy.
3. Double-click Audit Object Access, select the Success and Failure check boxes, and click OK.

If the Web server is part of the domain, you must enable object auditing within a Domain Group Policy Object (GPO).

Final thoughts

Intruders must have access to programs on your network to work their magic. By denying them this access and logging their occurrences, you can increase the security level of your organization's Web server and your network at no cost to the company.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.