Start here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

Then:

Use URLScan  **Be careful & read the documentation; there are ways to 
make it work with FrontPage -- just read the documentation!!
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp


Lockdown Win2K using baseline server security checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp

Lockdown IIS 5.0 using both baseline & secure internet information 
services checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5cl.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp

**Be careful with the security templates.  I found it best to review the
templates, use the configuration & analysis tool, review the analysis logs &
create your own template from scratch to be certain nothing happens that you
don't specify.

Use the IIS lockdown tool in advanced mode
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp

**Again, read the documentation thoroughly to understand everything you are
disabling & be careful not to disable anything you need.

Familiarize yourself with Win2K access control methodologies
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part2/dsgch12.asp

Read security bulletins and apply all recommended patches
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

Use hfnetchk.exe to verify all hotfixes are applied
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q303215

Subscribe to mailing lists related to Win2K & IIS security:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp

http://www.securityfocus.com/cgi-bin/subscribe.pl


***ALWAYS install IIS to a non-default location.  The only way to do this is
to perform an unattended Windows component installation:

1)  Create an answer file on c:\ named iis.txt
    EX:    
        [Components]
        iis_www = on
        iis_common = on
        [InternetServer]
        PathWWWRoot=I:\Inetpub\Wwwroot

2) Execute the following command

    sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\iis.txt



Additional reading on Security, IIS & Win2K

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/acs/reskit/acrkch12.asp
       
    **Security for Admins & developers

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/reskit/iis50rg/iischp9.asp
  
    **Security resource guide for IIS 5.0

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/deploy/depovg/securiis.asp
  
    **Guide to Securing IIS 5.0

http://66.129.1.101/top20.htm              **SANS top 20 security holes

www.cisecurity.org                              **Center for Internet Security

www.sans.org                                       **SANS Institute

http://nsal.www.conxion.com                 **National Security Agency security recommendation guides

www.microsoft.com/windows2000/downloads/critical     **Current critical hotfixes



On top of all this I recommend inserting a firewall between IIS & the
Internet.  The best firewall is Check Point FW-1; an inexpensive alternative
is iptables or ipchains (which are also very good but require more expertise
to configure correctly).



Better alternatives to IIS:

Apache
iPlanet




John Spencer, CCSA, SCSA, RHCE
Systems Administrator
Model Technology -- A Mentor Graphics Company
[EMAIL PROTECTED]

**Opinions expressed here do not necessarily express the opinions of
Mentor Graphics or its subsidiaries.
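As an added example (not from the original message), a small Python helper that writes the answer file from step 1 above and returns the step-2 command line, refusing a PathWWWRoot that would land on the system drive; the C: system drive and the I:\Inetpub\Wwwroot target are assumptions taken from the example in the post.

```python
# Added example, not from the original post: build the sysocmgr answer file
# for a non-default IIS install and reject a wwwroot on the system drive.
# Assumptions: system drive is C:, answer file lives at c:\iis.txt.
import ntpath


def validate_wwwroot(path, system_drive="C:"):
    """Return the normalised path, or raise ValueError if it is not a safe, absolute, off-system-drive location."""
    drive, tail = ntpath.splitdrive(path)
    if len(drive) != 2 or not drive[0].isalpha() or drive[1] != ":":
        raise ValueError("wwwroot must start with a drive letter, e.g. I:\\Inetpub\\Wwwroot")
    if not tail.startswith("\\"):
        raise ValueError("wwwroot must be an absolute path")
    if drive.upper() == system_drive.upper():
        raise ValueError("wwwroot must not live on the system drive " + system_drive)
    return ntpath.normpath(drive.upper() + tail)


def build_answer_file(wwwroot, system_drive="C:"):
    """Return the [Components]/[InternetServer] answer file text for sysocmgr."""
    target = validate_wwwroot(wwwroot, system_drive)
    lines = [
        "[Components]",
        "iis_www = on",
        "iis_common = on",
        "[InternetServer]",
        "PathWWWRoot=" + target,
    ]
    return "\r\n".join(lines) + "\r\n"  # Windows line endings for a setup answer file


def sysocmgr_command(answer_file=r"c:\iis.txt"):
    """The command line from step 2 that feeds the answer file to the component manager."""
    return r"sysocmgr /i:%windir%\inf\sysoc.inf /u:" + answer_file


if __name__ == "__main__":
    text = build_answer_file(r"I:\Inetpub\Wwwroot")
    with open("iis.txt", "w", newline="") as fh:  # copy this to c:\iis.txt on the target box
        fh.write(text)
    print(sysocmgr_command())
```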