Running IIS and Massager on Windows Servers



latorew
07-09-2005, 10:53 PM
I want to find out about running IIS and Massager on Windows Servers, what is
the risk in security? I am also afraid that by running these items on a
secured system that it will cause problems someday. Are there any articles I
can read or any advice would be great.

Steven L Umbach
07-09-2005, 10:53 PM
The Massager service sounds very interesting but I don't know anything about
it. Roger Abell would be the one to ask about that one. If you mean the
messenger service perhaps then the risk is primarily abuse of network users
for net send messages and access from internet users if you do not have a
properly configured firewall protecting your network from the internet not
allowing access to file and print sharing and netbios ports specifically.

IIS would be an area of concern for security and would take planning before
implementing. FYI IIS is installed and enabled on every default installation
of Windows 2000 but NOT on Windows 2003. The version of IIS in Windows 2000
[IIS 5.0] is also pretty insecure with a default installation and you at
minimum would want to make sure your IIS server is up to date with critical
security updates and run the IIS Lockdown/URLScan [for Windows 2000] tool
on it. The free Microsoft Baseline Security Analyzer should be run on any
installation of IIS before it is connected to the network. It will check for
vulnerabilities including missing security updates.

IIS has several components and you only want to enable those that you need
to offer. For instance if you want to offer a website to users make sure FTP
and SMTP are disabled if not used. It is also best to install the IIS
website on a drive other than the system partition and not to install it on
a domain controller if at all possible as IIS servers are often targets of
attack. You will also need to decide if you want to allow anonymous access
to users and if not what type of authentication for your website that will
allow authenticated access and maintain security for users and the server.
Basic authentication for instance sends credentials in clear text but if SSL
is used that will not be a problem. A stateful firewall should also be
protecting your internet facing web server using one ideally that can also
control outbound access and starts with default block all rules. The link
to TechNet Security below is an excellent place to find info on how to
secure IIS and the version of the operating system it is installed on. ---
Steve

http://www.microsoft.com/technet/security/default.mspx -- TechNet Security
home page.
http://www.microsoft.com/technet/security/prodtech/IIS.mspx -- TechNet
Security IIS page.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA


"latorew" <latorew@discussions.microsoft.com> wrote in message
news:152EF805-079F-4948-8869-DF52A87AAB58@microsoft.com...
> I want to find out about running IIS and Massager on Windows Servers, what is
> the risk in security? I am also afraid that by running these items on a
> secured system that it will cause problems someday. Are there any articles I
> can read or any advice would be great.
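
An added example, not part of any post in this thread: a Windows PowerShell audit of the services the reply above says to review (Messenger, and the IIS FTP and SMTP components when only a website is offered). It assumes only the web service (W3SVC) is needed, that `Get-WmiObject` is available (Windows PowerShell, not PowerShell 7), and it only reports unless `-Disable` is passed.

```powershell
# Added example: audit the services named in the post above.
# Assumption: only the web service (W3SVC) is needed on this server.
param(
    [string[]]$Needed = @('W3SVC'),   # services this server must offer
    [switch]$Disable                  # without this switch the script only reports
)

# Short service names as used on Windows 2000 / Server 2003.
$candidates = @{
    'Messenger' = 'Messenger service (net send)'
    'MSFTPSVC'  = 'IIS FTP Publishing'
    'SMTPSVC'   = 'IIS SMTP'
    'W3SVC'     = 'IIS World Wide Web Publishing'
}

foreach ($name in ($candidates.Keys | Sort-Object)) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Output ("{0,-10} not installed" -f $name)
        continue
    }

    $wanted  = $Needed -contains $name
    # A stopped service that is still Manual/Auto can be started again,
    # so treat anything not Disabled as exposed.
    $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')

    $status = if ($wanted) { 'needed' }
              elseif ($exposed) { 'UNNEEDED, ENABLED' }
              else { 'ok (disabled)' }

    Write-Output ("{0,-10} {1,-8} {2,-9} {3}  [{4}]" -f `
        $name, $svc.State, $svc.StartMode, $status, $candidates[$name])

    if ($Disable -and -not $wanted -and $exposed) {
        # Stop first, then prevent the service from starting at boot.
        if ($svc.State -eq 'Running') { [void]$svc.StopService() }
        [void]$svc.ChangeStartMode('Disabled')
        Write-Output ("{0,-10} stopped and set to Disabled" -f $name)
    }
}
```

Run it from an elevated prompt; pass `-Needed W3SVC,SMTPSVC` (for example) if the server legitimately relays mail.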

Dan
07-09-2005, 10:54 PM
The IIS default install only occurred on early releases of W2K. Later
releases did not install the IIS components since MS took so much heat for it
being insecure...so, if you had media from a late production run you'll have
to install the IIS components.

A good resource for secure configuration of IIS (and many other MS products)
is the NSA's web site. http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

"Steven L Umbach" wrote:

> The Massager service sounds very interesting but I don't know anything about
> it. Roger Abell would be the one to ask about that one. If you mean the
> messenger service perhaps then the risk is primarily abuse of network users
> for net send messages and access from internet users if you do not have a
> properly configured firewall protecting your network from the internet not
> allowing access to file and print sharing and netbios ports specifically.
>
> IIS would be an area of concern for security and would take planning before
> implementing. FYI IIS is installed and enabled on every default installation
> of Windows 2000 but NOT on Windows 2003. The version of IIS in Windows 2000
> [IIS 5.0] is also pretty insecure with a default installation and you at
> minimum would want to make sure your IIS server is up to date with critical
> security updates and run the IIS Lockdown/URLScan [for Windows 2000] tool
> on it. The free Microsoft Baseline Security Analyzer should be run on any
> installation of IIS before it is connected to the network. It will check for
> vulnerabilities including missing security updates.
>
> IIS has several components and you only want to enable those that you need
> to offer. For instance if you want to offer a website to users make sure FTP
> and SMTP are disabled if not used. It is also best to install the IIS
> website on a drive other than the system partition and not to install it on
> a domain controller if at all possible as IIS servers are often targets of
> attack. You will also need to decide if you want to allow anonymous access
> to users and if not what type of authentication for your website that will
> allow authenticated access and maintain security for users and the server.
> Basic authentication for instance sends credentials in clear text but if SSL
> is used that will not be a problem. A stateful firewall should also be
> protecting your internet facing web server using one ideally that can also
> control outbound access and starts with default block all rules. The link
> to TechNet Security below is an excellent place to find info on how to
> secure IIS and the version of the operating system it is installed on. ---
> Steve
>
> http://www.microsoft.com/technet/security/default.mspx -- TechNet Security
> home page.
> http://www.microsoft.com/technet/security/prodtech/IIS.mspx -- TechNet
> Security IIS page.
> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
>
>
> "latorew" <latorew@discussions.microsoft.com> wrote in message
> news:152EF805-079F-4948-8869-DF52A87AAB58@microsoft.com...
> > I want to find out about running IIS and Massager on Windows Servers, what is
> > the risk in security? I am also afraid that by running these items on a
> > secured system that it will cause problems someday. Are there any articles I
> > can read or any advice would be great.
>
>
>

