I'm setting up a public web server: Windows Server 2008 R2, IIS 7.5. Does anyone have a tutorial / walkthrough / tips on properly securing a public web server? I've seen a few tutorials but mostly focused on Windows Server 2003.
What I've done so far:
- Created a specific user account for the website / app pool,
- Renamed Admin account,
- Installed FTPS,
- Configured firewall to block any non-public service (web / https),
- Configured firewall to allow access to management interfaces only from specific IP addresses (rdp, IIS management, ftp)
Maybe a few other things but can't remember at the moment…
ICMP is allowed… Should I disable all except ping?
Port scan reveals only web and https ports.
Any other suggestions?
Thanks
Best Answer
As far as ICMP, I don't disable it. Certain ICMP messages control TCP window scaling and path MTU discovery. Disabling ICMP can lead to connection problems.
refs:
http://www.znep.com/~marcs/mtu/ <- Path MTU issue
http://www.daemon.be/maarten/icmpfilter.html <- ICMP filtering policy
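An added example (not code from the asker or the answerer) of how the firewall step in the question and the ICMP point in the answer fit together on Windows Server 2008 R2, where the Windows Firewall with Advanced Security is driven through `netsh advfirewall`. The weak setting is shown commented out beside the selective rules; the rule names prefixed `PLACEHOLDER_` are constructed for the example, and the script assumes an elevated PowerShell prompt on the server itself.

```powershell
# Added example, not part of the original thread: selective ICMPv4 filtering
# with Windows Firewall with Advanced Security via netsh (Windows Server 2008 R2).
# Rule names are constructed placeholders. Run from an elevated PowerShell prompt.

# Weak setting: a blanket ICMPv4 block also drops the router's "fragmentation
# needed" message (type 3, code 4), which is what path MTU discovery relies on,
# so large TCP transfers can stall. Left commented out on purpose.
# netsh advfirewall firewall add rule name=PLACEHOLDER_Block_All_ICMPv4 dir=in action=block protocol=icmpv4

# Corrected setting: allow only the ICMPv4 messages TCP and basic diagnostics
# depend on. Windows Firewall's default inbound action blocks the rest, so no
# explicit deny rule is needed. Outbound echo replies fall under the default
# outbound allow.
$rules = @(
    @{ Name = "PLACEHOLDER_ICMPv4_EchoRequest";     Proto = "icmpv4:8,any"  },  # ping from outside
    @{ Name = "PLACEHOLDER_ICMPv4_DestUnreachable"; Proto = "icmpv4:3,any"  },  # type 3, incl. code 4 (PMTUD)
    @{ Name = "PLACEHOLDER_ICMPv4_TimeExceeded";    Proto = "icmpv4:11,any" }   # TTL expiry, traceroute replies
)

foreach ($r in $rules) {
    # Delete any earlier copy first so re-running the script does not pile up duplicates.
    netsh advfirewall firewall delete rule "name=$($r.Name)" dir=in | Out-Null
    # Quoting the whole token keeps PowerShell from splitting "type,code" into two arguments.
    netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow "protocol=$($r.Proto)"
}

# Verify: list only the rules this script manages, with their protocol lines.
netsh advfirewall firewall show rule name=all | Select-String "PLACEHOLDER_ICMPv4" -Context 0,8
```

Allowing type 3 as a whole, rather than only code 4, also lets the server learn promptly that a peer port or host is unreachable instead of waiting for a TCP timeout; if a tighter policy is wanted, `icmpv4:3,4` keeps just the PMTUD message. The same approach applies to IPv6 with `protocol=icmpv6`, where Packet Too Big (type 2) plays the role that type 3 code 4 plays for IPv4 and must not be filtered.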