Windows web server checklist

iiswindows

When you are deploying a new web server box what are the standard things you install on it and do to set it up?

What things do you do to ensure the box is locked down and not going to get compromised?

So far:

General

Apply security patches, etc
Run the Microsfot Baseline Security Analyzer (MBSA)
Disable weak encryption algorithms – Scott, also see David Christiansen's article and the serversniff.com site

Network

Harden TCP/IP stack – K. Brian Kelley
White list traffic with an IPSEC policy
All NetBIOS is removed or disabled
Put web server in a workgroup (not allowed to be on a domain)
Use a DMZ

IIS

Install UrlScan
Run IIS lockdown

Related Articles

Best Answer

What we do:

Put web server in DMZ
Put web server in a workgroup (not allowed to be on a domain)
Ensure all security patches are applied
Minimize services which are running
Use URLScan. Remove server fingerprint (RemoveServerHeader=1).
Harden TCP/IP stack
Apply IPSEC policy to only permit the traffic we want (whitelisting)
Rename default accounts so they can be targeted by typical scripts/tools.
Move default directories (InetPub, WWWRoot, etc.)
Minimize local user accounts.
All NetBIOS is removed or disabled.

Related Solutions

Windows – How to find what process is holding a file open in Windows

I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.

To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.

If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.

Examples

c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"

Windows – Useful Command-line Commands on Windows

A little known one is

getmac

It shows the MAC address(es) of your network adapter(s).

Screenshot of running getmac from a Windows commandline window.

Related Topic