Reducing the Attack Surface of the Web Server
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker.
However, if you reduce the attack surface of the Web server too much, you can eliminate functionality that is required by the Web sites and applications that the server hosts. You need to ensure that only the functionality that is necessary to support your Web sites and applications is enabled on the server. This ensures that the Web sites and applications will run properly on your Web server, but that the attack surface is minimized.
Tip
In addition to new installations, you can use the information in this section to reduce the attack surface of existing Web servers.
Figure 3.2 illustrates the process for reducing the attack surface of the Web server.
Figure 3.2 Reducing the Attack Surface of the Web Server
Each additional Windows Server 2003 and IIS 6.0 component is configured with the most restrictive possible security that will allow the component to still function. However, in providing any functionality, there is still an opportunity for potential attackers to exploit any weakness of the component.
For example, enabling the Domain Name System (DNS) component in Windows Server 2003 with the default configuration settings would make the server susceptible to any of the standard attacks common to DNS on Windows, UNIX, Linux, or other operating systems. Additional configuration would be required to further secure DNS, such as requiring zones that are integrated with Microsoft Active Directory® directory service.
In addition, if your primary focus is Web server administration, you might not be familiar with DNS-related security attacks. So reducing the attack surface of the server helps eliminate potential attacks that you cannot predict because of your familiarity with other Windows Server 2003 and IIS 6.0 components.
Important
In addition to enabling only essential Windows Server 2003 and IIS6.0 components, ensure that you configure the components to the highest possible security settings. By enabling nonessential components and services, you can increase the attack surface of your server because you have enabled these components and services without further configuring them to the most restrictive security settings.