Internet Information Services 5.0 contains many services and features that Exchange does not require to function properly. These additional services and features pose a security risk: attackers attempt to exploit vulnerabilities in them, for example through scripting techniques, which may lead to unauthorized entry into your system or a Denial of Service attack. IIS Lockdown was designed to shut down any unnecessary services and scripts that might pose a security risk on the IIS system.
IIS Lockdown comes with built-in templates for IIS-dependent products, allowing you to choose from Exchange 5.5, Exchange 2000, SBS 2000, SharePoint and Commerce Server 2000, amongst others.
As per Microsoft: "IIS Lockdown is intended for IIS version 4.0 and 5.0. The default security-related configuration settings in IIS 6.0 meet or exceed the security configuration settings made by the IIS Lockdown tool. Therefore you will be unable to run IIS Lockdown on a Windows 2003 machine."
It is important to note that IIS Lockdown is not a substitute for your normal security measures, such as anti-virus and firewall solutions and keeping your Windows and Exchange servers updated with the latest patches and updates from Microsoft. It should be used as an additional tool to help increase security.
Today I will walk you through the process of using the IIS Lockdown tool to tighten the security of an Exchange server running on Windows 2000.
Using IIS Lockdown
The IIS Lockdown tool can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
At the time of writing, version 2.1 was available. This version contains some important new features over its predecessors, including support for scripted or unattended installations, the ability to choose server roles (templates) and remove or disable IIS services, as well as a redesigned interface and of course, bug fixes.
When you run iislockd.exe you are greeted with a welcome screen explaining what IIS Lockdown is and then the EULA (End User License Agreement) before being given the option to choose a template to use for the IIS Lockdown process. Choose "Exchange Server 2000 (OWA, PF Management, IM, SMTP, NNTP)" and check the "View template settings" checkbox.
NOTE: If you do not wish to use a predefined template, select "Other". This allows you to pick each setting individually: instead of applying the recommended settings for a specific server role, you choose explicitly which settings are applied.
Figure 1 - Selecting a server role
NOTE: If you don't choose "View template settings" the wizard will jump straight to a dialog that asks whether you want to install URLScan (explained later).
You are then given the option to choose which IIS services you want to remove or disable. By selecting the "Remove unselected services" option you are opting to uninstall the service(s) completely from the system, as opposed to just disabling them.
Figure 2 - Selecting services to remove/disable
Since the NNTP service is required for the installation of service packs, do not remove it from your system. In this case disabling the NNTP service is sufficient, and it will also get rid of some annoying NNTP event log entries that may appear every now and then.
NOTE: If any services are not installed on your system (prior to running iislockd.exe) they will be grayed out on this page.
Typically you would disable FTP and NNTP, but it depends on which services your Exchange server is offering. Once you have chosen the services to remove or disable, click Next to move to the next step. This will allow you to remove additional virtual directories, disable WebDAV, and restrict anonymous access to IIS, stopping anonymous users from performing actions such as running system utilities.
NOTE: WebDAV is an extension of the HTTP protocol that allows Administrators to publish, lock and manage web resources. Using WebDAV you can access files on a remote server and move, copy or edit them. OWA (Outlook Web Access) uses WebDAV to send commands to the Exchange Server, so if you make use of OWA on this machine, leave WebDAV enabled.
Figure 3 - Removing Virtual Directories and preventing anonymous access
I would recommend removing all the available virtual directories (including the Microsoft Active Directory Connector (MSADC)) and selecting to prevent anonymous users from performing actions such as running system utilities and writing to a directory (as shown in figure 3).
Select the options to be applied and after clicking Next you will be taken to the page summarizing the actions that are about to take place. Go through this list and if you are happy with it, press "Next" for the IIS Lockdown process to begin. Should you wish to make changes, simply press the "Back" button.
Figure 4 - Summary of settings to be applied
Once the tool is finished you are given the option to view a report. This report is called obl-rep.log and contains the changes and settings that were applied to IIS during the lockdown process. It is stored in the \SYSTEM32\inetsrv folder and can be used to undo changes. It is therefore important that no modifications are made to this file; otherwise you will be unable to reverse changes made by IIS Lockdown.
NOTE: If you ever wish to undo the changes, simply run iislockd.exe again and it will use obl-rep.log to revert IIS to the way it was prior to running the tool.
About URLScan
URLScan acts as a filter, screening all incoming requests to the server and processing them based on a set of predefined, customizable rules. It restricts potentially harmful HTTP requests and prevents them from reaching the server.
Urlscan.dll is registered as an ISAPI filter that scans all requests to IIS for harmful content, based on the settings found in Urlscan.ini. Any rejected requests are logged in Urlscan.log for review by the administrator.
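To show what those customizable rules look like in practice, here is an added example (my own, not taken from the article or from Microsoft's template files) of a Urlscan.ini excerpt tuned for an Exchange 2000 server that serves OWA: the default verb list and path checks are too strict for WebDAV-based OWA, so the example relaxes them while keeping the traversal checks. The specific WebDAV verb list and OWA-related values are assumptions based on URLScan's documented options; verify them against the Urlscan.ini that the Exchange template installs.

```ini
; Added example (not from the article or Microsoft's template files):
; excerpt of a Urlscan.ini tuned for an Exchange 2000 server that serves OWA.
; Comment lines give URLScan's restrictive default where the OWA value differs.

[options]
; Only verbs listed under [AllowVerbs] are accepted (default 1).
UseAllowVerbs=1
; Decode the URL once before the rules run, then check that a second decode
; changes nothing, which catches double-encoded traversal attempts.
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Default 0 rejects extra dots in the path; OWA mailbox URLs such as
; /exchange/john.smith/inbox contain them, so OWA needs 1.
AllowDotInPath=1
; Default 0 rejects non-ASCII bytes; folder names in other languages need 1.
AllowHighBitCharacters=1
; Keep rejected requests in Urlscan.log for review.
EnableLogging=1

[AllowVerbs]
; URLScan's default list is only GET, HEAD and POST, which breaks OWA.
GET
HEAD
POST
; WebDAV verbs OWA uses against the Exchange store (assumed list; trim it
; to what your clients actually send after reviewing Urlscan.log).
PROPFIND
PROPPATCH
SEARCH
MKCOL
MOVE
COPY
DELETE
LOCK
UNLOCK
SUBSCRIBE
UNSUBSCRIBE
POLL
BMOVE
BCOPY
BDELETE
BPROPPATCH

[DenyUrlSequences]
; Directory traversal and alternate stream / drive syntax are still denied.
..
./
\
:
; The default list also denies "%" and "&"; OWA query strings use both, so
; they are omitted here and NormalizeUrlBeforeScan handles the encoding.
```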
Conclusion
If you are running Exchange Server on IIS 5.0, I recommend using IIS Lockdown and URLScan to further protect against malicious threats and close the holes exposed by IIS 5.0.
References
Microsoft TechNet: IIS Lockdown Tool