How to Secure a Default IIS Site & Enable Windows Authentication

A lot of the applications I work with, even the ones I help design here at STEALTHbits Technologies, leverage native MS IIS for the purpose of publishing reports. By default, when you create a new IIS website it is typically open to everyone with anonymous access enabled, meaning anyone can access and view the data being hosted by that site. Obviously, this is a security concern for most people, and I’m often asked by clients and colleagues how one locks down an IIS site so only the desired people can access it. The answer is pretty simple: to secure the site, all one needs to do is change the native permissions on the IIS site, enable Windows Authentication, and disable Anonymous access. Below is an example from my machine.

Step 1: Select your site (probably “Default Web Site”) and select “Authentication”. In my case you can see I have many IIS sites; these instructions are valid for just about any IIS site.

IIS Secure Portal

Step 2: Disable Anonymous and enable Windows Authentication. If you don’t have Windows Authentication as an option, you will have to add this feature from Server Manager under “Roles / Services” for IIS.

IIS Win Authentication Feature of IIS

IIS Server Manager

If you already had Windows Authentication installed for IIS then this is how you should configure your Authentication option for that site.

IIS Authentication Secure

Step 3: You have to change the permissions of the web site. I would break inheritance first and remove “Users” from having any access, leaving behind only the default Admin security principals that have access. For one-off users, you can simply add them back into the permission stack here with basic read-only access. Note: I did this for “Frank” so that he can have read access to my reports. Normally most people would grant a specific Group Read access to the site.

Right-click site select “Edit Permissions.”

IIS Secure Portal Permission

Next, click “Advanced.”

IIS Secure Portal Properties

Then, select “Change Permissions.”

IIS Secure Portal Change Permissions

Now, UNCHECK “Include inheritable permissions from this object’s parent”.

When prompted with a WARNING, select ADD. This simply copies the existing permissions back without inheritance, which is very important so that you do not break the website for yourself and the system at large.

IIS Advanced Settings

Next, delete the permission for Users. This removes the ability for any domain user to simply authenticate to your site and view the reports. The remaining default set of permissions will still allow local admins and members of IIS_IUSRS to log in and view reports. This set of base permissions can vary from OS to OS. At this stage, you should also double check that no other well-known security principals have any access, such as “Everyone” or “Authenticated Users”.

IIS Secure Portal Permissions Windows

Last, you can now use the basic “Edit” button to add simple Read Only access for select Users and Groups; in my case I gave Frank Read access to my reports. For basic site usage nothing more than Read access is really needed. Don’t give people Modify or Full Control access unless there is some special need.

IIS Secure Portal Security Settings
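The same three steps can be scripted with the WebAdministration module, which makes the result repeatable across servers and easy to audit. This is an added example, not code from the original post; the site name and the group `CONTOSO\ReportReaders` are placeholders, and it assumes the Windows Authentication feature is already installed and the script runs elevated on the IIS host.

```powershell
# Added example (not from the original post). Automates Step 2 (authentication)
# and Step 3 (NTFS permissions) for one IIS site. Site name and group are assumed.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'       # assumed site name
$ReadGroup  = 'CONTOSO\ReportReaders'  # assumed group that should read the reports
$AuthFilter = '/system.webServer/security/authentication'

# Step 2: disable Anonymous, enable Windows Authentication at site scope.
# Authentication sections are locked at the server level, so write them via
# -Location (applicationHost.config) rather than the site's web.config.
# The second call fails if the Web-Windows-Auth feature is not installed.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthFilter/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthFilter/windowsAuthentication" -Name enabled -Value $true

# Step 3: NTFS permissions on the site's physical folder.
$sitePath = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)

# Break inheritance but keep copies of the inherited ACEs (the "Add" choice in
# the warning dialog). Persist and re-read so the copies are explicit entries
# that can be removed individually.
$acl = Get-Acl -Path $sitePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $sitePath -AclObject $acl
$acl = Get-Acl -Path $sitePath

# Remove BUILTIN\Users so that "any domain user" no longer has read access.
$acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Grant the reporting group Read & Execute only (no Modify / Full Control).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReadGroup, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sitePath -AclObject $acl

# Check: no broad well-known principals should remain on the folder.
$broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$leftover = (Get-Acl -Path $sitePath).Access |
    Where-Object { $broad -contains $_.IdentityReference.Value }
if ($leftover) { Write-Warning 'Broad ACEs still present:'; $leftover | Format-Table IdentityReference, FileSystemRights }
else { Write-Host "Folder ACL restricted: Users removed, $ReadGroup granted Read & Execute." }

# Check: confirm the site's authentication state after the change.
foreach ($m in 'anonymousAuthentication', 'windowsAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$AuthFilter/$m" -Name enabled
    '{0}: enabled={1}' -f $m, $v.Value
}
```

Run the check section on its own against existing sites to spot ones that still have Anonymous enabled or broad NTFS entries before changing anything.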

Tips & Notes:

This was tested on Windows 2008 and Win 7, I did not need to bounce IIS for any of these changes to start working.

Depending on your environment and domain, your IIS install may leverage either Kerberos or NTLM for Windows Authentication. Forcing the stronger protocol, Kerberos, is a topic for a separate blog and may not even be possible depending on the configuration of your domain. Hopefully, at a minimum, if both the server and client are part of a well-configured domain, Kerberos will be negotiated first, but be advised NTLM is still present almost everywhere as a fallback.
