Secure your IIS Server including PHP and MySQL

Install Secure Windows Web Server with PHP and MySQL

This document aims to provide a checklist of items that will help you learn how to create a Windows web server that is secured against the most common attacks.

Move the INETPUB folder…

Despite common suggestions throughout the Internet, Microsoft recommends that you do NOT move the inetpub folder: http://support.microsoft.com/kb/2752331

Install SSL Certificate

  1. Launch IIS Admin
  2. Click the server name on the left
  3. Double Click Server Certificates
  4. Click ‘Create Certificate Request’ and complete the form to generate a CSR
  5. Give the CSR to your certificate provider
  6. When they issue your certificate, launch IIS Admin
  7. Click the server name on the left
  8. Double Click Server Certificates
  9. Click ‘Complete Certificate Request’ and complete the wizard
  10. Bind the SSL Certificate to your preferred website on port 443 (https)
  11. If necessary, install your certificate’s intermediate certificates (don’t skip this step!!!)
  12. Lock down your SSL: yes, there are insecure SSL protocol versions and cipher suites which need to be disabled: https://www.nartac.com/Products/IISCrypto/Default.aspx
  13. If you are planning to use SSL only, create a NON-SSL website bound to port 80 only and implement HSTS headers on the SSL site bound to port 443 only.
  14. Test your certificates:
    – http://www.sslshopper.com/ssl-checker.html
    – https://www.ssllabs.com/ssltest/
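The protocol lockdown in step 12 and the HSTS header in step 13, as an added PowerShell example that is not part of the original post or of IIS Crypto. It assumes the HTTPS site is called "Default Web Site" and that it carries only an https binding; run it as Administrator and reboot afterwards, because SCHANNEL reads these keys at start-up.

```powershell
# Added example: disable legacy SSL/TLS protocol versions server-side and send
# Strict-Transport-Security only from the HTTPS-bound site.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'   # assumption: the site bound to port 443 only
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol lockdown: keep TLS 1.2 on, switch every older version off for the server side.
foreach ($Proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $Key = Join-Path $SchannelBase "$Proto\Server"
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $Key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
}
$Tls12 = Join-Path $SchannelBase 'TLS 1.2\Server'
New-Item -Path $Tls12 -Force | Out-Null
New-ItemProperty -Path $Tls12 -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Tls12 -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null

# HSTS: browsers only honour it over HTTPS, and sending it over clear-text HTTP is an
# error, so it goes on the 443-only site and never on the port-80 site from step 13.
$SitePath = "IIS:\Sites\$SiteName"
$Headers  = 'system.webServer/httpProtocol/customHeaders'
$Existing = Get-WebConfiguration -PSPath $SitePath -Filter "$Headers/add[@name='Strict-Transport-Security']"
if (-not $Existing) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $Headers -Name '.' `
        -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000; includeSubDomains' }
}

# Sanity check: if this site still has an http binding, HSTS would leak out in clear text.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```

Re-run the ssllabs test from step 14 after the reboot; it reports both the protocols still offered and whether HSTS was seen.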

Hide Server Information

  1. Delete any phpinfo file(s) you may have created.  It gives away far too many secrets!
  2. Edit php.ini and set expose_php to Off (hides your PHP version)
  3. Hide the Server Headers as per this post: https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
  4. Test the server is difficult to identify: https://www.htbridge.com/websec/
  5. Test your CMS here: https://whatcms.org/
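Steps 2 and 3 scripted, as an added PowerShell example that is not from the original post or the linked article. It assumes a site named "Default Web Site"; the Server header part only applies on IIS 10, where request filtering can drop it, so on IIS 7.0 to 8.5 the linked post's approach is still needed for that one header.

```powershell
# Added example: remove the response headers that identify the platform.
Import-Module WebAdministration

$Site    = 'IIS:\Sites\Default Web Site'   # assumption: your site name
$Headers = 'system.webServer/httpProtocol/customHeaders'

# X-Powered-By is inherited from applicationHost.config; removing it at site level
# writes a <remove name="X-Powered-By"/> into that site's web.config.
if (Get-WebConfiguration -PSPath $Site -Filter "$Headers/add[@name='X-Powered-By']") {
    Remove-WebConfigurationProperty -PSPath $Site -Filter $Headers -Name '.' -AtElement @{ name = 'X-Powered-By' }
}

# X-AspNet-Version is only emitted by ASP.NET applications, but it costs nothing to disable.
Set-WebConfigurationProperty -PSPath $Site -Filter 'system.web/httpRuntime' -Name enableVersionHeader -Value $false

# The Server header: IIS 10 can strip it through request filtering. The attribute does not
# exist on IIS 7.0-8.5, so the version check avoids a configuration error there.
$IisMajor = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').MajorVersion
if ($IisMajor -ge 10) {
    Set-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/security/requestFiltering' `
        -Name removeServerHeader -Value $true
} else {
    Write-Warning "IIS $IisMajor cannot drop the Server header here; use the technique in the linked post."
}

# expose_php lives in php.ini (step 2), not in IIS config; report whether it is still on.
$PhpIni = 'C:\Program Files\PHP\php.ini'   # assumption: adjust to your PHP install path
if (Test-Path $PhpIni) {
    Select-String -Path $PhpIni -Pattern '^\s*expose_php\s*=\s*On' | ForEach-Object {
        Write-Warning "expose_php is still On in $PhpIni (line $($_.LineNumber))"
    }
}
```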

Uninstall FTP and Use WebDAV or Git instead

FTP is insecure because it sends all data, including usernames and passwords, in clear text!  So no matter how much you and your developers want it, please get with the times and use something else.

I have been using WebDAV as it’s real easy to integrate with Windows, you can even map a drive to it.

  1. Uninstall the FTP service, FileZilla FTP Server or whatever other FTP server software you installed
  2. Close any firewall holes you opened to get the FTP to work!
  3. Make sure you have an SSL certificate installed (see above)
  4. Create a user for connecting to the WebDAV service and grant permission to the web folders
  5. Follow the Microsoft instructions to install WebDAV http://www.iis.net/learn/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis#005 summarised as:
    – Install WebDAV Publishing & Security\Windows Authentication (sub-role of Web Server(IIS))
    – Launch IIS Admin
    – Expand Website that you want WebDAV enabled for
    – Click ‘Enable WebDAV’ from the Actions Pane
    – Click ‘Add Authoring Rule’ from the Actions Pane
    – All content, specified users: [username from above], Set permissions as required (Read Source & Write)
    – Expand Website that you want WebDAV enabled for
    – Double Click ‘Authentication’
    – Enable Windows Authentication
  6. Now make sure WebDAV is secure by editing the settings and setting ‘Require SSL Access’ to true

Enable Logging to monitor access to your secure windows web server…

Event Logs

  1. Set your log size in Event Viewer, right click Security Log and set to your preferred size, I set mine to 256Mb (262144)
  2. Also note the log path for your backup software later: %SystemRoot%\System32\Winevt\Logs\Security.evtx
  3. Edit Group Policy (local if workgroup, or a GPO if not) and change Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy. Enable whatever logging you want, but as a minimum you should audit:
    – Account logon events (failure)
    – Logon events (failure)
    – Object access (failure)
    – System events (failure)
  4. After a while, refresh the Security Log and confirm that events are being audited

IIS Logs

  1. Launch IIS manager
  2. Click the server name
  3. Double Click logging
  4. Click on ‘Select Fields’ to choose which fields you want to log, default is usually fine
  5. Note the location of the log files for your backup software later: %SystemDrive%\inetpub\logs\LogFiles
  6. Browse to the folder location in 5. above and view the latest file
  7. Browse to your website from a workstation and confirm that there are new entries in the logs

PHP Logs

  1. Launch IIS manager
  2. Click the server name
  3. Double click PHP Manager
  4. Find error_log in the list and set to a known location such as c:\inetpub\logs\LogFiles\PHP
  5. Edit permissions of folder c:\inetpub\logs\LogFiles\PHP as follows:
    – Administrators – Full control
    – System – Full control
    – IUSR – Full control
  6. Create a file called c:\inetpub\wwwroot\phpinfo.php containing the following (the misspelt function name is deliberate, so that PHP writes an error to the log): <?php phpinfowrong(); ?>
  7. From a workstation browse to http://serverip/phpinfo.php and expect a white page
  8. Check the PHP log file and confirm that (a) it was created and (b) it contains the error.
  9. Delete c:\inetpub\wwwroot\phpinfo.php

MySQL Logs

MySQL stores logs in the DATA directory which is most likely located at c:\program files\MySQL\MySQL Server 5.x\data\mysql.  Instructions for accessing the log files are here: http://dev.mysql.com/doc/refman/5.7/en/server-logs.html

Protect your web server from basic Denial of Service attack (DoS)

  1. Install the IP and Domain Security feature
     (screenshot: Protect IIS from Denial of Service DoS Attacks)
  2. Once installed, restart the IIS GUI and select the SERVER object
  3. Double click to configure the IP and domain feature
  4. Enable maximum concurrent connections and Deny IP based on requests over time
     (screenshot: IIS Dynamic Deny IP)
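The two limits from step 4 set at server level (matching step 2), as an added PowerShell example that is not from the original post. It assumes the IP and Domain Restrictions role service is installed on IIS 8 or later; the numeric limits are assumptions to tune, and it starts in logging-only mode so genuine visitors are not blocked while you check the IIS log.

```powershell
# Added example: configure Dynamic IP Restrictions, log-only first, enforce later.
Import-Module WebAdministration

$Apphost = 'MACHINE/WEBROOT/APPHOST'              # server level, as in step 2
$Dip     = 'system.webServer/security/dynamicIpSecurity'

# Phase 1: logging-only. Requests that would have been denied are still served but are
# recorded in the IIS log, which lets you confirm the limits before they bite.
Set-WebConfigurationProperty -PSPath $Apphost -Filter $Dip -Name enableLoggingOnlyMode -Value $true

# Deny a client that has more than N requests in flight at once (assumed value: 20).
Set-WebConfigurationProperty -PSPath $Apphost -Filter "$Dip/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $Apphost -Filter "$Dip/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20

# Deny a client that sends more than N requests within the interval (assumed: 30 per second).
Set-WebConfigurationProperty -PSPath $Apphost -Filter "$Dip/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $Apphost -Filter "$Dip/denyByRequestRate" -Name maxRequests -Value 30
Set-WebConfigurationProperty -PSPath $Apphost -Filter "$Dip/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000

# Caveat: behind a reverse proxy or load balancer every request carries the proxy's
# address, so the limits would trip on the proxy. Only enable proxy mode when that
# device sets X-Forwarded-For; otherwise leave this line commented out.
# Set-WebConfigurationProperty -PSPath $Apphost -Filter $Dip -Name enableProxyMode -Value $true

# Phase 2, once the log shows only abusive clients being flagged: switch to enforcing.
# Denied requests then appear in the IIS log as 403 with substatus 502 (concurrent) or 503 (rate).
# Set-WebConfigurationProperty -PSPath $Apphost -Filter $Dip -Name enableLoggingOnlyMode -Value $false

# Show the resulting settings.
Get-WebConfiguration -PSPath $Apphost -Filter $Dip | Select-Object enableLoggingOnlyMode, enableProxyMode
Get-WebConfiguration -PSPath $Apphost -Filter "$Dip/denyByConcurrentRequests" | Select-Object enabled, maxConcurrentRequests
Get-WebConfiguration -PSPath $Apphost -Filter "$Dip/denyByRequestRate" | Select-Object enabled, maxRequests, requestIntervalInMilliseconds
```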

Configure backup

  1. Install your preferred backup software, I use an online backup software to be sure that my backups are automated and off-site.
  2. Create at least 3 backup sets:
    Files: c:\inetpub\wwwroot (and any other web folders)
    MySQL: Data (method varies depending on backup software)
    Logs: c:\windows\system32\winevt\logs, c:\inetpub\logs & c:\program files\MySQL\MySQL Server 5.x\data\mysql
  3. Perform a backup of each backup set
  4. Perform a test restore to a completely different computer

Configure monitoring

  1. Monitor Security Log for failures
  2. Monitor CPU usage
  3. Monitor Free Disk Space
  4. Monitor Free Memory
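The four checks above as one scheduled sweep, an added PowerShell example that is not from the original post. The thresholds ($MaxFailures, $MaxCpuPercent, $MinFreeGb, $MinFreeMemMb) are assumptions to tune; it needs Administrator rights to read the Security log and PowerShell 3 or later for the CIM cmdlets.

```powershell
# Added example: flag brute-force logon failures and resource exhaustion in one pass.
$MaxFailures   = 20    # failed logons from one address within the window
$WindowHours   = 1
$MaxCpuPercent = 85
$MinFreeGb     = 5
$MinFreeMemMb  = 512

# 1. Security log: event 4625 is a failed logon. Group by source address so that one
#    host hammering the server stands out from scattered typos.
$Since    = (Get-Date).AddHours(-$WindowHours)
$Failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                -ErrorAction SilentlyContinue
$BySource = $Failures | ForEach-Object {
    $Data = ([xml]$_.ToXml()).Event.EventData.Data      # named fields of the event
    [pscustomobject]@{
        IpAddress = ($Data | Where-Object Name -eq 'IpAddress').'#text'
        Account   = ($Data | Where-Object Name -eq 'TargetUserName').'#text'
    }
} | Group-Object IpAddress | Sort-Object Count -Descending
foreach ($g in $BySource) {
    if ($g.Count -ge $MaxFailures) {
        $Accounts = ($g.Group.Account | Select-Object -Unique) -join ', '
        Write-Warning ("{0} failed logons from {1} in the last {2}h (accounts: {3})" -f
            $g.Count, $g.Name, $WindowHours, $Accounts)
    }
}

# 2. CPU: average three one-second samples of total processor time.
$Cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 3).CounterSamples |
    Measure-Object CookedValue -Average | Select-Object -ExpandProperty Average
if ($Cpu -gt $MaxCpuPercent) { Write-Warning ("CPU at {0:N0}%" -f $Cpu) }

# 3. Free disk space on every fixed drive (the logs and MySQL data from the backup section live here).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $FreeGb = $_.FreeSpace / 1GB
    if ($FreeGb -lt $MinFreeGb) { Write-Warning ("{0} has only {1:N1} GB free" -f $_.DeviceID, $FreeGb) }
}

# 4. Free physical memory (the WMI value is in KB).
$FreeMemMb = (Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory / 1KB
if ($FreeMemMb -lt $MinFreeMemMb) { Write-Warning ("Only {0:N0} MB of memory free" -f $FreeMemMb) }
```

Run it from Task Scheduler and route the warnings to wherever your alerts go; a full log from the Event Logs section is what makes check 1 meaningful.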

Configure your firewall

Getting to know your firewall is very important for your Secure Windows Web Server.  However all firewalls and rules are laid out differently so this next section is intended as a very basic guide only.  Please be sure that you are happy with your firewall and that you have tested it.

If you are using Windows Firewall, check the following:

  1. Launch ‘Windows Firewall with Advanced Security’
  2. Click ‘Inbound Rules’
  3. Carefully read through all these rules and be sure that you want them all enabled
  4. Now scan your server for open ports using a product like: https://www.grc.com/x/ne.dll?bh0bkyd2 or http://mxtoolbox.com/PortScan.aspx

And finally…

Set yourself a recurring diary appointment to check & update your secure windows web server.  This should be at least weekly, before and after a holiday and whenever a security alert is issued.

And that’s it: by now you should have a very secure Windows web server.
