Windows web server checklist
Solution 1:
What we do:
- Put web server in DMZ
- Put web server in a workgroup (not allowed to be on a domain)
- Ensure all security patches are applied
- Minimize services which are running
- Use URLScan. Remove server fingerprint (RemoveServerHeader=1).
- Harden TCP/IP stack
- Apply IPSEC policy to only permit the traffic we want (whitelisting)
- Rename default accounts so they can be targeted by typical scripts/tools.
- Move default directories (InetPub, WWWRoot, etc.)
- Minimize local user accounts.
- All NetBIOS is removed or disabled.
Solution 2:
- Add user accounts for each person that will be administering the computer
- Configure terminal services to allow each user only one concurrent sign on
- Add alternate administration accounts that are only used if runas doesn't serve the purpose for a given user
-Adam
Solution 3:
You may wish to;
- Disable SSL 2 (fix depreciated SSL protocol usage)
- Perform a network vulnerability assessment
If so, I wrote a detailed article on Howto: Disable SSL2 and Weak Ciphers on IIS6 which may be worth taking a look at.
This article takes things from the standpoint of satisfying the security requirements set by the Payment Card Industry but is still relevant to general server hardening.
So now to fix the depreciated SSL protocol usage you should either read said Howto: Disable SSL2 and Weak Ciphers article for step-by-step instructions OR read MS Support Article #187498 and you can use ServerSniff to confirm your modifications have taken effect.
p.s. Indeed you could also use ServerSniff to confirm the modifications mentioned in Scott's reply.
Solution 4:
In addition to the things already mentioned, I disable weak SSL ciphers.
EDIT: I found the step-by-step instructions I wrote a few years ago.
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- Perform steps 4 thru 8 for the following keys: a. Ciphers\DES 56/56 b. Ciphers\RC2 40/128 c. Ciphers\RC4 40/128 d. Ciphers\RC4 56/128 e. Protocols\SSL 2.0\Client f. Protocols\SSL 2.0\Server
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
- Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
- Click OK.
- When you have finished modifying the registry, restart the computer.