Improving Web Application Security: Threats and - CGISecurity


452 Part IV: Securing Your Network, Host, and Application

To audit failed actions across the file system

1. Start Windows Explorer and navigate to the root of the file system.
2. Right-click and then click Properties.
3. Click the Security tab.
4. Click Advanced and then click the Auditing tab.
5. Click Add and then enter Everyone in the Name field.
6. Click OK and then select all of the Failed check boxes to audit all failed events. By default, this applies to the current folder and all subfolders and files.
7. Click OK three times to close all open dialog boxes.

Failed audit events are logged to the Windows security event log.

Relocate and Secure the IIS Log Files

By moving and renaming the IIS log files, you make it much more difficult for an attacker to cover his tracks. The attacker must locate the log files before he or she can alter them. To make an attacker's task more difficult still, use NTFS permissions to secure the log files.

Move and rename the IIS log file directory to a different volume than your Web site. Do not use the system volume. Then, apply the following NTFS permissions to the log files folder and subfolders.

● Administrators: Full Control
● System: Full Control
● Backup Operators: Read

Archive Log Files for Offline Analysis

To facilitate the offline analysis of IIS log files, you can use a script to automate secure removal of log files from an IIS server. Log files should be removed at least every 24 hours. An automated script can use FTP, SMTP, HTTP, or SMB to transfer log files from a server computer. However, if you enable one of these protocols, do so securely so that you do not open any additional attack opportunities. Use an IPSec policy to secure ports and channels.

Audit Access to the Metabase.bin File

Audit all failures by the Everyone group to the IIS metabase.bin file located in \WINNT\System32\inetsrv\. Do the same for the \Metabase backup folder for the backup copies of the metabase.
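The NTFS permissions for the relocated log folder and the failure auditing for Everyone described above, applied from PowerShell instead of the Explorer dialogs, as an added example that is not from the book. It assumes D:\WebLogs as the renamed log folder on a non-system volume, an elevated session (writing a SACL needs SeSecurityPrivilege), and the metabase.bin path under the current %SystemRoot% rather than the book's \WINNT.

```powershell
# Added example (not the book's own script). Run elevated.
$LogDir      = 'D:\WebLogs'                                                # assumption: renamed log folder
$MetabaseBin = Join-Path $env:SystemRoot 'System32\inetsrv\metabase.bin'   # book: \WINNT\System32\inetsrv\

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function Protect-LogFolder([string]$Path) {
    # Replace the DACL with exactly the three entries the book lists.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $entries = @(
        @{ Identity = 'BUILTIN\Administrators';  Rights = 'FullControl' },
        @{ Identity = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl' },
        @{ Identity = 'BUILTIN\Backup Operators'; Rights = 'Read' }
    )
    foreach ($e in $entries) {
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $e.Identity, $e.Rights, $inherit, $propagate, 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Add-FailureAudit([string]$Path, [bool]$IsContainer) {
    # Audit every failed access by Everyone: the equivalent of ticking all
    # "Failed" boxes on the Advanced > Auditing tab. -Audit reads the SACL.
    $sacl  = Get-Acl -Path $Path -Audit
    $flags = if ($IsContainer) { $inherit } else { [System.Security.AccessControl.InheritanceFlags]::None }
    $audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'FullControl', $flags, $propagate, 'Failure'
    $sacl.AddAuditRule($audit)
    Set-Acl -Path $Path -AclObject $sacl
}

Protect-LogFolder -Path $LogDir
Add-FailureAudit  -Path $LogDir      -IsContainer $true
Add-FailureAudit  -Path $MetabaseBin -IsContainer $false

# Object-level SACL entries only reach the Security log when object access
# auditing is enabled in the audit policy, e.g. on current Windows:
#   auditpol /set /subcategory:"File System" /failure:enable
```

Re-run Get-Acl with -Audit afterwards to confirm the explicit ACEs and the Failure audit entry are present on the folder and on metabase.bin.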
