Hardening IP for IIS Servers – Originally Posted Apr 5, 2005

Aahh, the joys of meeting SOX requirements…


 


Tonight, I am having fun whipping together a script to apply to servers to meet SOX audit recommendations. This particular task is to harden IP on all IIS 6.0 servers per KB 324270. I had been tasked with applying changes to IIS 6.0 servers working with others on a team. I volunteered to create the script to handle many of the registry changes required to meet the audit requirements (yeah, I am stupid that way…). They get the joy of testing and deploying the script in production.


 


My first step was to create the script itself. Afterwards, I had the joy of creating the .ini files that I will use in conjunction with regini. The commands in the script are pretty simple once the .ini files are created, and they are pretty simple, too.


 


First the script, a very basic command line script (yes, I sanitized it to protect the innocent, and I also removed many lines and simplified it for ease of understanding):


 


@echo off
CLS

rem Apply IP Hardening registry info
ECHO Implementing IP Hardening registry entries
regini SynAttackProtect.ini
regini EnablePMTUDiscovery.ini
regini EnableDeadGWDetect.ini
regini KeepAliveTime.ini
regini NoNameReleaseOnDemand.ini


 


I created this very simple script (damn, it sure looks easy, doesn’t it?), and then I created the individual .ini files. They are simple text files as follows (note, the italicized text is the content of each file):


 


SynAttackProtect.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        SynAttackProtect = REG_DWORD 0x1


 


EnablePMTUDiscovery.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        EnablePMTUDiscovery = REG_DWORD 0x0


 


EnableDeadGWDetect.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        EnableDeadGWDetect = REG_DWORD 0x0


 


KeepAliveTime.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        KeepAliveTime = REG_DWORD 0x493e0


 


NoNameReleaseOnDemand.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Netbt
                    Parameters
                        NoNameReleaseOnDemand = REG_DWORD 0x1


Yeah, I am done. How are the other team members going to deploy the script?  I am not sure, but I am out of the office for the rest of the week.


A point that I would like to note: I don’t think a script is the best way to deploy these changes. These entries scream for other ways to get them to all of the servers. I gave my recommendation and was outvoted. I am practicing a special “I told you so” dance when they realize that I was right. I think I hurt myself, but I should be healed enough to do the dance when I get back in the office. :)
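
An added example, not part of the original post: Python code that flattens regini text laid out like the files above into full key paths and reports any setting whose live value is missing or different, giving the audit a repeatable check after deployment. The parsing rule (deeper indentation marks a subkey) is an assumption inferred from the files shown here, and `parse_regini`, `drift` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: three of the post's settings in the same indented layout.
SAMPLE = r"""\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        SynAttackProtect = REG_DWORD 0x1
                        KeepAliveTime = REG_DWORD 0x493e0
\Registry\Machine
    System
        CurrentControlSet
            Services
                Netbt
                    Parameters
                        NoNameReleaseOnDemand = REG_DWORD 0x1
"""

VALUE_RE = re.compile(r"^(\w+)\s*=\s*(REG_\w+)\s+(\S+)$")

def parse_regini(text):
    """Flatten indented regini text into {(key_path, value_name): (type, data)}."""
    stack, out = [], {}  # stack holds (indent, key component) for the current path
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        # Assumption: deeper indent means subkey; pop siblings and deeper levels.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        m = VALUE_RE.match(line)
        if m:
            name, typ, data = m.groups()
            path = "\\".join(part for _, part in stack)
            out[(path, name)] = (typ, int(data, 0) if typ == "REG_DWORD" else data)
        else:
            stack.append((indent, line))
    return out

def drift(expected, live):
    """Map each setting whose live data is absent or wrong to (expected, live)."""
    return {k: (v[1], live.get(k)) for k, v in expected.items() if live.get(k) != v[1]}

if __name__ == "__main__":
    expected = parse_regini(SAMPLE)
    print(drift(expected, {}))  # empty live state: every setting reported missing
```

On a server, `live` would be filled from the registry (for example with Python's `winreg` module) using the same `(key_path, value_name)` keys.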
