Website Directory Security


I'm new to web servers and have a question regarding NTFS security on the C drive on my server. The server is purely a web server, so anonymous connections from the Internet require read access etc. No other access for anyone else on our network etc. is required.

Basically my C drive NTFS settings which contain our website under the c:\inetpub, are not using the default permissions.  The everyone group is the only user\group that has access, modify but not full control.

C:\inetpub - locked down to my account & domain admins

C:\inetpub\wwwroot - servername\administrators & "System" account have FULL control, Everyone - Read, List, Read & execute

C:\inetpub\wwwroot\websitename - Including website sub directories & files etc

servername\administrators & "System" account have FULL control, Everyone - Read, List, Read & execute

I'm basically looking to prevent the website from being hacked & de-faced.  Does anyone have any recommendations to tighten my security further or improve it ?
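As an added example (not part of the question or any of the replies), the following script audits the layout described above: it walks the web root and reports every Allow entry that gives a broad or anonymous principal the ability to change content, which is the NTFS condition that lets a defacement stick. It assumes Windows PowerShell 5.1 or later (the Windows 2000 host in the question would not run it), that the script runs locally on the server, and that `C:\inetpub\wwwroot` is the root to check; adjust `$WebRoot` as needed.

```powershell
# Added example, not from the original post: report ACEs under a web root that
# let broad or anonymous principals write, delete or re-permission content.
# Assumes Windows PowerShell 5.1+ running locally; $WebRoot is an assumption.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot'
)

# Principals that should never hold write rights on a read-only web root.
# IUSR / IIS_IUSRS are the anonymous-request identities on current IIS versions.
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\IIS_IUSRS', 'NT AUTHORITY\IUSR')

# Any of these rights allows content to be altered or replaced.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Only Allow entries grant anything; Deny entries restrict.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    return (($Ace.FileSystemRights -band $WriteMask) -ne 0)
}

# Check the root itself plus everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $WebRoot) + @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if (($Broad -contains $who) -and (Test-WriteAce $ace)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false means it was set directly here
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write-capable ACEs for broad principals found under $WebRoot"
}
```

Run it elevated so every subdirectory can be read; an entry with `Inherited = False` on a subdirectory is worth a closer look, because it was set explicitly there rather than flowing down from `wwwroot`. The script only inspects rights that the `FileSystemRights` enumeration names, so raw generic-rights bits (which show up as large numeric values) are not decoded.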


> I'm basically looking to prevent the website from being hacked & de-faced
then the file permissions are not the first place for security, but a good thing to do as second line of defence

first ensure that your firewall drops anything except to your webserver
then check if you have dynamic applications (CGI, asp, whatever), if not disable anything which is related to that
Don't expose IIS to the internet, run an apache reverse proxy in front of it.
Make sure the system is fully patched.
carefully audit and code on your site.
It is relatively easy to keep IIS properly secure.  Don't open any extra ports, set the admin site to only operate on loopback IP, keep fully patched (weekly), do not allow anonymous FTP connections or HTTP directory browsing, only enable the minimum script/execute permissions necessary, and consider using one account per website so that if an account is compromised it only affects a single site (or directory if you do it that far down).
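One way to carry out the "one account per website" advice above at the NTFS layer, as an added example that is not from any of the commenters: reset a single site directory so that only the administrative principals and one dedicated service account can reach it, and drop the broad Everyone grant the question describes. It assumes an elevated Windows PowerShell session, that `icacls` is available, and that `MYDOMAIN\svc_websitename` is the identity IIS uses to serve that site (anonymous user or application pool identity); both the site path and the account name are placeholders.

```powershell
# Added example, not from the original thread: confine one site directory to
# Administrators, SYSTEM and a single per-site service account.
# Assumes an elevated session; $SiteRoot and $SiteAccount are placeholders.
param(
    [string]$SiteRoot    = 'C:\inetpub\wwwroot\websitename',
    [string]$SiteAccount = 'MYDOMAIN\svc_websitename'   # assumed per-site identity
)

if (-not (Test-Path -LiteralPath $SiteRoot -PathType Container)) {
    throw "Site root '$SiteRoot' does not exist"
}

# Save the current ACLs first so the change can be reverted.
$backup = Join-Path $env:TEMP ('acl-backup-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
& icacls $SiteRoot /save $backup /T /C | Out-Null

# On the site root only:
#   /inheritance:r  stop inheriting ACEs from wwwroot / inetpub / the drive
#   /grant:r        replace any existing grant for each listed principal
#   (OI)(CI)        make the grant flow to files and subfolders
#   F = full control, RX = read and execute (enough to serve content)
& icacls $SiteRoot /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
             'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             "${SiteAccount}:(OI)(CI)RX"

# Explicit Everyone entries on the root survive /inheritance:r, so remove them.
& icacls $SiteRoot /remove:g 'Everyone'

# Reset every child so it carries only what it now inherits from the site root;
# this clears any stray explicit grants set directly on files or subfolders.
Get-ChildItem -LiteralPath $SiteRoot -Force | ForEach-Object {
    & icacls $_.FullName /reset /T /C | Out-Null
}

# Show the result for review.
& icacls $SiteRoot
"ACL backup: $backup  (restore from the parent directory with: icacls `"$(Split-Path $SiteRoot)`" /restore `"$backup`")"
```

The service account gets read and execute only, which is what a static site needs; if a site requires a writable upload or log directory, grant that one folder separately rather than widening the root. Because the root no longer inherits from `wwwroot`, whatever was granted higher up (including the Everyone read entry on `wwwroot`) no longer applies inside the site, so make sure the account named here really is the identity IIS runs the site as, or requests will start failing with 401/403 responses.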

>  It is relatively easy to keep IIS properly secure.
are you joking? or what is *your* definition of IIS?
probably someone checks the well known list like and before giving such statements (beside another definition of IIS;-)
My statement is based on facts and experience.  I have been running over 200 IIS servers connected to the net for clients and in the last 7 years I have not had one that has been hacked.  I also have had a few linux servers in that same time period and ALL of them have gotten hacked at least once.  I'm sure the reason that the linux servers have been hacked is because of how difficult linux can be to manage and keep patched.  

I certainly will not argue that there are lots of hacked IIS servers out there because there certainly are, but EVERY time I have seen a hacked Microsoft server I have traced the hacking back to either poor firewall implementation, unpatched servers, or loose permissions.  If you practice good management techniques you can reduce your chances of being hacked to almost zero.  On the other hand, if you are sloppy it doesn't matter what OS you use, you will get hacked.
you would have said:
   s/based on facts and experience/based on facts of my very personal experience/
would you ;-)
> if you are sloppy it doesn't matter what OS you use, you will get hacked
agreed. But I was asking about IIS not the OS (well which is inherently the same depending on the definition of IIS:).
stevendunne Author Commented:
Only ports 80 & 21 are open on my firewall to the server.  I've also got Intrusion prevention on my firewall to help protect me against malicious attacks over port 80 & 21 etc.  My OS which is 2000 is fully patched, I've run MBSA and no critical patches for the OS or IIS are missing.  My default website (home directory) is setup to read and not write in IIS.

Other than this, the actual NTFS permissions on my C drive I'm not fully 100% sure about.  If I've done all the above, can I be hacked with poor NTFS permissions?  If so, looking at my config I posted earlier, what improvements can I make?

>  I've also got Intrusion prevention on my firewall to help protect me against malicious attacks over port 80 & 21 etc.
i.g. this will not help much. Or do you have a true web application firewall installed?

>  I can be hacked with poor NTFS permissions.
what do you mean about that?
if there is only access through IIS (21, 80), then an attacker needs to compromise your application IIS first, then IIS. If you only serve static pages then IIS is the application itself and you have to ensure that nothing gets through (XSS, SQL-Injection, NULL.printer exploit, ?wsdl etc. etc. etc. etc.)
A fully patched IIS does not protect you anyhow against these attacks.
Probably you also install and run URLScan and LOCKdown, see

If someone gets through IIS down to your filesystem then NTFS permissions apply, that's what I already said in my first comment.

BTW, get rid of ftp, it's insecure and hence obsolete. Use ssh/scp/sftp instead.

stevendunne Author Commented:
Sorry, I meant to say: if I've done all the above, can I still be exploited with poorly configured NTFS permissions on my C drive & inetpub & website folders?  At the moment the inetpub & website directories are only allowing the everyone group "read" access.

The Intrusion prevention service does help, although I'm not saying it's 100% bullet proof, nothing is.  It helps protect against some 1900 different attacks (worms, trojans etc.) overall, ranging from IIS, FTP, SQL etc.
> .. protect against some 1900 different attacks ..
does it protect against for example:
or some of the countless XSS- or SQL-attacks (you can't stop them with a blacklist, believe me)
does it protect POST requests?
I'd switch off ftp.

Tim Holman Commented: