By: Ehsan Omidvar
ehsan_omidvar@mail.com
Secure Telnet Server
If you plan to use the Telnet server included with Windows 2000, you should consider restricting the users who can access the service. To do this, perform the following steps:
1. Open the Local Users And Groups tool.
2. Right-click the Group node, and choose New Group from the context menu.
3. Enter TelnetClients in the Group name box.
4. Click Add, and add the users who are to have telnet access to the computer.
5. Click Create and then Close.
When the TelnetClients group exists, the Telnet service will allow only those users defined in the group to have access to the server.
Review, Update, and Deploy the Provided Hisecweb.inf Security Template
Microsoft has included a security template, named Hisecweb.inf, as a baseline applicable to most secure Web sites. The template configures basic Windows 2000 systemwide policy.
Hisecweb.inf can be downloaded from:
http://support.microsoft.com/support...asp?id=Q316347
Perform these steps to use the template:
1. Copy the template to the %windir%\security\templates directory.
2. Open the Security Templates tool, and look over the settings.
3. Open the Security Configuration And Analysis tool, and load the template.
4. Right-click the Security Configuration And Analysis tool, and choose Analyze Computer Now from the context menu.
5. Wait for the work to complete.
6. Review the findings, and update the template as necessary.
Once you're happy with the template, right-click the Security Configuration And Analysis tool and choose Configure Computer Now from the context menu.
Disable or Remove All Sample Applications
Samples are just that: samples. They are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost (127.0.0.1); however, they should still be removed.
Sample             Virtual Directory   Location
IIS Samples        \IISSamples         c:\inetpub\iissamples
IIS Documentation  \IISHelp            c:\winnt\help\iishelp
Data Access        \MSADC              c:\program files\common files\system\msadc
* Be aware that the MSADC scripts can give an attacker a way to gain access to your system, so be sure to remove them.
Disable or Remove Unneeded COM Components
The following command will disable File System Object:
regsvr32 scrrun.dll /u
Remove the IISADMPWD Virtual Directory
This directory allows you to reset Windows NT and Windows 2000 passwords. It's designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web.
Disable Parent Paths
The Parent Paths option allows you to use ".." in calls to functions such as MapPath. By default, this option is enabled, and you should disable it. Follow this procedure to disable the option:
1. Right-click the root of the Web site, and choose Properties from the context menu.
2. Click the Home Directory tab.
3. Click Configuration.
4. Click the App Options tab.
5. Uncheck the Enable Parent Paths check box.
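Why Parent Paths matter is easiest to see with a small model of what MapPath does with ".." segments. The following Python is an added example (not code from the original article or from IIS): it resolves a virtual path against a web root the way MapPath would, once with parent paths honoured (the IIS 5 default) and once with them rejected, and checks whether the result stays under the web root. The root c:\inetpub\wwwroot\myserver follows the article's own layout; the virtual path /../../private/config.txt and the function names are constructed for the example.

```python
import ntpath

# Constructed example web root, following the article's c:\inetpub\wwwroot\myserver layout.
WEB_ROOT = r"c:\inetpub\wwwroot\myserver"


def map_path(virtual_path, web_root=WEB_ROOT, enable_parent_paths=False):
    """Model of Server.MapPath: turn a virtual path into a physical path under web_root.

    enable_parent_paths=True honours '..' segments, which is the IIS 5 default.
    enable_parent_paths=False rejects any '..' segment, which is the behaviour
    the "Disable Parent Paths" setting gives you.
    """
    segments = [s for s in virtual_path.replace("\\", "/").split("/") if s]
    if not enable_parent_paths and ".." in segments:
        raise ValueError("parent path segment '..' is not allowed: %s" % virtual_path)
    # ntpath is used so Windows-style paths resolve the same way on any OS.
    return ntpath.normpath(ntpath.join(web_root, *segments))


def is_inside_root(physical_path, web_root=WEB_ROOT):
    """True if physical_path lies under web_root (compared case-insensitively, as NTFS does)."""
    root = ntpath.normpath(web_root).lower().rstrip("\\") + "\\"
    candidate = ntpath.normpath(physical_path).lower() + "\\"
    return candidate.startswith(root)


def demo():
    """Resolve the same '..'-bearing virtual path with both settings and report the outcome."""
    escaping = "/../../private/config.txt"  # constructed path that climbs above the web root
    with_parent_paths = map_path(escaping, enable_parent_paths=True)
    results = {
        "enabled": with_parent_paths,
        "enabled_inside_root": is_inside_root(with_parent_paths),
    }
    try:
        map_path(escaping, enable_parent_paths=False)
        results["disabled"] = "resolved"
    except ValueError:
        results["disabled"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

With parent paths enabled the constructed path resolves to c:\inetpub\private\config.txt, which is outside the web root; with the option disabled the same request is refused before any path is built. The is_inside_root check is a second, independent guard an application can apply to any physical path it is about to open.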
Set Appropriate IIS Log File ACLs
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
Administrators (Full Control)
System (Full Control)
Everyone (RWC)
This helps prevent malicious users from deleting the files to cover their tracks.
Remove Dangerous Script Mappings
If you don't use the following script types, remove their mappings:
Script Type                  Mapping
Web-based password reset     .htr
Internet Database Connector  .idc
Server-Side Includes         .stm, .shtml, .shtm
Internet Printing            .printer
Index Server                 .ida, .idq, .hta
Microsoft IIS is preconfigured to support common filename extensions, such as .asp and .shtm. When IIS receives a request for a file of one of these types, the request is handled by a DLL. If you do not require any of these extensions or the functionality behind them, remove the mappings.
To remove unused file type mappings:
1. Open Internet Services Manager.
2. Right-click the Web server, and choose Properties from the context menu.
3. In Master Properties, select WWW Service and click Edit.
4. On the Home Directory tab, click Configuration.
5. Remove the following mappings for functionality that is not needed:
* Web-based password reset: .htr
* Internet Database Connector: .idc (all IIS 5 Web sites should use ADO or similar technology)
* Server-Side Includes: .stm, .shtm and .shtml
* Internet Printing: .printer
* Index Server: .htw, .ida and .idq
About the .ida Overflow:
As part of its installation process, IIS installs several ISAPI extensions - .dlls that provide extended functionality. Among these is idq.dll, which is a component of Index Server (known in Windows 2000 as Indexing Service) and provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files).
A security vulnerability exists in idq.dll. This DLL contains an unchecked buffer in a section of code that handles input URLs. An attacker who could establish a web session with a server on which idq.dll is installed could conduct a buffer-overrun attack and execute code on the web server. Idq.dll runs in the System context, so exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it.
The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present and the attacker were able to establish a web session, he could exploit the vulnerability.
Clearly, this is a serious vulnerability, and Microsoft urges all customers to take action immediately. Customers who cannot install the patch can protect their systems by removing the script mappings for .idq and .ida files via the Internet Services Manager in IIS.
Patch for the .ida Overflow:
* Windows NT 4.0:
http://www.microsoft.com/Downloads/R...eleaseID=30833
* Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/R...eleaseID=30800
About the .printer Overflow:
The Windows 2000 Internet Printing ISAPI extension, msw3prt.dll, handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approximately 420 bytes in the Host: field will allow the execution of arbitrary code. Typically a Web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive Web server it automatically restarts it. Therefore, the administrator will be unaware of this attack.
Patch for the .printer Overflow:
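Once the mappings listed above are removed, any request that still asks for one of those extensions is worth noticing, and the .printer case shows that the overflow leaves only a short-lived sign (a restart) on the server itself, so the Web log is where it has to be caught. The following Python is an added example, not part of the original article or of IIS: it parses W3C extended log lines, flags requests whose path ends in one of the script mappings the article recommends removing, and flags oversized query strings or Host values. The log lines are constructed sample data, the cs(Host) field is assumed to be enabled in the site's logging properties, and the 256-byte size threshold is an assumption chosen for the example.

```python
import re

# Script mappings the article says to remove when unused. Requests for them on a
# hardened server deserve a look regardless of which handler once served them.
RISKY_EXTENSIONS = {".htr", ".idc", ".stm", ".shtm", ".shtml", ".printer",
                    ".ida", ".idq", ".htw", ".hta"}
# Assumed threshold: a query string or Host value longer than this is reported as
# oversized (the .printer issue above involves roughly 420 bytes in Host:).
OVERSIZE = 256


def parse_w3c_log(text):
    """Parse W3C extended log text into (line_number, {field: value}) records.

    The #Fields: directive names the columns; values are space separated and
    IIS writes '-' for an empty field.
    """
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data at line %d precedes any #Fields: directive" % lineno)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("line %d has %d values for %d fields" % (lineno, len(values), len(fields)))
        records.append((lineno, dict(zip(fields, values))))
    return records


def extension_of(uri_stem):
    """Lower-cased extension of the request path, or '' if there is none."""
    match = re.search(r"\.[A-Za-z0-9]+$", uri_stem)
    return match.group(0).lower() if match else ""


def find_suspicious(text):
    """Return (line_number, client_ip, uri_stem, reasons) for each request worth reviewing."""
    findings = []
    for lineno, rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "-")
        reasons = []
        ext = extension_of(stem)
        if ext in RISKY_EXTENSIONS:
            reasons.append("request for risky script mapping %s" % ext)
        query = rec.get("cs-uri-query", "-")
        if query != "-" and len(query) > OVERSIZE:
            reasons.append("oversized query string (%d bytes)" % len(query))
        host = rec.get("cs(Host)", "-")
        if host != "-" and len(host) > OVERSIZE:
            reasons.append("oversized Host header (%d bytes)" % len(host))
        if reasons:
            findings.append((lineno, rec.get("c-ip", "-"), stem, "; ".join(reasons)))
    return findings


# Constructed sample log, not real traffic. cs(Host) is an optional field that
# only appears when it has been enabled in the site's logging properties.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Host)",
    "2001-08-01 10:00:01 10.0.0.5 GET /script/default.asp - 200 www.example.test",
    "2001-08-01 10:00:02 10.0.0.5 GET /images/logo.gif - 200 www.example.test",
    "2001-08-01 10:00:03 10.0.0.9 GET /default.ida " + "X" * 300 + " 200 www.example.test",
    "2001-08-01 10:00:04 10.0.0.9 GET /test.printer - 500 " + "A" * 420,
    "2001-08-01 10:00:05 10.0.0.7 GET /iisadmpwd/change.htr - 404 www.example.test",
])

if __name__ == "__main__":
    for lineno, ip, stem, reasons in find_suspicious(SAMPLE_LOG):
        print("line %d from %s %s: %s" % (lineno, ip, stem, reasons))
```

Run against the sample, the three flagged lines are the .ida request with a 300-byte query, the .printer request with a 420-byte Host value, and the .htr request under the IISADMPWD directory the article says to remove. A 404 on the last one is the expected outcome on a hardened server, but the client address is still useful to watch.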
http://download.microsoft.com/downlo...SP2_x86_en.EXE
Patch for the .htr Overflow:
Internet Information Server 4.0:
http://www.microsoft.com/Downloads/R...eleaseID=20905
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q321599.
Internet Information Server 5.0:
http://www.microsoft.com/Downloads/R...eleaseID=20903
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q321599.
To verify the individual files, use the date/time and version information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q321599\Filelist
Set Appropriate ACLs on Virtual Directories
Although this procedure is somewhat application-dependent, some rules of thumb apply, as described in Table F-1.
File Type                                  Access Control Lists
CGI (.exe, .dll, .cmd, .pl)                Everyone (X), Administrators (Full Control)
Script files (.asp)                        Everyone (X), Administrators (Full Control)
Include files (.inc, .shtm, .shtml)        Everyone (X), Administrators (Full Control)
Static content (.txt, .gif, .jpg, .html)   Everyone (R), Administrators (Full Control)
Table F-1. Recommended default ACLs by file type.
Rather than setting ACLs on each file, you're better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this:
c:\inetpub\wwwroot\myserver\static (.html)
c:\inetpub\wwwroot\myserver\include (.inc)
c:\inetpub\wwwroot\myserver\script (.asp)
c:\inetpub\wwwroot\myserver\executable (.dll)
c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
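Inheriting ACLs from a per-type directory only protects a file if the file actually lives in the directory meant for its type: an .asp page dropped into static\ inherits Everyone (R) and becomes downloadable as source, while an .exe under images\ inherits read rather than execute. The following Python is an added example, not code from the original article: it checks a list of site-relative file paths against the directory layout and Table F-1 ACLs above and reports every file that sits outside its typed directory. The directory names and ACL strings restate the article's; the sample file list and the function names are constructed for the example.

```python
import ntpath

# Directory-per-file-type policy from the article's example layout. Each entry is
# (extensions allowed in that directory, the ACL the directory carries so that
# files inherit it). Directory names are the article's; ACLs restate Table F-1.
POLICY = {
    "static":     ({".html", ".htm", ".txt"},       "Everyone (R), Administrators (Full Control)"),
    "include":    ({".inc"},                         "Everyone (X), Administrators (Full Control)"),
    "script":     ({".asp"},                         "Everyone (X), Administrators (Full Control)"),
    "executable": ({".dll", ".exe", ".cmd", ".pl"},  "Everyone (X), Administrators (Full Control)"),
    "images":     ({".gif", ".jpeg", ".jpg"},        "Everyone (R), Administrators (Full Control)"),
}


def expected_directory(extension):
    """Return the directory whose policy admits this extension, or None if no directory does."""
    for directory, (extensions, _acl) in POLICY.items():
        if extension in extensions:
            return directory
    return None


def audit(relative_paths):
    """Check site-relative file paths against POLICY.

    Returns a list of (path, problem) for files that are not in their typed
    directory and would therefore inherit the wrong ACL.
    """
    problems = []
    for path in relative_paths:
        parts = ntpath.normpath(path).split("\\")
        extension = ntpath.splitext(parts[-1])[1].lower()
        top = parts[0] if len(parts) > 1 else None
        should_be = expected_directory(extension)
        hint = "; move to %s\\" % should_be if should_be else ""
        if top is None:
            problems.append((path, "file sits in the site root, outside any typed directory" + hint))
        elif top not in POLICY:
            problems.append((path, "directory %s\\ has no ACL policy" % top + hint))
        elif extension not in POLICY[top][0]:
            problems.append((path, "extension %s does not belong in %s\\ (%s)%s" % (
                extension or "(none)", top, POLICY[top][1], hint)))
    return problems


# Constructed sample file list for the example (site-relative, Windows separators).
SAMPLE_FILES = [
    r"static\index.html",
    r"script\login.asp",
    r"include\header.inc",
    r"static\old_login.asp",   # script under a read-only directory: readable as source
    r"images\uploader.exe",    # executable under an image directory: inherits R, not X
    r"default.htm",            # file in the site root, covered by no directory ACL
    r"tmp\notes.txt",          # directory the policy does not know about
]

if __name__ == "__main__":
    for path, problem in audit(SAMPLE_FILES):
        print("%s: %s" % (path, problem))
```

The audit is deliberately independent of the filesystem so it can run against a directory listing exported from the server; feeding it the output of a recursive listing of the site root is the intended use.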
Also, be aware that two directories need special attention:
c:\inetpub\ftproot (FTP server)
c:\inetpub\mailroot (SMTP server)
The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
Microsoft has also released two security tools for IIS: the IIS LockDown Tool and URLScan.
Download URLScan :
http://microsoft.com/downloads/detai...displaylang=en
Download IIS LockDown :
http://www.microsoft.com/downloads/r...eleaseID=43955