Hardening IP for IIS Servers - Original Posted Apr 5, 2005

Aahh, the joys of meeting SOX requirements…

Tonight, I am having fun whipping together a script to apply to servers to meet SOX audit recommendations. This particular task is to harden IP on all IIS 6.0 servers per KB 324270. I had been tasked with applying changes to IIS 6.0 servers, working with others on a team. I volunteered to create the script to handle many of the registry changes required to meet the audit requirements (yeah, I am stupid that way…). They get the joy of testing and deploying the script in production.

My first step was to create the script itself. Afterwards, I had the joy of creating the .ini files that I use in conjunction with regini. The commands in the script are pretty simple once the .ini files are created, and the .ini files themselves are pretty simple, too.

First the script, a very basic command-line script (yes, I sanitized it to protect the innocent, and I also removed many lines and simplified it for ease of understanding):

@echo off
CLS

rem Apply IP Hardening registry info
ECHO Implementing IP Hardening registry entries
regini SynAttackProtect.ini
regini EnablePMTUDiscovery.ini
regini EnableDeadGWDetect.ini
regini KeepAliveTime.ini
regini NoNameReleaseOnDemand.ini

I created this very simple script (damn, it sure looks easy, doesn't it?), and then I created the individual .ini files. They are simple text files as follows (note: the indented text under each filename is the content of that file; regini reads the indentation as the key nesting):

SynAttackProtect.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        SynAttackProtect = REG_DWORD 0x1

EnablePMTUDiscovery.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        EnablePMTUDiscovery = REG_DWORD 0x0

EnableDeadGWDetect.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        EnableDeadGWDetect = REG_DWORD 0x0

KeepAliveTime.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Tcpip
                    Parameters
                        KeepAliveTime = REG_DWORD 0x493e0

NoNameReleaseOnDemand.ini

\Registry\Machine
    System
        CurrentControlSet
            Services
                Netbt
                    Parameters
                        NoNameReleaseOnDemand = REG_DWORD 0x1

Yeah, I am done. How are the other team members going to deploy the script? I am not sure, but I am out of the office for the rest of the week.
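Whoever deploys the script will want a way to confirm each server actually ended up with the five values the .ini files above write. The audit below is an added example, not part of the original post or the team's script: it reads the same keys back, compares them with the values from the .ini files, and can re-apply any that are missing or wrong. It assumes Windows PowerShell 3.0 or later (which did not exist in 2005) in an elevated session on the server being checked; the function and variable names are mine. Two things worth knowing while testing: the batch script calls regini with bare filenames, so it has to be run from the directory holding the .ini files, and these parameters are documented for the Windows 2000/2003 TCP/IP stack that KB 324270 targets, so on later Windows versions this audit reports registry state rather than guaranteed stack behaviour.

```powershell
# Added example, not from the original post: audit (and optionally re-apply) the
# five KB 324270 values that the post's regini .ini files write.
# Assumptions: Windows PowerShell 3.0+, elevated session on the server being checked.
# Function and variable names below are my own, not anything from the post.

# Expected state, copied from the .ini files in the post.
$ExpectedValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'SynAttackProtect';      Value = 0x1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnablePMTUDiscovery';  Value = 0x0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnableDeadGWDetect';   Value = 0x0 }
    # 0x493e0 = 300000 ms, i.e. a 5 minute keep-alive instead of the 2 hour default
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'KeepAliveTime';        Value = 0x493e0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'NoNameReleaseOnDemand'; Value = 0x1 }
)

function Test-IpHardening {
    [CmdletBinding()]
    param(
        # Re-apply any value that is missing or wrong instead of only reporting it.
        [switch]$Fix
    )

    foreach ($e in $ExpectedValues) {
        $actual = $null
        $props = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $props) { $actual = [int]$props.($e.Name) }

        $compliant = ($null -ne $actual) -and ($actual -eq $e.Value)

        if (-not $compliant -and $Fix) {
            # -Force overwrites a wrong value; a missing value is created. Forcing DWord keeps
            # the type identical to what regini wrote, so later audits compare like with like.
            New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
            $actual    = $e.Value
            $compliant = $true
        }

        $actualText = if ($null -eq $actual) { '<missing>' } else { '0x{0:x}' -f $actual }

        [pscustomobject]@{
            Key       = $e.Path
            Name      = $e.Name
            Expected  = '0x{0:x}' -f $e.Value
            Actual    = $actualText
            Compliant = $compliant
        }
    }
}

# Audit only (add -Fix to remediate). One row per value, plus a non-zero exit code
# so a deployment job or scheduled check can flag a server that has drifted.
$results = Test-IpHardening
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
```

Run it once before the regini script to capture the baseline, and once after to confirm the change; the "Actual" column showing `<missing>` after deployment usually means regini was started from the wrong working directory and never found its .ini file. Because the check only reads HKLM, it can also be pointed at a whole set of servers with Invoke-Command without granting anything beyond read access until you decide to use -Fix.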

A point I would like to note: I don't think a script is the best way to deploy these changes. These entries scream for other ways to get them to all of the servers. I gave my recommendation and was outvoted. I am practicing a special "I told you so" dance for when they realize that I was right. I think I hurt myself, but I should be healed enough to do the dance when I get back in the office. :)

Published Fri, Aug 5 2005 12:59 by cluster