PHP has grown from a set of tools that get web sites up and working fast to one of the most popular languages for web site development. The following are some recommendations for hardening web servers that use or support PHP.
Microsoft Internet Information Services (IIS) is an HTTP server that provides web application infrastructure for most versions of Windows.
In versions of IIS prior to 6.0, the server was not “locked down” by default. This open configuration, although flexible, was not very secure: many unnecessary services were enabled by default. As threats to the server have increased, so too has the need to harden it. In these older versions of IIS, hardening the server is a manual process and often difficult to get right.
With IIS 6.0, administrators have more control over how, when, and what gets installed when setting up the IIS server. Unlike previous versions, an out-of-the-box installation results in an IIS server that accepts requests only for static files until it is explicitly configured to handle web applications; server timeouts and other security policy settings are also configured aggressively by default.
Microsoft also provides a Security Configuration Wizard (SCW) that helps administrators through the configuration of the web server’s security policy.
Make sure that the system on which IIS is installed is a secured and hardened Windows environment. Additionally, make sure the server is configured to discourage Internet surfing and email use.
Web site resources, HTML files, images, CSS, and so on should be located on a nonsystem file partition.
The Parent Paths setting should be disabled.
Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts should all be disabled or removed.
The MSADC virtual directory should be secured or removed.
Include directories should not have Read Web permission.
No directories should allow anonymous access.
Only allow Script access when SSL is enabled.
Only allow Write access to a folder when SSL is enabled.
Disable FrontPage extensions (FPSE).
Disable WebDAV.
Map all extensions not used by the IIS applications to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer, and so on).
Disable all unnecessary ISAPI filters.
Access to IIS metabase (%systemroot%\system32\inetsrv\metabase.bin) should be restricted via NTFS file permissions.
IIS banner information should be restricted. (Disclosure of the server’s IP address in the Content-Location header should be disabled.)
Make sure certificates are valid, up to date, and have not been revoked.
Use certificates appropriately. (For example, do not use web certificates for email.)
Protect resources with HttpForbiddenHandler.
Remove unused HttpModules.
Disable tracing (Machine.config).
Disable Debug Compilation (Machine.config).
Enable Code Access Security.
Remove All Permissions from the local Intranet Zone.
Remove All Permissions from the Internet Zone.
Run the IISLockdown tool from Microsoft.
Filter HTTP requests using URLScan.
Secure or disable remote administration of the server.
Set a low session timeout (15 minutes).
Set account lockouts.
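As an added example (not code from the original article), the following Python script audits an ASP.NET Machine.config or web.config for four of the items above: tracing, debug compilation, HttpForbiddenHandler coverage for source and configuration files, and HttpModules the application does not need. The sample configuration, the extension list and the list of unneeded modules are constructed for illustration and should be adjusted to the application being reviewed.

```python
"""Audit an ASP.NET Machine.config or web.config for four checklist items:
debug compilation, tracing, HttpForbiddenHandler coverage and HttpModules.
The sample config and the two sets below are constructed for this example."""
import xml.etree.ElementTree as ET

# Extensions that should be served by HttpForbiddenHandler (assumed list).
SENSITIVE_EXTS = {"*.config", "*.cs", "*.vb", "*.resx", "*.asax", "*.inc"}
# Modules this hypothetical application does not need (assumed list).
UNNEEDED_MODULES = {"WindowsAuthentication", "PassportAuthentication"}

# Constructed sample: deliberately left in a development-style state.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
    <httpModules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
    </httpModules>
  </system.web>
</configuration>"""


def audit_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('debug compilation enabled: set <compilation debug="false">')
    trace = web.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('tracing enabled: set <trace enabled="false">')
    # Collect every path already routed to HttpForbiddenHandler.
    forbidden = {h.get("path") for h in web.findall("httpHandlers/add")
                 if "HttpForbiddenHandler" in (h.get("type") or "")}
    for ext in sorted(SENSITIVE_EXTS - forbidden):
        findings.append(f"{ext} is not mapped to HttpForbiddenHandler")
    for mod in web.findall("httpModules/add"):
        if mod.get("name") in UNNEEDED_MODULES:
            findings.append(f"unused HttpModule registered: {mod.get('name')}")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` on the constructed sample reports seven findings; the same function returns an empty list for a configuration that has every item corrected.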