Chapter 21
Implementing Security for Microsoft IIS 5.0
Microsoft Internet Information Services (IIS) 5.0 is included with the Microsoft Windows 2000 operating system. IIS provides you with the ability to host Web and FTP sites on a Windows 2000 server. When implementing a Web server or an FTP server, you must install the latest service packs and security patches to ensure your server is protected. In addition, you must implement measures to increase the baseline security of the Web server. The measures you can take to secure IIS include the following:
The Web or FTP server you deploy must run on a Windows 2000 server that is properly configured for security. You must configure user accounts, the file system, and the registry to implement the baseline security required for Internet services.
The Internet Services Manager console allows you to implement an IIS-specific security configuration to ensure that the maximum level of security is implemented for your Web server. This includes defining authentication and Web site permissions and securing communication channels.
Microsoft provides two tools that you can use to configure the security of an IIS server. The IIS Lockdown tool and the URLScan filter increase IIS server security by removing or disabling unnecessary services, restricting which scripts are allowed to execute, and removing unnecessary IIS server components.
If you implement an FTP server, you must configure IIS to increase FTP service security. This includes limiting authentication to anonymous access and configuring an FTP folder structure to reduce attacks against the disk system.