Chapter 11: Locking Down Windows, Internet Information Services, and .NET
|
Overview
Key concepts in this chapter are:
-
Locking down a Windows client
-
Locking down a Windows server
-
Locking down Internet Information Services
-
Locking down .NET
Now that you’re writing hack-resistant code and using encryption, role- based security, and other secure features, let’s turn our attention to the platform on which your applications are installed. This chapter discusses how to make sure Microsoft Windows, Internet Information Services (IIS), and .NET are secured. In security terms, this is known as locking down the platform. Locking down Windows, IIS, and .NET means restricting access to the services your application uses and making configuration changes to turn off services that are not used. The reason you have to lock down the platform is because the platform is capable of being secure, but the default installation is not secure.
In the early 1990s, locking down the platform was simple because Windows didn’t do much beyond providing common printer drivers, a flat memory model, and a graphical solitaire game. Ten years later, Windows has evolved to do a lot more, including hosting Internet applications; providing dynamic indexing; managing domains, file serving, and print serving; and much more. Curiously, it still ships with the same solitaire game, which remains a favorite activity with bored office workers. Since the launch of Windows 95, with each release, the platform has become more and more connected. For example, Windows XP can host Web sites, act as a file transfer protocol (FTP) server, and use the Internet to order photograph prints, download updates, and synchronize the computer’s clock. This increased functionality also opens the possibility for intruders to attack using these features. A big part of locking down Windows is turning off unnecessary features, reducing the ways people can attack the system. As mentioned in earlier chapters, this is known as reducing the attack surface.
|
