Internet Information Services (IIS) is one of the most popular solutions for private and commercial Web servers on the Internet today. Because of its popularity, and the overall prevalence of Windows-based machines on the Internet, IIS has become a favorite target of hackers and virus/worm authors. One of the major goals of Microsoft's Secure Computing Initiative was to improve the security of Microsoft software in three areas: by default, by design, and by deployment. IIS 6.0, the version of the Web server software that's bundled with Windows Server 2003, is one of the first major services to reflect this initiative. As opposed to previous releases of the server operating system, where IIS was turned on by default, an administrator now needs to install and enable IIS on a Windows Server 2003 machine, and manually enable support for technologies such as Active Server Pages (ASP) and the Network News Transfer Protocol (NNTP). In this chapter, we'll look at the steps needed to create a secure IIS deployment for your enterprise network.
The first major topic that we'll discuss is user authentication within IIS. Gone are the days when the majority of Web servers provided nothing but static content, where users were content to browse information anonymously and go merrily on their way. Improvements in e-commerce, customized Web content, and the like have increased expectations for an interactive Web experience, and this kind of expectation requires some level of user authentication to protect users' privacy and personal information. We'll look at the various types of authentication offered by IIS 6.0, including certificate authentication, integrated Windows logons, and RADIUS authentication using Internet Authentication Server, or IAS.
Once you've decided on a user authentication scheme, you can focus on other aspects of securing IIS. We'll finish this chapter with a discussion of some common attack vulnerabilities for Web servers in general and IIS servers in particular, and then move on to finding ways to address these concerns for a single server or a large server farm. Some of these steps include ways to harden the IIS installation itself, as well as designing an effective monitoring scheme so that any potential security incidents will be noticed and responded to in a timely fashion. We'll close with some thoughts on securing the process of actually updating Web content itself, to guard against the public embarrassment of Web defacement or inadvertent information disclosure. Windows Server 2003 offers an array of options for securing its Web server software; your job as a security administrator and MCSE candidate is to use these options to design a secure IIS deployment for your enterprise network.