IIS 6.0 implements a worker process model to handle Web requests. This differs from the IIS 5.0 isolation model. Each worker process runs as an instance of W3wp.exe and belongs to an application pool, and the application pool manages the resources of the Web site. HTTP.Sys is the new kernel-mode driver that receives the incoming Web requests.
Certificate authentication is supported by the IIS 6.0 SSL implementation. The certificate details need to be verified against a Windows account; this verification process is referred to as mapping. There are three mapping mechanisms available in IIS 6.0: Directory Service, one-to-one, and many-to-one. Directory Service mapping is a native Active Directory mapping that supports internal authentication for a large enterprise. One-to-one mapping matches the exact certificate details presented by the client browser against the server certificate; they need to match precisely to authenticate, so this only suits a small set of users. The many-to-one implementation is more flexible: partial criteria are matched using custom rules, which makes many-to-one more popular than the previous two.
There are several Windows logon authentication mechanisms supported by IIS 6.0: anonymous authentication, basic authentication, digest authentication, and Windows integrated authentication. The default is Windows integrated authentication. Anonymous authentication impersonates each user with the IUSR_ComputerName account when directing Web requests to IIS 6.0. Basic authentication needs to be wrapped in SSL, since it transmits credentials in clear text. Digest authentication is implemented with the help of Active Directory in the enterprise.
An enterprise implements several remote networks in the current climate. They need to support remote dial-up Internet, VPN, and wireless access for employees and their business partners. The Remote Authentication Dial-In User Service (RADIUS) protocol defines a single sign-on mechanism to authenticate users to the enterprise. The RADIUS implementation in Windows Server 2003 is referred to as Internet Authentication Service (IAS). IAS can act either as a proxy or as an authentication server to meet the enterprise's remote access needs.
Designing security for IIS servers can be a complex and tedious task because of the flexibility of Internet, intranet, and extranet sites. Windows Server 2003 comes with Internet Connection Firewall (ICF) to serve small to medium-sized organizations. It also installs IIS 6.0 in a locked-down state, so we need to enable the appropriate Web Service Extensions for the enterprise. We can also implement SSL, TLS, and the Point-to-Point Tunneling Protocol to secure FTP, NNTP, and SMTP virtual servers.
We need to design a monitoring strategy to support the IIS 6.0 authentication options. We can use event logs, IIS logs, security auditing, and network monitor software to achieve this. IIS logs can be configured for all Web sites and FTP sites. We can identify security breaches by analyzing the Security event log and the IIS server logs. IIS server logs can be configured to record all the environment variables of a Web request.
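As an added example (not from the original text), the following script applies the monitoring idea above to IIS 6.0 W3C extended log lines: it reads the column names from the `#Fields:` header, flags clients that accumulate repeated 401 responses, and flags logons completed over port 80, where basic authentication would have sent the credentials in clear text. The log lines and the failure threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample log in the IIS 6.0 W3C extended format (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2004-03-01 10:00:01 10.0.0.5 GET /secure/ 80 - 192.0.2.10 401
2004-03-01 10:00:02 10.0.0.5 GET /secure/ 80 - 192.0.2.10 401
2004-03-01 10:00:03 10.0.0.5 GET /secure/ 80 - 192.0.2.10 401
2004-03-01 10:00:04 10.0.0.5 GET /secure/ 80 - 192.0.2.10 401
2004-03-01 10:00:05 10.0.0.5 GET /secure/ 80 CORP\\alice 192.0.2.10 200
2004-03-01 10:00:06 10.0.0.5 GET /index.htm 80 - 198.51.100.7 200
2004-03-01 10:00:07 10.0.0.5 GET /secure/ 443 CORP\\bob 198.51.100.7 200
"""

AUTH_FAILURE_THRESHOLD = 3  # assumption: flag a client at this many 401s

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no record
        elif fields:
            yield dict(zip(fields, line.split()))

def find_auth_failure_bursts(records, threshold=AUTH_FAILURE_THRESHOLD):
    """Return {client_ip: count} for clients with >= threshold 401 responses."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] == "401")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def find_cleartext_logons(records):
    """Return (client, user) pairs that authenticated on port 80 (no SSL).
    If the site allows basic authentication, those credentials crossed the
    wire in clear text; anonymous requests log the username as '-'."""
    return [(r["c-ip"], r["cs-username"]) for r in records
            if r["cs-username"] != "-" and r["s-port"] == "80"]

def analyse(text):
    """Run both checks over a log and return their findings."""
    records = list(parse_w3c(text))
    return find_auth_failure_bursts(records), find_cleartext_logons(records)

if __name__ == "__main__":
    bursts, cleartext = analyse(SAMPLE_LOG)
    print("401 bursts:", bursts)           # {'192.0.2.10': 4}
    print("logons over port 80:", cleartext)  # [('192.0.2.10', 'CORP\\alice')]
```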
Microsoft Content Management Server (CMS) can be used to replicate content to multiple IIS servers in a Web farm. CMS creates projects to manage the deployment and provides a GUI for troubleshooting those projects. We also need to take the content deployment strategy into account when we initiate an IIS 6.0 implementation on Windows Server 2003.