Simply stated, if your computer is connected to the Internet, it's exposed to millions of people who can reach it in milliseconds from anywhere in the world, many of whom have nothing better to do than to try to break into and damage your computer. They're highly motivated. They want to use your computer to send spam, collect people's credit card numbers as part of their fraud operations, and, well, who knows what else. Consider your connection to the Internet like the door to your house, and it's in a rough neighborhood: Never leave the door unlocked (and let's talk about putting bars on the windows). Dealing with security is a little bit scary, but you can take a few steps to ensure your safety.
For a more detailed discussion of keeping your network safe from prying eyes, see p. 815.

Keeping Up to Date

First and foremost, you'll need to keep up on bug fixes and security updates released by Microsoft. Since IIS has full access to your computer, and it's in contact with the rest of the world, it's critical that you keep it up to date. You should be sure that your computer is set up to receive Automatic Updates from Microsoft. You also need to subscribe to the Microsoft security bulletin service so you hear about problems as soon as they're discovered. Sometimes they describe interim precautionary measures you can take before bug fixes are released. You can sign up at www.microsoft.com/security. Click on E-mail Updates.

File Security

Your server's file system contributes to the security of data on it. You can do the following:
Authentication

If you want to implement user restrictions to limit access to files or folders in your Web site, the Directory Security tab in the IIS Computer Management plug-in (which you open by right-clicking Default Web Site and choosing Properties) lets you permit or prevent Basic Authentication from being used to view protected Web pages. Basic Authentication transmits unencrypted usernames and passwords across the Internet. This is a bad thing. But you get a significant trade-off here. If you don't allow Basic Authentication, no Web browser other than Internet Explorer can view the protected pages. If you do allow Basic Authentication, usernames and passwords are transmitted across the Internet without encryption, which is a significant security risk. My recommendation is that you not permit Basic Authentication. These passwords aren't just for a Web page, remember; they're your Windows XP usernames and passwords, the keys to your computer and network domain. You can mitigate the problem somewhat by creating special limited user accounts that you give out to people who need Internet-based access to your computer via FTP or Web folders; then, if the passwords get intercepted, there is less that an intruder can get away with.

Configuring Your Server

My computer management philosophy is "keep it simple." The fewer services you run, the less likely that one will be configured incorrectly and become a security liability. Use care in configuring and managing your server. Be sure to read Chapter 21, "Network Security," for the scoop on securing your computer and network. Here are some additional tips:
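To make the Authentication point above concrete: Basic Authentication does not encrypt the credentials at all; the browser just sends "username:password" encoded with Base64, which anyone on the path can reverse. The following script is an added example (not part of the book, and not an IIS or Microsoft tool) showing what a monitoring or audit tool can do with captured HTTP request headers: it recognizes Basic Authentication, decodes the credential token, and flags every request where such a token travelled over plain http rather than https. The request samples, the host name intranet.example, and the function names are all constructed for this example.

```python
import base64
import binascii

# Constructed sample input: (transport the request arrived over, raw HTTP request)
# as a proxy or network sensor might hand them to an audit script.
CONSTRUCTED_REQUESTS = [
    ("http",
     "GET /private/report.htm HTTP/1.1\r\nHost: intranet.example\r\n"
     "Authorization: Basic YWxpY2U6cEBzc3cwcmQ=\r\n\r\n"),        # alice, over cleartext
    ("https",
     "GET /private/report.htm HTTP/1.1\r\nHost: intranet.example\r\n"
     "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),            # bob, but inside TLS
    ("http",
     "GET /public/index.htm HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # no credentials
    ("http",
     "GET /private/x HTTP/1.1\r\nHost: intranet.example\r\n"
     "Authorization: Basic not*base64\r\n\r\n"),                   # malformed token
]


def parse_headers(raw):
    """Split a raw request into (request line, {lower-case header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic_credentials(auth_value):
    """Return (username, password) from an 'Authorization: Basic <token>' value.

    Returns None for other schemes or for tokens that are not valid Base64 of
    'user:password'. This is exactly the reversal any eavesdropper can perform:
    Base64 is an encoding, not encryption.
    """
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def audit_request(scheme, raw):
    """Classify one request; reports whether a Windows credential crossed the wire in the clear."""
    request_line, headers = parse_headers(raw)
    finding = {"request": request_line, "scheme": scheme, "basic_auth": False,
               "cleartext_exposure": False, "username": None, "password_length": 0}
    auth = headers.get("authorization")
    if auth is None:
        return finding
    creds = decode_basic_credentials(auth)
    if creds is None:
        return finding
    user, password = creds
    # The password itself is deliberately not stored in the finding; its length
    # is enough to show the reviewer that a real secret was exposed.
    finding.update(basic_auth=True, username=user, password_length=len(password),
                   cleartext_exposure=(scheme != "https"))
    return finding


def audit_all(requests):
    return [audit_request(scheme, raw) for scheme, raw in requests]


def exposed_usernames(requests):
    """Accounts whose password was sent with Basic Authentication over plain HTTP."""
    return sorted(f["username"] for f in audit_all(requests) if f["cleartext_exposure"])


if __name__ == "__main__":
    for f in audit_all(CONSTRUCTED_REQUESTS):
        status = "EXPOSED" if f["cleartext_exposure"] else "ok"
        print(f"{status:8} {f['scheme']:5} {f['request']}  user={f['username']}")
```

Every account the script reports as exposed is a Windows XP logon, which is the author's point: once intercepted, that password opens far more than one Web page. Running the same check against your own server's traffic, or simply leaving Basic Authentication disabled as recommended, keeps that list empty.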