Security Issues for Internet Services

Simply stated, if your computer is connected to the Internet, it's exposed to millions of people who can reach it in milliseconds from anywhere in the world, many of whom have nothing better to do than to try to break into and damage your computer. They're highly motivated. They want to use your computer to send spam, collect peoples' credit card numbers as part of their fraud operations, and, well, who knows what else. Consider your connection to the Internet like the door to your house, and it's in a rough neighborhood: Never leave the door unlocked (and let's talk about putting bars on the windows).

Dealing with security is a little bit scary, but you can take a few steps to ensure your safety.

For a more detailed discussion of keeping your network safe from prying eyes, p. 815.

Keeping Up to Date

First and foremost, you'll need to keep up on bug fixes and security updates released by Microsoft. Since IIS has full access to your computer, and it's in contact with the rest of the world, it's critical that you keep it up to date. You should be sure that your computer is set up to receive Automatic Updates from Microsoft. You also need to subscribe to the Microsoft security bulletin service so you hear about problems as soon as they're discovered. Sometimes they describe interim precautionary measures you can take before bug fixes are released. You can sign up at www.microsoft.com/security. Click on E-mail Updates.

File Security

Your server's file system contributes to the security of data on it. You can do the following:

• Use NTFS for any drives containing folders you share using IIS.

• By default, Windows puts the Web and FTP data directories on the same drive as Windows. For maximum safety, set up a separate NTFS-formatted drive or partition and use that for your IIS data. You can change the location of the Web and FTP home directories on the Properties pages of these services in the Internet Information Services management tool as I described earlier in the chapter.

• If you grant Write permission to any of your Web or FTP folders, you should not use Simple File Sharing. Instead, you should use full user-level security and carefully review and adjust the permissions settings in your \inetpub folder and all of its subfolders. By default, Windows assigns new folders Full Control permissions to the Everyone group. Examine folders you create under the \inetpub folder to be sure that only authorized users can read and write files there. The user name IUSR_xxxx, where xxxx is your computer's name, is used for anonymous users, so IUSR_xxxx needs read permission in any folder that contains public pages.

  For information on Simple File Sharing and folder permissions, p. 1063.

  
  

• Store executable and scripts files in a separate folder from Web pages so that they can be executed but not read. Never check both Write and Script permissions on the same folder: This would let outside people send program scripts to your computer and then run them.

Authentication

If you want to implement user restrictions to limit access to files or folders in your Web site, the Directory Security tab in the IIS Computer Management plug-in (which you open by right-clicking Default Web Site and choosing Properties) lets you permit or prevent Basic Authentication from being used to view protected Web pages.

Basic Authentication transmits unencrypted usernames and passwords across the Internet. This is a bad thing.

But you get a significant trade-off here. If you don't allow Basic Authentication, no Web browser other than Internet Explorer can view the protected pages. If you do allow Basic Authentication, usernames and passwords are transmitted across the Internet without encryption, which is a significant security risk.

My recommendation is that you not permit Basic authentication. These passwords aren't just for a Web page, remember; they're your Windows XP usernames and passwords, the keys to your computer and network domain. You can mitigate the problem somewhat by creating special limited user accounts that you give out to people who need Internet-based access to your computer via FTP or Web folders; then, if the passwords get intercepted, there is less that an intruder can get away with.

Configuring Your Server

My computer management philosophy is "keep it simple." The fewer services you run, the less likely that one will be configured incorrectly and become a security liability. Use care in configuring and managing your server. Be sure to read Chapter 21, "Network Security," for the scoop on securing your computer and network. Here are some additional tips:

• Install and run only the services you actually need and use.

• Set up a separate disk partition, formatted with the NTFS disk format, and put your \inetpub folder there.

• Enable auditing of access failures and privilege violations.

  For instructions on auditing access failures, p. 837.

  
  

• Back up your system frequently. Include the Registry in your backups, for example, by checking System State in the Backup System Tool or the equivalent in another program.

• Run virus checks regularly.

• Be sure your computer is behind a firewall (Windows Firewall will do), and that you use a connection sharing router or Windows Internet Connection Sharing. These services help block incoming attacks.

• Keep track of the services that should be running on your computer, and watch out for unknown services that may have been installed by rogue software or unauthorized users.