Best Practices


  • Ensure that the base OS is secure.

    The OS on a Windows 2000 server hosting the IIS service must be secure. If the OS, including its services, user accounts, file system, or registry, is not secure, IIS is susceptible to all vulnerabilities caused by the poor OS security configuration.

  • Implement the strongest form of user authentication supported by users connecting to an IIS server.

    Weak authentication configuration can lead to the compromise of a user's domain account and password. By enforcing strong authentication methods, whether Integrated Windows or certificate-based, you provide the strongest protection of user credentials.

  • Assign the minimum required permissions for Web sites.

    Implement a combination of NTFS and Web site permissions that provide the minimum permissions required to access a Web site. Do not assign excess permissions because this reduces the overall security of the Web site.

  • Implement SSL for Web sites or virtual directories that provide access to nonpublic data.

    SSL ensures that all data transmitted between the Web browser and the IIS server is encrypted. SSL also protects weaker forms of authentication, such as basic authentication, by encrypting the weaker credential information as it is sent to the Web server.

  • Implement Microsoft security tools to lock down the IIS server.

    Implement the IIS Lockdown tool and the URLScan filter to configure IIS services, enable script maps, and apply additional security to an IIS server.
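
The SSL practice above notes that basic authentication is a weaker form of authentication. The following added example (not from the book) shows why: a Basic Authorization header is only Base64-encoded, so the check flags every request that carries one without SSL. The sample requests, account names, and function names are constructed for illustration.

```python
import base64
import binascii


def _basic(creds):
    """Build a Basic Authorization header value from raw 'user:password' bytes."""
    return "Basic " + base64.b64encode(creds).decode("ascii")


# Constructed sample requests (not real traffic): (scheme, path, Authorization header)
SAMPLE_REQUESTS = [
    ("http", "/reports/q3.asp", _basic(b"CONTOSO\\alice:Example-Passw0rd")),
    ("https", "/reports/q3.asp", _basic(b"CONTOSO\\bob:Another:Pass")),
    ("http", "/public/index.htm", None),
    ("http", "/reports/q4.asp", "NTLM TlRMTVNTUAABAAAA"),  # not Basic, ignored
    ("http", "/reports/q5.asp", "Basic not*base64"),        # malformed, ignored
]


def parse_basic_credentials(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_requests(requests):
    """Return one finding per request that sent Basic credentials without SSL."""
    findings = []
    for scheme, path, auth in requests:
        creds = parse_basic_credentials(auth)
        if creds and scheme != "https":
            user, password = creds
            # Report the account and password length only, never the password.
            findings.append({"path": path, "user": user,
                             "password_length": len(password)})
    return findings


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print("Basic credentials sent without SSL:", finding)
```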



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
