Web shares, or virtual directories, can be very useful in publishing corporate information to users both inside and outside the company's network. By using the existing server or DFS (distributed file system) shares within the company, administrators and end users can publish content without the use of specialized Web editing tools. Securing such shares requires you to pay special attention to both the underlying operating system and the method by which the end user is accessing the resources. Using both NTFS permissions and Web-based permissions to ensure the security of the Web shares is the best possible method because it provides a layered approach to securing the Web shares. You should pay special attention to the root folder of each disk volume. By default Windows Server 2003 installs the Everyone group on the system volume. This is the volume where Windows Server 2003 is installed. By default this group has Read and Execute permissions on any new folders that are created on this volume. It's a best practice to remove this group to avoid leaving the entire directory structure vulnerable to attack. Protecting the PerimeterCompanies should always use a firewall plan and an intrusion detection system (IDS) to create a way to monitor traffic to and from their Web servers. It is called a firewall plan because it's not just a hardware or software product. A firewall plan involves multiple products and security planning, including what to do when there is a compromise in the company's security. Compromises will happen; what you do to reduce exposure is an essential part of the plan. Part of the firewall plan can be virtual private network (VPN) access and some form of Internet authentication services such as the one provided by RADIUS. Both of these services are available on the Windows Server 2003 platform. The VPN approach should be used when accessing any enterprise resources from outside the firewall perimeter. As is discussed later in this chapter, in "Establishing Virtual Directory Permissions," authentication and document access can be provided by front-end Web servers that are placed between two firewalls in what is known as a demilitarized zone (DMZ). Protecting the Server ContentThere are numerous best practices for protecting Web servers facing the Internet. Here are just a few ways to reduce the impact of a security breach:
Following the HTTP Authentication RequestIIS authentication is the front line of defense in the access authorization process. When a user makes an HTTP request for a Web page several security- related steps take place. The sequence of events is as follows :
Following the order in which IIS allows access makes your troubleshooting efforts easier. By turning off or lessening levels of authentication you can determine which authentication method might be disallowing the delivery of the Web content to the end-user. Allowing Trusted NetworksNarrowing the field of possible vulnerabilities is one of your best tools in protecting Web-based content. By allowing only trusted IP addresses or disallowing known abusers to access the Web content you can keep your eyes on efficiency. To enable or disable IP addresses, IP ranges, or domains perform the following steps:
The method by which you choose to limit access will most likely depend on whether the Web site will be used solely on an intranet, in which you should allow access by domain name. If the Web site is going to be accessed via the Internet as well, you might have to grant access to domains as well as front-end Web servers and known IP addresses or subnets of users. Creating the Virtual DirectoryTo publish content to the company's intranet or to an SSL-secured Internet site, you need to create a Web site in IIS and then Virtual Directories under that Web root. These Virtual Directories can exist in the directory structure of the server that IIS is running on, or a UNC (Universal Naming Convention) path . These Virtual Directories can be created either from the IIS Management console or in the file system using Explorer. IIS Administrator Needs to Allow Either Browse or Directory Browsing To allow content to be viewed that doesn't have an HTML formatted home page, the IIS administrator needs to allow either Browse or Directory Browsing. Otherwise an error page will appear instead of the desired folder contents. Creating a Virtual Directory with IIS ManagerTo create a Virtual Directory in the Internet Information Services (IIS) Manager, perform the following steps:
Creating a Virtual Directory with Windows ExplorerYou have the option of creating a Web site Virtual Directory through the Windows Explorer. This is an easy way to publish content quickly that resides on the IIS server without opening up the IIS Manager tool. To create a Web share, perform the following steps:
Establishing Virtual Directory PermissionsWhen creating either a new Web site or a virtual directory under that site, you must decide who will have access, and of which type to the published content. A preferred method of protecting the content is by first choosing the access rights to the content. Securing Virtual Directories Mapped to Local DirectoriesIIS Virtual Directories that reside on the local server are secured by both the underlying NTFS permissions and the permissions granted through IIS. To set the permissions on a locally hosted Virtual Directory perform the following steps in IIS Manager:
Securing Virtual Directories Mapped to Windows SharesAs described previously, virtual directories can point to UNC paths containing content hosted on other servers or workstations on the local area network. Shares can have their own permissions as well. It's a best practice to leave the share permission to Everyone Full Access. This method makes it much easier to track the applied permissions on folders and files within the enterprise. Placing permissions on the folders and down to the files, if desired, allows for more granular management and auditing of file access. NTFS permissions enable you to discretely allow or deny any group or user permissions down to the file level. Authentication either directly from the Web site or passed through to the host of the UNC share will determine the permissions allowed to that user. IIS 6.0 now allows you to use pass-through Web authentication to UNC share and NTFS permissions. Simply put, the Web server sends the authentication request on to the server or workstation that is hosting the virtual directory UNC resource and asks permission for access. The steps to allow this process to take place are as follows:
Choosing Proper User Access ControlsJust as you set permissions on traditional file shares, you must also take this approach on directories and files exposed via IIS virtual directories. There are also several options related to Web content access as mentioned in the "Securing Virtual Directories Mapped to Local Directories" section earlier in this chapter. As stated previously, there are several lines of defenseat the IIS level, at the share level, and at the file level. How you choose to secure their shared data depends quite a bit on their installed environment. Creating the IIS 6.0 virtual directories will definitely give you more tools and levels of authentication than ever before. To choose the proper authentication method you need to take the following steps:
|