Securing IIS


There shouldn't be any question that IIS is significantly more secure than its predecessors. Several key enhancements such as a reduced attack surface and enhanced application isolation deliver a robust and secure Web platform. IIS also is enabled by default to present only static information (that is, to use applications or other dynamic content, you must manually enable them).

However, Microsoft products are also the most popular products to try to hack. For this reason, it's important to secure the Web server as much as possible. The more barriers there are, the less inclined a hacker would be to try to gain unauthorized access. Each component on the Web server must be secure; the server is as secure as its weakest point.

Windows Server 2003 Security

Windows Server 2003 security actually begins during the planning and designing phases so that every conceivable security aspect is addressed. This can entail physical, logical (Windows Server 2003, applications, and so on), and communications security.

When you're securing the Windows Server 2003 Web server, it's important to use NTFS on the disk subsystem and apply the latest service pack and security patches. Using NTFS is critical because it can have appropriate permissions set on files, folders, and shares. Also, keeping up to date with service packs and patches ensures that Windows Server 2003 is operating with the greatest amount of protection.

Application security on the Windows Server 2003 Web server should be carefully reviewed, especially if it's a custom-built application. If the application is developed by a vendor, make sure that you have an application that is certified to run on Windows Server 2003 and that the latest service packs and patches have been applied and tested.

Note

For more information on securing Windows Server 2003, refer to Part IV, "Security."


Locking Down Web Service Extensions

As mentioned earlier, IIS can display only static content (.htm, image files, and so on) by default until you manually enable dynamic content. IIS gives granular control over the dynamic content. For example, you can enable Active Server Pages but disable ASP.NET applications.

To enable or disable dynamic information, do the following:

1. In the IIS Manager, expand the Web server name and select Web Service Extensions.

2. In the Web Service Extensions window on the right, select the extensions you want to configure and click on either Allow or Prohibit.

Using the Web Service Extensions interface, you can also add and allow extensions for specific applications that may not be already listed.

IIS Authentication

Authentication is a process that verifies that users are who they say they are. IIS supports a multitude of authentication methods, including the following:

  • Anonymous: Users can establish a connection to the Web site without providing credentials.

  • Integrated Windows authentication: This authentication method can be integrated with Active Directory. As users log on, the hash value of the password is sent across the wire instead of the actual password.

  • Digest authentication: Similar to Integrated Windows authentication, a hash value of the password is transmitted. Digest authentication requires a Windows Server 2003 domain controller to validate the hash value.

  • Basic authentication: Basic authentication sends the username and password over the wire in clear text format. This authentication method offers little security to protect against unauthorized access.

  • .NET Passport authentication: .NET Passport is a Web authentication service developed by Microsoft. It doesn't reside on the hosting Web server but rather is a central repository contained and secured by Microsoft that allows users to create a .NET Passport account once. This username and password can be used at any .NET Passport-enabled site. For more information on .NET Passport, refer to Chapter 14, "Windows Server 2003 Passports."

These authentication methods can be enabled under the Authentication Methods dialog box, as illustrated in Figure 11.17. You can view this window by clicking the Edit button located on the Directory Security tab of a Web site properties page.

Figure 11.17. Authentication Methods settings.
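The list above makes the point that Basic authentication carries the password in clear text while the other methods send a hash or challenge response. The following added example (not from the book) shows what that difference looks like on the wire: it parses an HTTP Authorization header, recovers the username and password from a Basic credential to demonstrate that base64 is encoding rather than encryption, and rates the request according to whether SSL protected it. The scheme tokens Negotiate and NTLM are what Integrated Windows authentication produces in a real request; the risk labels and the sample headers are this example's own construction.

```python
import base64
import binascii

# Added example (not from the book): classify the authentication scheme a
# client used, based on its Authorization request header, and apply the
# chapter's rule that Basic credentials are clear text unless SSL protects them.

def parse_authorization(header_value):
    """Return (scheme, credential_text) for an Authorization header.

    For Basic the credential is only base64-encoded, so it is recovered as
    'username:password'; for other schemes the raw token is returned.
    Returns (scheme, None) when a Basic value cannot be decoded.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return scheme, None
        return scheme, decoded
    return scheme, rest.strip() or None

def assess_request(header_value, over_ssl):
    """Map a request's auth scheme and transport to a (severity, message) finding."""
    scheme, cred = parse_authorization(header_value)
    if scheme == "basic" and not over_ssl:
        user = cred.split(":", 1)[0] if cred else "<undecodable>"
        return ("HIGH", f"Basic credentials for '{user}' crossed the network in clear text; "
                        "require SSL on this site or switch to Digest or Integrated Windows")
    if scheme == "basic":
        return ("MEDIUM", "Basic over SSL: the password is protected in transit only as long "
                          "as SSL is enforced for the whole site")
    if scheme in ("digest", "negotiate", "ntlm"):
        return ("LOW", f"{scheme}: a hash or challenge response is sent, not the password")
    return ("INFO", f"unrecognized scheme '{scheme}'")

# Constructed sample headers (not captured traffic); 'YWxpY2U6czNjcmV0' is
# base64 of 'alice:s3cret'.
SAMPLE_REQUESTS = [
    ("Basic YWxpY2U6czNjcmV0", False),
    ("Basic YWxpY2U6czNjcmV0", True),
    ('Digest username="alice", realm="intranet", nonce="abc", response="0123"', False),
    ("Negotiate TlRMTVNTUAAB", False),
]

if __name__ == "__main__":
    for header, ssl in SAMPLE_REQUESTS:
        severity, message = assess_request(header, ssl)
        print(f"[{severity}] ssl={ssl}: {message}")
```

Running the block lists one finding per sample header; the only HIGH finding is the Basic credential sent without SSL, which is the case the chapter warns about.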


Auditing Web Services

Windows Server 2003 auditing can be applied to Web and FTP sites to document attempts to log on (successful and unsuccessful), to gain unauthorized access to service accounts, to modify or delete files, and to execute restricted commands. These events can be viewed through the Event Viewer. It's also important to monitor IIS logs in conjunction with audited events to determine how, when, and if external users were trying to gain unauthorized access.

Using SSL Certificates

Secure Sockets Layer preserves user and content integrity as well as confidentiality, so that communications between a client and the Web server containing sensitive data such as passwords or credit card information are protected. SSL is based on public key cryptography and protects communication by encrypting data before it is transmitted.

Previous versions of IIS could use SSL, and IIS 6 is no different; what has changed is how SSL is implemented within IIS. The version implemented within Windows Server 2003's IIS has the following improvements:

  • SSL's performance is up to 50% faster than previous implementations. SSL has been streamlined so that resource requirements aren't as high.

  • SSL can now be remotely managed from a centralized location.

  • A greater number of SSL hardware devices is now supported in Windows Server 2003. These hardware devices (such as smart cards, bio-informatic controllers, and so on) offload some of the resource requirements from Windows Server 2003.

SSL certificates serve three primary purposes, although they are typically used to encrypt connections. These purposes include the following:

  • SSL server authentication: This allows a client to validate a server's identity. SSL-enabled client software can use a public key infrastructure (PKI) to check whether a server's certificate is valid. It can also check whether the certificate has been issued by a trusted certificate authority (CA).

  • SSL client authentication: This allows a server to validate a client's identity. SSL can validate that a client's certificate is valid as well as check whether the certificate is from a trusted CA.

  • Encrypting SSL connections: The most common application of SSL is encrypting all traffic on a given connection. This provides a high degree of confidentiality and security.

Note

SSL puts little strain on bandwidth but can significantly increase processor utilization. To minimize the performance impact that SSL can have on a given system, consider using a hardware-based SSL adapter to offload the workload from the computer's processors.


From an IIS perspective, SSL can be applied to an entire Web site, directories, or specific files within the Web site. SSL configuration can be done through the IIS snap-in located on the Start, Administrative Tools menu.

To use SSL on a Web site, a certificate must first be requested and then installed. The request can be created to obtain a certificate either from an external, trusted CA or from an internal PKI. To request an SSL certificate for a Web site, do the following:

1. Open the Internet Information Services (IIS) Manager snap-in and expand the desired computer, the Web Sites folder, and the Web site to which the certificate will be assigned.

2. Right-click on the Web site and select Properties.

3. On the Directory Security tab, select Server Certificate.

4. Click Next on the Web Server Certificate Wizard Welcome screen.

5. Click the Create a New Certificate button and click Next.

6. Select the Prepare the Request Now, But Send It Later option and then click Next.

7. Enter the new certificate name and choose the desired bit length for the encryption key. It is recommended to use 1024 (the default) or higher as the bit length. Keep in mind that higher bit lengths can decrease performance. Click Next when done.

8. Type in the company and organization unit name and then click Next.

9. Type the name of the IIS computer hosting the Web site in the Common Name box. If the site will be accessed from the Internet, enter the fully qualified domain name, such as server.domain.com. The common name should match the URL users will use to connect to the Web site. Click Next to continue.

10. Select a Country/Region from the first pull-down menu and then type in the State/Province and City/Locality that will be embedded in the certificate. Click Next to continue.

11. Provide a path and filename for the certificate request and then click Next.

12. Review the Request File Summary to ensure that all information is accurate. Click Next and then click Finish to complete the request.
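Steps 7 and 9 carry the two choices that are painful to get wrong after the CA has issued the certificate: a key length below the recommended 1024 bits, and a Common Name that does not match the URL users type. The following added example (not from the book, and not part of IIS or the certificate wizard) is a pre-submission check that takes the Common Name and key length you intend to enter and the list of site URLs, and reports every inconsistency. It goes slightly beyond the chapter by also accepting a wildcard Common Name of the form *.domain.com, matching one label only; the `check_request` and `hostname_matches` names and the sample URLs are this example's own.

```python
from urllib.parse import urlsplit

# Added example (not from the book): sanity-check the Common Name and key
# length for a certificate request against the URLs users will actually use.

MIN_KEY_BITS = 1024  # the chapter's recommended minimum key length

def hostname_matches(common_name, hostname):
    """Case-insensitive comparison of a certificate CN with a URL hostname.

    A CN of '*.domain.com' (wildcard; not covered by the chapter) matches
    exactly one extra label: 'www.domain.com' but not 'domain.com' or
    'a.b.domain.com'.
    """
    cn = common_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*."):
        suffix = cn[1:]  # '.domain.com'
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False

def check_request(common_name, key_bits, site_urls):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    if key_bits < MIN_KEY_BITS:
        problems.append(f"key length {key_bits} is below the recommended {MIN_KEY_BITS} bits")
    for url in site_urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{url}: not an https URL, so SSL will not protect it")
        host = parts.hostname
        if not host:
            problems.append(f"{url}: no hostname in URL")
        elif not hostname_matches(common_name, host):
            problems.append(f"{url}: hostname '{host}' does not match common name '{common_name}'")
    return problems

# Constructed sample: an internal host name typed as the CN while users reach
# the site by its fully qualified name from the Internet.
SAMPLE_URLS = ["https://server.domain.com/orders/", "http://server.domain.com/public/"]

if __name__ == "__main__":
    for cn, bits in (("server", 512), ("server.domain.com", 1024)):
        print(f"CN={cn!r}, {bits}-bit key:")
        for problem in check_request(cn, bits, SAMPLE_URLS) or ["no problems found"]:
            print("  -", problem)
```

The second pass in the sample still reports the plain http URL, which is the reminder that a certificate only helps for the parts of the site that are actually configured to require SSL.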

After the certificate has been requested, it must be submitted to a trusted CA to process. To submit the newly created certificate request to an internal CA, do the following:

1. Open a browser and enter the URL of the server that is hosting Certificate Services (for example, http://servername/certsrv).

2. If a sign-in dialog box appears, enter a username and password with sufficient privileges to generate the certificate and click OK.

3. Select Request a Certificate.

4. On the next page, select Advanced Certificate Request.

5. Select Submit a Certificate Request by Using a Base-64-Encoded CMC or PKCS #10 File, or Submit a Renewal Request by Using a Base-64-Encoded PKCS #7 File.

6. On the Submit a Certificate Request or Renewal Request page, click the Browse for a File to Insert link or manually enter the text within the certificate request file you just created.

7. Within the Certificate Template section, use the pull-down menu to select Web Server as shown in Figure 11.18. Click the Submit button when done.

Figure 11.18. Submitting a certificate request.

8. On the Certificate Issued page, select the Download Certificate link and, when prompted, click Save so that you can specify a path and filename for the certificate.

To apply the SSL certificate, do the following:

1. Open the IIS Manager snap-in and navigate to the Web site for which the certificate was created.

2. Right-click on the Web site and select Properties.

3. Click on the Directory Security tab and click the Server Certificate button.

4. Click Next on the initial Server Certificate Wizard window, and then select Process the Pending Request and Install the Certificate. Click Next to continue.

5. Locate the certificate file that was created in the previous steps and then click Next.

6. On the SSL Port window, type in the listening port for SSL (443 is the default) and then click Next.

7. Review the summary information and then click Next. Click Finish if the information is correct; otherwise, click the Back button or submit a new request.

Configuring FTP Security Options

FTP is, by default, an unsecured protocol. It's unsecured due to the method of user authentication and the transfer of the data. For example, if users need to supply a username and password, the information can be captured and easily read because the information is transmitted in clear text.

Many organizations have abandoned using FTP for supplying read-only downloads to external users. In this scenario, organizations are using HTTP instead to provide downloads. Securing HTTP is much simpler than FTP and doesn't require as much administration.

Securing FTP Transfer

FTP transfer can be secured by encrypting it inside a VPN connection (such as IPSec or L2TP). Typically, this presents unnecessary obstacles and burdens to end users: they would have to establish a VPN connection before they could download files, which may become a technical challenge for many users.

Securing FTP Authentication

Without a secure connection between the end user supplying a username and password and the FTP server, it is impossible to adequately secure FTP. Usernames and passwords could be compromised if a hacker were to capture FTP traffic to the server. As a result, FTP is better protected if the FTP server allows only anonymous connections, because users then never have to supply usernames and passwords.

Other FTP Security Measures

Some other possible ways to minimize FTP security risks are the following:

  • Use local folders to share downloads and secure them with NTFS. The folder should be located on a separate partition from Windows Server 2003 system files.

  • Offer read-only content to users.

  • Monitor disk space and IIS logs to ensure that a hacker isn't attempting to gain unauthorized access.
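Both the "Auditing Web Services" section and the last bullet above come down to reading IIS logs for signs of unauthorized access attempts. The following added example (not from the book) implements that review for the W3C extended log format that IIS 6 writes by default: a small parser driven by the `#Fields:` directive, a check for clients that repeatedly receive HTTP 401 (failed logon) responses on a Web site, and a check for FTP logons that supply a real account instead of `anonymous`, which is exactly the case in which a password crossed the network in clear text. The log lines are constructed for this example rather than taken from a real server; the field layout follows the IIS convention of recording FTP commands as `[n]USER`, `[n]PASS` and so on in `cs-method`, but the exact columns on a given server are whatever its own `#Fields:` line says, which is why the parser reads them from the log.

```python
from collections import Counter

# Added example (not from the book): parse W3C extended log records, the
# default IIS 6 log format, and apply two of the chapter's monitoring points.

def parse_w3c(lines):
    """Yield one dict per data record, keyed by the names in the #Fields directive.

    Lines starting with '#' are directives; each '#Fields:' line re-maps the
    columns for the records that follow. A '-' value means 'no value'.
    """
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data record appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def repeated_auth_failures(records, threshold=3):
    """Client IPs that received at least `threshold` HTTP 401 responses."""
    counts = Counter(r["c-ip"] for r in records if r.get("sc-status") == "401")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def non_anonymous_ftp_logons(records):
    """(client IP, account) for every FTP USER command that was not 'anonymous'."""
    findings = []
    for r in records:
        if (r.get("cs-method") or "").upper().endswith("USER"):
            account = r.get("cs-uri-stem") or ""
            if account.lower() != "anonymous":
                findings.append((r["c-ip"], account))
    return findings

def audit_logs(web_log_text, ftp_log_text, threshold=3):
    """Run both checks and return the findings as a dict."""
    web = list(parse_w3c(web_log_text.splitlines()))
    ftp = list(parse_w3c(ftp_log_text.splitlines()))
    return {
        "auth_failures": repeated_auth_failures(web, threshold),
        "ftp_logons": non_anonymous_ftp_logons(ftp),
    }

# Constructed sample logs (not real server output).
WEB_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2006-03-01 08:00:01 10.0.0.5 GET /admin/default.asp - 80 - 192.168.1.20 401 2
2006-03-01 08:00:02 10.0.0.5 GET /admin/default.asp - 80 - 192.168.1.20 401 1
2006-03-01 08:00:03 10.0.0.5 GET /admin/default.asp - 80 - 192.168.1.20 401 1
2006-03-01 08:00:09 10.0.0.5 GET /admin/default.asp - 80 jdoe 192.168.1.20 200 0
2006-03-01 08:01:00 10.0.0.5 GET /index.htm - 80 - 192.168.1.30 200 0
2006-03-01 08:01:05 10.0.0.5 GET /admin/ - 80 - 192.168.1.30 401 2
"""

FTP_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-01 09:00:00 192.168.1.40 - [1]USER anonymous 331
2006-03-01 09:00:01 192.168.1.40 anonymous [1]PASS - 230
2006-03-01 09:00:05 192.168.1.40 anonymous [1]sent /readme.txt 226
2006-03-01 09:02:00 192.168.1.50 - [2]USER jdoe 331
2006-03-01 09:02:01 192.168.1.50 jdoe [2]PASS - 230
"""

if __name__ == "__main__":
    result = audit_logs(WEB_LOG, FTP_LOG)
    for ip, n in result["auth_failures"].items():
        print(f"{ip}: {n} failed logons (401) on the Web site")
    for ip, account in result["ftp_logons"]:
        print(f"{ip}: FTP logon as '{account}', password sent in clear text")
```

On the sample data the Web check flags 192.168.1.20 (three 401 responses before a successful logon) and the FTP check flags the jdoe logon from 192.168.1.50. The 401 threshold is a starting point to tune against normal traffic; the same records should be read side by side with the Windows Security event log, as the auditing section recommends, to tell a mistyped password from a sustained guessing attempt.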




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499