There shouldn't be any question that IIS is significantly more secure than its predecessors. Several key enhancements such as a reduced attack surface and enhanced application isolation deliver a robust and secure Web platform. IIS also is enabled by default to present only static information (that is, to use applications or other dynamic content, you must manually enable them).

However, Microsoft products are also the most popular products to try to hack. For this reason, it's important to secure the Web server as much as possible. The more barriers there are, the less inclined a hacker would be to try to gain unauthorized access. Each component on the Web server must be secure; the server is as secure as its weakest point.

Windows Server 2003 Security

Windows Server 2003 security actually begins during the planning and designing phases so that every conceivable security aspect is addressed. This can entail physical, logical (Windows Server 2003, applications, and so on), and communications security.

When you're securing the Windows Server 2003 Web server, it's important to use NTFS on the disk subsystem and apply the latest service pack and security patches. Using NTFS is critical because it can have appropriate permissions set on files, folders, and shares. Also, keeping up to date with service packs and patches ensures that Windows Server 2003 is operating with the greatest amount of protection.

Application security on the Windows Server 2003 Web server should be carefully reviewed, especially if it's a custom-built application. If the application is developed by a vendor, make sure that you have an application that is certified to run on Windows Server 2003 and that the latest service packs and patches have been applied and tested.

Note: For more information on securing Windows Server 2003, refer to Part IV, "Security."

Locking Down Web Service Extensions

As mentioned earlier, IIS can display only static content (.htm, image files, and so on) by default until you manually enable dynamic content. IIS gives granular control over the dynamic content. For example, you can enable Active Server Pages but disable ASP.NET applications. To enable or disable dynamic information, do the following:
Using the Web Service Extensions interface, you can also add and allow extensions for specific applications that may not be already listed.

IIS Authentication

Authentication is a process that verifies that users are who they say they are. IIS supports a multitude of authentication methods, including the following:
These authentication methods can be enabled under the Authentication Methods dialog box, as illustrated in Figure 11.17. You can view this window by clicking the Edit button located on the Directory Security tab of a Web site properties page.

Figure 11.17. Authentication Methods settings.

Auditing Web Services

Windows Server 2003 auditing can be applied to Web and FTP sites to document attempts to log on (successful and unsuccessful), to gain unauthorized access to service accounts, to modify or delete files, and to execute restricted commands. These events can be viewed through the Event Viewer. It's also important to monitor IIS logs in conjunction with audited events to determine how, when, and if external users were trying to gain unauthorized access.

Using SSL Certificates

Secure Sockets Layer preserves user and content integrity as well as confidentiality so that communications between a client and the Web server, containing sensitive data such as passwords or credit card information, are protected. SSL is based on the public key security protocol that protects communication by encrypting data before it is transmitted.

Previous versions of IIS could use SSL, and IIS 6 is no different. The exception to this, though, is how SSL is implemented within IIS. The version implemented within Windows Server 2003's IIS has the following improvements:
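
For the IIS log review recommended under Auditing Web Services above, the following is an added example (not code from the original text) that reads a W3C Extended log and lists clients with repeated access-denied responses. The log lines, field selection, addresses, and the threshold of three are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in W3C Extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-03-01 10:00:01 192.0.2.10 - GET /default.htm 200
2004-03-01 10:00:05 198.51.100.7 - GET /admin/ 401
2004-03-01 10:00:06 198.51.100.7 - GET /admin/ 401
2004-03-01 10:00:07 198.51.100.7 - GET /admin/config.asp 403
2004-03-01 10:00:09 192.0.2.10 - GET /logo.gif 200
2004-03-01 10:00:11 203.0.113.4 - GET /reports/ 401
2004-03-01 10:00:12 203.0.113.4 alice GET /reports/ 200
"""

DENIED = {"401", "403"}  # unauthorized / forbidden

def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Logged fields are configurable and can change mid-file.
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def denied_by_client(text, threshold=3):
    """Map client IP -> denied requests, for clients at or over threshold.

    A single 401 followed by a 200 is the normal authentication
    challenge, so only repeated denials are reported.
    """
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("sc-status") in DENIED:
            hits[rec.get("c-ip", "-")].append(
                (rec.get("date"), rec.get("time"),
                 rec.get("cs-uri-stem"), rec.get("sc-status")))
    return {ip: rows for ip, rows in hits.items() if len(rows) >= threshold}

if __name__ == "__main__":
    for ip, rows in denied_by_client(SAMPLE_LOG).items():
        print(ip, len(rows), "denied requests, first at", rows[0][0], rows[0][1])
```

W3C Extended logs record times in UTC, so convert before lining entries up with Event Viewer records, which are displayed in local time.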
SSL certificates serve three primary purposes, although they are typically used to encrypt connections. These purposes include the following:
Note: SSL puts little strain on bandwidth but can significantly increase processor utilization. To minimize the performance impact that SSL can have on a given system, consider using a hardware-based SSL adapter to offload the workload from the computer's processors.

From an IIS perspective, SSL can be applied to an entire Web site, directories, or specific files within the Web site. SSL configuration can be done through the IIS snap-in located on the Start, Administrative Tools menu.

To use SSL on a Web site, a certificate must first be requested and then installed. The request can be created to obtain a certificate either from an external, trusted CA or from an internal PKI. To request an SSL certificate for a Web site, do the following:
After the certificate has been requested, it must be submitted to a trusted CA to process. To submit the newly created certificate request to an internal CA, do the following:
To apply the SSL certificate, do the following:

Configuring FTP Security Options

FTP is, by default, an unsecured protocol. It's unsecured due to the method of user authentication and the transfer of the data. For example, if users need to supply a username and password, the information can be captured and easily read because the information is transmitted in clear text.

Many organizations have abandoned using FTP for supplying read-only downloads to external users. In this scenario, organizations are using HTTP instead to provide downloads. Securing HTTP is much simpler than securing FTP and doesn't require as much administration.

Securing FTP Transfer

FTP transfer can be secured using encryption via a VPN connection (such as IPSec and L2TP). Typically, this presents unnecessary obstacles and burdens to end users. Users would have to establish a VPN connection before they could download files, which may become a technical challenge for many users.

Securing FTP Authentication

Without a secure connection between the end user supplying a username and password and the FTP server, it is impossible to adequately secure FTP. Usernames and passwords could potentially be compromised if a hacker were to capture FTP traffic to the server. As a result, FTP would be better protected if the FTP server allowed only anonymous connections. This way, users won't have to supply usernames and passwords.

Other FTP Security Measures

Some other possible ways to minimize FTP security risks are the following: