Summary

You need to analyze business and security requirements to create a baseline for security on your IIS servers. You should consider the minimum services and account permissions needed to meet the requirements. You will use the information gathered to create a base IIS install. You should then try to automate this policy as much as possible through GPOs or scripts.

Next, you need to implement the minimum number of services required to meet the needs of your applications. This will include paying attention to what is installed on the IIS server and then determining what services each individual website will require. You also need to pay attention to the accounts used by the services.

The baseline will also help you determine how you will authenticate users on the website if you are required to do so. You will have a choice between basic, digest, integrated Windows, forms-based, certificate, anonymous, .NET Passport and RADIUS authentication. Each has their strengths and weaknesses. You will need to decide which authentication protocol would be best for your situations.

Security will also require that you track what the users are accessing on the site. This will allow you to identify security incidents or determine what damage was done by a security breach. You will need to devise a plan for logging information on the server.

Finally, you need to determine a strategy for updating content on the IIS server. Look at the security and business requirements to determine which protocol to use when updating the server. You can choose between WebDAV, FTP, FrontPage Server Extensions, or even a file share. You will also need to determine if encryption will be required when updating content, and you need to verify that permissions are correct for allowing users to update the content.