Changing Security Settings




Windows Small Business Server 2003 does a pretty good job of locking down IIS while still allowing all its relevant features to work. Nonetheless, there are several security settings that you might want to change, such as which sites are externally accessible or which allow anonymous users, as well as which server certificate is used for secure communications.

Note 

WebDAV support is disabled in IIS by default to maximize security. If you need to enable it, open the Web Service Extensions folder in Internet Information Services (IIS) Manager, select WebDAV, and click Allow.

Changing Which Sites Are Externally Accessible

You can use three methods to control whether a site hosted by Windows Small Business Server is accessible to external users who don’t have a Virtual Private Network (VPN) connection to your network:

  • Change the firewall settings to prohibit or allow access to the Remote Web Workplace, Outlook Web Access, the Default Web Site or the http://companyweb site. This permits or denies all external users (though some sites such as http://companyweb, Remote Web Workplace, and Outlook Web Access are still password protected).

  • Change the IP addresses to which a Web site responds in the Internet Information Services console. Configuring the Web site (Default Web Site or http://companyweb) to respond only to the internal IP address blocks all external users from the site and from every virtual directory within it.

  • Change the Directory Security for a Web site or a virtual directory to block or allow a range of IP addresses or a specific domain. For example, you could block all external IP addresses.

The first method is covered in Chapter 6, “Completing the To Do List and Other Post-Installation Tasks.” To use the other two methods, follow these steps:

  1. Open the Server Management console, expand the Advanced Management container, and then expand Internet Information Services.

  2. Expand the SBSSRV (local computer) container (assuming your server is named SBSSRV), select the Web Sites container, right-click the Web site or virtual directory with which you want to work, and then choose Properties from the shortcut menu.

    If you chose a Web site, complete Step 3. If you chose a virtual directory, continue with Step 4.

  3. If you chose a Web site, use the Web Site tab of the Properties dialog box (Figure 18-4) to identify the IP address or addresses on which you want the Web site to be available.

    Caution 

    Choosing an internal IP address for a Web site blocks external access to all virtual directories hosted by the Web site. Doing this on the Default Web Site will block external access to the Remote Web Workplace and Outlook Web Access, even if the firewall is configured to allow it.

    Figure 18-4: The Web Site tab of the Properties dialog box.

  4. To specify access permissions by IP address, which is the only way to change access to virtual directories, click the Directory Security tab of the Properties dialog box. Click the Edit button in the IP Address And Domain Name Restrictions section of the dialog box. This displays the IP Address And Domain Name Restrictions dialog box shown in Figure 18-5.

    Figure 18-5: The IP Address And Domain Name Restrictions dialog box.

  5. Choose Granted Access or Denied Access to allow or block all computers by default.

  6. Click the Add button to create a rule allowing or denying a computer, group of computers, or all computers belonging to a specific domain name. Depending on the default condition you chose, either the Grant Access (Figure 18-6) or Deny Access dialog box is displayed.

    Figure 18-6: The Grant Access dialog box.

  7. In the Grant Access or Deny Access dialog box, choose Single Computer or Group Of Computers. To block or allow a single computer, type the computer’s IP address in the Network ID box. To block or allow a group of computers, type the network ID of the group (its first address) in the Network ID box and then type a subnet mask that defines the size of the group (see the Real World sidebar “What Subnet Mask to Use”). Click OK when you’re finished.

  8. Add any additional rules and then click OK when you’re finished.

Caution 

Don’t allow or block computers by Domain Name—doing so requires that a reverse DNS lookup be performed on every visitor, which can generate excessive network traffic.

start sidebar
Real World

What Subnet Mask to Use

When including or excluding a group of computers by IP address and subnet mask, use the following subnet masks to include or exclude entire Class A, B, or C networks:

  • Use the 255.255.255.0 subnet mask to include all computers in a Class C network (for example, 192.168.16.1 through 192.168.16.254).

  • Use the 255.255.0.0 subnet mask to include all computers in a Class B network (for example, 192.168.0.1 through 192.168.255.254).

  • Use the 255.0.0.0 subnet mask to include all computers in a Class A network (for example, 10.0.0.1 through 10.255.255.254).

To include or exclude a subset of these networks, you need a longer (variable length) subnet mask such as 255.255.255.192. That mask matches a block of 64 addresses (62 usable hosts), and the block is the aligned one that contains the address you type in the Network ID box, not 64 addresses starting at it: a Network ID of 192.168.16.70 with that mask matches 192.168.16.64 through 192.168.16.127. Check the block with a subnet mask calculator before you rely on the rule.

end sidebar
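The following is an added example, not code from the book or from IIS. It models the rule set built in steps 5 through 8 (a default of Granted or Denied Access plus a list of Single Computer and Group Of Computers exceptions) and shows what block a Group Of Computers entry really covers, including the 255.255.255.192 case from the sidebar. All rules and client addresses are constructed.

```python
"""Added example (not from the book or from IIS): how an IIS 6 IP Address And
Domain Name Restrictions list decides whether a client is allowed, and what
block a Group Of Computers entry really covers.  Rules and client addresses
below are constructed."""
import ipaddress


def group_block(network_id: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """Block matched by a Group Of Computers entry (Network ID + Subnet Mask).

    The mask is ANDed with the network ID, so the block is the aligned one
    that contains the network ID, not the addresses that begin at it.
    strict=False makes ipaddress perform that alignment.
    """
    return ipaddress.IPv4Network((network_id, subnet_mask), strict=False)


def describe_group(network_id: str, subnet_mask: str):
    """Return (first address, last address, number of addresses) for a group."""
    block = group_block(network_id, subnet_mask)
    return (str(block.network_address), str(block.broadcast_address), block.num_addresses)


class IpRestriction:
    """Default Granted/Denied Access plus a list of exceptions.

    Exceptions are (network_id, subnet_mask) tuples; a subnet_mask of None
    means a Single Computer entry.
    """

    def __init__(self, granted_by_default: bool, exceptions):
        self.granted_by_default = granted_by_default
        self.nets = [
            ipaddress.IPv4Network(f"{net_id}/32") if mask is None else group_block(net_id, mask)
            for net_id, mask in exceptions
        ]

    def is_allowed(self, client_ip: str) -> bool:
        addr = ipaddress.IPv4Address(client_ip)
        listed = any(addr in net for net in self.nets)
        # Default Granted: the list is a deny list.  Default Denied: a grant list.
        return (not listed) if self.granted_by_default else listed


# Constructed rule set: Denied Access by default (blocks all external users),
# then grant the internal class C network, one /26 group on a second LAN,
# and a single management workstation.
INTERNAL_ONLY = IpRestriction(
    granted_by_default=False,
    exceptions=[
        ("192.168.16.0", "255.255.255.0"),  # whole internal LAN
        ("10.0.5.70", "255.255.255.192"),   # typed ".70", but the block starts at .64
        ("172.16.9.12", None),              # single computer
    ],
)

if __name__ == "__main__":
    print(describe_group("10.0.5.70", "255.255.255.192"))  # ('10.0.5.64', '10.0.5.127', 64)
    for ip in ("192.168.16.200", "10.0.5.64", "10.0.5.130", "172.16.9.12", "203.0.113.5"):
        print(ip, "allowed" if INTERNAL_ONLY.is_allowed(ip) else "denied")
```

Run `describe_group` on any Network ID and mask before typing them into the Grant Access or Deny Access dialog box; if the first address it reports is not the one you typed, the rule covers addresses you did not intend.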

Enabling or Disabling Anonymous Access

You can enable or disable anonymous (unauthenticated) access on a per-site or per-virtual-directory basis. This matters most for the http://companyweb SharePoint site: even if you grant anonymous users permissions within Windows SharePoint Services, they can’t reach the site unless anonymous access is also enabled in Internet Information Services.

To enable or disable anonymous access to a Web site or virtual directory, complete the following steps:

  1. Open the Server Management console, expand the Advanced Management container, and then expand Internet Information Services.

  2. Expand the SBSSRV (local computer) container (assuming your server is named SBSSRV), select the Web Sites container, right-click the Web site or virtual directory with which you want to work, and then choose Properties from the shortcut menu.

  3. Click the Directory Security tab, and then click Edit in the Authentication And Access Control section of the dialog box.

  4. In the Authentication Methods dialog box (Figure 18-7), select or clear the Enable Anonymous Access check box depending on whether you want to allow or prohibit anonymous access.

    Figure 18-7: The Authentication Methods dialog box.

  5. Use the Authenticated Access section of the dialog box to control which methods are available for client authentication. IIS falls back to these methods when anonymous access is disabled, or when the NTFS permissions on the folder storing the content don’t give the anonymous account (IUSR_SBSSRV, a member of Domain Users) Read permission. Click OK when you’re finished.

More Info 

See the Under the Hood sidebar “Anonymous Access and NTFS Folder Permissions,” appearing later in this chapter, for more information about how anonymous access works.

Security Alert 

Integrated Windows Authentication and .NET Passport Authentication are the only authentication methods that don’t have significant security problems. .NET Passport Authentication is complex and outside the scope of this book. Digest Authentication protects the password on the network, but it requires the domain to store passwords using reversible encryption, which is equivalent to plaintext for anyone who can read the directory; Basic Authentication sends the user name and password over the network in clear text (Base64-encoded, not encrypted), so it is acceptable only over an SSL connection.
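The following is an added example, not code from the book, that makes the Security Alert concrete: it recovers the credential from a captured Basic header, and computes a Digest response (the RFC 2617 formula without qop) to show that only a hash crosses the wire but the server must still hold the clear-text password, or a password-equivalent hash, to check it. The user name, password, realm, nonce and request are constructed.

```python
"""Added example (not from the book): what an eavesdropper sees with Basic
and Digest authentication, and why Digest forces the server to keep a
password-equivalent secret.  All credentials and header values are
constructed; the Digest computation follows RFC 2617 without qop."""
import base64
import hashlib


def encode_basic(user: str, password: str) -> str:
    """Authorization header value a Basic client sends: Base64 only, no secrecy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")


def decode_basic(header_value: str):
    """Recover (user, password) from a captured Basic header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password).  The server must be able to recompute
    this, so it needs the clear-text password or must store HA1 itself, which
    is a password-equivalent for this realm."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).  This is what
    crosses the wire; an observer learns the hash, not the password."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


def server_verifies(stored_password, user, realm, method, uri, nonce, response) -> bool:
    """Server-side check: recompute the response from the stored password."""
    return digest_response(user, realm, stored_password, method, uri, nonce) == response


# Constructed capture of a Basic credential and the parameters of a Digest
# exchange for the same (constructed) user and request.
CAPTURED_BASIC = "Basic anNtaXRoOlMzY3JldCE="
REALM = "sbssrv.example.local"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/companyweb/default.aspx"

if __name__ == "__main__":
    print("Basic reveals:", decode_basic(CAPTURED_BASIC))
    resp = digest_response("jsmith", REALM, "S3cret!", METHOD, URI, NONCE)
    print("Digest sends only:", resp)
    print("Server accepts with stored password:",
          server_verifies("S3cret!", "jsmith", REALM, METHOD, URI, NONCE, resp))
```

The Basic case needs no cryptanalysis at all, which is why it must never be offered without SSL. The Digest case is the reason for the storage requirement in the alert: `server_verifies` cannot run unless the server can derive HA1, so the directory must hold either the reversible password or HA1, and either one lets an attacker who reads the directory authenticate as the user.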

start sidebar
Under the Hood

Anonymous Access and NTFS Folder Permissions

Anonymous access is controlled using the IUSR_SBSSRV user account (where SBSSRV is the name of the Windows Small Business Server computer), which is a member of the Guests and Domain Users groups.

To determine whether anonymous users can access a folder with NTFS permissions applied, right-click the folder in Windows Explorer, choose Properties from the shortcut menu, and then click the Security tab and look for the Users or Domain Users groups. To explicitly check on IUSR_SBSSRV permissions, click Advanced, click the Effective Permissions tab, and then click Select. In the Select User, Computer, Or Group dialog box, type IUSR_SBSSRV (where SBSSRV is the NetBIOS name of the Windows Small Business Server computer), and then click OK. This displays the Effective Permissions for anonymous Web site users, as shown in Figure 18-8.

Figure 18-8: The Advanced Security Settings dialog box.

end sidebar

Changing Server Certificates and SSL Settings

When you run the Configure E-mail and Internet Connection Wizard, the Web Server Certificate page lets you create a new self-signed certificate used to authenticate the Web server for Secure Sockets Layer (SSL) communication, or you can use an existing certificate obtained from a trusted Certificate Authority (such as Verisign or a locally installed CA). Rerunning the wizard is the easiest way to change the certificate used by Internet Information Services, but doing so is cumbersome for viewing and choosing certificates, and the wizard can’t create certificate requests to send to commercial or locally hosted CAs. For these tasks, complete the following steps:

  1. Open the Server Management console, expand the Advanced Management container, and then expand Internet Information Services.

  2. Expand the SBSSRV (local computer) container (assuming your server is named SBSSRV), select the Web Sites container, right-click the Web site or virtual directory with which you want to work, and then choose Properties from the shortcut menu.

  3. Click the Directory Security tab. In the Secure Communications section of the dialog box, click View Certificate to view the currently assigned certificate, or click Edit to enable or disable SSL.

    Caution 

    Don’t enable SSL on the http://companyweb site, because doing so makes the site inaccessible. The site is distinguished from the Default Web Site by a host header, and with SSL the Host header travels inside the encrypted stream: IIS must choose the certificate (and therefore the site) by IP address and port before it can read the header, so it can’t route the request to a site that is identified only by its host header.

  4. To manage certificates, click Server Certificate on the Directory Security tab, and then click Next on the first page of the IIS Certificate Wizard.

  5. If a certificate is currently installed, use the Modify The Current Certificate Assignment page (Figure 18-9) to choose the action that you want to perform and then click Next. You can choose from the following actions:

    • Renew The Current Certificate

    • Remove The Current Certificate

    • Replace The Current Certificate

    Figure 18-9: The Modify The Current Certificate Assignment page of the IIS Certificate Wizard.

  6. If no certificate is currently installed, the Server Certificate page (Figure 18-10) appears instead of the Modify The Current Certificate Assignment page. Choose one of the following actions and then click Next:

    • Create A New Certificate

    • Assign An Existing Certificate

    • Import A Certificate From A .PFX File

    Figure 18-10: The Server Certificate page of the IIS Certificate Wizard.

  7. If you chose to assign an existing certificate or replace the current certificate, click Next, select a certificate (only certificates that have been installed on the computer are displayed), click Next, accept the default SSL port, click Next, verify the settings, and then click Next to install the certificate for use with IIS.

  8. If you chose to create a new certificate, click Next and, on the Delayed Or Immediate Request page, select whether to send the request later or send it immediately to a local CA. Click Next.

    More Info 

    For more information about installing Certificate Services and creating your certificate authority, see Chapter 15, “Managing Connectivity.”

  9. On the Name And Security Settings page, type a descriptive name for the certificate and then click Next.

  10. On the Organization Information page, type the name of your company and organizational unit, and then click Next.

  11. On the Your Site’s Common Name page, type the DNS name of the Web site and then click Next. (If this is a publicly accessible Web site, make sure to use the public DNS name of the site.)

  12. On the Geographical Information page, type the country, state, and city in which the server is located, and then click Next.

  13. If you chose to submit the certificate request later, type a file name for the certificate request and click Next. Review the settings and click Next to complete the request.

  14. If you chose to submit the request immediately, click Next on the SSL Port page to accept the default SSL port (443).

  15. On the Choose A Certificate Authority page, select the internal CA, click Next, review the settings, and then click Next again to submit the certificate request. Click Finish when prompted.






Microsoft Windows Small Business Server 2003 Administrator's Companion
ISBN: 0735620202
Year: 2004
Pages: 224