Microsoft Windows Server 2003 Deployment Kit—Deploying Microsoft Internet Information Services (IIS) 6.0 [Electronic resources] (text version)

Microsoft Corporation

Overview of the Securing Web Sites and Applications Process


To provide comprehensive security for your Web sites and applications, you must ensure that the entire Web server, including each Web site and application that the server hosts, is protected from unauthorized access. Also, you might have to ensure that the Web sites and applications are protected from other Web sites and applications that are hosted on the same server. Finally, you need to initiate practices to help ensure that your Web sites and applications remain secure.

For security reasons, IIS 6.0 is not installed by default on the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems. When you install IIS 6.0, it is locked down — only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. Features such as Active Server Pages (ASP), ASP.NET, Common Gateway Interface (CGI) scripting, FrontPage 2002 Server Extensions from Microsoft, and Web Distributed Authoring and Versioning (WebDAV) do not work by default. You can serve dynamic content and enable these features in the Web Service Extensions node in IIS Manager.
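The locked-down state described above is recorded in the IIS 6.0 metabase, in the WebSvcExtRestrictionList property that the Web Service Extensions node in IIS Manager edits. The following script is an added example, not Deployment Kit or Microsoft code: it parses a copy of that property (for example, pasted from a metabase export) and reports which extensions are enabled beyond what a site needs. The entry format it assumes, Allowed,Path,Deletable,GroupID,Description with Allowed set to 1 for an enabled extension and the *.dll and *.exe entries standing for all unknown ISAPI and CGI extensions, is an assumption; the sample list, the REQUIRED_FOR_SITE set and every function name are constructed for the example.

```python
"""Audit an IIS 6.0 WebSvcExtRestrictionList against the extensions a site needs.

Added example, not Deployment Kit or Microsoft code. ASSUMPTION: the metabase
property WebSvcExtRestrictionList holds one entry per line in the form
    Allowed,Path[,Deletable,GroupID,Description]
where Allowed is 1 (enabled) or 0 (prohibited), and the two wildcard entries
*.dll and *.exe stand for "all unknown ISAPI extensions" and "all unknown CGI
extensions". The sample list below is constructed, not taken from a real server.
"""
from __future__ import annotations

from dataclasses import dataclass

WILDCARDS = ("*.dll", "*.exe")


@dataclass(frozen=True)
class WebSvcExtension:
    allowed: bool
    path: str
    deletable: bool
    group_id: str
    description: str

    @property
    def is_wildcard(self) -> bool:
        return self.path in WILDCARDS


def parse_restriction_list(text: str) -> list[WebSvcExtension]:
    """Parse the property text, one extension per line.

    The description is the fifth field and may itself contain commas, so each
    line is split at most four times. Wildcard lines carry only the first two
    fields; GroupID and Description then default to the path. A line whose
    Allowed flag is not 0 or 1 raises ValueError instead of being silently
    read as prohibited.
    """
    entries: list[WebSvcExtension] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",", 4)
        if len(fields) < 2 or fields[0] not in ("0", "1"):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        path = fields[1]
        entries.append(WebSvcExtension(
            allowed=fields[0] == "1",
            path=path,
            deletable=len(fields) > 2 and fields[2] == "1",
            group_id=fields[3] if len(fields) > 3 else path,
            description=fields[4] if len(fields) > 4 else path,
        ))
    return entries


def audit(entries: list[WebSvcExtension], required_groups) -> dict[str, list[str]]:
    """Compare the enabled extensions with the GroupIDs the site actually needs.

    wildcard_enabled: *.dll / *.exe catch-alls that are enabled (every unknown
        ISAPI or CGI binary on the server becomes callable);
    unneeded_enabled: named extensions enabled but not in required_groups;
    required_disabled: required GroupIDs that are prohibited or absent.
    """
    required = set(required_groups)
    enabled = {e.group_id for e in entries if e.allowed and not e.is_wildcard}
    return {
        "wildcard_enabled": sorted(e.path for e in entries if e.is_wildcard and e.allowed),
        "unneeded_enabled": sorted(enabled - required),
        "required_disabled": sorted(required - enabled),
    }


# Constructed sample: a server on which someone enabled "All Unknown CGI
# Extensions" and WebDAV while leaving ASP.NET prohibited.
SAMPLE_LIST = r"""
0,*.dll
1,*.exe
1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector
0,C:\WINDOWS\system32\inetsrv\ssinc.dll,0,SSINC,Server Side Includes
1,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV
0,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,0,ASP.NET v1.1.4322,ASP.NET v1.1.4322
"""

# Constructed: the extensions this particular site is documented to need.
REQUIRED_FOR_SITE = {"ASP", "ASP.NET v1.1.4322"}


def report(text: str = SAMPLE_LIST, required_groups=REQUIRED_FOR_SITE) -> dict[str, list[str]]:
    """Print and return the findings for one property text."""
    findings = audit(parse_restriction_list(text), required_groups)
    for key, items in findings.items():
        print(f"{key}: {', '.join(items) if items else 'none'}")
    return findings


if __name__ == "__main__":
    report()
```

Run against the constructed sample, the audit flags the enabled *.exe catch-all (the single most consequential change, since it lets any CGI binary on the server execute), WEBDAV as enabled without a documented need, and ASP.NET as required but still prohibited. Each finding maps to an entry to toggle in the Web Service Extensions node.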

Before you begin this process, complete the following steps:

1. Install Windows Server 2003 with the default options.

2. Install IIS 6.0 with the default settings in Add or Remove Programs in Control Panel.

If you use other methods for installing and configuring Windows Server 2003, such as unattended setup, or enabling IIS 6.0 by using Manage Your Server, then the default configuration settings might not be identical.

Upon completing the process outlined in this chapter, you will have a Web server running IIS 6.0 that fulfills your security requirements. However, to maintain the security of your server, you need to implement continuing security practices such as security monitoring, detection, and response. For more information about maintaining Web server security, see "Managing a Secure IIS Solution" in Internet Information Services (IIS) 6.0 Resource Guide of the Microsoft Windows Server 2003 Resource Kit.





Note
The security settings described in this chapter are appropriate for Web sites and applications that are hosted on Web servers on an intranet and the Internet, unless specifically noted.


Although not the focus of this chapter, you can apply many of the security recommendations described in this chapter to enhance the security of Web servers that have been upgraded from earlier versions of IIS.



Process for Securing Web Sites and Applications


To configure security for Web sites and applications that are hosted on a newly installed Web server, you need to follow certain security practices, such as enabling only the Web service extensions that you need. Web service extensions provide content and features beyond serving static Web pages. Any dynamic content that is served by the Web server is done by using Web service extensions, such as content and features that are provided by ASP, ASP.NET, or CGI. In addition, each Web site and application might have specific requirements for security settings. Figure 3.1 shows the process for securing your Web sites and applications.


Figure 3.1: Securing Web Sites and Applications


Securing the Web sites and applications requires that the Web server as a whole is secure. The process presented in this chapter assumes that the network infrastructure connecting the Web servers to the clients and to other servers is secure. The security of the network infrastructure is determined by the placement and configuration of the firewalls, routers, and switches in the network infrastructure.





Note
The process presented in this chapter includes all of the steps for securing your Web sites and applications in one of many possible sequences. You can complete these steps in the sequence that is recommended in this chapter, or in another sequence. Regardless of the sequence, it is recommended that you evaluate all of the steps in the process.


In addition to assuming that the network infrastructure is secure, the process presented here assumes that the server is a dedicated Web server. A dedicated Web server is a server that is only being used as a Web server and not for other purposes, such as a file server, print server, or database server running Microsoft SQL Server™.

For more information about securing IIS components other than Internet services, such as Simple Mail Transfer Protocol (SMTP) or Network News Transfer Protocol (NNTP), see "SMTP Administration" or "NNTP Administration" in IIS 6.0 Help, which is accessible from IIS Manager. For more information about securing other services on a multipurpose server, see "Planning a Secure Environment" in Designing and Deploying Directory and Security Services of the Microsoft Windows Server 2003 Deployment Kit.





Tip
To secure the Web sites and applications in a Web farm, use the process described in this chapter to configure security for each server in the Web farm.


The following quick-start guide provides a detailed overview of how to configure security for IIS 6.0. You can use this guide to identify the steps of the security process for which you need additional information, and to skip the information with which you are already familiar. In addition, all of the procedures that are required to complete the security process are documented in "IIS Deployment Procedures" in this book.

Reduce the Attack Surface of the Web Server

    Enable only essential Windows Server 2003 components and services.
    Enable only essential IIS 6.0 components and services.
    Enable only essential Web service extensions.
    Enable only essential Multipurpose Internet Mail Extensions (MIME) types.
    Configure Windows Server 2003 security settings.

Prevent Unauthorized Access to Web Sites and Applications

    Store content on a dedicated disk volume.
    Set IIS Web site permissions.
    Set IP address and domain name restrictions.
    Set the NTFS file system permissions.

Isolate Web Sites and Applications

    Evaluate the effects of impersonation on application compatibility:
        Identify the impersonation behavior for ASP applications.
        Select the impersonation behavior for ASP.NET applications.
    Configure Web sites and applications for isolation.

Configure User Authentication

    Configure Web site authentication:
        Select the Web site authentication method.
        Configure the Web site authentication method.
    Configure File Transfer Protocol (FTP) site authentication.

Encrypt Confidential Data Exchanged with Clients

    Use Secure Sockets Layer (SSL) to encrypt confidential data.
    Use Internet Protocol security (IPSec) or virtual private network (VPN) with remote administration.

Maintain Web Site and Application Security

    Obtain and apply current security patches.
    Enable Windows Server 2003 security logs.
    Enable file access auditing for Web site content.
    Configure IIS logs.
    Review security policies, processes, and procedures.


