Configure Secure Web Server
A secure web server provides a protected foundation for hosting your web application, and web server configuration plays a critical role in your web application security. Badly configured virtual directories, a common mistake, can lead to unauthorized access. A forgotten share can provide a convenient back door, while an unmonitored port can be an attacker's front door. Neglected user accounts can allow an attacker to slip by your defenses unnoticed.
What makes a web server secure? Part of the challenge of securing your web server is recognizing your goal.
As soon as you know what a secure web server is, you can learn how to apply the configuration settings to create one. This project provides a systematic, repeatable approach that you can use to successfully configure a secure web server. It provides a methodology and the steps required to secure your web server. You can adapt the methodology to your own situation.
The steps are modular and show how you can put the methodology into practice. You can use these procedures on existing web servers or on new ones.
The fact that an attacker can strike remotely makes a web server an appealing target. Understanding threats to your web server and being able to identify appropriate countermeasures permits you to anticipate many attacks and thwart the ever-growing numbers of attackers. The main threats to a web server are:
Profiling
Denial of service
Unauthorized access
Arbitrary code execution
Elevation of privileges
Viruses, worms, and Trojan horses
Figure: Prominent web server threats and common vulnerabilities
Methodology for securing your web server
To secure a web server, you must apply many configuration settings to reduce the server's vulnerability to attack. So, how do you know where to start, and when do you know that you are done? The best approach is to organize the precautions you must take and the settings you must configure into categories. Using categories allows you to systematically walk through the securing process from top to bottom, or to pick a particular category and complete specific steps. The security methodology in this project has been organized into the categories shown in the following figure.
Figure: Web server configuration categories
Steps for securing your web server
The following sections guide you through the process of securing your web server. These sections use the configuration categories introduced in the "Methodology for securing your web server" section of this project. Each high-level step contains one or more actions to secure a particular area or feature.
Step 1: Patches and Updates
Step 2: IISLockdown
Step 3: Services
Step 4: Protocols
Step 5: Accounts
Step 6: Files and Directories
Step 7: Shares
Step 8: Ports
Step 9: Registry
Step 10: Auditing and Logging
Step 11: Sites and Virtual Directories
Step 12: Script Mappings
Step 13: ISAPI Filters
Step 14: IIS Metabase
Step 15: Server Certificates
Step 16: Machine.config
Step 17: Code Access Security
Step 1: Patches and Updates
Update your server with the latest service packs and patches. You must update and patch all of the web server components, including Windows 2000 or Windows Server 2003 (and IIS), the .NET Framework, and Microsoft Data Access Components.
During this step, you:
Detect and install patches and updates.
Use the Microsoft Baseline Security Analyzer (MBSA) to detect the patches and updates that may be missing from your current installation. MBSA compares your installation to a list of currently available updates maintained in an XML file. MBSA can download the XML file when it scans your server, or you can manually download the file to the server or make it available on a network server.
To detect and install patches and updates
Download and install MBSA.
Run MBSA by double-clicking the desktop icon or selecting it from the Programs menu.
Click Scan a computer. MBSA defaults to the local computer.
Clear all check boxes apart from Check for security updates. This option detects which patches and updates are missing.
Click Start scan. Your server is now analyzed. When the scan is complete, MBSA displays a security report, which it also writes to the %Userprofile%\SecurityScans directory.
Download and install the missing updates.
Click the Result details link next to each failed check to view the list of security updates that are missing. The resulting dialog box displays the Microsoft security bulletin reference number. Click the reference to find out more about the bulletin and to download the update.
Step 2: IISLockdown
The IISLockdown tool helps you to automate certain security steps. IISLockdown greatly reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server. The templates either disable or secure various features. In addition, IISLockdown installs the URLScan ISAPI filter. URLScan allows web site administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules that the administrator controls. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.
Note: By default, IIS 6.0 has security-related configuration settings similar to those made by the IISLockdown tool. Therefore you do not need to run the IISLockdown tool on web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS (5.0 or lower) to IIS 6.0, it is recommended that you run the IISLockdown tool to enhance the security of your web server.
During this step, you:
Install and run IISLockdown. IISLockdown is available as an Internet download from the Microsoft web site at http://download.microsoft.com/download/iis50/utility/2.1/NT45XP/EN-US/iislockd.exe.
Save IISlockd.exe in a local folder. IISlockd.exe is the IISLockdown wizard and not an installation program. You can reverse any changes made by IISLockdown by running IISlockd.exe a second time.
If you are locking down a Windows 2000-based computer that hosts ASP.NET pages, select the Dynamic Web server template when the IISLockdown tool prompts you. When you select Dynamic Web server, IISLockdown does the following:
It disables the following insecure Internet services:
File Transfer Protocol
E-mail service
News service
It disables script mapping by mapping the following file extensions to the 404.dll:
Index Server Web interface (.idq, .htw, .ida)
Server-side include files (.shtml, .shtm, .stm)
Internet Data Connector (.idc)
.HTR scripting (.htr), Internet printing (.printer)
Log files
IISLockdown creates two reports that list the changes it has applied:
%windir%\system32\inetsrv\oblt-rep.log. This contains high-level information.
%windir%\system32\inetsrv\oblt-log.log. This contains low-level details, such as which program files are configured with a deny access control entry (ACE) to prevent the anonymous Internet user accounts from accessing them. This log file is also used to support the IISLockdown undo changes feature.
Web Anonymous Users and Web Applications groups
IISLockdown creates the Web Anonymous Users group and the Web Applications group. The Web Anonymous Users group contains the IUSR_MACHINE account. The Web Applications group contains the IWAM_MACHINE account. Permissions are assigned to system tools and content directories based on these groups and not directly to the IUSR and IWAM accounts. You can review specific permissions by viewing the IISLockdown log %windir%\system32\inetsrv\oblt-log.log.
The 404.dll
IISLockdown installs the 404.dll, to which you can map file extensions that must not be run by the client.
URLScan
If you install the URLScan ISAPI filter as part of IISLockdown, URLScan settings are integrated with the server role you select when running IISLockdown. For example, if you select a static web server, URLScan blocks the POST command.
Reversing IISLockdown changes
To reverse the changes that IISLockdown performs, run IISlockd.exe a second time. This does not remove the URLScan ISAPI filter. For information, see "Removing URLScan" in the following topic.
Install and configure URLScan
URLScan is installed when you run IISLockdown, although you can download it and install it separately.
Note: IIS 6.0 on Windows Server 2003 has functionality equivalent to URLScan built in. Your decision whether to install URLScan should be based on your specific organizational requirements. Download IISLockd.exe from
http://download.microsoft.com/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe
Run the following command to extract the URLScan setup: iislockd.exe /q /c
Step 3: Services
Services that do not authenticate clients, services that use insecure protocols, or services that run with too much privilege are risks. If you do not need them, do not run them. By disabling unnecessary services you quickly and easily reduce the attack surface. You also reduce your overhead in terms of maintenance (patches, service accounts, and so on). If you run a service, make sure that it is secure and maintained. To do so, run the service using a least-privileged account, and keep the service current by applying patches.
During this step, you:
Disable unnecessary services.
Disable FTP, SMTP, and NNTP unless you require them.
Disable the ASP.NET State Service unless you require it.
Step 4: Protocols
By preventing the use of unnecessary protocols, you reduce the potential for attack. The .NET Framework provides granular control of protocols through settings in the Machine.config file.
For example, you can control whether your web services can use HTTP GET, POST, or SOAP.
Disable or secure WebDAV: IIS supports the WebDAV protocol, which is a standard extension to HTTP 1.1 for collaborative content publishing. Disable this protocol on production servers if it is not used.
WebDAV is preferred to FTP from a security perspective, but you need to secure WebDAV. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."
If you do not need WebDAV, see Microsoft Knowledge Base article 241520, "How To: Disable WebDAV for IIS 5.0."
Harden the TCP/IP stack: Windows 2000 and Windows Server 2003 support the granular control of many parameters that configure their TCP/IP implementation. Some of the default settings are configured to provide server availability and other specific features.
Disable NetBIOS and SMB: Disable all unnecessary protocols, including NetBIOS and SMB. Web servers do not need NetBIOS or SMB on their Internet-facing network interface cards (NICs). Disable these protocols to counter the threat of host enumeration.
Disabling NetBIOS
NetBIOS uses the following ports:
TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)
TCP and UDP port 138 (NetBIOS datagram service)
TCP and UDP port 139 (NetBIOS session service)
Disabling NetBIOS is not sufficient to prevent SMB communication because if a standard NetBIOS port is unavailable, SMB uses TCP port 445. (This port is referred to as the SMB Direct Host.) As a result, you must take steps to disable NetBIOS and SMB separately.
To disable NetBIOS over TCP/IP
1. Right-click My Computer on the desktop, and click Manage.
2. Expand System Tools, and select Device Manager.
3. Right-click Device Manager, point to View, and click Show hidden devices.
4. Expand Non-Plug and Play Drivers.
5. Right-click NetBios over Tcpip, and click Disable.
This disables the NetBIOS direct host listener on TCP 445 and UDP 445.
Step 5: Accounts
You should remove accounts that are not used because an attacker might discover and use them. Require strong passwords. Weak passwords increase the likelihood of a successful brute force or dictionary attack. Use least privilege. An attacker can use accounts with too much privilege to gain access to unauthorized resources.
During this step, you:
Delete or disable unused accounts. Unused accounts and their privileges can be used by an attacker to gain access to a server. Audit local accounts on the server and disable those that are unused. If disabling the account does not cause any problems, delete the account. (Deleted accounts cannot be recovered.) Disable accounts on a test server before you disable them on a production server.
Disable the Guest account: The Guest account is used when an anonymous connection is made to the computer. To restrict anonymous connections to the computer, keep this account disabled. The Guest account is disabled by default on Windows 2000 and Windows Server 2003. To check whether or not it is enabled, display the Users folder in the Computer Management tool. The Guest account should be displayed with a cross icon. If it is not disabled, display its Properties dialog box and select Account is disabled.
Rename the Administrator account. The default local Administrator account is a target for malicious use because of its elevated privileges on the computer. To improve security, rename the default Administrator account and assign it a strong password.
Disable the IUSR account. Disable the default anonymous Internet user account, IUSR_MACHINE. This is created during IIS installation. MACHINE is the NetBIOS name of your server at IIS installation time.
Create a custom anonymous web account. If your applications support anonymous access (for example, because they use a custom authentication mechanism such as Forms authentication), create a custom least-privileged anonymous account. If you run IISLockdown, add your custom user to the Web Anonymous Users group that is created. IISLockdown denies access to system utilities and the ability to write to web content directories for the Web Anonymous Users group.
If your web server hosts multiple web applications, you may want to use multiple anonymous accounts, one per application, so that you can secure and audit the operations of each application independently.
Enforce strong password policies. To counter password guessing and brute force dictionary attacks on your application, apply strong password policies. To enforce a strong password policy:
Set password length and complexity. Require strong passwords to reduce the threat of password guessing attacks or dictionary attacks. Strong passwords are eight or more characters and must include both alphabetical and numeric characters.
Set password expiration. Passwords that expire regularly reduce the likelihood that an old password can be used for unauthorized access. Frequency of expiration is usually guided by a company's security policy.
Password Policy | Default Setting | Recommended Minimum Setting
Enforce password history | 1 password remembered |
Maximum password age | 42 days | 42 days
Minimum password age | 0 days | 2 days
Minimum password length | 0 characters | 8 characters
Passwords must meet complexity requirements | Disabled | Enabled
Store password using reversible encryption for all users in the domain | Disabled | Disabled
Step 6: Files and Directories
Install Windows 2000 and Windows Server 2003 on partitions formatted with the NTFS file system so that you benefit from NTFS permissions to restrict access. Use strong access controls to protect sensitive files and directories. In most situations, an approach that allows access to specific accounts is more effective than one that denies access to specific accounts. Set access at the directory level whenever possible. As files are added to the folder they inherit permissions from the folder, so you need to take no further action.
1. Restrict the Everyone group.
2. Restrict the anonymous web account(s).
3. Secure or remove tools, utilities, and SDKs.
4. Remove sample files.
Step 7: Shares
Remove any unused shares and harden the NTFS permissions on any essential shares. By default all users have full control on newly created file shares. Harden these default permissions to ensure that only authorized users can access files exposed by the share. In addition to explicit share permissions, use NTFS ACLs for files and folders exposed by the share.
Remove unnecessary shares: Remove all unnecessary shares. To review shares and associated permissions, run the Computer Management MMC snap-in, and select Shares from Shared Folders as shown in Figure 16.3.
Figure 16.3: Computer Management MMC snap-in Shares
Restrict access to required shares. Remove the Everyone group and grant specific permissions instead. Everyone is used when you do not have restrictions on who should have access to the share.
Additional Considerations
Step 8: Ports
Services that run on the server use specific ports so that they can serve incoming requests. Close all unnecessary ports and perform regular audits to detect new ports in the listening state, which could indicate unauthorized access and a security compromise.
During this step, you:
Restrict Internet-facing ports to TCP 80 and 443.
Encrypt or restrict intranet traffic.
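As an added example (not part of the original essay), the following Python script performs the listening-port audit described above: it parses Windows netstat output, reports every listener outside the Internet-facing allowlist of TCP 80 and 443, and names the NetBIOS and SMB ports from the Protocols step. The netstat output it parses is constructed sample data.

```python
"""Audit listening ports on a Windows web server against an allowlist.

Added example, not part of the original essay. It parses the output of
``netstat -an`` (Windows format) and reports listeners that fall outside the
essay's allowlist for Internet-facing interfaces (TCP 80 and 443), naming the
NetBIOS and SMB ports the essay says should be disabled.
"""
import re
from collections import namedtuple

# The only listeners the essay permits on an Internet-facing interface.
INTERNET_ALLOWLIST = {("TCP", 80), ("TCP", 443)}

# NetBIOS / SMB ports listed in the essay; none should be reachable from the Internet.
NETBIOS_SMB_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB direct host",
}

Listener = namedtuple("Listener", "proto address port")

# A netstat -an line:  "  TCP    0.0.0.0:80    0.0.0.0:0    LISTENING"
# UDP lines carry no state column:  "  UDP    0.0.0.0:137   *:*"
_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def _split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_netstat(text):
    """Return a Listener for every TCP socket in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank and 'Active Connections' lines
        proto, state = m.group("proto"), m.group("state")
        # TCP sockets are reachable only when LISTENING; UDP sockets have no
        # state and are reachable as soon as they are bound.
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, port = _split_endpoint(m.group("local"))
        listeners.append(Listener(proto, addr, port))
    return listeners


def audit_listeners(listeners, allowlist=INTERNET_ALLOWLIST):
    """Return (Listener, reason) for every listener that is not on the allowlist."""
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in allowlist:
            continue
        if lst.port in NETBIOS_SMB_PORTS:
            reason = "NetBIOS/SMB: " + NETBIOS_SMB_PORTS[lst.port]
        else:
            reason = "not in Internet-facing allowlist"
        findings.append((lst, reason))
    return findings


# Constructed sample output, modelled on 'netstat -an' from a Windows host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.7:51234      ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

if __name__ == "__main__":
    for lst, reason in audit_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{lst.proto} {lst.address}:{lst.port:<5} {reason}")
```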
Step 9: Registry
The registry is the repository for many vital server configuration settings. As such, you must ensure that only authorized administrators have access to it. If an attacker is able to edit the registry, he or she can reconfigure and compromise the security of your server.
During this step, you:
Restrict remote administration of the registry. The Winreg key determines whether registry keys are available for remote access. By default, this key is configured to prevent users from remotely viewing most keys in the registry, and only highly privileged users can modify it. On Windows 2000 and Windows Server 2003, remote registry access is restricted by default to members of the Administrators and Backup Operators groups. Administrators have full control and backup operators have read-only access.
The associated permissions at the following registry location determine who can remotely access the registry.
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
To view the permissions for this registry key, run Regedt32.exe, navigate to the key, and choose Permissions from the Security menu.
Secure the SAM (stand-alone servers only). Stand-alone servers store account names and one-way (non-reversible) password hashes (LMHash) in the local Security Account Manager (SAM) database. The SAM is part of the registry. Typically, only members of the Administrators group have access to the account information.
Restrict LMHash storage in the SAM by creating the key (not value) NoLMHash in the registry as follows: HKLM\System\CurrentControlSet\Control\LSA\NoLMHash
Step 10: Auditing and Logging
Auditing does not prevent system attacks, although it is an important aid in identifying intruders and attacks in progress, and can assist you in diagnosing attack footprints. Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files so that an attacker cannot cover his tracks by deleting or updating the log files in any way. Use IIS W3C Extended Log File Format auditing. Audit access to the Metabase.bin file.
Log all failed logon attempts. You must log failed logon attempts to be able to detect and trace suspicious behavior.
Start the Local Security Policy tool from the Administrative Tools program group.
Expand Local Policies and then select Audit Policy.
Double-click Audit account logon events.
Click Failure and then OK.
Logon failures are recorded as events in the Windows security event log. The following event IDs are suspicious:
531. This means an attempt was made to log on using a disabled account.
529. This means an attempt was made to log on using an unknown user account or using a valid user account but with an invalid password.
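The following Python script is an added example, not from the original essay. It reads a constructed comma-delimited export of the Security event log and reports the two event IDs named above, counting repeated 529 failures per account and source workstation; the export's column layout and the threshold of five failures are assumptions.

```python
"""Detect suspicious failed logons in an exported Windows security log.

Added example, not part of the original essay. It reads a constructed
comma-delimited export of the Security event log and picks out the two event
IDs the essay flags: 529 (unknown user name or bad password) and 531 (attempt
to use a disabled account). Repeated 529s for one account from one workstation
are reported as a possible password-guessing attempt.
"""
import csv
import io
import re
from collections import Counter

SUSPICIOUS_EVENTS = {
    529: "unknown user name or bad password",
    531: "attempt to log on with a disabled account",
}

# Assumed threshold: this many 529 failures for one (account, workstation)
# pair within the exported window is reported as password guessing.
GUESSING_THRESHOLD = 5

# Fields that appear in the free-text description of 529/531 events.
_USER_RE = re.compile(r"User Name:\s*(\S+)")
_WKS_RE = re.compile(r"Workstation Name:\s*(\S+)")


def _field(regex, text):
    """Extract one named field from an event description, '?' if absent."""
    m = regex.search(text)
    return m.group(1) if m else "?"


def parse_export(text):
    """Yield (event_id, user, workstation, timestamp) for each Failure Audit row."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["Type"] != "Failure Audit":
            continue  # Success Audit rows are not of interest here
        try:
            event_id = int(row["EventID"])
        except ValueError:
            continue  # malformed row: skip it rather than abort the sweep
        desc = row["Description"]
        yield (event_id, _field(_USER_RE, desc), _field(_WKS_RE, desc),
               f"{row['Date']} {row['Time']}")


def analyse(rows, threshold=GUESSING_THRESHOLD):
    """Summarise the rows into disabled-account attempts and guessing suspects."""
    disabled_attempts = []
    bad_password = Counter()
    for event_id, user, wks, when in rows:
        if event_id not in SUSPICIOUS_EVENTS:
            continue  # other failure audits (e.g. object access) are out of scope
        if event_id == 531:
            disabled_attempts.append((user, wks, when))
        else:  # 529
            bad_password[(user, wks)] += 1
    return {
        "disabled_account_attempts": disabled_attempts,
        "bad_password_counts": dict(bad_password),
        "guessing_suspects": {k: n for k, n in bad_password.items() if n >= threshold},
    }


# Constructed sample export. A real Event Viewer export carries more columns;
# only the ones parse_export reads are kept here.
SAMPLE_EXPORT = r"""Date,Time,Type,Source,EventID,Computer,Description
2004-03-01,02:14:05,Failure Audit,Security,529,WEB01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB01 Logon Type: 3 Workstation Name: DESKTOP-77"
2004-03-01,02:14:06,Failure Audit,Security,529,WEB01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB01 Logon Type: 3 Workstation Name: DESKTOP-77"
2004-03-01,02:14:07,Failure Audit,Security,529,WEB01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB01 Logon Type: 3 Workstation Name: DESKTOP-77"
2004-03-01,02:14:08,Failure Audit,Security,529,WEB01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB01 Logon Type: 3 Workstation Name: DESKTOP-77"
2004-03-01,02:14:09,Failure Audit,Security,529,WEB01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB01 Logon Type: 3 Workstation Name: DESKTOP-77"
2004-03-01,02:14:11,Failure Audit,Security,531,WEB01,"Logon Failure: Reason: Account currently disabled User Name: Guest Domain: WEB01 Logon Type: 3 Workstation Name: DESKTOP-77"
2004-03-01,08:02:41,Failure Audit,Security,529,WEB01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: WEB01 Logon Type: 2 Workstation Name: WEB01"
2004-03-01,08:02:55,Success Audit,Security,528,WEB01,"Successful Logon: User Name: jsmith Domain: WEB01 Logon Type: 2 Workstation Name: WEB01"
2004-03-01,08:03:10,Failure Audit,Security,560,WEB01,"Object Open: Object Server: Security Object Type: File Object Name: C:\WINNT\System32\inetsrv\MetaBase.bin Primary User Name: jsmith"
"""

if __name__ == "__main__":
    report = analyse(parse_export(SAMPLE_EXPORT))
    for (user, wks), n in report["guessing_suspects"].items():
        print(f"possible guessing: {n} bad-password failures for {user!r} from {wks}")
    for user, wks, when in report["disabled_account_attempts"]:
        print(f"disabled account {user!r} tried from {wks} at {when}")
```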
Log all failed actions across the file system. Use NTFS auditing on the file system to detect potentially malicious attempts. This is a two-step process.
To enable logging
Start the Local Security Policy tool from the Administrative Tools program group.
Expand Local Policies and then select Audit Policy.
Double-click Audit object access.
Click Failure and then click OK.
To audit failed actions across the file system
Start Windows Explorer and navigate to the root of the file system.
Right-click and then click Properties.
Click the Security tab.
Click Advanced and then click the Auditing tab.
Click Add and then enter Everyone in the Name field.
Click OK and then select all of the Failed check boxes to audit all failed events.
Click OK three times to close all open dialog boxes.
Relocate and secure the IIS log files: By moving and renaming the IIS log files, you make it much more difficult for an attacker to cover his tracks. The attacker must locate the log files before he or she can alter them. To make an attacker's task more difficult still, use NTFS permissions to secure the log files.
Move and rename the IIS log file directory to a different volume than your web site. Do not use the system volume. Then, apply the following NTFS permissions to the log files folder and subfolders.
Administrators: Full Control
System: Full Control
Backup Operators: Read
Archive Log Files for Offline Analysis
To facilitate the offline analysis of IIS log files, you can use a script to automate the secure removal of log files from an IIS server. Log files should be removed at least every 24 hours. An automated script can use FTP, SMTP, HTTP, or SMB to transfer log files from a server computer. However, if you enable one of these protocols, do so securely so that you do not open any additional attack opportunities. Use an IPSec policy to secure ports and channels.
Audit Access to the Metabase.bin File
Audit all failures by the Everyone group to the IIS Metabase.bin file located in \WINNT\System32\inetsrv. Do the same for the Metabase backup folder that holds the backup copies of the metabase.
Step 11: Sites and Virtual Directories
Relocate web roots and virtual directories to a non-system partition to protect against directory traversal attacks. These attacks allow an attacker to execute operating system programs and utilities. It is not possible to traverse across drives. For example, this approach ensures that any future canonicalization worm that allows an attacker to access system files will fail. For example, if the attacker formulates a URL that contains the following path, the request fails:
/scripts/..%5c../winnt/system32/cmd.exe
Disable parent paths. This IIS metabase setting prevents the use of ".." in script and application calls to functions such as MapPath. This helps guard against directory traversal attacks.
To disable parent paths
Start IIS.
Right-click the root of your web site, and click Properties.
Click the Home Directory tab.
Click Configuration.
Click the App Options tab.
Clear Enable parent paths.
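As an added example that is not part of the essay, the Python function below performs the canonicalization check that parent-path blocking and a non-system web root rely on: it decodes the request path (including double encoding), folds backslashes to slashes as Windows does, and rejects any path that climbs above the web root, using the essay's sample request as one of its inputs. The decoding bound and the D:/wwwroot web root are assumptions.

```python
"""Canonicalize a request path and reject directory traversal.

Added example, not part of the original essay. It performs the check that the
essay's "disable parent paths" setting and non-system web root are meant to
back up: percent-decode the request path (repeatedly, to unwrap double
encoding), treat backslashes as separators as Windows does, collapse '.' and
'..' segments, and refuse any path that climbs above the web root.
"""
from urllib.parse import unquote

# Assumed bound on decoding rounds; a path still changing after this many
# rounds is treated as hostile rather than decoded further.
MAX_DECODE_ROUNDS = 3


def _decode_fully(path):
    """Percent-decode until the string is stable; None if it never settles."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return None


def canonicalize(request_path):
    """Return the canonical absolute URL path, or None if it escapes the root.

    '..' is resolved segment by segment so that excess '..' at the root is
    detected instead of being silently dropped (posixpath.normpath would turn
    '/scripts/../../x' into '/x', hiding the escape).
    """
    decoded = _decode_fully(request_path)
    if decoded is None or "\x00" in decoded:
        return None  # undecodable, or an embedded NUL that would truncate in native code
    decoded = decoded.replace("\\", "/")  # IIS on Windows accepts '\' as a separator
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # attempted to climb above the web root
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def map_to_webroot(web_root, request_path):
    """Map a request onto the web root directory; None if the request is rejected."""
    canon = canonicalize(request_path)
    if canon is None:
        return None
    return web_root.rstrip("/") + canon


# The first request is the essay's own example; the others are constructed.
SAMPLE_REQUESTS = [
    "/scripts/..%5c../winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",      # double-encoded backslash
    "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe",  # encoded dots
    "/scripts/./foo/../default.asp",                  # harmless relative segments
    "/images/a%20b.gif",
    "/default.htm%00.asp",                            # embedded NUL
]

if __name__ == "__main__":
    web_root = "D:/wwwroot"  # assumed web root on a non-system partition
    for req in SAMPLE_REQUESTS:
        mapped = map_to_webroot(web_root, req)
        print(f"{req:<48} -> {mapped if mapped else 'REJECTED'}")
```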
Set Web Permissions
Web permissions are configured through the IIS snap-in and are maintained in the IIS metabase. They are not NTFS permissions.
Use the following web permissions:
Read Permissions. Restrict Read permissions on include directories.
Write and Execute Permissions. Restrict Write and Execute permissions on virtual directories that allow anonymous access.
Script source access. Configure Script source access permissions only on folders that allow content authoring.
Write. Configure Write permissions only on folders that allow content authoring. Grant write access only to content authors.
Step 12: Script Mappings
Script mappings associate a particular file extension, such as .asp, to the ISAPI extension that handles it, such as Asp.dll. IIS is configured to support a range of extensions including .asp, .shtm, .hdc, and so on. ASP.NET HTTP handlers are a rough equivalent of ISAPI extensions. In IIS, file extensions such as .aspx are first mapped in IIS to Aspnet_isapi.dll, which forwards the request to the ASP.NET worker process. The actual HTTP handler that processes the file extension is then determined by the <HttpHandler> mapping in Machine.config or Web.config.
Why Map to the 404.dll?
By mapping file extensions to the 404.dll, you prevent files from being returned and downloaded over HTTP. If you request a file with an extension mapped to the 404.dll, a web page with the message "HTTP 404 - File not found" is displayed. You are recommended to map unused extensions to the 404.dll rather than deleting the mapping. If you delete a mapping, and a file is erroneously left on the server (or put there by mistake), it can be displayed in clear text when it is requested because IIS does not know how to process it.
To map a file extension to the 404.dll
1. Start IIS.
2. Right-click your server name in the left window, and then click Properties.
3. Ensure that the WWW Service is selected in the Master Properties drop-down list, and then click the adjacent Edit button.
4. Click the Home Directory tab.
5. Click Configuration. The tabbed page shown in Figure 16.4 is displayed.
Figure 16.4
6. Select one of the extensions from the list, and then click Edit.
7. Click Browse and navigate to \WINNT\system32\inetsrv\404.dll.
Note: This step assumes that you have previously run IISlockd.exe, as the 404.dll is installed by the IISLockdown tool.
8. Click Open, and then click OK.
Repeat steps 6, 7, and 8 for all of the remaining file extensions.
Step 13: ISAPI Filters
In the past, vulnerabilities in ISAPI filters caused significant IIS exploitation. There are no unneeded ISAPI filters after a clean IIS installation, although the .NET Framework installs the ASP.NET ISAPI filter (Aspnet_filter.dll), which is loaded into the IIS process address space (Inetinfo.exe) and is used to support cookie-less session state management.
If your applications do not need to support cookie-less session state and they do not set the cookieless attribute to true on the <sessionState> element, this filter can be removed.
During this step, you remove unused ISAPI filters.
Remove Unused ISAPI Filters
Remove any unused ISAPI filters as explained in the following section.
To view ISAPI filters
To start IIS, select Internet Services Manager from the Administrative Tools program group.
Right-click the machine (not the web site, because filters are machine wide), and then click Properties.
Click Edit.
Click the ISAPI Filters tab.
Figure: Removing unused ISAPI filters
Step 14: IIS Metabase
Security and other IIS configuration settings are maintained in the IIS metabase file. Harden the NTFS permissions on the IIS metabase (and the backup metabase file) to be sure that attackers cannot modify your IIS configuration in any way (for example, to disable authentication for a particular virtual directory).
Step 15: Code Access Security
Machine-level code access security policy is determined by settings in the Security.config file located in the following directory: %windir%\Microsoft.NET\Framework\{version}\CONFIG
Run the following command to be sure that code access security is enabled on your server: caspol -s On
Remove all permissions for the local intranet zone. The local intranet zone applies permissions to code running from UNC shares or internal web sites. Reconfigure this zone to grant no permissions by associating it with the Nothing permission set. To remove all permissions for the local intranet zone:
Start the Microsoft .NET Framework version 1.1 Configuration tool from the Administrative Tools program group.
Expand Runtime Security Policy, expand Machine, and then expand Code Groups.
Expand All_Code and then select LocalIntranet_Zone.
Click Edit Code Group Properties.
Click the Permission Set tab.
Select Nothing from the drop-down Permission list.
Click OK.
Figure: Setting LocalIntranet_Zone code permissions to Nothing
Remove All Permissions for the Internet Zone
The Internet zone applies code access permissions to code downloaded over the Internet. On web servers, this zone should be reconfigured to grant no permissions by associating it with the Nothing permission set.
Repeat the steps shown in the preceding section, "Remove All Permissions for the Local Intranet Zone," except set the Internet_Zone to the Nothing permission set.
Snapshot of a Secure Web Server
A snapshot view that shows the attributes of a secure web server allows you to quickly and easily compare settings with your own web server. The settings shown in Table 16.4 are based on web servers that host web sites that have proven to be very resilient to attack and demonstrate sound security practices. By following the preceding steps you can generate an identically configured server, with regard to security.
Compatibility
Version | Notes
IIS 7.5 | The <security> element was not modified in IIS 7.5.
IIS 7.0 | The <security> element was introduced in IIS 7.
IIS 6.0 | The <security> element replaces the IIS 6.0 security metabase properties that related to certificates, authentication, and authorization.
How To Set Up
HOW TO DISABLE ANONYMOUS AUTHENTICATION
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2008 or Windows Server 2008 R2:
On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, go to the level in the hierarchy pane that you want to configure, and then click the web site or web application.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
HOW TO CHANGE ANONYMOUS AUTHENTICATION CREDENTIALS FROM THE IUSR ACCOUNT
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2008 or Windows Server 2008 R2:
On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, navigate to the level in the hierarchy pane that you want to configure, and then click the web site or web application.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Anonymous Authentication, and then click Edit... in the Actions pane.
In the Edit Anonymous Authentication Credentials dialog box, do one of the following:
Select Application pool identity to use the identity set for the application pool, and then click OK.
hypertext transfer protocol: //i1.iis.net/images/configreference/anonymousAuthentication_howto_7-small.png? cdn_id=2013-04-06-002
ClickA Set… , and so in theA Set CredentialsA duologue box, enter the user name for the history in theA User nameA box, enter the watchword for the history in theA PasswordA andA Confirm passwordA boxes, clickA OK, and so clickA OKA once more.
hypertext transfer protocol: //i1.iis.net/images/configreference/anonymousAuthentication_howto_8-small.png? cdn_id=2013-04-06-002
Note: If you use this process, merely allow the new history minimum privileges on the IIS waiter computing machine.
HOW TO ENABLE BASIC AUTHENTICATION AND DISABLE ANONYMOUS AUTHENTICATION
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2008 or Windows Server 2008 R2:
On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and then click the site, application, or Web service for which you want to enable basic authentication.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Basic Authentication, and then, in the Actions pane, click Enable.
In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
http://i2.iis.net/images/configreference/basicAuthentication_howto_1-small.png?cdn_id=2013-04-06-002
HOW TO REQUIRE SECURE SOCKETS LAYER
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2008 or Windows Server 2008 R2:
On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, go to the site, application, or directory for which you want to configure SSL requirements. You cannot configure SSL at the server level.
In the Home pane, double-click SSL Settings.
http://i2.iis.net/images/configreference/access_howto_1-small.png?cdn_id=2013-04-06-002
In the SSL Settings pane, click Require SSL.
In the Actions pane, click Apply.
HOW TO ENABLE WINDOWS AUTHENTICATION FOR A WEB SITE, WEB APPLICATION, OR WEB SERVICE
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2008 or Windows Server 2008 R2:
On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and then click the site, application, or Web service for which you want to enable Windows authentication.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane.
http://i1.iis.net/images/configreference/windowsAuthentication_howto_1-small.png?cdn_id=2013-04-06-002
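The four procedures above can also be applied and verified from a script, which is useful when the same settings must be repeated across many sites and checked afterwards. The following PowerShell is an added example and is not code from this essay or from Microsoft's IIS documentation. It assumes IIS 7.x on Windows Server 2008 or 2008 R2 with the WebAdministration module and PowerShell 3.0 or later, a site named "Contoso" (the same name the configuration sample below uses), and a hypothetical test URL; it writes to the site's <location> block in applicationHost.config, which is what the appcmd commands with /commit:apphost do as well.

```powershell
# Added example (not part of the original essay). Applies: disable Anonymous
# Authentication, enable Windows Authentication (Basic optionally), Require SSL,
# then reads the settings back and probes the site without credentials.
# Assumptions: IIS 7.x, WebAdministration module, PowerShell 3.0+, site "Contoso".
Import-Module WebAdministration

$SiteName = 'Contoso'
$AuthBase = '/system.webServer/security/authentication'

function Get-SiteAuthState {
    # Read the effective settings for one site from applicationHost.config
    # (the <location path="Contoso"> block that appcmd /commit:apphost writes).
    param([string]$Site)
    $state = [ordered]@{}
    foreach ($method in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $state[$method] = (Get-WebConfiguration -Filter "$AuthBase/$method" -PSPath 'IIS:\' -Location $Site).enabled
    }
    $state['sslFlags'] = (Get-WebConfiguration -Filter '/system.webServer/security/access' -PSPath 'IIS:\' -Location $Site).sslFlags
    return $state
}

function Set-SiteAuth {
    # Scripted equivalent of the GUI steps. Basic Authentication stays off unless
    # -EnableBasic is given: Basic only Base64-encodes the password, so it is
    # acceptable only together with the Require SSL setting applied below.
    param(
        [string]$Site,
        [switch]$EnableBasic
    )
    $target = @{
        anonymousAuthentication = $false
        basicAuthentication     = [bool]$EnableBasic
        windowsAuthentication   = $true
    }
    foreach ($method in $target.Keys) {
        Set-WebConfigurationProperty -Filter "$AuthBase/$method" -Name enabled -Value $target[$method] -PSPath 'IIS:\' -Location $Site
    }
    # "Require SSL" plus 128-bit, a subset of the sslFlags used in the configuration sample.
    Set-WebConfigurationProperty -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl,Ssl128' -PSPath 'IIS:\' -Location $Site
}

function Test-AnonymousRequestRejected {
    # Client-side check: a request with no credentials must not return 200.
    # 401 = authentication demanded; 403 = SSL required (403.4) when the probe uses plain HTTP.
    param([string]$Url)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return $false   # anonymous access still works
    } catch [System.Net.WebException] {
        $response = $_.Exception.Response
        if ($null -eq $response) { throw }   # connection failure, not an HTTP answer
        return ([int]$response.StatusCode -in 401, 403)
    }
}

Set-SiteAuth -Site $SiteName
$state = Get-SiteAuthState -Site $SiteName
$state.GetEnumerator() | ForEach-Object { '{0,-25} {1}' -f $_.Key, $_.Value }

if ($state.anonymousAuthentication) { throw "Anonymous authentication is still enabled on $SiteName" }
if ("$($state.sslFlags)" -notmatch '\bSsl\b') { throw "Require SSL is not set on $SiteName" }

# Hypothetical URL; replace with the site's own binding.
Test-AnonymousRequestRejected -Url 'http://contoso.example/'
```

Run it in an elevated session on the server. Get-SiteAuthState on its own is the audit half and can be pointed at every site returned by Get-Website to find servers where anonymous access was left on; Test-AnonymousRequestRejected returning $false after the settings were applied means a different level of the hierarchy (an application or virtual directory) still overrides them.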
CONFIGURATION SAMPLE
<location path="Contoso">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
        <anonymousAuthentication enabled="false" />
      </authentication>
      <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".inc" allowed="false" />
        </fileExtensions>
        <denyUrlSequences>
          <add sequence="_vti_bin" />
          <add sequence="_vti_cnf" />
          <add sequence="_vti_pvt" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</location>
appcmd.exe
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:"False" /commit:apphost
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/basicAuthentication /enabled:"True" /commit:apphost
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost
C#
using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
    private static void Main()
    {
        using (ServerManager serverManager = new ServerManager())
        {
            // applicationHost.config, the same store appcmd writes with /commit:apphost
            Configuration config = serverManager.GetApplicationHostConfiguration();

            // Each section is read for the "Contoso" location and its enabled flag set
            ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Contoso");
            anonymousAuthenticationSection["enabled"] = false;

            ConfigurationSection basicAuthenticationSection = config.GetSection("system.webServer/security/authentication/basicAuthentication", "Contoso");
            basicAuthenticationSection["enabled"] = true;

            ConfigurationSection windowsAuthenticationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Contoso");
            windowsAuthenticationSection["enabled"] = true;

            // Nothing is written until the changes are committed
            serverManager.CommitChanges();
        }
    }
}
Conclusion:
A secure Web server provides a protected foundation for hosting your Web applications. This chapter has shown you the main threats that have the potential to impact your ASP.NET Web server and has provided the security steps required for risk mitigation. By performing the hardening steps presented in this chapter, you can create a secure platform and host infrastructure to support ASP.NET Web applications and Web services.
The methodology used in this chapter allows you to build a secure Web server from scratch and also allows you to harden the security configuration of an existing Web server. The next step is to ensure that any deployed applications are correctly configured.