Windows Server 2008 R2 Unleashed (87 page)

administrative roles to conduct specific administrative tasks on the web server, website,

Securing Internet Information Services 7.5

413

12

FIGURE 12.19

Configuring the properties on the SSL Settings feature page.

ptg

or web application. There are three IIS administrative roles: Web Server Administrator,

Web Site Administrator, and Web Application Administrator. Each role dictates the

settings that can be configured. Table 12.1 lists each IIS administrative role and permis-

sions associated with it.

TABLE 12.1

Server-Level Roles

IIS Administrative Role

Configuration Tasks

Web Server Administrator

Complete and unrestricted access to the web server, including all

sites and applications

Web server

Application pools

Websites

Virtual directories

Physical directories in the websites and web applications

Web server security

Web Site Administrator

Full control over the web to which they have been delegated

Web application within the delegation

Virtual directories within the delegation

Physical directory within the delegation

414

CHAPTER 12

Internet Information Services

TABLE 12.1

Server-Level Roles

IIS Administrative Role

Configuration Tasks

Web Application

Configure web application settings to which they have been

Administrator

delegated

Virtual directories within the web application delegation

Physical directory within the web application delegation

Files in the virtual and physical directory within the web

application delegation

Creating an IIS 7.5 User Account

There might be situations when you need to provide a non-Windows user IIS 7.5 manage-

ment capabilities. You need to create an IIS 7.5 user account; therefore, this non-Windows

user has management privileges to delegate features and IIS functionality. Follow these

steps to create an IIS 7.5 user account:

1. In Internet Information Services (IIS) Manager, navigate to the Connections pane

and select the IIS server.

ptg

2. Select the IIS Manager Users feature icon, which is located in the central details pane.

3. On the IIS Manager Users feature page, click the Add User task, which is located in

the Actions pane.

4. In the Add User dialog box, enter the new user account name and password, and

then click OK.

NOTE

When entering a password, the password policy will be governed by the local Windows

Server 2008 R2 group policy. Therefore, the password will need to be strong to meet

the default complexity password policy.

For ongoing user account management, after the user account is created, use the addi-

tional tasks on the Actions pane to change the password, disable, or remove the account.

Assigning Permissions to an IIS 7.5 User Account

The next step in the user creation process is to assign the appropriate permissions to the

newly created user account. This process allows the user to configure delegated features for

a specific website or application. Follow these steps to authorize a user account to connect

to a site or an application:

1. In Internet Information Services (IIS) Manager, navigate to the Connections pane,

expand the IIS server, and then expand the Sites node.

Securing Internet Information Services 7.5

415

2. Specify the site to which the user account will be granted authorization, and then

select the IIS Manager Permissions feature icon, which is located in the Central

Details pane.

3. On the IIS Manager Permissions feature page, click the Allow User task, which is

located in the Actions pane.

12

4. In the Allow User dialog box, first select the IIS Manager option, then enter the

account that was created in the previous steps, and then click OK.

NOTE

If the IIS Manager option is not available in the Allow User dialog box, the management

service is not set to accept connections from IIS users. To do so, use the Management

Service page to enable remote connections and select the identify option, Windows

Credentials or IIS Manager Credentials.

Configuring Feature Delegation

Follow these steps to configure feature delegation for a newly created website:

1. In Internet Information Services (IIS) Manager, navigate to the Connections pane

and select the IIS server.

ptg

2. Select the Feature Delegation feature icon, which is located in the Central Details pane.

3. On the Features Delegation page, select the Custom Web Site Delegation task from

the Actions pane. Alternatively, select the Customer Web Application Delegation if

you want to delegate an application.

4. Select the site to be delegated from the Sites drop-down menu on the Custom

Website page.

5. Select the appropriate feature in the list and then set the desired feature delegation

from the Actions pane. The delegations include: Read/Write, Read Only, Not

Delegated, and Reset to Inherited.

NOTE

There might be circumstances when there is a need to reset delegation or restore the

defaults. When necessary, click the Reset All Delegation or Default Delegation in the

Actions pane.

Using IIS Logging

IIS logging should be viewed as a necessity rather than an optional feature of IIS because it

helps to ensure IIS security and is also extremely useful for maintenance and troubleshoot-

ing. For example, in the event of a system compromise, logs can be used and a forensic

review performed on the intimate details contained in them. This information can then

be used to review maintenance procedures and identify problems in the system. Equally

important, many organizations now require logging because of regulatory compliance so it

seems logging is here to stay.

416

CHAPTER 12

Internet Information Services

IIS text-based logging, such as the W3C Extended Log File Format, Microsoft IIS Log File

Format, and NCSA Common Log File Format, is controlled by Http.sys, which is a kernel-

mode process. This is a significant change from previous versions where logging was a

user-mode process. The only other log file format that comes close to previous versions is

ODBC as it is implemented using a user mode worker process.

Another bonus about logging is its ability to be implemented at the server, site, web appli-

cation, file, and directory level. For organizations wanting to configure IIS 7.5 logging for

a specific website, follow these procedures:

1. Launch Internet Information Services (IIS) Manager.

2. In the Connections pane, select the desired website for which you want to config-

ure logging.

3. Double-click the Logging feature in the Actions pane.

4. On the Logging page, select the desired logging format to be utilized.

5. Specify the location of the log file by typing a log path into the Directory text box.

Alternatively, click the Browse button and select a directory to store the files.

6. In the Log File Rollover section, select the method to create the new log file. The

options include specifying an Hourly, Daily, Weekly, or Monthly schedule, entering a

maximum file size (in bytes), or selecting the option that puts a stop to the creation

ptg

of new log files.

7. The final option requires you to determine whether to use local time for file naming

and rollover.

8. After all the log file settings have been inputted, select Apply in the Actions pane to

commit the changes.

NOTE

It is possible to either enable or disable a log file for a specific site by selecting Enable

or Disable in the Actions pane of the Logging feature page. To enable logging for IIS

7.5, the HTTP Logging Module must be installed.

Summary

IIS 7.5 is a major improvement over previous versions in terms of security, reliability,

availability, and performance. These facets have been a top priority for Microsoft.

Microsoft has incorporated both internal and customer-based feedback to provide a robust

platform for providing web, application, and FTP services.

Key points in this chapter covered the planning and design of the new IIS 7.5 capabilities

built in to Windows Server 2008 R2. The features have been greatly enhanced to provide

better management, scalability, modification, and reporting of web services operations.

Best Practices

417

Instead of having IIS installed on every installation of Windows server, an administrator

now needs to “add” the IIS server role to the system and then go through a process of

enabling functionality and configuring the web services function to meet the needs of the

organization. This change (from having web services installed automatically to now

requiring specific services to be enabled) provides better security for server systems but

also requires a better understanding of which services should be added or modified to

12

meet the needs of the organization’s applications.

And even with IIS requiring manual installation and configuration, there are still key secu-

rity practices that need to be performed to ensure that web services are not attacked and

compromised, thus creating a security hole in the organization’s network security.

The IIS 7.5 server role is a significant improvement in Windows Server 2008 R2, and one

that administrators from early adopter organizations have found to be a welcome change

in ongoing operations.

Best Practices

The following are best practices from this chapter:

. Use IIS 7.5 to improve performance and strengthen security.

ptg

. Thoroughly design and plan the IIS 7.5 environment.

. Define the goals and objectives of the IIS 7.5 project.

. Identify and review IIS application types and requirements.

. Define security requirements to meet the goals and objectives.

. Balance the security methodologies to be used with the associated risks and end-user

experience.

. Examine and design disaster recovery plans, and monitor requirements and mainte-

nance practices.

. Document the current IIS infrastructure and the IIS design decisions.

. Build fault tolerance into the web infrastructure based on how much downtime can

be afforded and existing SLAs.

. Use IIS to monitor applications such as pinging worker processes after a specified

period of time, monitoring for failed applications, and disabling the application

pool after a certain number of failures or a set number of failures within a given

time frame.

. Isolate FTP users so that FTP content is protected.

. Provide search capabilities for Adobe Acrobat PDF file content on a website by using

the iFilter driver.

. Use NTFS on the disk subsystem, and apply the latest service pack and security

patches to begin securing the IIS system.

418

CHAPTER 12

Internet Information Services

. Carefully review application security on the Windows Server 2008 web server, espe-

cially if using a custom-built application.

. Choose an authentication method carefully depending on business and technical

requirements.

. Apply auditing to web and FTP sites to document attempts to log on (successful and

unsuccessful), to gain unauthorized access to service accounts, to modify or delete

files, and to execute restricted commands.

. Use SSL to ensure confidentiality.

. Use local folders to share downloads, and secure them with NTFS. The folder should

be located on a separate partition from Windows Server 2008 R2 system files.

. Monitor disk space and IIS logs to ensure that a hacker isn’t attempting to gain

unauthorized access.

. Use logging not only to review IIS security, but also to assist with maintenance and

troubleshooting.

ptg

CHAPTER 13

IN THIS CHAPTER

Server-Level Security
. Defining Windows Server 2008

R2 Security

. Deploying Physical Security

. Using the Integrated Windows

Firewall with Advanced Security

. Hardening Server Security

. Examining File-Level Security

The term Microsoft security was long considered, whether

. Additional Security Mechanisms

Other books

MoonlightDrifter by Jessica Coulter Smith
Blood and Royalty by M. R. Mathias
SubmitwithMe by Amber Skyze
1066 by Andrew Bridgeford
Beauty and the Brit by Selvig, Lizbeth
Lazar by Lawrence Heath
The Armada Legacy by Scott Mariani
Dead Lucky by Matt Brolly