Designing IIS Security (IIS – Internet Information Services)

Designing IIS Security (IIS – Internet Information Services) Lecture 12

Reduce Surface of Attacks. A Windows Server 2008 web server is hardened by enabling only the IIS components and services it actually needs. The default IIS installation can be used, or individual services and components can be selected so that only those that are required are enabled. Every component that is not installed is code that cannot be attacked, so enabling only the needed services reduces the risk to the server.
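As an added example (not part of the lecture), the following PowerShell audits the installed IIS role services against an explicit allow-list, reporting what is installed but not needed and what is needed but missing. It assumes Windows Server 2008 R2 or later, where the ServerManager module provides Get-WindowsFeature, and uses the 2008 R2 feature names; the allow-list itself is an assumption for a static-content plus ASP.NET server and must be adjusted per server.

```powershell
# Added example: compare installed Web-* role services with an allow-list.
# Assumes Server 2008 R2+ (ServerManager module); feature names are the 2008 R2 names.
Import-Module ServerManager

# Allow-list (assumption for a static + ASP.NET site; adjust per server).
$required = @(
    # container features, kept so that their children can stay installed
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Health', 'Web-Security', 'Web-App-Dev', 'Web-Mgmt-Tools',
    # content and error handling
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    # logging, request filtering and IP restrictions
    'Web-Http-Logging', 'Web-Request-Monitor', 'Web-Filtering', 'Web-IP-Security',
    # authentication and ASP.NET
    'Web-Windows-Auth', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # local management console only; no remote management service
    'Web-Mgmt-Console'
)

# Names of Web-* role services that are installed but not on the allow-list
# (typically Web-Dir-Browsing, Web-WebDAV-Publishing, Web-Basic-Auth, Web-CGI, Web-Ftp-Server ...).
function Get-UnneededWebFeature {
    param([string[]]$Required)
    Get-WindowsFeature -Name 'Web-*' |
        Where-Object { $_.Installed -and ($Required -notcontains $_.Name) } |
        Select-Object -ExpandProperty Name
}

# Allow-listed role services that are missing, so the server is brought to the baseline, not only trimmed.
function Get-MissingWebFeature {
    param([string[]]$Required)
    Get-WindowsFeature -Name $Required |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

$extra   = Get-UnneededWebFeature -Required $required
$missing = Get-MissingWebFeature  -Required $required

if ($extra)   { Write-Host "Installed but not required (candidates for removal): $($extra -join ', ')" }
if ($missing) { Write-Host "Required but not installed: $($missing -join ', ')" }

# Apply only after review. Remove-WindowsFeature also removes dependants, so look at -WhatIf first.
# Remove-WindowsFeature -Name $extra -WhatIf
# Add-WindowsFeature    -Name $missing
```

Run the script again after every role change and after patching: an update that re-enables a role service shows up as an unexpected entry in the first list.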

Reduce Surface of Attacks (cont.) 1) Automatic update services. Internet-facing servers may need a different update path from ordinary servers, particularly critical web servers running specialized software and hardware. Updates bring their own issues: downtime for an update costs more on such servers, so a higher degree of testing may be necessary before patches are applied. This can mean disabling the automatic update service and developing a specific update process for these servers (test on a staging server, schedule a maintenance window, apply, verify) instead.

Reduce Surface of Attacks (cont.) 2) Access to Files and Folders. 2.1 Address the file system location. Install the web content on a dedicated disk (volume) separate from the operating system. This limits what a directory traversal attack can reach: a traversal that escapes the web root cannot cross to another drive letter, so the OS files and tools on the system volume stay out of reach. Use a top-level folder that holds all web sites and applications as subfolders, with one subfolder for each web site and web application, so that each can carry its own access control list.

Reduce Surface of Attacks (cont.) 2.2 Address the use of access control lists (ACLs) on files, folders, and registry keys. Ensure that the anonymous account has only authorized and controlled access to the web sites it serves. If the server hosts multiple web sites, ensure that users (and the worker process) of one site cannot access the content of another site. Ensure that Windows accounts and groups have only authorized and controlled access to the web pages on the server.
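As an added example (not from the lecture) of 2.1 and 2.2 together, this PowerShell creates one folder, one application pool and one NTFS ACL per site, with the serving identity limited to read and execute and a separate group allowed to publish. It assumes IIS 7.5 or later (for the virtual ApplicationPoolIdentity account) and the WebAdministration module; the D:\Websites root, the site names and host headers, and the CORP\WebAuthors group are constructed for this example.

```powershell
# Added example: per-site folder, application pool and NTFS ACL.
# Assumes IIS 7.5+ and WebAdministration; paths, site names and the authors group are constructed.
Import-Module WebAdministration

$root    = 'D:\Websites'                  # data volume, not the OS volume
$authors = 'CORP\WebAuthors'              # group allowed to publish content (assumed)
$sites   = @{ 'Intranet' = 'intranet.example.com'; 'Portal' = 'portal.example.com' }

foreach ($name in $sites.Keys) {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Separate application pool per site, running as IIS AppPool\<name>. Code in one site then
    # executes under an identity that holds no rights on the other site's folder.
    if (-not (Test-Path "IIS:\AppPools\$name")) { New-WebAppPool -Name $name | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$name" -Name processModel -Value @{ identityType = 'ApplicationPoolIdentity' }
    if (-not (Test-Path "IIS:\Sites\$name")) {
        New-Website -Name $name -PhysicalPath $path -ApplicationPool $name -HostHeader $sites[$name] | Out-Null
    }

    # Let anonymous requests run as the pool identity too (empty userName = use the application pool
    # identity), so there is a single serving identity to grant rights to instead of IUSR on every site.
    # Written via <location> in applicationHost.config because the section is locked at site level.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $name `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name userName -Value ''

    # NTFS: strip inherited ACEs (the volume root usually grants BUILTIN\Users read), then grant explicitly.
    icacls $path /inheritance:r | Out-Null
    icacls $path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    icacls $path /grant "IIS AppPool\${name}:(OI)(CI)RX" | Out-Null   # serving identity: read and execute only
    icacls $path /grant "${authors}:(OI)(CI)M" | Out-Null             # publishers: modify, but not change permissions
}

# Verify: each site folder should list exactly the four principals above and nothing inherited.
Get-ChildItem $root | ForEach-Object { icacls $_.FullName }
```

The check to run afterwards is the cross-site one: from the Intranet pool identity, reading D:\Websites\Portal must fail. If it succeeds, an inherited ACE or a broad group (Users, Authenticated Users) is still present on the folder.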

Controlling Access to Web Servers, Web Sites, Applications, and Server Resources. 1. Restrict access by IP address or domain name. Either block specific domain names and IP addresses, or (the safer default) allow only specific domains and IP addresses and deny everything else. Restrict intranet sites to computers on the internal network. Restrict by IP address range rather than by domain name: a domain-name restriction forces IIS to perform a DNS reverse lookup for every incoming request, which reduces performance, and the reverse record is controlled by whoever owns the client's address space, so it is a weaker control than the address itself.

Controlling Access to Web Servers, Web Sites, Applications, and Server Resources (cont.) 2. Use web site permissions. Read: the default permission, required to view the content and properties of directories and files; it can be removed for a web site that contains only scripted content, so that the scripts still execute but their files cannot be downloaded. Write: allows visitors to change the content and properties of directories and files. Directory Browsing: allows users to view file lists when no default document is present.

Controlling Access to Web Servers, Web Sites, Applications, and Server Resources (cont.) Use web site permissions (cont.). Log Visits: writes a log entry for each request to the web site. Index This Resource: the Indexing Service indexes the resource so that it can be searched. Script Source Access: permits access to script source files; combined with Read it lets users download source, and combined with Write it lets them modify it, so leave it off unless a publishing tool needs it. Execute, with 3 levels of access: None: no scripts or executables can run on the server. Scripts Only: scripts (for example ASP pages) can run, but not executables. Scripts And Executables: both scripts and executables (CGI programs, ISAPI DLLs) can run.
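As an added example (not from the lecture) covering both the IP restriction slide and the web site permission slides, this PowerShell applies an allow-only address range and the IIS 7 equivalents of the IIS 6 permission checkboxes to one site. The settings are written into applicationHost.config through a location tag because the ipSecurity and handlers sections are locked at site level by default. It assumes IIS 7 or later with the WebAdministration module and the Web-IP-Security role service installed; the site name Intranet and the 10.0.0.0/8 internal range are constructed for this example.

```powershell
# Added example: IP restrictions plus web site permissions for one site.
# Assumes IIS 7+, WebAdministration and Web-IP-Security; site name and address range are constructed.
Import-Module WebAdministration

$site    = 'Intranet'
$appHost = 'MACHINE/WEBROOT/APPHOST'          # applicationHost.config; -Location writes a <location path=...> block
$ipsec   = 'system.webServer/security/ipSecurity'

# 1) Restrict by address range. Deny whatever is unlisted, allow the internal range, and keep reverse
#    DNS off: with enableReverseDns IIS would resolve every client address before answering.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $ipsec -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $ipsec -Name enableReverseDns -Value $false
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $ipsec -Name '.' `
    -Value @{ ipAddress = '10.0.0.0'; subnetMask = '255.0.0.0'; allowed = $true }

# 2) Web site permissions. The IIS 6 checkboxes map to these IIS 7 settings:
#    Read / Write / Script Source Access / Execute -> handlers accessPolicy flags Read, Write, Source, Script, Execute
#    Directory Browsing                            -> directoryBrowse enabled
#    Log Visits                                    -> httpLogging dontLog
# 'Read,Script' serves static files and runs scripts; nothing can be written, no source can be
# downloaded (no Source flag) and no executables run (no Execute flag).
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/handlers'        -Name accessPolicy -Value 'Read,Script'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/directoryBrowse' -Name enabled      -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/httpLogging'     -Name dontLog      -Value $false

# 3) Read back what is effective for the site.
Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter "$ipsec/add" | Select-Object ipAddress, subnetMask, allowed
(Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/handlers').accessPolicy
```

A request from outside the range now receives 403.6 (IP address rejected), and a request for a script file in a folder that additionally has Execute removed is served as a download only if the Source flag is present, which is why the accessPolicy above omits it.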

Protecting Data in Transit. Two kinds of traffic need protection: data exchanged between the web server and its clients (examples: logon credentials, user identities, credit card numbers), and data exchanged between the web server and any other servers (example: data between IIS and a database server).

Protecting Data in Transit (cont.) Three technologies protect data in transit: 1) Secure Sockets Layer (SSL), or its successor TLS; 2) IPsec; 3) virtual private networks (VPNs).

Protecting Data in Transit (cont.) 1) SSL: Secure Sockets Layer (today TLS). Supports client-to-web-server communication; used in e-commerce applications and remote e-mail access. Also supports communications between SQL Server and IIS, and between IIS and ISA Server (Internet Security and Acceleration Server). Provides server authentication and data encryption between client and server, and client authentication as well if client certificates are required. SSL can run end to end from the client to the IIS server (SSL tunneling, where ISA passes the encrypted stream through without reading it), or the client's SSL session can terminate at the ISA server, which inspects the request and forwards it to IIS (SSL bridging; the ISA-to-IIS leg should then itself be re-encrypted with SSL rather than sent as plain HTTP).
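As an added example (not from the lecture), this PowerShell gives a site an HTTPS binding, makes SSL mandatory for it, and disables SSL 2.0 and 3.0 in SCHANNEL so only TLS is negotiated. It assumes the WebAdministration module (IIS 7 or later), a site named Intranet, and a server certificate with private key for intranet.example.com already installed in the machine store; both names are constructed for this example.

```powershell
# Added example: HTTPS binding, require SSL, disable SSL 2.0/3.0.
# Assumes IIS 7+ with WebAdministration; site name and certificate subject are constructed.
Import-Module WebAdministration

$site = 'Intranet'
$cn   = 'intranet.example.com'

# 1) Pick the server certificate by subject from LocalMachine\My; it must carry a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$cn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for CN=$cn in LocalMachine\My" }

# 2) HTTPS binding on 443, plus the SSL binding that ties the certificate to 0.0.0.0:443.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# 3) Require SSL for the site: plain http:// requests now get 403.4 instead of content.
#    Use 'Ssl,SslRequireCert' if clients must present certificates (client authentication).
#    The access section is locked at site level, so write it via <location> in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 4) SCHANNEL: disable SSL 2.0 and SSL 3.0 as server protocols (takes effect after a reboot).
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
}
```

Keep the HTTP binding only if you redirect it to HTTPS; otherwise remove it, so that the 403.4 response is the only thing a plain-text client ever sees and no credential is submitted over HTTP.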

Protecting Data in Transit (cont.) 2) IPsec. Can protect communications between IIS and the other servers it talks to, and between the administrative workstation and the IIS server. Data transferred with IPsec ESP is encrypted, which ensures confidentiality (AH alone provides only integrity and authentication). IPsec policies can also block unauthorized communication and eliminate attacks that rely on other protocols. Use an IPsec blocking policy by port (example: block access to port 3389, Terminal Services/RDP, except from the administrative workstation) or by type of access from specific servers.

Pictures taken from reference [1]
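As an added example (not from the lecture) of the "block by port" policy, this PowerShell uses netsh advfirewall, which Windows Server 2008 and later provide, to limit Terminal Services/RDP on the web server to one administrative workstation and to require IPsec for that traffic. Both IP addresses are constructed for this example, and the server is assumed to be domain-joined so that Kerberos machine authentication (computerkerb) works.

```powershell
# Added example: RDP only from the admin workstation, and only over IPsec.
# Assumes netsh advfirewall (Server 2008+) and a domain-joined server; addresses are constructed.
$adminHost = '10.0.0.5'     # administrative workstation (assumed)
$webServer = '10.0.0.20'    # this IIS server (assumed)

# 1) Host firewall: inbound TCP 3389 allowed only from the admin workstation. With the default
#    inbound block policy every other source is dropped.
netsh advfirewall firewall add rule name="RDP from admin workstation only" dir=in action=allow protocol=TCP localport=3389 "remoteip=$adminHost"

# 2) Connection security rule: between these two hosts, traffic to 3389 on the server must be
#    authenticated with IPsec in both directions (requireinrequireout). qmsecmethods asks for ESP
#    with AES-256 and SHA-1 integrity so the session is encrypted, not only integrity-protected;
#    "netsh advfirewall consec add rule ?" lists the algorithm tokens your build accepts.
netsh advfirewall consec add rule name="IPsec for RDP admin sessions" "endpoint1=$adminHost" "endpoint2=$webServer" port2=3389 protocol=tcp action=requireinrequireout auth1=computerkerb qmsecmethods=esp:sha1-aes256+60min+100000kb

# 3) Verify both rules exist as written.
netsh advfirewall firewall show rule name="RDP from admin workstation only"
netsh advfirewall consec   show rule name="IPsec for RDP admin sessions"
```

Test from a third machine: the RDP connection must fail at the firewall. Then test from the admin workstation with a matching connection security rule on its side; in the Windows Firewall with Advanced Security console, Monitoring, Security Associations should show a quick mode SA for port 3389 while the session is open.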

Protecting Data in Transit (cont.) 3) VPN: virtual private network. A VPN can be used to protect remote administrative sessions, content management sessions, and client access to highly sensitive web servers.

Picture taken from reference [1]

Designing a Secure Content Management Strategy. After deployment, the web site must be updated. Updating and managing content must be done in a secure way and granted only to authorized users. Content can be moved to the web server (examples: file transfer, Microsoft FrontPage publishing), which requires authentication and authorization of the publisher and protection of the data while it is transferred. Content can also be modified directly on the web server, which requires authentication and authorization.

Monitoring and Maintenance Strategies for IIS. Backing up the IIS server, including its configuration. Applying service packs and security patches. Auditing the web server. Monitoring modifications and deletions of content via system access control lists (SACLs). Reviewing security policies.

Monitoring and Maintenance Strategies for IIS (cont.) Preventing intrusion via an IDS and designing a response strategy for intrusion alerts. Configuring the logs: the type of log, which web accesses to record depending on the security level, the performance impact (log size), and the cost of log analysis. Designing secure remote administration.
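As an added example (not from the lecture) of the SACL and logging points on the two slides above, this PowerShell (a) audits writes and deletes on a site's content folder through a SACL, (b) sets the W3C log fields an investigation needs, and (c) runs a small scan over a constructed W3C log extract for the patterns a reviewer looks at first. It assumes the WebAdministration module and a site root of D:\Websites\Intranet; the folder path and the log lines are constructed for this example.

```powershell
# Added example: SACL on the content folder, IIS log fields, and a scan of W3C log lines.
# Assumes WebAdministration; the site root and the sample log are constructed.
Import-Module WebAdministration

$siteRoot = 'D:\Websites\Intranet'

# (a) Object access auditing needs two things: the audit policy on, and audit ACEs on the folder.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$acl  = Get-Acl -Path $siteRoot -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $siteRoot -AclObject $acl     # content changes now appear as event 4663 in the Security log

# (b) Log fields: client IP, user, method, URI and query, status and substatus, Win32 status, time taken.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.applicationHost/sites/siteDefaults/logFile' -Name logExtFileFlags `
    -Value 'Date,Time,ClientIP,UserName,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,TimeTaken,UserAgent,Referer'

# (c) Parse W3C lines using the #Fields header, then flag traversal attempts and clients with many 4xx.
function Get-SuspiciousRequests {
    param([string[]]$Lines, [int]$ErrorThreshold = 3)
    $fields = @(); $entries = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $e = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $e[$fields[$i]] = $values[$i] }
        $entries += New-Object PSObject -Property $e
    }
    # "../" in either form, URL-encoded dots, or an encoded backslash are the classic traversal markers.
    $traversal = $entries | Where-Object { ($_.'cs-uri-stem' + $_.'cs-uri-query') -match '\.\.[/\\]|%2e%2e|%5c' }
    $noisy = $entries | Where-Object { [int]$_.'sc-status' -ge 400 } | Group-Object 'c-ip' |
        Where-Object { $_.Count -ge $ErrorThreshold } | Select-Object Name, Count
    New-Object PSObject -Property @{ Traversal = $traversal; NoisyClients = $noisy }
}

# Constructed log extract (not a real capture).
$sampleLog = @'
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2015-04-22 10:00:01 10.0.0.7 - GET /index.htm - 200
2015-04-22 10:00:02 203.0.113.9 - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2015-04-22 10:00:03 203.0.113.9 - GET /../../boot.ini - 404
2015-04-22 10:00:04 203.0.113.9 - GET /admin/ - 401
2015-04-22 10:00:05 10.0.0.8 CORP\alice GET /admin/ - 200
'@ -split "`r?`n"

$result = Get-SuspiciousRequests -Lines $sampleLog
$result.Traversal | Format-Table 'c-ip', 'cs-uri-stem', 'sc-status' -AutoSize   # the two 203.0.113.9 traversal lines
$result.NoisyClients                                                             # 203.0.113.9 with 3 error responses
```

The 4663 events from (a) and the 4xx bursts from (c) belong together in the response strategy: a write to the content folder that is not preceded by an authorized publishing session, or a client that probes for traversal and then receives a 200 on the same path, is the alert to act on, and the log fields set in (b) are what make that correlation possible.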

Reference [1] Roberta Bragg, Designing Security for a Microsoft Windows Server 2008 Network, Microsoft Press.