Designing IIS Security (IIS – Internet Information Service)

1 Designing IIS Security (IIS – Internet Information Service)
Lecture 12

2 Reduce Surface of Attacks
- Windows 2008 Server can be hardened by enabling only the IIS components and services that are needed.
- The default IIS options can be used, or only the services and components that are needed can be selected and enabled.
- Enabling only the needed services reduces risk on Windows 2008 Server.

3 Reduce Surface of Attacks (cont.)
1) Automatic update services
- Choice of a different path for Internet servers
  - Critical Web servers with specialized software and hardware
- Issues with updates
  - Update downtime can have a higher cost
- Therefore
  - A higher degree of testing might be necessary
  - Disabling automatic update services and developing a specific update process

4 Reduce Surface of Attacks (cont.)
2) Access to Files and Folders
2.1 Address file system location
- Install the Web server on a dedicated disk separate from the OS
  - Prevents directory traversal attacks
- Top-level folder with all subfolders of Web sites and applications
- One subfolder for each Web site and Web application

5 Reduce Surface of Attacks (cont.)
2.2 Address use of access control lists (ACLs) on files, folders, and registry keys
- Ensure anonymous accounts have authorized and controlled access to the Web sites of the Web server.
- If there are multiple Web sites, ensure that users accessing one site cannot access another site.
- Ensure Windows accounts and groups have authorized and controlled access to the Web pages of the Web server.

6 Controlling Access to Web Servers, Web Sites, Applications, and Server Resources
1. Restrict Access from Specific IP Addresses or Domain Names
- Block specific domain names and IP addresses.
- Or allow only specific domains and IP addresses.
- Restrict access to intranet sites to computers on the internal network.
- Better to restrict by range of IP addresses
  - Avoids the DNS reverse lookup performed when an access request is received, which reduces performance

7 Controlling Access to Web Servers, Web Sites, Applications, and Server Resources (cont.)
2. Use Web Site Permissions
- Read: Default permission, required to view the content and properties of directories and files. Can be removed for a scripted-content Web site.
- Write: Allows visitors to change the content and properties of directories and files
- Directory Browsing: Allows users to view file lists

8 Controlling Access to Web Servers, Web Sites, Applications, and Server Resources (cont.)
Use Web Site Permissions
- Log Visits: Places a log entry for each visit to the Web site
- Index This Resource: The Indexing Service will index the resource, so the resource can be searched
- Script Source Access: Permits access to source files
- Execute: 3 levels of access
  - None: No scripts or executables can run on the server
  - Scripts Only: Scripts can run
  - Scripts And Executables: Scripts and executables can run
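
Added example (not part of the original presentation): a small Python audit of a site's web.config for the access settings on slides 6 to 8. It assumes the IIS 7 configuration schema (directoryBrowse, handlers accessPolicy, ipSecurity) as the place where these permissions live; both sample configurations are constructed, and the names audit_web_config, is_true and RISKY_FLAGS are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a site web.config with the weak settings discussed above.
WEAK_CONFIG = """<configuration><system.webServer>
  <directoryBrowse enabled="true" />
  <handlers accessPolicy="Read, Write, Script, Execute, Source" />
  <security><ipSecurity allowUnlisted="true" enableReverseDns="true">
    <add domainName="partner.example" allowed="true" />
  </ipSecurity></security>
</system.webServer></configuration>"""

# Constructed hardened counterpart: scripts only, allow-list by internal IP range.
HARDENED_CONFIG = """<configuration><system.webServer>
  <directoryBrowse enabled="false" />
  <handlers accessPolicy="Read, Script" />
  <security><ipSecurity allowUnlisted="false" enableReverseDns="false">
    <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
  </ipSecurity></security>
</system.webServer></configuration>"""

RISKY_FLAGS = {  # accessPolicy flag -> slide permission (mapping is an assumption)
    "Write": "Write: visitors can change content",
    "Source": "Script Source Access: source files are readable",
    "Execute": "Execute: executables, not only scripts, can run",
}

def is_true(elem, attr, default="false"):
    return elem is not None and elem.get(attr, default).lower() == "true"

def audit_web_config(xml_text):
    """Return the list of findings for one web.config document."""
    ws = next(ET.fromstring(xml_text).iter("system.webServer"), None)
    if ws is None:
        return []
    findings = []
    if is_true(ws.find("directoryBrowse"), "enabled"):
        findings.append("Directory Browsing: file lists are visible")
    handlers = ws.find("handlers")
    policy = handlers.get("accessPolicy", "") if handlers is not None else ""
    flags = {flag.strip() for flag in policy.split(",")}
    findings += [msg for flag, msg in RISKY_FLAGS.items() if flag in flags]
    ip = ws.find("security/ipSecurity")
    if is_true(ip, "allowUnlisted", default="true"):  # IIS default is true
        findings.append("ipSecurity: unlisted addresses are allowed")
    if is_true(ip, "enableReverseDns"):
        findings.append("ipSecurity: reverse DNS lookup on each request")
    for rule in ([] if ip is None else ip.findall("add[@domainName]")):
        findings.append("ipSecurity: domain-name rule " + rule.get("domainName"))
    return findings
```

Calling audit_web_config(WEAK_CONFIG) lists every setting that departs from the guidance above; the hardened sample returns an empty list.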

9 Protecting Data in Transit
- Data exchanged between the Web server and clients
  - Examples: logon credentials, user identities, credit card numbers
- Data exchanged between the Web server and any other servers
  - Example: data between IIS and database servers

10 Protecting Data in Transit (cont.)
Three technologies to protect data in transit:
1) Secure Sockets Layer (or TLS)
2) IPSec
3) Virtual Private Networks (VPNs)

11 Protecting Data in Transit (cont.)
1) SSL: Secure Sockets Layer
- Support for client/Web server communication
  - Used in e-commerce applications and remote access
- Support for communications between SQL Server and IIS
- Between IIS and ISA (Internet Security and Acceleration Server)
- Provides server authentication and data encryption between client and server
- SSL can tunnel from the client directly to the IIS server, or data can be sent to the ISA server, which passes it to the IIS server

12 Protecting Data in Transit (cont.)
2) IPSec
- Can protect communications between IIS and other servers communicating with IIS
- Can protect communications between the administrative workstation and the IIS server
- Transferring data over IPSec ensures data confidentiality
- Can block unauthorized communication
  - Eliminates attacks based on other protocols
- Use of IPSec blocking policy
  - By port, for example: block access through 3389 (Terminal Services)
  - By type of access from specific servers

13 Pictures taken from reference [1]

14 Protecting Data in Transit (cont.)
3) VPN – Virtual Private Network
VPN can be used to protect:
- Remote administrative sessions
- Content management sessions
- Client access to highly sensitive Web servers

15 Picture taken from reference [1]

16 Designing a Secure Content Management Strategy
- After deployment, the Web site must be updated
- Content must be updated and managed in a secure way, with access granted only to authorized users
- Content can be moved to the Web server
  - Examples: file transfer, Microsoft FrontPage publishing
  - Authentication, authorization and data protection
- Content can be directly modified on the Web server
  - Authentication, authorization

17 Monitoring and Maintenance Strategies for IIS
- Backing up the IIS server
- Applying service packs and security patches
- Auditing the Web server
  - Monitoring modifications and deletions of content via System Access Control Lists (SACLs)
- Reviewing security policies

18 Monitoring and Maintenance Strategies for IIS (cont.)
- Preventing intrusion via IDS and designing a response strategy for intrusion alerts
- Configuring the logs: type of logs and types of Web access, depending on security level, performance (log size) and cost (log analysis)
- Designing secure remote administration

19 Reference
[1] Roberta Bragg, Designing Security for a Microsoft Windows Server 2008 Network, Microsoft Press
