Chris Peiris

Installing Internet Information Services (IIS) 6.0

Windows server 2003 is the first major platform released by Microsoft that implements the “secure by design, secure by default, and secure in deployment” paradigm. This chapter describes the major components that make up Internet information services (IIS) including the uses of these components, highlighting which component is installed as part of the application server and mail server roles, and how to modify, add, or remove these components as required. Windows Server 2003 provides a “Configure Your Server” wizard that can be used to quickly configure the server to perform one or more roles. Configuring the server to perform a role installs and configures the necessary components for the server to provide those services. Roles include file server, domain controller and dynamic host configuration protocol (DHCP) server. Automated installations offer faster, less expensive and more consistent installations than manual installations performed by operators. This chapter discusses the method for installing IIS 6.0 as part of an unattended installation. The chapter also discusses the methods for Installing IIS 6.0 after setting up Windows 2003 Server, and upgrading IIS 5.0 to IIS 6.0. The chapter ends with a brief description of the most important administrative tools of IIS 6.0.

Advanced Web Server Security Configuration

This chapter takes a look at the authentication mechanisms and the uses of Internet information services (IIS) accounts. The chapter also discusses the aspects of the IIS request processing cycle and describes how settings in IIS can be used to secure an application against all forms of attack. When IIS 6.0 attempts to read a resource from the servers disk, it impersonates a Windows user account. That user accounts permissions are checked against the new technology file system (NTFS) access control list (ACL) for the file in question to determine whether the requested action is permitted. Regardless of which combination of authentication mechanisms is configured for the Websites resources, a browser making an initial request will not send user credentials. If anonymous authentication is configured for the requested resource, then IIS impersonates the configured anonymous user account. If anonymous authentication is not enabled, but one of the other authentication mechanisms is enabled, the server and browser negotiates to select the most secure authentication mechanism enabled on the server and supported by the browser—integrated windows authentication, then digest and advanced digest, and finally basic authentication. The chapter discusses all these types of authentications. The chapter also discusses the techniques for configuring delegation, IIS user accounts, uniform resource locators (URL) scan, URL authorization with the authorization manager, custom error messages, and configuring the server to use SSL. The chapter closes with a discussion on configuration of IP Address, TCP Port and Host-Header combinations.

Monitoring Internet Information Services (IIS) 6.0

This chapter highlights the uses of monitoring activities in Internet information services (IIS) focusing on indentifying possible unauthorized access and recognizing potential attach hints using that various IIS server log files. Logging site activities helps to keep track of client access requests. This type of log provides the details about who, when, where, and how contents are being accessed. Information that can be logged includes the visitors Internet protocol (IP) address, the user account accessing the contents, a timestamp of when requests were made, the server status reply to the request, the requested resource location, and the amount of bytes used in the request. These log files also provide a good troubleshooting channel to resolve any failure or error request, and can provide clues about possible attacker behavior and intrusion patterns. Event viewer is another log source that records related service events in IIS and Windows operating systems. These events can be logged in three different categories such as system, security, and application. If IIS server is configured as an active directory domain controller (DC) and domain name server (DNS), additional log types in the event viewer can be seen. The directory server and file replication service logs are related to active directory operation events, and the DNS server log captures domain name zone-related events. The chapter closes with a discussion on monitoring HTTP application programming interface (API) error log, and uses of URLScan.

Securing Internet Printing

This chapter highlights different ways to configure and secure the Internet printing. Internet printing allows the users to share printers via the Internet information services (IIS) server, making it available for users to connect and print their documents using a web browser. Internet printing also facilitates in administration of printers via this method. Administrator can manage documents in the print queue, delete partially printed jobs, and pause and resume printers. This chapter describes how Internet printing works, and provides steps to configure the Internet printers. The chapter also focuses on the administrative tasks that allow the users to manage Internet printers and the details associated with this component. Internet printing is a web resource, and it is secured the same way web resource contents are secured. By default, only integrated Windows authentication is configured for Internet printing. This ensures that no anonymous access is allowed. Users are required to provide a valid username and password before connecting to the print server. Monitoring web access log files can also help in keeping track of the access details of the print server. Analysis of log entries helps to understand how Internet printers are accessed, and provides the details of when and which user accessed the server and which web browser the user is using. Access log files also give hints to help troubleshoot the print server if there are connection issues. One more benefit of enabling activity logging is that it allows the administrator to detect if there are unauthorized users trying to gain access to the Internet printers.

Configuring Basic Web Server Security

This chapter explains how to secure the web server by enabling the required dynamic application extensions and configuring multipurpose Internet mail exchange (MIME) types. It also describes the method used to prevent resource access by configuring Website properties and new technology file system (NTFS) permissions. In order to take a more proactive stance against malicious attacks, IIS 6.0 is not installed by default on most operating systems in the Windows Server 2003 family. Once Internet information services (IIS) is installed, its default behavior is to serve only static content such as Hypertext Markup Language (HTML) and image files, and to block all requests to dynamic applications. If running of dynamic applications is required, IIS can be configured by creating web service extension access lists, which control the type of dynamic content that the IIS server provides to its clients. After configuration of the types of files that can be accessed and served, next step is to lay down controls that specify who can and cannot access these files and applications. One way to do this is to limit or restrict access by clients with specific Internet protocol (IP) addresses. The chapter also focuses on changing default web root path to creating user defined default documents and configuring resource access list via NTFS permissions. The chapter closes with a discussion on enabling and securing web access log files.

Hardening Windows Server 2003

This chapter describes techniques to optimize Windows server 2003 that prepare it for the installation of Internet information services (IIS) 6.0. It highlights the different areas of the operating systems that relate to IIS server and provides knowledge to make and keep the windows server secure. The idea of getting secure is to make sure that there is a healthy networking environment for the IIS server. Although Windows Server 2003 comes with a number of security improvements, there are several areas that must be implemented to ensure that a secure operating system is running for IIS 6.0. This chapter focuses on areas specifically related to IIS services. Special attention is paid to areas such as router, firewall, and intrusion detection system. In order to have a secure IIS server, hardened Windows Server 2003 must be ensured. Security fixes, patches, and updates are critical to ensuring that the operation system and IIS are running with the latest components and files. The chapter closes with a brief checklist that should be followed when securing IIS 6.0.

Securing NNTP Virtual Servers

The Windows server 2003 Network News Transfer Protocol (NNTP) component enables the user to create news servers to host newsgroups. This chapter discusses different ways to secure the NNTP newsgroups and manage newsgroups effectively along with securing NNTP connections between users and the NNTP virtual server. NNTP is the protocol for distributing, posting, and reading news messages between news servers and clients. NNTP also gives the ability to host online discussion groups, allowing users to collaborate and participate in discussions about different interest topics. The chapter describes the process of configuring and installing the NNTP virtual server, and creation, configuration, and removal of newsgroups. It also describes how administrators can configure moderations, to monitor and control the news items that will be accepted in the newsgroups. By default, the NNTP service allows anonymous clients to connect and post messages to newsgroups. These messages are transferred from client machines to the server in plain text mode, meaning they are not secured. To secure these newsgroups, the chapter explains methods to configure different authentication modes to authenticate users when connecting to the NNTP virtual server and secure the communication with Secure Sockets Layer (SSL). The chapter closes with a discussion on enabling and securing the NNTP access log files, focusing on its usage in server security.

Securing SMTP and POP3 Services

Simple mail transfer protocol (SMTP) and post office protocol version 3 (POP3) together provide a complete e-mail service that allows users to send and retrieve mail. This chapter describes how to install and configure the SMTP and POP3 servers, highlighting the security options that each offers. The chapter also provides an account of connection controls that can limit the machines that can connect to a server and transport layer security for encryption message delivery and authentication mechanisms for the users. SMTP is the protocol used to deliver e-mail across the Internet. Each SMTP server uses a number of folders to hold its working files, and can be configured to accept mail for multiple domain name system (DNS) domains. By default, each SMTP server accepts mail for its default domain only. Additionally, only authenticated users are able to send mail out to nonlocal domains via the SMTP server. This chapter provides techniques to tweak these authentications. The POP3 protocol allows mail to be retrieved by a user from his or her individual mailbox. An SMTP server receives mail for a domain and passes it across to a POP3 server to be sorted into individual mailboxes. Users then connect to the POP3 server to view or retrieve their mail. The chapter also discusses the techniques used for configuring and securing the POP3 servers.Windows server 2003 provides e-mail services comprising both simple mail transfer protocol (SMTP) server, and a post office protocol version 3 (POP3). Together these provide a complete e-mail service that allows the users to send and retrieve mail. This chapter focuses on techniques used for configuring and installing SMTP and POP3 servers, highlighting the security features that they offer. When the SMTP service is installed, it creates an SMTP server called Default SMTP Virtual Server. For most organizations, this single SMTP server is sufficient. However, it is possible to create additional SMTP servers if required. Each SMTP server must bind to a separate Internet protocol (IP) address, or a unique transmission control protocol (TCP) port. The chapter illustrates the necessary conditions for installing multiple SMTP servers and provides step by step instruction for installation. By adding a local alias domain, each SMTP server can be configured to accept mail for multiple domain name system (DNS) domains. Additionally, a user can add remote domains that specify specific connection settings to be used when the SMTP server attempts to deliver mail to those domains. This chapter also provides steps by step instruction required for various types of SMTP configurations such as configuring SMTP to accept mail for an additional domain, send HELO command instead of EHLO command, forward all mail to smart host, and configuring SMTP server folders. It also discusses about SMTP virtual server security highlighting its uses and necessary configurations and settings required to make it secure. Finally the chapter describes all the major configuration options of POP3 focusing on securing the POP3 server.

Introducing IIS 6.0

Released as part of the windows 2003 server family, Internet Information Services (IIS) 6.0 is the latest incarnation of Microsofts Internet server. This chapter introduces new and enhanced features in IIS 6.0, and highlights how they compare to features in previous versions of IIS. IIS 6.0 has been extensively redesigned to improve reliability and availability, in particular the components involved in serving and managing the web server. A new fault-tolerant architecture detects and restarts failed web-based applications, while a new request system reduces dropped user connections by queuing incoming user requests until a restarted web application is able to process them. The IIS metabase is now in an XML based settings store, allowing easier editing. IIS also has full support for windows management instrumentation (WMI), as well as the active directory service interface (ADSI) classes. A new internal architecture and a number of smaller enhancements are combined in IIS to dramatically improve the performance and scalability that IIS 6.0 offers, particularly in the area of Website hosting. Internally, the processing architecture for the Web server functionality has changed significantly, both to improve performance, and to make IIS 6.0 more resilient to faulty user code and malicious external attacks. This chapter also provides an overview of all the major components of IIS 6.0, explaining how they tie together.

Securing Application Pools

Publisher Summary This chapter discusses the benefits of using Internet information services (IIS) 6.0 in worker process isolation mode, and describes how to implement this mode through the creation and configuration of application pools. Worker process isolation mode works by enabling the creation of application pools. An application pool is simply a group of one or more uniform resource locators (URLs) or Websites applications served by one or more worker processes. Because each pool uses a separate worker process, errors in one pool do not cause errors in another pool. After the creation of application tools, either the default application pool or an user defined one, it must be configured to provide the desired features. This chapter provides a description of methods of configuring these application tools. By using application pools, boundary for each application can be defined, and separate application space for each application can be created, so that even when an application fails, it does not affect other applications running on the same server. Isolation of web applications with application pools results in both reliability and security of the network. This chapter also focuses on how to isolate applications and control how each application should run. The chapter closes with a discussion on user impersonations.