Microsoft Internet Information Server 4.0
SECURITY

Introduction

IIS offers a wide range of security options to match your security requirements. There are two basic categories you need to explore to secure your sites and servers: Windows NT Server security and IIS security. You can add further protection by placing your IIS sites and servers behind a firewall or proxy server.

Windows NT Server Security

To take full advantage of the Windows NT security features it is recommended that all IIS components are installed on NTFS partitions, allowing for file-level security.

User Accounts
By default, clients access IIS Web documents through anonymous access using the IUSR_computername Internet Guest account. This account only has the right to log on locally. Be careful when making changes that could affect the rights of this account. If you use any other accounts for access, check what rights the account has and require a strong password to access it.

NT Users and Groups
Windows NT has global and local groups. Global groups are intended to contain users, and local groups represent access to resources, for example a local group for a color printer. You create the global group and populate it with users, create a local group for the resource, and add the global group to the local group.

NTFS Permissions
NTFS permissions can be applied at the file or directory level. By default, NTFS permissions include the Everyone group with Full Control. You should generally remove the permissions for the Everyone group and replace them with appropriate permissions. The standard NTFS permissions are as follows:
Full Control
No Access
Read
Change
Special Access


IIS Security


IIS has many features to secure hosted sites that augment and work with NT Server security.

Authentication
IIS offers the following authentication methods, depending on the type of access and level of security required.
Anonymous
No password is required. The client logs in through the IUSR_computername account.
HTTP and FTP Basic Authentication
The user name and password are sent from the browser to the server unencrypted, in clear text.
Windows NT Challenge/Response
The password is never actually sent over the network. It is only supported by Internet Explorer 3 and later.
Custom
An ISAPI filter can handle the authentication.

Controlling Access to folders
The Directory Browsing Allowed check box should generally be unchecked.

Controlling Access by IP Address
You can either grant or deny access based on IP address.

Secure Sockets Layer (SSL)
A protocol that allows a server to establish a secure, encrypted, connection to a client. Both browser and server must support Digital Certificates created by a Certificate Authority (CA). The basic steps in an SSL session are:
1. The browser establishes a secure link with the server.
2. The web server sends the browser a copy of its certificate and public key.
3. The browser and server negotiate the degree of encryption (40 or 128 bit).
4. The browser generates a session key, encrypts it with the server's public key, and sends it to the server.
5. Using its own private key, the server decrypts the session key and establishes a secure channel.
6. The browser and the server use the session key to encrypt and decrypt session data.
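The six steps above, traced in Python as an added example (not part of the original notes). The key pair, the toy XOR cipher and the function names are assumptions made for illustration; unpadded textbook RSA stands in for the real SSL key exchange.

```python
import hashlib
import secrets

# Toy RSA key pair built from two Mersenne primes (constructed for this demo;
# textbook RSA without padding is NOT secure and only stands in for SSL's RSA).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent


def negotiate(client_bits, server_bits):
    """Step 3: pick the strongest key length both sides support."""
    common = set(client_bits) & set(server_bits)
    if not common:
        raise ValueError("no common encryption strength")
    return max(common)


def xor_stream(key, data):
    """Toy symmetric cipher: SHA-256 counter keystream XORed with the data."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake(client_bits, server_bits, request):
    """Run steps 2-6 and return what the wire and the server see."""
    n, e = N, E                                   # step 2: public key sent with the certificate
    bits = negotiate(client_bits, server_bits)    # step 3: 40 or 128 bit
    session_key = secrets.token_bytes(bits // 8)  # step 4: browser generates the session key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)    # step 4: encrypt with public key
    unwrapped = pow(wrapped, D, N).to_bytes(bits // 8, "big")  # step 5: server uses private key
    on_wire = xor_stream(session_key, request)    # step 6: browser encrypts session data
    received = xor_stream(unwrapped, on_wire)     # step 6: server decrypts session data
    return {"bits": bits, "keys_match": unwrapped == session_key,
            "on_wire": on_wire, "received": received}


if __name__ == "__main__":
    # A 128-bit browser talking to a 40-bit-only server falls back to 40 bits.
    result = handshake([128, 40], [40], b"GET /certsrv HTTP/1.0")
    print(result["bits"], result["keys_match"], result["received"])
```

Note that the negotiated strength is only as high as the weaker side allows, so a server that should never accept 40-bit sessions must not offer them.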


Configuring SSL
Configuring SSL can be an extensive process, which includes either acquiring a Digital Certificate from a Certificate Authority like Verisign or creating your own Digital Certificate with Microsoft Certificate Services.

1. Install Certificate Services from the NT 4.0 Option Pack including all the subcomponents. For the shared folder use the path Inetpub\. After installation, either restart your server, or start the Certificate services in the Services Applet of the Control Panel. In your Windows NT root directory, create a folder called Cert.

2. Generating an SSL Digital Key
Click Start >> Programs >> Windows NT 4.0 Option Pack >> Microsoft Internet Information Server >> Internet Service Manager. Right-click the Default Web Site node in the Scope Pane. Click on Key Manager, right-click WWW and click Create a new key. Select Put the request in a file that you will send to an authority. Save it to the C:\Cert folder that you created. Fill out the required information and close Key Manager and Directory Security properties. Open the file you just created in Notepad. Select the information between begin and end certificate. Copy the information to the clipboard.

3. Processing the certificate request
Open your browser, and in the address field type http://youripaddress/certsrv. Click Certificate Enrollment Tools. Click Process a Certificate Request. Paste the text you copied into the large text field, and click submit request. Download the Certificate to the C:\Cert folder. Close the Browser.

4. Installing the Certificate
Click Start >> Programs >> Windows NT 4.0 Option Pack >> Microsoft Internet Information Server >> Internet Service Manager. Right-click the Default Web Site node in the Scope Pane. Click Edit Secure Communications. Click on Key Manager, right-click the Certkey, and click Install Key Certificate using the certificate you just created. Close Key Manager, Secure Communications, and WWW Properties.

5. Requesting a Client Authentication Certificate
Open your browser, and in the address field type http://youripaddress/certsrv. Click Certificate Enrollment Tools. Click Request a Client Authentication Certificate. Complete the enrollment form, click submit, click Download, click Yes, and click OK. Close Internet Explorer.

6. Enable Secure communications and test in browser
Click Start >> Programs >> Windows NT 4.0 Option Pack >> Microsoft Internet Information Server >> Internet Service Manager. Right-click the Default Web Site node in the Scope Pane. Click Directory Security and click Edit Secure Communications. Check Require secure channel when connecting to this resource. Close Key Manager, Secure Communications, and WWW Properties. Open your browser, and in the address field type https://youripaddress/certsrv.