Process for Securing Web Sites and Applications

Applies To: Windows Server 2003, Windows Server 2003 with SP1

To configure security for Web sites and applications that are hosted on a newly installed Web server, you need to follow certain security practices, such as enabling only the Web service extensions that you need. Web service extensions provide content and features beyond serving static Web pages. All dynamic content that the Web server serves is produced by Web service extensions, such as the content and features that are provided by ASP, ASP.NET, or CGI. In addition, each Web site and application might have specific requirements for security settings. Figure 3.1 shows the process for securing your Web sites and applications.

Figure 3.1 Securing Web Sites and Applications

Securing the Web sites and applications requires that the Web server as a whole be secure. The process presented in this section assumes that the network infrastructure connecting the Web servers to the clients and to other servers is secure. The security of the network infrastructure is determined by the placement and configuration of the firewalls, routers, and switches in the network infrastructure.

Note

The process presented in this section includes all of the steps for securing your Web sites and applications in one of many possible sequences. You can complete these steps in the sequence that is recommended in this section or in another sequence. Regardless of the sequence, it is recommended that you evaluate all of the steps in the process.

In addition to assuming that the network infrastructure is secure, the process presented here assumes that the server is a dedicated Web server. A dedicated Web server is a server that is only being used as a Web server and not for other purposes, such as a file server, print server, or database server running Microsoft SQL Server™.

For more information about securing IIS components other than Internet services, such as Simple Mail Transfer Protocol (SMTP) or Network News Transfer Protocol (NNTP), see SMTP Administration or NNTP Administration. For more information about securing other services on a multipurpose server, see Planning a Secure Environment.

Tip

To secure the Web sites and applications in a Web farm, use the process described in this section to configure security for each server in the Web farm.

The following quick-start guide provides a detailed overview of how to configure security for IIS 6.0. You can use this guide to identify the steps of the security process for which you need additional information, and to skip the information with which you are already familiar. In addition, all of the procedures that are required to complete the security process are documented in Appendix A: IIS Deployment Procedures.

Reduce the Attack Surface of the Web Server

  • Enable only essential Windows Server 2003 components and services.

  • Enable only essential IIS 6.0 components and services.

  • Enable only essential Web service extensions.

  • Configure Windows Server 2003 security settings.
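The following script is an added example and is not part of this documentation or of IIS 6.0 itself. It audits the first three steps above by comparing the server against an allow-list: services set to start automatically and Web service extensions that are enabled but not on the list are reported as findings. It assumes Windows PowerShell 2.0 or later on Windows Server 2003 with IIS 6.0, run as a local administrator; the allow-lists are constructed placeholders, and the parse of the iisext.vbs /ListExt output assumes a "<status> <extension ID>" line format, which you should confirm on your own server.

```powershell
# Added example, not from the IIS 6.0 documentation: audit the attack surface of a
# dedicated Web server against an allow-list. Assumes Windows PowerShell 2.0 or later
# on Windows Server 2003 with IIS 6.0; run it as a local administrator.
# The allow-lists are constructed placeholders: build your own from the server's role.

$EssentialServices = @(               # service names (not display names), constructed
    'W3SVC', 'IISADMIN', 'HTTPFilter', 'Eventlog', 'RpcSs', 'Dnscache',
    'LanmanWorkstation', 'Netlogon', 'wuauserv', 'TermService', 'PolicyAgent'
)
$EssentialExtensions = @('ASP.NET v1.1.4322')   # Web service extension IDs, constructed

# Services set to start automatically that are not on the allow-list. Each one is a
# candidate for "Enable only essential Windows Server 2003 components and services".
function Get-UnexpectedAutoServices {
    param([string[]]$AllowList)
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and ($AllowList -notcontains $_.Name) } |
        Select-Object Name, DisplayName, State
}

# Web service extensions as reported by iisext.vbs, which ships with IIS 6.0.
# The parse assumes /ListExt prints one "<status> <extension ID>" line per extension,
# with status 1 = allowed and 0 = prohibited; confirm the format on your server.
function Get-WebSvcExtensionStatus {
    $raw = & cscript.exe //nologo "$env:windir\system32\iisext.vbs" /ListExt
    foreach ($line in $raw) {
        if ($line -match '^\s*([01])\s+(\S.*?)\s*$') {
            New-Object PSObject -Property @{
                Id      = $matches[2]
                Enabled = ($matches[1] -eq '1')
            }
        }
    }
}

# Extensions that are enabled but not on the allow-list.
function Get-UnexpectedExtensions {
    param([string[]]$AllowList)
    Get-WebSvcExtensionStatus | Where-Object { $_.Enabled -and ($AllowList -notcontains $_.Id) }
}

$svcFindings = @(Get-UnexpectedAutoServices -AllowList $EssentialServices)
$extFindings = @(Get-UnexpectedExtensions  -AllowList $EssentialExtensions)

"Auto-start services not on the allow-list: $($svcFindings.Count)"
$svcFindings | Format-Table -AutoSize
"Enabled Web service extensions not on the allow-list: $($extFindings.Count)"
foreach ($e in $extFindings) {
    # iisext.vbs /DisExt prohibits an extension. The command is printed, not executed,
    # so that each finding is reviewed before the extension is turned off.
    "  $($e.Id)   -> cscript iisext.vbs /DisExt `"$($e.Id)`""
}
```

The script only reports; disabling a service or prohibiting an extension is left to the operator so that an application dependency you have not yet documented is not broken by a scripted change. Re-run it after every change and after patching, because installers sometimes re-enable extensions.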

Prevent Unauthorized Access to Web Sites and Applications

  • Store content on a dedicated disk volume.

  • Set IIS Web site permissions.

  • Set IP address and domain name restrictions.

  • Set the NTFS file system permissions.

Isolate Web Sites and Applications

  1. Evaluate the effects of impersonation on application compatibility:

    • Identify the impersonation behavior for ASP applications.

    • Select the impersonation behavior for ASP.NET applications.

  2. Configure Web sites and applications for isolation.

Configure User Authentication

  1. Configure Web site authentication.

    • Select the Web site authentication method.

    • Configure the Web site authentication method.

  2. Configure File Transfer Protocol (FTP) site authentication.
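The script below is an added example, not part of this documentation or of IIS 6.0, that carries out the "Prevent Unauthorized Access", "Isolate" and "Configure User Authentication" steps above for a single Web site: it replaces the inherited NTFS ACL on the content directory with a minimal one, sets the IIS Web site permissions and authentication method through the metabase, and reports the application pool identity so that a site running as LocalSystem is visible. It assumes Windows PowerShell 2.0 or later on the IIS 6.0 server, run as a local administrator with the IIS Admin Service running; the content path, site identifier and authors group are constructed placeholders, and the metabase bit values for AuthFlags and AppPoolIdentityType are stated as I recall them from the IIS 6.0 metabase reference and should be verified.

```powershell
# Added example, not from the IIS 6.0 documentation: apply least-privilege access
# controls to one Web site and check its isolation settings. Assumes Windows
# PowerShell 2.0 or later on the IIS 6.0 server, run as a local administrator, with
# the IIS Admin Service running (the [ADSI] "IIS://" provider needs it).
# Paths, the site ID and the group name are constructed placeholders.

$ContentRoot  = 'E:\wwwroot\ContosoSite'     # content on a dedicated volume (placeholder)
$SiteId       = 1                             # metabase identifier of the site (placeholder)
$AuthorsGroup = 'CONTOSO\WebAuthors'          # only these accounts may change content (placeholder)
$AnonUser     = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # IIS 6.0 default anonymous account
$WorkerGroup  = "$env:COMPUTERNAME\IIS_WPG"                  # IIS 6.0 worker process group

# NTFS: stop inheriting from the volume root and grant only what each principal needs.
function Set-ContentAcl {
    param([string]$Path, [string]$Authors, [string[]]$ReadOnlyPrincipals)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # protected DACL, inherited ACEs dropped
    foreach ($r in @($acl.Access)) { [void]$acl.RemoveAccessRule($r) }   # clear explicit ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $grants  = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($Authors,                 'Modify')
    )
    foreach ($p in $ReadOnlyPrincipals) { $grants += ,@($p, 'ReadAndExecute') }
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# IIS Web site permissions (metabase Access* flags): serve content and run scripts, nothing more.
function Set-SiteAccess {
    param([int]$Id)
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    $root.Put('AccessRead',    $true)
    $root.Put('AccessScript',  $true)    # ASP/ASP.NET need this; use $false for static-only sites
    $root.Put('AccessExecute', $false)   # no raw executable (CGI/ISAPI) access
    $root.Put('AccessWrite',   $false)   # no HTTP PUT/WebDAV writes into content
    $root.Put('AccessSource',  $false)   # no script source access
    $root.SetInfo()
}

# Authentication method via AuthFlags. Bit values as I recall them from the IIS 6.0
# metabase reference (verify): 1 = Anonymous, 2 = Basic, 4 = Integrated Windows.
# Default here is Integrated only, suitable for an intranet site; a public site keeps 1.
function Set-SiteAuthentication {
    param([int]$Id, [int]$AuthFlags = 4)
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    $root.Put('AuthFlags', $AuthFlags)
    $root.SetInfo()
}

# Isolation check: report the identity of the site's application pool. AppPoolIdentityType
# values as I recall them (verify): 0 = LocalSystem, 1 = LocalService, 2 = NetworkService,
# 3 = a specific user account.
function Get-SiteAppPoolIdentity {
    param([int]$Id)
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    $pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$($root.AppPoolId)"
    New-Object PSObject -Property @{
        AppPool      = [string]$root.AppPoolId
        IdentityType = [int]$pool.AppPoolIdentityType
        RunsAsSystem = ([int]$pool.AppPoolIdentityType -eq 0)
    }
}

Set-ContentAcl -Path $ContentRoot -Authors $AuthorsGroup -ReadOnlyPrincipals @($AnonUser, $WorkerGroup)
Set-SiteAccess -Id $SiteId
Set-SiteAuthentication -Id $SiteId
Get-SiteAppPoolIdentity -Id $SiteId | Format-List
```

Two design points matter here. The NTFS ACL is made protected (no inheritance) so that a permissive ACE added to the volume root later cannot silently widen access to the content, and the anonymous account and IIS_WPG get only Read and Execute, which is what the IIS Web site permissions above also express at the HTTP layer; both layers must agree, because a Write permission granted in only one of them is still denied by the other. A RunsAsSystem result of True is the finding to act on under "Configure Web sites and applications for isolation".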

Encrypt Confidential Data Exchanged with Clients

  • Use Secure Sockets Layer (SSL) to encrypt confidential data.

  • Use Internet Protocol security (IPsec) or virtual private network (VPN) with remote administration.

Maintain Web Site and Application Security

  • Obtain and apply current security patches.

  • Enable Windows Server 2003 security logs.

  • Enable file access auditing for Web site content.

  • Configure IIS logs.

  • Review security policies, processes, and procedures.
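As an added example (not part of this documentation or of IIS 6.0), the following script implements two of the maintenance steps above for one site: it places a SACL on the content directory so that writes, deletions and permission changes are recorded in the Windows Security log, and it configures W3C Extended logging with the fields that are most useful when reviewing an incident. It assumes Windows PowerShell 2.0 or later, a local administrator session (writing a SACL needs the Manage auditing privilege), and that "Audit object access" is already enabled in the local security policy, since without it the SACL records nothing. The paths and site identifier are constructed placeholders; the LogExtFileFlags bit values and the W3C log plug-in CLSID are given as I recall them from the IIS 6.0 metabase reference and should be verified.

```powershell
# Added example, not from the IIS 6.0 documentation: enable file-access auditing on
# the content directory and W3C Extended logging fields for one site. Assumes Windows
# PowerShell 2.0 or later, a local administrator session, and that "Audit object
# access" is enabled in local security policy. Paths and the site ID are placeholders.

$ContentRoot = 'E:\wwwroot\ContosoSite'   # placeholder
$SiteId      = 1                           # placeholder
$LogDir      = 'E:\IISLogs'                # placeholder; ideally a separate, ACL-restricted volume

# File access auditing: record successful and failed attempts by anyone to change
# content, delete it, or alter its permissions or ownership. Reads are not audited,
# because on a busy site they would flood the Security log.
function Enable-ContentAudit {
    param([string]$Path)
    $acl    = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# IIS logging. Bit values for LogExtFileFlags and the W3C Extended plug-in CLSID are
# as I recall them from the IIS 6.0 metabase reference; verify before relying on them.
$W3CExtendedLogCLSID = '{FF160663-DE82-11CF-BC0A-00AA006111E0}'
$LogFields = @{
    Date = 1; Time = 2; ClientIP = 4; UserName = 8; SiteName = 16; ServerIP = 64;
    Method = 128; UriStem = 256; UriQuery = 512; HttpStatus = 1024; Win32Status = 2048;
    BytesSent = 4096; BytesRecv = 8192; TimeTaken = 16384; ServerPort = 32768;
    UserAgent = 65536; Referer = 262144; HttpSubStatus = 2097152
}

function Set-SiteLogging {
    param([int]$Id, [string]$Directory, [string[]]$Fields)
    $flags = 0
    foreach ($f in $Fields) { $flags = $flags -bor $LogFields[$f] }
    $site = [ADSI]"IIS://localhost/W3SVC/$Id"
    $site.Put('LogType',          1)                     # 1 = logging enabled
    $site.Put('LogPluginClsid',   $W3CExtendedLogCLSID)  # W3C Extended format
    $site.Put('LogFileDirectory', $Directory)
    $site.Put('LogExtFileFlags',  $flags)
    $site.SetInfo()
    return $flags
}

# Read back and decode the configured fields, so the change can be verified.
function Get-SiteLogFields {
    param([int]$Id)
    $site  = [ADSI]"IIS://localhost/W3SVC/$Id"
    $flags = [int]$site.LogExtFileFlags
    $LogFields.Keys | Where-Object { ($flags -band $LogFields[$_]) -ne 0 } | Sort-Object
}

Enable-ContentAudit -Path $ContentRoot
$wanted = @('Date', 'Time', 'ClientIP', 'UserName', 'ServerIP', 'ServerPort', 'Method',
            'UriStem', 'UriQuery', 'HttpStatus', 'HttpSubStatus', 'Win32Status',
            'BytesSent', 'BytesRecv', 'TimeTaken', 'UserAgent', 'Referer')
[void](Set-SiteLogging -Id $SiteId -Directory $LogDir -Fields $wanted)
"Configured log fields for site ${SiteId}:"
Get-SiteLogFields -Id $SiteId
```

The field set is chosen for investigation rather than traffic statistics: client IP, method, URI stem and query, status and sub-status, Win32 status and time-taken together let a reviewer distinguish a scanner probing for files from a slow, successful request that merits a closer look. Writing the logs to a separate volume with its own restrictive ACL keeps a compromised site from filling the content volume or from altering its own audit trail.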