Updated: August 22, 2005
Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1
IIS 6.0 includes a variety of security features and technologies to ensure the integrity of your Web and FTP site content, as well as data transmitted through your sites. IIS security features cover the following security-related tasks: authentication, access control, encryption, certificates, and auditing. This topic describes new and notable security features.
|To help minimize the attack surface of the server, IIS 6.0 is not installed on Windows Server 2003 by default. When you first install IIS 6.0, it is locked down -- which means that only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. None of the features that sit on top of IIS are turned on, including ASP, ASP.NET, CGI scripting, FrontPage® 2002 Server Extensions from Microsoft, and WebDAV publishing. If you do not enable these features, IIS returns a 404 error. You can enable these features through the Web Service Extensions node in IIS Manager. For more information about how to troubleshoot 404 errors and other issues, see Troubleshooting in IIS 6.0.|
Digest authentication allows robust authentication of users across proxy servers and firewalls. In addition, Anonymous authentication, Basic authentication, and Integrated Windows authentication are still available.
Advanced Digest Authentication — New
Advanced Digest authentication makes improvements over Basic authentication in that credentials are sent over the network as an MD5 hash and are stored as such in the Active Directory® of the domain controller. This mechanism makes it extremely difficult for intruders to discover users' passwords and does not require you to modify your applications.
Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) provide a secure way to exchange information between clients and servers. In addition, SSL 3.0 and TLS provide a way for the server to verify who the client is before the user logs on to the server. In IIS, client certificates are exposed to both ISAPI and Active Server Pages (ASP), so that programmers can track users through their sites. Also, IIS can map the client certificate to a Windows user account so that administrators can control access to system resources based on the client certificate.
Server-Gated Cryptography (SGC) is an extension of SSL that allows financial institutions with export versions of IIS to use strong 128-bit encryption. Although SGC capabilities are built into IIS, a special SGC certificate is required to use SGC. For more information about SGC, see Server-Gated Cryptography.
Selectable Cryptographic Service Provider — New
Secure Sockets Layer provides a secure way to exchange information between clients and servers. However, the CPU has to perform intensive cryptography, which degrades performance. IIS offers the Selectable Cryptographic Service Provider (CSP), which allows you to select a cryptographic provider that suits your needs. Each provider can create a public and private key for encrypting data sent to and from the Web server. The private key is stored at the server on hardware, a PCI card, a SmartCard, or in the registry — as it is for the two default providers that Microsoft installs. Storing the private key on hardware allows you to plug into hardware-based accelerator cards, that perform cryptographic computations, instead of the server. It is easy to select providers from IIS Manager to use Microsoft CryptoAPI providers or installed CryptoAPI providers from other companies. All CryptoAPIs implement the same methods so that you can switch between providers without having to change your code.
Configurable Worker Process Identity — New
To thwart system attackers and malicious users, you can configure application pools and therefore the worker process executing within, to run under an account with a lower level of permissions than LocalSystem. If you provide services to Internet users, you can allow your customers to upload static content and executable code. Erroneous code will not cause the World Wide Web Publishing Service (WWW service) or computer to fail. Only the application will fail.
The following security wizards simplify server administration tasks:
The Web Server Certificate Wizard simplifies certificate administration tasks, such as creating certificate requests and managing the certificate life cycle.
The CTL Wizard helps you configure your certificate trust lists (CTLs). A CTL is a list of trusted certification authorities (CAs) for a particular directory. CTLs are especially useful for Internet service providers (ISPs) who have several Web sites on their server and need to have a different list of approved certification authorities for each site.
IP and Internet Domain Restrictions
You can assign or deny Web access to individual computers, groups of computers, or entire domains.
Kerberos V5 Authentication Protocol Compliance
IIS is fully integrated with the Kerberos V5 authentication protocol implemented in members of the Windows Server 2003 family, allowing you to pass authentication credentials among connected computers running Windows.
IIS certificate storage is now integrated with the Windows CryptoAPI storage. The Windows Certificate Manager provides a single point of entry that allows you to store, back up, and configure server certificates.