
How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services

Published: February 16, 2011

Author: Rodrigo Immaginario, Microsoft MVP - Enterprise Security: Engineering


Exposing a web server to the Internet is a concern for any network or security administrator. Common sense says a firewall should sit in front of the server and filter all traffic to it, but that is not always possible. With Windows Web Server 2008 and Internet Information Services (IIS) 7.0, a platform for developing and hosting websites and services, a few straightforward configuration changes can reduce the risk of running a web server directly on the Internet.

Consider the following example, in which a web server (IIS) is published directly on the Internet, whether in a data center or through another hosting model.

Figure 1. Web server (IIS) published directly on the Internet.

We can improve the security of this server in several ways: inbound filter rules in Windows Firewall, request filtering with the URLScan tool, and hardening with the Security Configuration Wizard.

Filter Rules

To restrict access to the server to a few ports, enable the firewall that ships with Windows Server 2008 and configure its rules through the Windows Firewall with Advanced Security snap-in (or, equivalently, the netsh advfirewall command).

The first step is to ensure that Windows Firewall is turned on (see Figure 2):

Figure 2. Windows Firewall settings.

Then create the access restrictions. For this example (see Figure 3) I created the five rules listed below. Note that the last one shows how to permit access from a specific server or network only.

  • Deny All – IN: Blocks inbound access to every server port that no other rule opens. In Windows Firewall with Advanced Security this is the profile's default inbound action rather than an explicit block rule, because an explicit block rule takes precedence over allow rules and would close ports 80 and 443 as well. It restricts inbound traffic only; outbound connections remain unconstrained.
  • HTTP – IN: Allows access to port 80 (TCP) from any address.
  • HTTPS – IN: Allows access to port 443 (TCP) from any address.
  • RDP – IN: Allows access to port 3389 (TCP) from any address. In practice, restrict this rule to your management network in the same way as the SQL rule, or reach the server over a VPN; an administration port open to the whole Internet invites password guessing.
  • SQL – IN: Allows access to port 1433 (TCP) only from a specific IP range (the servers that need it). SQL Server should never be reachable from arbitrary Internet addresses.

Figure 3. Windows Firewall with Advanced Security: inbound rules.

The same rules can be created from the command line with netsh advfirewall firewall. (Be careful not to use netsh advfirewall consec: that creates IPsec connection security rules, which decide whether traffic must be authenticated, not whether it is allowed or blocked.) The "Deny All" rule is the profile's default inbound action; an explicit block rule would take precedence over the allow rules below and close ports 80 and 443 too. Replace 1.1.1.0/24 with the range that needs SQL access.

rem Deny ALL - IN: turn the firewall on and block inbound by default, outbound unrestricted (all profiles)
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem HTTP - IN and HTTPS - IN: web traffic from any address
netsh advfirewall firewall add rule name="HTTP - IN" dir=in action=allow protocol=TCP localport=80 enable=yes
netsh advfirewall firewall add rule name="HTTPS - IN" dir=in action=allow protocol=TCP localport=443 enable=yes

rem RDP - IN: remote administration (add remoteip=<management range> if at all possible)
netsh advfirewall firewall add rule name="RDP - IN" dir=in action=allow protocol=TCP localport=3389 enable=yes

rem SQL - IN: port 1433 only from the 1.1.1.0/24 range
netsh advfirewall firewall add rule name="SQL - IN" dir=in action=allow protocol=TCP localport=1433 remoteip=1.1.1.0/24 enable=yes

rem Verify the resulting inbound rule set
netsh advfirewall firewall show rule name=all dir=in
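Once the rules are in place, the check worth running is whether every port the server actually listens on is covered by an inbound allow rule, and nothing else is. The following PowerShell script is an added example written for this article, not code from the original; it assumes PowerShell 2.0 on Windows Server 2008, an elevated prompt, and English-language netsh and netstat output (the labels "Rule Name:", "LocalPort:" and "LISTENING" are parsed as text). It does not evaluate rule scope (RemoteIP) or profile, so it only reports listeners that no enabled allow rule covers at all.

```powershell
# Added example (not from the original article): cross-check listening TCP
# ports against the enabled inbound allow rules in Windows Firewall.
# Assumes English netsh/netstat output and an elevated PowerShell 2.0 prompt.

function Get-InboundAllowedTcpPorts {
    # Returns a hashtable: port number -> name of the first enabled inbound
    # TCP allow rule that opens it. A rule with LocalPort "Any" is stored
    # under the key 'Any'.
    $allowed = @{}
    $text = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
    foreach ($block in ($text -split 'Rule Name:')) {
        if ($block -match 'Enabled:\s+Yes' -and $block -match 'Action:\s+Allow' -and
            $block -match 'Protocol:\s+TCP' -and $block -match 'LocalPort:\s+(\S+)') {
            $portSpec = $matches[1]                      # e.g. 80, 80,443, 5000-5010, Any
            $name = ($block -split "`n")[0].Trim()       # text after "Rule Name:"
            foreach ($p in ($portSpec -split ',')) {
                if ($p -eq 'Any') {
                    if (-not $allowed.ContainsKey('Any')) { $allowed['Any'] = $name }
                } elseif ($p -match '^(\d+)-(\d+)$') {
                    foreach ($n in (([int]$matches[1])..([int]$matches[2]))) {
                        if (-not $allowed.ContainsKey($n)) { $allowed[$n] = $name }
                    }
                } elseif ($p -match '^\d+$') {
                    if (-not $allowed.ContainsKey([int]$p)) { $allowed[[int]$p] = $name }
                }
            }
        }
    }
    return $allowed
}

function Get-ListeningTcpPorts {
    # Returns Address/Port/ProcessId for every TCP listener (IPv4 and IPv6).
    $result = @()
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $result += New-Object PSObject -Property @{
                Address = $matches[1]; Port = [int]$matches[2]; ProcessId = [int]$matches[3]
            }
        }
    }
    $result | Sort-Object Port, Address -Unique
}

function Test-ListenerExposure {
    $allowed = Get-InboundAllowedTcpPorts
    foreach ($l in (Get-ListeningTcpPorts)) {
        $procName = "pid $($l.ProcessId)"
        $proc = Get-Process -Id $l.ProcessId -ErrorAction SilentlyContinue
        if ($proc) { $procName = $proc.ProcessName }

        if ($l.Address -eq '127.0.0.1' -or $l.Address -eq '[::1]') {
            $state = 'loopback only, not reachable from the network'
        } elseif ($allowed.ContainsKey($l.Port)) {
            $state = "REACHABLE: allowed by rule '$($allowed[$l.Port])'"
        } elseif ($allowed.ContainsKey('Any')) {
            $state = "REACHABLE: allowed by rule '$($allowed['Any'])' (LocalPort Any)"
        } else {
            $state = 'no inbound allow rule: blocked if the default inbound action is Block'
        }
        "{0,6}  {1,-16} {2}" -f $l.Port, $procName, $state
    }
}

Test-ListenerExposure
```

Anything reported as REACHABLE that is not one of the ports you meant to publish is either a service to disable (see Hardening below) or a rule to tighten. A rule with LocalPort "Any" deserves particular attention, since it silently covers every listener on the box.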

URLScan

URLScan is a security tool for IIS that analyzes, and can reject, HTTP requests before the web server passes them to the application. It works from deny lists of verbs, headers, file extensions and URL or query-string sequences, and can therefore mitigate several kinds of attacks, including some SQL injection attempts. The best prevention for SQL injection remains fixing the code (parameterized queries rather than string concatenation); URLScan only adds a layer in front of it, and a keyword filter can be bypassed as well as reject legitimate requests.

URLScan 3.1 is the version that supports IIS 7.0; download and installation information is available from Microsoft.
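To show what the SQL injection mitigation looks like in practice, the following PowerShell script adds a URLScan 3.1 custom rule that rejects requests whose query string contains common SQL tokens. It is an added example written for this article, not code from the original or from the URLScan documentation. It assumes URLScan 3.1 is installed in its default location, %windir%\system32\inetsrv\urlscan, and that the UrlScan.ini that shipped with it is still present: the script edits that file in place rather than replacing it, so the default [AllowVerbs], [DenyExtensions] and similar sections survive. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): add a URLScan 3.1 custom rule
# to the existing UrlScan.ini that rejects SQL tokens in the query string.
# Assumes the default install path and an elevated PowerShell prompt.

$ini = Join-Path $env:windir 'system32\inetsrv\urlscan\UrlScan.ini'
$ruleName = 'SQL Injection'

# A custom rule is a section whose name appears in RuleList= under [Options].
# AppliesTo limits it to the given extensions, Scan* selects which part of the
# request is examined, and DenyDataSection names the list of strings that,
# matched case-insensitively as substrings, cause the request to be rejected.
# '@' is deliberately left out: it would reject every e-mail address.
$ruleSections = @"

[$ruleName]
AppliesTo=.asp,.aspx
DenyDataSection=$ruleName Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[$ruleName Strings]
--
;
xp_
exec
union
select
insert
update
delete
drop
declare
cast
convert
"@

if (-not (Test-Path $ini)) { throw "UrlScan.ini not found at $ini" }
Copy-Item $ini "$ini.bak" -Force

$content = Get-Content $ini
$hasRuleList = [bool]($content | Where-Object { $_ -match '^\s*RuleList\s*=' })

$updated = $content | ForEach-Object {
    if ($_ -match '^\s*RuleList\s*=\s*(.*)$') {
        # Append the rule to an existing RuleList= line, once
        $existing = $matches[1].Trim()
        if ($existing -eq '') { "RuleList=$ruleName" }
        elseif (($existing -split '\s*,\s*') -contains $ruleName) { $_ }
        else { "RuleList=$existing,$ruleName" }
    } elseif (-not $hasRuleList -and $_ -match '^\s*\[Options\]\s*$') {
        # No RuleList= anywhere: add one directly under [Options]
        $_
        "RuleList=$ruleName"
    } else {
        $_
    }
}

if (-not (($content -join "`n") -match "\[$ruleName\]")) {
    $updated += $ruleSections -split "`r?`n"
}
Set-Content -Path $ini -Value $updated -Encoding ASCII

# URLScan reads its configuration when the worker process starts
iisreset
```

Test the rule with a request such as /default.aspx?id=1;select (rejected) against /default.aspx?id=1 (passed), and watch the URLScan log for what it turns away. Expect false positives from the word list (a search for "select" in a product catalog, for example) and tune the AppliesTo extensions and the strings to the application; URLScan 3.x's UnescapeQueryString option in [Options] controls whether the query string is decoded before matching, which matters for URL-encoded payloads.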

Hardening

From a security perspective, it is important to run only the services and features the server needs. With the Security Configuration Wizard you can configure a server, or a set of servers, so that only what is necessary for its role is running: the policy the wizard saves can be applied to other servers with scwcmd configure, or converted into a Group Policy object with scwcmd transform.

Figure 4. Security Configuration Wizard start screen.

The Security Configuration Wizard inventories the roles and features installed on the server and proposes changes, such as services to disable, network and firewall rules, registry settings and audit policy, based on your selections (see Figure 5) and the role definitions in its security configuration database.

Figure 5. Security Configuration Wizard: role and service selection.

Improving server security is not only a matter of denying access. We also need the data to survive (backup) and a record of what happened for later analysis (audit trails). Auditing and backup therefore deserve attention as well.

Auditing

It is good practice to enable object access auditing on the folders in which the sites are stored (see Figure 6). The audit events, combined with other data such as the IIS logs, let you identify who changed which file and when, and correlate a modified page with the request or session that caused it.

Figure 6. Advanced Security Settings for the Sites folder: Auditing tab.
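The same auditing configuration as in Figure 6, done from the command line so it can be repeated on every server, together with a quick way to read the events it produces. This is an added example written for this article, not code from the original; it assumes the sites live under C:\inetpub\wwwroot (a hypothetical path), PowerShell 2.0 on Windows Server 2008 and an elevated prompt.

```powershell
# Added example (not from the original article): enable file-system object
# access auditing, put an audit entry (SACL) on the sites folder, and read
# the resulting events. Assumes a hypothetical site path and elevated prompt.

$sitesPath = 'C:\inetpub\wwwroot'

# 1. Audit policy. Without it, SACL entries are evaluated but no event is
#    written. Note that a legacy "Audit object access" setting pushed by Group
#    Policy overrides subcategory settings unless the
#    SCENoApplyLegacyAuditPolicy option is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL on the folder: record successful and failed writes, deletes,
#    permission and ownership changes by anyone, inherited by all subfolders
#    and files. Reads are deliberately not audited: on a web root they would
#    generate an event per request and drown the useful entries.
$acl = Get-Acl -Path $sitesPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $sitesPath -AclObject $acl

# 3. Check: recent object-access events (4663, "an attempt was made to access
#    an object") that refer to the sites folder. The Properties indexes follow
#    the 4663 event's field order: 1 = subject account name, 6 = object name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$sitesPath*" } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Size the Security log accordingly (wevtutil sl Security /ms:<bytes>) or forward it elsewhere; a busy server overwrites a small log within hours, which is exactly when you would want the history.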

Backup

Keeping several versions of your files on a separate drive or on external storage is the ideal scenario. Where that is not available, other forms of backup (some faster and cheaper than external storage) can still ensure that old, damaged or deleted files are recoverable when necessary.

Previous Versions. Enabling Previous Versions (Shadow Copies of Shared Folders, see Figure 7) on the volume that holds the sites lets you restore an earlier copy of a file or folder from its Properties dialog. The shadow copies live on the server's own disks, so they protect against accidental or malicious changes but not against loss of the server; they complement a copy kept elsewhere rather than replace it.

Figure 7. Sites folder Properties: Previous Versions tab.

Backup Scripts. Although less common, you can also script a utility such as Robocopy to copy dated versions of the sites to other folders or drives on a schedule.
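A Robocopy-based script of the kind just described, as an added example written for this article rather than code from the original. It assumes the sites are under C:\inetpub\wwwroot and the backups go to a second drive at D:\SiteBackups (both hypothetical paths), and that Task Scheduler runs it daily under an account with backup rights so that NTFS permissions and owners are copied along with the data.

```powershell
# Added example (not from the original article): keep dated copies of the
# site folders on another drive with Robocopy and prune the oldest ones.
# Source and destination paths are hypothetical.

$source = 'C:\inetpub\wwwroot'
$root   = 'D:\SiteBackups'
$keep   = 14   # number of dated copies to retain

if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'   # sorts chronologically by name
$dest  = Join-Path $root $stamp
$log   = "$dest.log"

# /E           all subfolders, including empty ones
# /COPY:DATSO  data, attributes, timestamps, NTFS ACLs and owner
# /R:2 /W:5    retry a locked file twice, 5 s apart, instead of hanging
# /NP /NFL     no progress indicator or per-file list in the log, keep the summary
robocopy $source $dest /E /COPY:DATSO /R:2 /W:5 /NP /NFL "/LOG:$log"

# Robocopy exit codes below 8 are success variants (bits for copied, extra and
# mismatched files); 8 and above mean at least one file could not be copied.
if ($LASTEXITCODE -ge 8) {
    Write-Error "Robocopy reported failures (exit code $LASTEXITCODE); see $log"
    exit 1
}

# Keep the newest $keep copies; remove older folders together with their logs.
Get-ChildItem $root | Where-Object { $_.PSIsContainer } |
    Sort-Object Name -Descending | Select-Object -Skip $keep |
    ForEach-Object {
        Remove-Item $_.FullName -Recurse -Force
        Remove-Item "$($_.FullName).log" -ErrorAction SilentlyContinue
    }

"Backup written to $dest"
```

Because each run is a full copy, an attacker or a bad deployment that alters files on the web root cannot touch the copies already taken, which is the property a mirror (/MIR) would lose. Verify a restore from one of the dated folders at least once before relying on it.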

In conclusion, using only what ships with Windows Web Server 2008 and at no additional cost, you can publish an IIS web server directly on the Internet and, with the measures above, considerably reduce the risk of a successful attack.

About the Author

Rodrigo Immaginario has worked in the computer science field since 1994, specializing in security solutions for Microsoft environments, including those involving IPsec, Hyper-V, and DirectAccess. His certifications include Certified Information Systems Security Professional (CISSP) and Microsoft Certified Systems Engineer (MCSE) in Security. He has been a Microsoft Most Valuable Professional (MVP) since 2004.

He is currently Chief Information Officer at the Universitario Vila Velha in Brazil and he developed a post-graduate course in Microsoft .NET.  
