How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services
Published: February 16, 2011
Author: Rodrigo Immaginario, Microsoft MVP - Enterprise Security: Engineering
Providing a web server on the Internet is a worrying task for any network and/or security administrator. Although common sense indicates that it is ideal to have a firewall to help protect and filter all traffic to the web server, unfortunately this is not always possible. However, with Windows Web Server 2008 and Internet Information Services (IIS) 7.0, which delivers a platform for developing and hosting websites, services and more, we can, with some minor configurations, minimize the risks of maintaining a web server directly on the Internet.
Let's consider the following example, in which a web server (IIS) is published directly on the Internet (in a data center or through another hosting model).
We can improve security for this server in various ways, including firewall filter rules, the URLScan tool, and hardening.
To restrict access to the server to specific ports, you must enable and configure filter rules with the Windows Firewall included in Windows Server 2008, through the Windows Firewall with Advanced Security snap-in.
The first step is to ensure that Windows Firewall is turned on (see Figure 2):
Then you must create the access restrictions. For this example (see Figure 3), I have created five rules, as shown below. (Note: This example shows how to enable access only from a specific server or network.)
The same rules can be created through script. For example, the following netsh command adds a connection security (IPsec) rule that requires inbound connections to be authenticated and requests authentication for outbound ones (replace x.x.x.x with the address of the permitted server or network):
netsh advfirewall consec add rule name="Deny ALL - IN" endpoint1=any endpoint2=x.x.x.x action=requireinrequestout enable=yes
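As an added example (not the article's own script), the batch file below builds the kind of rule set described above using the `netsh advfirewall firewall` context: the default inbound policy blocks everything, HTTP and HTTPS are open to the Internet, and remote administration is reachable only from an assumed management network 192.0.2.0/24, which is a placeholder you must replace.

```batch
@echo off
rem Added example: lock down an Internet-facing IIS host with Windows Firewall
rem with Advanced Security on Windows Server 2008 (netsh advfirewall).
rem 192.0.2.0/24 is a placeholder management network; replace it with your own.
set MGMT_NET=192.0.2.0/24

rem 1. Turn the firewall on for every profile and set the default policy:
rem    drop unsolicited inbound traffic, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 2. Log dropped connections so they can be correlated with IIS logs
rem    and the object-access audit trail later.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 4096

rem 3. Disable built-in rule groups an Internet-facing web server does not need.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
netsh advfirewall firewall set rule group="Network Discovery" new enable=no

rem 4. Public web traffic: the only ports open to any remote address.
netsh advfirewall firewall add rule name="IIS - HTTP in" dir=in action=allow protocol=TCP localport=80 remoteip=any
netsh advfirewall firewall add rule name="IIS - HTTPS in" dir=in action=allow protocol=TCP localport=443 remoteip=any

rem 5. Remote administration (RDP and ICMP echo) only from the management network.
netsh advfirewall firewall add rule name="Admin - RDP in" dir=in action=allow protocol=TCP localport=3389 remoteip=%MGMT_NET%
netsh advfirewall firewall add rule name="Admin - ICMP echo in" dir=in action=allow protocol=icmpv4:8,any remoteip=%MGMT_NET%

rem 6. Review the result: profile state/policy and the full inbound rule list.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

Run the script from an elevated command prompt, ideally from a console session, since the RDP rule only applies to the management network you supplied.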
URLScan is a security tool for IIS that analyzes, and is capable of restricting, the HTTP requests that the web server processes. URLScan can mitigate several kinds of attacks, such as SQL injection. While the best prevention for SQL injection is correcting the application code, the infrastructure can add a layer of filtering with URLScan.
From a security perspective, it is important to run only necessary services and resources. With Security Configuration Wizard, you can configure a server or a set of servers (through Group Policy Objects). This helps ensure that only the features that are necessary for a certain profile (Role) or server to function are running.
The Security Configuration Wizard analyzes your server and suggests changes (for example to service configurations, network security rules, and audit policies) based on the settings you select (see Figure 5) and on templates that are loaded into its database.
Improving server security is not solely a matter of denying access. We also need to concern ourselves with guaranteeing data continuity (backup) and with collecting the information needed to analyze and improve the security environment. Therefore, it's also important to consider auditing and backup.
It is good practice to enable object access auditing for the folders in which sites are stored (see Figure 6). The audit information, combined with other data (such as the IIS logs), can help us identify various issues.
Storing different versions of your files on external drives is the ideal scenario; however, if this is not an available option you can use other types of backup (some of which are faster and cheaper than external storage) to help ensure that old, damaged, or lost files are recoverable when necessary.
Previous Versions. Enabling Previous Versions (see Figure 7) in Windows can help you recover earlier copies of files.
Backup Scripts. Although it is less common, you can also create a script using a utility such as Robocopy to save versions of sites in other folders or disk drives.
In conclusion, when you're running Windows Web Server 2008 you can simply, securely, and without additional cost publish a web server (IIS) directly on the Internet, considerably reducing the risk of a successful attack.
About the Author
Rodrigo Immaginario has worked in the computer science field since 1994, specializing in security solutions for Microsoft environments including those involving IPsec, Hyper-V, and DirectAccess. His certifications include Certified Information Systems Security Professional (CISSP) and Microsoft Certified Systems Engineer (MCSE) in Security. He has been a Microsoft Most Valuable Professional MVP since 2004.
He is currently Chief Information Officer at the Universitario Vila Velha in Brazil and he developed a post-graduate course in Microsoft .NET.