Securing NNTP Virtual Servers

Applies To: Windows Server 2003, Windows Server 2003 with SP1

By configuring the properties of your NNTP virtual server correctly, you can increase the security of your NNTP server and your network. The Access, Settings, and Security tabs each have security-related properties that you can use to configure access-related settings, set post and connection limits, and assign administrative credentials. You can also increase security through the use of access control lists (ACLs).

The Access tab has three important security-related settings: Authentication, Certificate, and Connection.

Authentication

The Authentication option allows you to select from the following authentication methods for newsgroup users:

  • Anonymous access. Anonymous access is enabled by default. If you do not disable Anonymous access, everyone is able to access all of the newsgroups on this virtual server.

  • Basic authentication. If you enable Basic authentication and you disable anonymous access, users must enter a valid Windows user name and an authorized password to access the newsgroup. However, those credentials are not encrypted when they are sent across the network (credentials are sent in plaintext). Basic authentication leaves your server vulnerable to a dictionary attack. Use this option only if your newsgroups are internal.

  • Integrated Windows authentication. If you enable Integrated Windows authentication and you disable anonymous access, users must enter a valid Windows user name and an authorized password to access the newsgroup, and those credentials are encrypted when they are sent over the network. Integrated Windows authentication can also leave your server vulnerable to a dictionary attack. Outlook Express supports this protocol.

  • SSL client authentication. SSL provides a secure, encrypted connection between the NNTP service and the client. SSL support requires that an SSL certificate is installed on the computer running Windows Server 2003 and that the client software supports SSL. (Outlook Express supports SSL.) If a server certificate is installed, then the NNTP service uses SSL whenever a client requests it. You have the option to require SSL for all newsgroups or for newsgroups located in a virtual directory.

Certificate

The Certificate option starts the Web Server Certificate Wizard, which you can use to create and administer server certificates used in secure Web communications, such as those that require SSL.

Connection

The Connection option allows you to restrict access to the virtual server based on the IP address of the client. By default, all IP addresses have access to the NNTP service. You can either allow or deny access to a specific list of IP addresses, and you can specify the IP addresses individually or as a group using a subnet mask. You can also specify IP addresses using a domain name, but doing so adds the overhead of a DNS lookup for each connection. For more information about domain names and DNS, see DNS Overview.
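The following Python sketch is an added example, not part of the original documentation or of any Microsoft tool. It models the allow-or-deny list described above so that you can check a planned restriction list against sample client addresses before entering it. The function names, the `allow`/`deny` labels, and the sample addresses are assumptions made for illustration; the sketch is IPv4 only and does not read or change the server's configuration.

```python
import ipaddress

def parse_entry(entry):
    """Return an IPv4Network for 'a.b.c.d' or 'network-id/subnet-mask'.

    strict=True rejects a network ID that has host bits set, such as
    '10.1.2.3/255.255.255.0', which usually indicates a data-entry mistake.
    """
    if "/" not in entry:
        return ipaddress.IPv4Network(entry + "/32")
    return ipaddress.IPv4Network(entry, strict=True)

def build_rule(listed_action, entries):
    """listed_action is 'allow' (only listed clients may connect) or
    'deny' (every client except the listed ones may connect)."""
    if listed_action not in ("allow", "deny"):
        raise ValueError("listed_action must be 'allow' or 'deny'")
    return listed_action, [parse_entry(e) for e in entries]

def is_permitted(rule, client_ip):
    """Decide whether a client address may connect under the rule."""
    listed_action, networks = rule
    addr = ipaddress.IPv4Address(client_ip)
    listed = any(addr in net for net in networks)
    return listed if listed_action == "allow" else not listed

def audit(rule, clients):
    """Map each sample client address to True (permitted) or False."""
    return {ip: is_permitted(rule, ip) for ip in clients}

# Constructed sample: internal newsgroups limited to one subnet plus one host.
SAMPLE_RULE = build_rule("allow", ["192.168.10.0/255.255.255.0", "10.0.0.5"])
SAMPLE_CLIENTS = ["192.168.10.77", "192.168.11.1", "10.0.0.5", "203.0.113.9"]

if __name__ == "__main__":
    for ip, ok in audit(SAMPLE_RULE, SAMPLE_CLIENTS).items():
        print(f"{ip:15} {'permitted' if ok else 'refused'}")
```
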

Setting Post and Connection Limits

There are several options on the Settings tab that affect the security of your NNTP virtual server. You can set the post size, in kilobytes, of the largest single article a user can post. You can also set the connection size, in megabytes, of the maximum amount of data that a user can post to a newsgroup during a connection. When you set limits on the size of posts and connections, you help prevent a malicious individual from trying to overload your server resources by posting extremely large articles.

Assigning Administrative Credentials

You can use the Security tab to grant administrative credentials to Windows user accounts. By default, the Windows Administrator account is granted administrative credentials. For more information about security and access control, see Managing a Secure IIS 6.0 Solution.

Creating ACLs

After you set the authentication requirements for your virtual server, you can further restrict access to newsgroups with ACLs. For example, in the case of departmental newsgroups, ACLs can prevent non-executives from reading the executive newsgroup. You can control access to individual newsgroups or sets of newsgroups by assigning permissions on your computer running Windows Server 2003 for the directories that contain those newsgroups. You can set permissions for an individual directory or for a set of directories. For more information about ACLs, see Access control in Help and Support Center for Windows Server 2003.