Chapter 14: Implementing Security Strategies
In this chapter:
- Security Changes in IIS 7.0
- Configuring Applications for Least Privilege
- Implementing Access Control
- Securing Communications with Secure Socket Layer (SSL)
- Securing Configuration
- Summary
- Additional Resources
On the Disc Browse the CD for additional tools and resources.
The predecessor of Internet Information Services (IIS) 7.0—IIS 6.0—established a high bar for providing a secure Web server platform. IIS 7.0 builds on much of the IIS 6.0 feature codebase and secure practices formulated during the IIS 6.0 development life cycle. It also builds on many of the design principles that contributed to the excellent security track record of IIS 6.0, taking them further to improve the security of the Web server and applications that run on it. This includes the secure by default design and an emphasis on reducing the surface area and using least privilege to minimize the risk of exposed application vulnerabilities being successfully exploited by an attacker. IIS 7.0 makes it easier than ever before to apply these crucial security principles by offering modularity that enables you to build minimal surface area Web servers and running your applications in an isolated environment.
Many of the security features in IIS 6.0 remain applicable in IIS 7.0. In this chapter, we will start by reviewing the changes to the security features as well as the new features that IIS 7.0 introduces to help improve the Web server and application security. Then, we will look at applying the general security principles of reducing the surface area and using least privilege to further strengthen the security of the Web server. Finally, we will take a detailed look at using the security features in IIS 7.0, including the authentication and authorization features, securing network communications with Transport Layer Security (TLS), and safeguarding the configuration.
© Microsoft. All Rights Reserved.