Securing Internet Information Services 6.0

Updated : July 21, 2006

On This Page

Introduction
Before You Begin
Reducing the Attack Surface of the Web Server
Configuring Accounts
Configuring Security for Files and Directories
Securing Web Sites and Virtual Directories
Configuring Secure Sockets Layer on Your Web Server
Related Information

Introduction

Web servers are frequent targets for various types of security attacks. Some of these attacks are serious enough to cause significant damage to business assets, productivity, and customer relationships—and all attacks are inconvenient and frustrating. The security of your Web servers is vital to the success of your business.

This document explains how to begin the process of securing a Web server that is running Internet Information Services (IIS) 6.0 on the Microsoft® Windows Server™ 2003, Standard Edition operating system. First, this section describes some of the most common threats that affect Web server security. Then, the document provides prescriptive guidance about making your Web server more secure against such attacks.

IIS 6.0 takes a more proactive stance against malicious users and attackers by making the following changes from earlier versions of IIS:

  • IIS 6.0 is not installed by default when you install Windows Server 2003, Standard Edition.

  • When IIS 6.0 is first installed, your Web server serves, or displays, only static Web pages (HTML), which reduces the risk posed by serving dynamic, or executable, content.

  • The World Wide Web Publishing Service (WWW service) is the only service that is enabled by default when IIS 6.0 is first installed. You can enable the specific services you need when you need them.

  • ASP and ASP.NET are disabled by default when IIS 6.0 is first installed.

For additional protection, all of the default security configuration settings in IIS 6.0 meet or exceed the security configuration settings made by the IIS Lockdown Tool. The IIS Lockdown Tool, which was designed to reduce the attack surface of Web servers by disabling unnecessary features, runs on earlier versions of IIS. For more information about the IIS Lockdown Tool, see "Securing Internet Information Services 5.0 and 5" in the Security Guidance Kit, which is available on the Microsoft Download Center Web site at www.microsoft.com/windowsserver2003/techinfo/overview/iis.mspx.

Because the default settings in IIS 6.0 disable many of the features that are commonly used by Web services, this document explains how to configure additional features of your Web server while reducing the extent to which your server is exposed to potential attackers.

This document provides the following guidance for increasing the security of your Web server:

  • Reducing the attack surface, or the extent to which your server is exposed to potential attackers, of your Web server.

  • Configuring user and group accounts for anonymous access.

  • Securing files and directories from unauthorized access.

  • Securing Web sites and virtual directories from unauthorized access.

  • Configuring Secure Sockets Layer (SSL) on your Web server.

Important   All of the step-by-step instructions that are included in this document were developed by using the default menu that displays when you click the Start button. If you have modified your Start menu, the steps might differ slightly.

After you complete the procedures in this document, your Web server will be able to serve dynamic content in the form of .asp pages, and it will still have significant protection from the following types of attacks that sometimes threaten Internet-facing servers:

  • Profiling attacks that gather information about your Web site, which can be reduced by blocking unneeded ports and disabling unneeded protocols.

  • Denial-of-service attacks that flood your Web server with requests or crash a vulnerable service. Exposure can be minimized by disabling the services you do not need, keeping the firewall limited to ports 80 and 443, and promptly applying security patches and software updates.

  • Unauthorized access by a user without the correct permissions, which can often be thwarted by configuring Web and NTFS permissions.

  • Arbitrary execution of malicious code on your Web server, which can be minimized by preventing access to system tools and commands.

  • Elevation of privileges that allows a malicious user to use a high-privileged account to run programs, which can be minimized by using least-privileged service and user accounts.

  • Damage from viruses, worms, and Trojan horses, which can be contained by disabling unneeded functionality, using least-privileged accounts, and promptly applying the latest security patches.

Note   Because securing a Web server is a complex and ongoing process, complete security cannot be guaranteed.

Objective of This Document

This document provides introductory information that can help you take the first steps to configure a more secure Web server. However, to make your Web server as secure as possible, you must understand the operation of the applications that run on the server. This document does not contain information about application-specific security configuration.

Before You Begin

This section explains the system prerequisites and the characteristics of the Web server that are described in this document.

System Requirements

The Web server that is used as an example in this document has the following system requirements:

  • The server is running Windows Server 2003, Standard Edition.

  • The operating system is installed on an NTFS partition. For information about NTFS, search for "NTFS" in Help and Support Center for Windows Server 2003.

  • All of the required patches and updates for Windows Server 2003 have been applied to the server. To verify that the latest security updates are installed on your Web server, go to the Microsoft Update page on the Microsoft Web site at https://windowsupdate.microsoft.com and have Microsoft Update scan your server for available updates.

  • Windows Server 2003 security safeguards have been applied to the server. For more information on securing Windows Server 2003, see the Windows Server 2003 Security Guide at https://go.microsoft.com/fwlink/?LinkId=14845.

Web Server Characteristics

The Web server that is used as an example in this document has the following characteristics:

  • The Web server is running IIS 6.0 in worker process isolation mode.

  • The Web server hosts one Internet-facing Web site.

  • The Web server is behind a firewall, which only allows traffic on HTTP Port 80 and HTTPS Port 443.

  • The Web server is a dedicated Web server. It is only used as a Web server, and it is not used for other purposes, such as a file server, print server, or database server running Microsoft SQL Server.

  • Anonymous access to the Web site is permitted.

  • The Web server serves HTML and ASP pages.

  • FrontPage 2002 Server Extensions from Microsoft are not configured on the Web server.

  • The applications on the Web server do not require database connectivity.

  • The Web server does not support FTP (file uploading and downloading), SMTP (e-mail), or NNTP (newsgroup) protocols.

  • The Web server does not use Internet Security and Acceleration (ISA) Server.

  • An administrator must log on locally to administer the Web server.

Reducing the Attack Surface of the Web Server

Begin the process of securing your Web server by reducing its attack surface, or the extent to which your server is exposed to potential attackers. For example, enable only those components, services, and ports that are necessary for your Web server to operate correctly.

Disabling SMB and NetBIOS

Host enumeration attacks scan the network to identify reachable hosts and the services they expose. To reduce what an attacker can discover and reach through the Internet-facing ports of your Web server, disable every network protocol and binding on that adapter except TCP/IP itself. A Web server does not need Server Message Block (SMB) or NetBIOS on its Internet-facing network adapters. The firewall described earlier should already block their ports, but disabling them on the host removes the exposure even if a firewall rule is misconfigured.

This section provides step-by-step instructions for the following tasks, which will help reduce the attack surface of your Web server:

  • Disabling SMB on an Internet-facing connection

  • Disabling NetBIOS over TCP/IP

Note   When you disable SMB and NetBIOS on a connection, the server cannot act as a file server or print server over that connection, network browsing is not available, and you cannot manage the Web server remotely with tools that depend on these protocols (for example, Computer Management connected to a remote computer, or administrative shares such as C$). If your server is a dedicated Web server that administrators log on to locally, these restrictions should not affect its operation.

SMB uses the following ports:

  • TCP port 139

  • TCP and UDP port 445 (SMB Direct Host)

NetBIOS uses the following ports:

  • TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)

  • TCP and UDP port 138 (NetBIOS datagram service)

  • TCP and UDP port 139 (NetBIOS session service)

Disabling only NetBIOS does not prevent SMB communication, because Windows 2000 and later carry SMB directly over TCP port 445 (direct-hosted SMB) as well as over the NetBIOS session service on TCP port 139. You must disable NetBIOS and SMB separately.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. My Computer, System Tools, and Device Manager.

To disable SMB on an Internet-facing connection

  1. Click Start, click Control Panel, and then double-click Network Connections.

  2. Right-click your Internet-facing connection and then click Properties.

  3. Clear the Client for Microsoft Networks check box.

  4. Clear the File and Printer Sharing for Microsoft Networks check box, and then click OK.

To disable NetBIOS over TCP/IP

  1. Click Start, right-click My Computer, and then click Manage.

  2. Double-click System Tools, and then select Device Manager.

  3. Right-click Device Manager, click View, and then click Show hidden devices.

  4. Double-click Non-Plug and Play Drivers.

  5. Right-click NetBIOS over TCP/IP, click Disable (shown in the following screen shot), and then click Yes.

    SIIS601.GIF

    Note   Screenshots in this document reflect a test environment and the information might differ from the information that is displayed on your screen.

The preceding procedure disables the direct-hosted SMB listener on TCP and UDP port 445 as well as NetBIOS over TCP/IP, because both are provided by the Nbt.sys driver. The change takes effect after you restart the computer.

Verifying New Settings

Complete the following procedures to verify that the appropriate security settings have been applied to your Web server.

To verify that SMB is disabled

  1. Click Start, click Control Panel, and then double-click Network Connections.

  2. Right-click your Internet-facing connection and then click Properties.

  3. Verify that both the Client for Microsoft Networks and the File and Printer Sharing for Microsoft Networks boxes are clear, and then click OK.

To verify that NetBIOS is disabled

  1. Click Start, right-click My Computer, and then click Manage.

  2. Double-click System Tools, and then select Device Manager.

  3. Right-click Device Manager, click View, and then click Show hidden devices.

  4. Double-click Non-Plug and Play Drivers, and then right-click NetBIOS over TCP/IP. The Enable selection now appears on the context menu, which means that NetBIOS over TCP/IP is currently disabled.

  5. Click OK to close Device Manager.
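The two verification procedures above inspect one dialog box each. The following Windows PowerShell script is an added example for this edition, not part of the original Microsoft document, and it assumes that Windows PowerShell (which was not included with Windows Server 2003) has been installed on the Web server. It reports the state of the NetBT driver that Device Manager disables, the per-adapter NetBIOS setting, and, a check the dialog boxes cannot give you, whether anything is still listening on the SMB and NetBIOS ports.

```powershell
# Added example (not part of the original document): verify from the command line that
# NetBIOS over TCP/IP and SMB are off. Assumes Windows PowerShell 2.0 on the Web server.

# 1. The NetBT kernel driver (Nbt.sys) that the Device Manager procedure disables.
$netbt = Get-WmiObject Win32_SystemDriver -Filter "Name='NetBT'"
if ($netbt -eq $null) {
    Write-Host 'NetBT driver: not present'
} else {
    Write-Host ('NetBT driver: State={0}, StartMode={1}' -f $netbt.State, $netbt.StartMode)
    if ($netbt.State -ne 'Stopped' -or $netbt.StartMode -ne 'Disabled') {
        Write-Warning 'NetBIOS over TCP/IP is still active; disable it in Device Manager and restart.'
    }
}

# 2. The per-adapter NetBIOS setting from the WINS tab of the TCP/IP properties.
#    TcpipNetbiosOptions: 0 = use the DHCP setting, 1 = enabled, 2 = disabled.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $nic = $_
    $status = switch ($nic.TcpipNetbiosOptions) { 0 { 'via DHCP' } 1 { 'Enabled' } 2 { 'Disabled' } default { 'Unknown' } }
    Write-Host ('{0} [{1}]: NetBIOS {2}' -f $nic.Description, ($nic.IPAddress -join ','), $status)
}

# 3. Nothing should still be listening on the SMB and NetBIOS ports. netstat -an prints
#    lines such as "  TCP    0.0.0.0:445    0.0.0.0:0    LISTENING"; the second field is
#    the local address, whose last colon-separated part is the port.
$smbPorts = 137, 138, 139, 445
$listeners = netstat -an | ForEach-Object {
    $f = -split $_.Trim()
    if ($f.Length -ge 2 -and ($f[0] -eq 'TCP' -or $f[0] -eq 'UDP')) {
        $local = $f[1]
        $port = [int]$local.Substring($local.LastIndexOf(':') + 1)
        if ($smbPorts -contains $port) { '{0} {1}' -f $f[0], $local }
    }
}
if ($listeners) {
    Write-Warning 'Still listening on SMB/NetBIOS ports:'
    $listeners | ForEach-Object { Write-Host "    $_" }
} else {
    Write-Host 'No listeners on ports 137, 138, 139 or 445.'
}
```

A listener bound to 0.0.0.0 accepts connections on every adapter, so if one still appears on port 445 after you restart, NetBIOS over TCP/IP has not actually been disabled. You can confirm the result from another host on the Internet-facing network with a plain TCP connection attempt to ports 139 and 445, which should be refused or time out.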

Selecting Only Essential IIS Components and Services

IIS 6.0 includes subcomponents and services in addition to the WWW service, such as the FTP service and the SMTP service. To minimize the risk of attacks that target specific services and subcomponents, Microsoft recommends that you select only the services and subcomponents that your Web sites and Web applications need to run correctly.

The following table shows the recommended settings in Add or Remove Programs for IIS subcomponents and services on the Web server used as an example in this document.

Table 1. Recommended Settings for IIS Subcomponents and Services

  Subcomponent or service                                          Default setting   Web server setting
  ---------------------------------------------------------------  ----------------  ------------------
  Background Intelligent Transfer Service (BITS) server extension  Disabled          No change
  Common Files                                                     Enabled           No change
  FTP Service                                                      Disabled          No change
  FrontPage 2002 Server Extensions                                 Disabled          No change
  Internet Information Services Manager                            Enabled           No change
  Internet Printing                                                Disabled          No change
  NNTP Service                                                     Disabled          No change
  SMTP Service                                                     Enabled           Disabled
  World Wide Web Service                                           Enabled           No change

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Add or Remove Programs.

To configure IIS components and services

  1. Click Start, click Control Panel, and then click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. On the Windows Components Wizard screen, under Components, click Application Server and then click Details.

  4. Click Internet Information Services (IIS), and then click Details.

  5. Refer to the preceding table, and then select or deselect the appropriate IIS components and services by selecting or clearing the check box for that component or service.

  6. Complete the Windows Components Wizard by following the instructions on the screen.

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your Web server.

To verify that IIS components and services are selected

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Confirm that Internet Information Services (IIS) Manager appears in the list of administrative tools. Then, in Add or Remove Programs, open the Internet Information Services (IIS) details page again and confirm that the selected check boxes match the Web server setting column of Table 1; in particular, SMTP Service should be cleared.

Enabling Only Essential Web Service Extensions

A Web server that serves dynamic content requires Web service extensions. Each type of dynamic content corresponds to a specific Web service extension. For security reasons, IIS 6.0 allows you to enable and disable individual Web service extensions, so only those extensions required by your content are enabled.

Caution   Do not enable all of the Web service extensions. Although doing so ensures the highest possible compatibility with existing Web sites and applications, the attack surface of your Web server is greatly increased. You might need to test your Web sites and applications individually to ensure that you enable only the Web service extensions that are necessary.

Suppose the Web server is configured to serve Default.asp as its default document. Even though the default document is configured and the file exists, requests for it fail with an HTTP 404 error until you allow the Active Server Pages Web service extension; IIS 6.0 deliberately reports a prohibited extension as "not found" rather than "forbidden", so that it does not confirm to an attacker which handlers are installed.

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Internet Information Services (IIS) Manager (iis.msc).

To enable the Active Server Pages Web service extension

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Double-click the local computer, and then click Web Service Extensions.

  3. Click Active Server Pages, and then click Allow (shown in the following screen shot).

    SIIS602.GIF

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your Web server.

To verify that the Active Server Pages Web service extension is enabled

  1. Open a text editor, type <%= "ASP Test Page" %> on a single line, and save the file as Default.asp in the C:\inetpub\wwwroot directory. Using a script expression rather than plain text confirms that the page was actually processed by Asp.dll, not merely returned as a static file.

  2. In the Address box of Internet Explorer, type the following URL:

    http://localhost

    Then press ENTER. The text ASP Test Page should display in the browser. If the Active Server Pages extension is still prohibited, IIS 6.0 returns a 404 "The page cannot be found" error for .asp requests even though the file exists.

  3. Delete the file C:\inetpub\wwwroot\Default.asp.
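Table 1 and the Web service extension procedure can both be audited from the command line. The following Windows PowerShell script is an added example, not part of the original document; it assumes Windows PowerShell has been installed on the Web server and that the metabase is in its default location. It compares the installed IIS services with the settings in Table 1, and parses the WebSvcExtRestrictionList property of MetaBase.xml, whose one-entry-per-line format (Allowed,Path,Deletable,GroupID,Description) is assumed here, to show which extensions are allowed.

```powershell
# Added example (not part of the original document): check that only the IIS services in
# Table 1 are installed and that only the Web service extensions you need are allowed.
# Assumes Windows PowerShell 2.0 on the Web server and the default metabase location.

# Service names (not display names) behind the Table 1 subcomponents.
$expected = @{
    'IISADMIN' = 'present'   # IIS Admin Service, installed with Common Files
    'W3SVC'    = 'present'   # World Wide Web Publishing Service
    'SMTPSVC'  = 'absent'    # SMTP Service
    'MSFtpsvc' = 'absent'    # FTP Service
    'NntpSvc'  = 'absent'    # NNTP Service
}
foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { 'installed, ' + $svc.Status } else { 'not installed' }
    $ok = if ($expected[$name] -eq 'present') { $svc -ne $null } else { $svc -eq $null }
    $flag = if ($ok) { 'OK ' } else { 'FIX' }
    Write-Host ('{0} {1,-9} {2}' -f $flag, $name, $state)
}

# The Web service extension list is the WebSvcExtRestrictionList property of the
# /LM/W3SVC node in MetaBase.xml, one entry per line in the assumed form
#   Allowed,Path[,Deletable,GroupID,Description]   (Allowed: 1 = allowed, 0 = prohibited)
$metabase = Join-Path $env:windir 'system32\inetsrv\MetaBase.xml'
$match = [regex]::Match([IO.File]::ReadAllText($metabase), 'WebSvcExtRestrictionList="([^"]*)"')
if (-not $match.Success) {
    Write-Warning "WebSvcExtRestrictionList not found in $metabase"
} else {
    $allowed = @()
    # Entries are separated by line breaks; tolerate them being written as character references.
    $raw = $match.Groups[1].Value -replace '&#xD;', '' -replace '&#xA;', "`n"
    foreach ($entry in ($raw -split "`r?`n")) {
        $fields = $entry.Trim() -split ','
        if ($fields.Length -lt 2) { continue }
        $label  = if ($fields.Length -ge 5) { $fields[4] } else { $fields[1] }
        $status = if ($fields[0] -eq '1') { 'Allowed   ' } else { 'Prohibited' }
        Write-Host ('{0} {1,-32} {2}' -f $status, $label, $fields[1])
        if ($fields[0] -eq '1') { $allowed += $label }
    }
    # The example server in this document needs Active Server Pages only.
    $unexpected = $allowed | Where-Object { $_ -ne 'Active Server Pages' }
    if ($unexpected) { Write-Warning ('Allowed but not needed on this server: ' + ($unexpected -join ', ')) }
}
```

IIS 6.0 also provides Iisext.vbs in %windir%\System32 for the same purpose: cscript iisext.vbs /ListFile lists the extension files with their status, and cscript iisext.vbs /EnExt ASP allows the Active Server Pages extension without opening IIS Manager.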

Configuring Accounts

Microsoft recommends that you remove unused accounts because an attacker might discover these accounts and use them to gain access to data and Web applications on your server. Always require strong passwords—weak passwords increase the likelihood of a successful brute force or dictionary attack, in which an attacker tries to guess passwords. Use accounts that run with least privilege. Otherwise, an attacker can gain access to unauthorized resources by using an account that runs with a high level of privilege.

This section provides step-by-step instructions for the following tasks:

  • Disabling unused accounts

  • Isolating applications by using application pools

Disabling Unused Accounts

Unused accounts and their privileges can be used by attackers to gain access to a server. You should periodically audit local accounts on the server and disable any accounts that are not being used. Disable accounts on a test server before you disable them on a production server to ensure that disabling an account does not adversely affect the way your application operates. If disabling the account does not cause any problems on the test server, disable the account on your production server.

Note   If you choose to delete an unused account instead of disabling it, be aware that you cannot recover a deleted account and that the Administrator account and the Guest account cannot be deleted. Also, be sure to delete the account on a test server before you delete it on your production server.

This section provides step-by-step instructions for the following procedures:

  • Disabling the Guest account

  • Renaming the Administrator account

  • Renaming the IUSR_ComputerName account

Disabling the Guest Account

The Guest account is the account that Windows uses for anonymous network logons, such as unauthenticated connections to file shares; it is not the account IIS uses for anonymous Web requests (that is IUSR_ComputerName, covered later in this section). During a default installation of Windows Server 2003, the Guest account is disabled. To prevent anonymous network connections to your server, ensure that the Guest account remains disabled.

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Computer Management

To disable the Guest account

  1. Click Start, right-click My Computer, and then click Manage.

  2. Double-click Local Users and Groups, and then click the Users folder. The Guest account should be displayed with a red X icon to indicate that it is disabled (shown in the following screen shot).

    If the Guest account is not disabled, continue with Step 3 to disable it.

    SIIS603.GIF

  3. Right-click the Guest account, and then click Properties.

  4. On the General tab, select the Account is disabled check box, and then click OK.

The Guest account should display with a red X icon.

Renaming the Administrator Account

The default local Administrator account is a target for malicious users because of its elevated privileges on the computer and because every attacker knows its name. To improve security, rename the default Administrator account and assign it a strong password. Be aware that renaming is a modest obstacle rather than a strong control: the account keeps its well-known security identifier (relative ID 500), so tools that query accounts by SID can still identify it. The strong password is what actually protects the account.

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. My Computer.

To rename the Administrator account and assign a strong password

  1. Click Start, right-click My Computer, and then click Manage.

  2. Double-click Local Users and Groups, and then click the Users folder.

  3. Right-click the Administrator account, and then click Rename.

  4. Type a name in the box, and then press ENTER.

  5. On the Desktop, press CTRL+ALT+DEL, and then click Change Password.

  6. Type the new name for the Administrator account in the User name box.

  7. Type the current password in the Old Password box, type a new password in the New Password box, retype the new password in the Confirm New Password box, and then click OK.

Caution   Do not use the Set Password menu item on the context menu to change the password unless you have forgotten the password and you do not have a password reset disk available. Using this method of changing the Administrator password might cause irreversible loss of information that is protected by this password.

Renaming the IUSR Account

The default anonymous Internet user account, IUSR_<ComputerName>, is created during IIS installation. The value of <ComputerName> is the NetBIOS name of your server at the time IIS is installed. Because the name is predictable, an attacker can target it; renaming the account makes brute force attacks against it less likely to succeed. Renaming does not change the account's security identifier, so NTFS permissions already granted to the account remain valid. IIS, however, stores the account by name in the metabase (the AnonymousUserName property), so you must also update the metabase as described in the second procedure below, or anonymous requests will fail with an HTTP 401 error.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. My Computer.

To rename the IUSR account

  1. Click Start, right-click My Computer, and then click Manage.

  2. Double-click Local Users and Groups, and then click the Users folder.

  3. Right-click the IUSR_<ComputerName> account, and then click Rename.

  4. Type the new account name, and then press ENTER.

To change the value for the IUSR account in the IIS metabase

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Right-click the local computer and then click Properties.

  3. Select the Enable Direct Metabase Edit check box, and then click OK.

  4. Browse to the location of the MetaBase.xml file. By default, it is located in C:\Windows\system32\inetsrv.

  5. Right-click the MetaBase.xml file and then click Edit.

  6. Search for AnonymousUserName and replace the value of every occurrence with the new name of the IUSR account. By default the property is set once, on the /LM/W3SVC node, and every site inherits it, but it can also be set explicitly on an individual Web site or directory. An occurrence you miss leaves that location pointing at an account name that no longer exists, and anonymous requests to it fail with an HTTP 401 error.

  7. On the File menu, click Exit, and then click Yes to save the file. Because Enable Direct Metabase Edit is selected, IIS detects the saved file and applies the change; no restart is needed. Clear the Enable Direct Metabase Edit check box when you have finished editing.

Note   You can make the same change without editing the file: in IIS Manager, open the properties of the Web site, click the Directory Security tab, click Edit under Authentication and access control, and type the new account name in the User name box. Repeat this for every site or directory that sets its own anonymous account.

Verifying New Settings

Complete the following procedures to verify that the appropriate security settings have been applied to your Web server.

To verify that an account is disabled

  1. Press CTRL+ALT+DEL, and then click Log Off to log off of the Web server.

  2. In the Log on to Windows dialog box, type the name of the disabled account in the User name box, type the password for the disabled account, and then click OK.

    The following message will display:

    Your account has been disabled. Please see your system administrator.

To verify that an account is renamed

  1. Press CTRL+ALT+DEL, and then click Log Off to log off of the Web server.

  2. In the Log on to Windows dialog box, type the former name of the renamed account in the User name box, type the password for the renamed account, and then click OK.

    The following message will display:

    The system could not log you on. Make sure your User name and domain are correct, and then type your password again. Letters in passwords must be typed using the correct case.

  3. Click OK, and then type the new name of the renamed account in the User name box.

  4. Type the password for the renamed account, and then click OK.

You should be able to log on to the computer with the renamed account.
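The verification procedures above check one account at a time by logging on with it. The following Windows PowerShell script is an added example, not part of the original document; it assumes Windows PowerShell has been installed on the Web server, and the account name WebAnon stands for whatever name you gave the IUSR account. It lists the local accounts with their relative identifiers, which is how the built-in Administrator and Guest accounts can still be recognized after a rename, and checks that every AnonymousUserName in the metabase (including any set on individual sites or directories) names an account that exists.

```powershell
# Added example (not part of the original document): audit the local accounts this section
# configures and check that the metabase agrees with the renamed IUSR account.
# Assumes Windows PowerShell 2.0 on the Web server; 'WebAnon' is a hypothetical new IUSR name.

$newIusrName = 'WebAnon'                      # assumption: the name you gave IUSR_<ComputerName>
$defaultIusr = 'IUSR_' + $env:COMPUTERNAME

# Local accounts with their SIDs. The built-in Administrator always has relative ID 500 and
# Guest 501 regardless of name, so renaming hides the name but not the account itself.
$accounts = @(Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True')
foreach ($a in $accounts) {
    $rid  = $a.SID.Substring($a.SID.LastIndexOf('-') + 1)
    $role = switch ($rid) { '500' { 'built-in Administrator' } '501' { 'built-in Guest' } default { '' } }
    Write-Host ('{0,-20} RID {1,-5} Disabled={2,-5} {3}' -f $a.Name, $rid, $a.Disabled, $role)
}

$admin = $accounts | Where-Object { $_.SID -like '*-500' }
if ($admin.Name -eq 'Administrator') { Write-Warning 'The built-in Administrator account still has its default name.' }
$guest = $accounts | Where-Object { $_.SID -like '*-501' }
if (-not $guest.Disabled) { Write-Warning 'The Guest account is enabled.' }
if ($accounts | Where-Object { $_.Name -eq $defaultIusr }) { Write-Warning "$defaultIusr still exists under its default name." }
if (-not ($accounts | Where-Object { $_.Name -eq $newIusrName })) { Write-Warning "No local account named $newIusrName." }

# Every AnonymousUserName in MetaBase.xml must name an existing account, or anonymous
# requests to that location fail with HTTP 401. The property can be set per site or directory.
$metabase = Join-Path $env:windir 'system32\inetsrv\MetaBase.xml'
$names = [regex]::Matches([IO.File]::ReadAllText($metabase), 'AnonymousUserName="([^"]*)"') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
foreach ($n in $names) {
    $short = $n.Split('\')[-1]                # the value may be written as ComputerName\User
    if ($accounts | Where-Object { $_.Name -eq $short }) {
        if ($short -ne $newIusrName) { Write-Warning "Metabase still references '$n' rather than $newIusrName." }
        else { Write-Host "Metabase AnonymousUserName '$n' matches a local account." }
    } else {
        Write-Warning "Metabase AnonymousUserName '$n' matches no local account; anonymous access there will fail."
    }
}
```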

Isolating Applications by Using Application Pools

You can use IIS 6.0 to isolate applications into application pools. An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Using application pools can help improve the reliability and security of your Web server because each application operates independently of the others.

Every running process on a Windows operating system has a process identity, which determines how the process can access the resources on the computer. Every application pool also has a process identity: the account under which its worker processes (W3wp.exe) run. By default this is the built-in Network Service account, which has limited privileges on the computer; keep that default unless your application demonstrably needs more, and do not run a pool as Local System. If an attacker compromises an application in one pool, the damage is bounded by what that pool's identity can do, which is why isolating applications into separate pools with least-privileged identities contains the impact of a compromise.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Internet Information Services (IIS) Manager (Iis.msc).

To create an application pool

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Double-click the local computer, right-click Application Pools, click New, and then click Application Pool.

  3. In the Application pool ID box, type a new ID for the application pool (the following sample screen shot uses ContosoAppPool for the ID).

    SIIS604.GIF

  4. Under Application pool settings, select Use default settings for the new application pool, and then click OK.

To assign a Web site or application to an application pool

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Right-click the Web site or application you want to assign to an application pool, and then click Properties.

  3. Click the Home Directory, Virtual Directory, or Directory tab, depending on the type of application that you have selected.

  4. If you are assigning a directory or virtual directory to an application pool, verify that the Application name box contains the correct Web site or application name.

    -or-

    If there is no name in the Application name box, click Create, and then type a name for the Web site or application.

  5. In the Application pool list box, select the name of the application pool to which you want to assign the Web site or application (shown in the following screen shot), and then click OK.

    SIIS605.GIF

Verifying New Settings

Complete the following procedures to verify that the appropriate security settings have been applied to your Web server.

To verify that an application pool was created

  1. Log on to the Web server using the Administrator account.

  2. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  3. Double-click the local computer, double-click Application Pools, and then verify that the application pool you created appears under the Application Pools node.

  4. Right-click the application pool you created, and then click Properties.

  5. Click the Identity tab, verify that the application pool identity is set to a predefined security account called Network Service, and then click OK.

To verify that a Web site or application is assigned to a specific application pool

  1. Log on to the Web server using the Administrator account.

  2. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  3. Double-click the local computer, double-click Web Sites, right-click the Web site for which you want to verify the application pool setting, and then click Properties.

  4. Click the Home Directory, Virtual Directory, or Directory tab, depending on the type of application that you have selected.

  5. In the Application pool list box, verify that the name of the application pool to which you want to assign the Web site is listed, and then click Cancel.

Configuring Security for Files and Directories

Use strong access controls to help protect sensitive files and directories. In most situations, allowing access to specific accounts is more effective than denying access to specific accounts. Set access at the directory level whenever possible. As files are added to the folder, they inherit permissions from the folder, so you do not need to take further action.

This section provides step-by-step instructions for the following tasks, which will help you configure security for files and directories:

  • Relocating and setting permissions for IIS log files

  • Configuring IIS metabase permissions

  • Disabling the FileSystemObject component

Relocating and Setting Permissions for IIS Log Files

To increase the security of the IIS log files, relocate them to a non-system drive that is formatted with NTFS, in a folder that is not under your Web site content. An attacker who gains directory traversal within the content drive, or who can read files at the well-known default path %windir%\System32\LogFiles, cannot then read or alter logs stored elsewhere, and logs kept outside the content tree cannot be served to a browser. Log files should also be protected with NTFS permissions so that they remain a trustworthy audit trail of attacks against the server. Placing the log files on a non-system disk can also improve server performance.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. My Computer and Internet Information Services (IIS) Manager (Iis.msc).

To move the location of the IIS log files to a non-system partition

  1. Click Start, right-click My Computer, and then click Explore.

  2. Browse to the location where you want to relocate the IIS log files.

  3. Right-click the directory one level above where you want to relocate the IIS log files, click New, and then click Folder.

  4. Type a name for the folder, for example, ContosoIISLogs, and then press ENTER.

  5. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  6. Right-click the Web site and then click Properties.

  7. Click the Web Site tab, and then click Properties in the Enable Logging frame.

  8. On the General Properties tab, click Browse, and then navigate to the folder that you just created to store the IIS log files.

  9. Click OK three times.

Note   IIS creates a subfolder named W3SVC<site identifier> (for example, W3SVC1) under the folder you specify and writes new log files there. Log files already in the original location, %windir%\System32\LogFiles\W3SVC<site identifier>, are not moved for you; move them manually if you need to keep them with the new ones.

To set ACLs on IIS log files

  1. Click Start, right-click My Computer, and then click Explore.

  2. Browse to the folder where your log files are located.

  3. Right-click the folder, click Properties, and then click the Security tab.

  4. Click Advanced, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box, click Remove when prompted, and then click OK. A new folder otherwise inherits its parent's permissions, which on a data drive typically grant Users read access to the logs.

  5. Click Add, grant Administrators Full Control, and then click Add again and grant SYSTEM Full Control. Remove any other entries, and then click OK.

On IIS 6.0, the W3C Extended, IIS and NCSA log formats are written by HTTP.sys in kernel mode under the Local System account, so SYSTEM is the only account that needs write access to the log folder; the application pool identity (Network Service by default) needs no access to it at all.

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your Web server.

To verify that log files are moved and permissions are set

  1. Click Start, click Search, and then click For Files or Folders.

  2. Type a partial or complete file name in the Search for files named box—for example, LogFiles—select a location in the Look in box, and then click Search Now.

    The search will display the new location of the log files.

  3. Press CTRL+ALT+DEL, and then click Log Off.

  4. Log on to the Web server using an account that does not have permission to access the log files.

  5. Click Start, right-click My Computer, click Explore, and then browse to the LogFiles directory.

  6. Right-click the LogFiles directory, and then click Open. The following message will display:

    Access is denied.

Configuring IIS Metabase Permissions

The IIS metabase holds most of the IIS configuration. In IIS 6.0 it is stored as two XML files in %windir%\System32\Inetsrv: MetaBase.xml (the configuration itself, including the AnonymousUserName property and the Web service extension list) and MBSchema.xml (its schema). IIS also keeps versioned copies of both files in the History subfolder, which must be protected in the same way as the files themselves.

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. My Computer and the MetaBase.xml file.

To restrict access to the MetaBase.xml file

  1. Click Start, right-click My Computer, and then click Explore.

  2. Browse to the Windows\System32\Inetsrv\MetaBase.xml file, right-click the file, and then click Properties.

  3. Click the Security tab, confirm that only members of the Administrators group and the LocalSystem account have Full Control access to the metabase, remove all other file permissions, and then click OK.

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your Web server.

To verify restricted access to the MetaBase.xml file

  1. Press CTRL+ALT+DEL and then click Log Off.

  2. Log on to the Web server using an account that does not have permission to access the MetaBase.xml file.

  3. Click Start, right-click My Computer, click Explore, and then browse to the location of MetaBase.xml.

  4. Right-click the MetaBase.xml file, and then click Open. The following message will display:

    Access is denied.
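The same check can be scripted, which is easier to repeat after patching or after an administrator touches the Inetsrv folder. The following is an added example, not part of the original guide: it audits the NTFS DACL on MetaBase.xml, on MBSchema.xml and on the History folder beside it, and with -Fix replaces each DACL with Administrators and SYSTEM Full Control only. It assumes Windows PowerShell 2.0 running in an elevated session on the IIS 6.0 server.

```powershell
# Added example, not part of the original guide: audit the NTFS DACL on MetaBase.xml and on
# MBSchema.xml and the History folder beside it (which hold the same configuration data),
# and with -Fix reset each to Administrators and SYSTEM Full Control only.
# Assumptions: Windows PowerShell 2.0 in an elevated session on the IIS 6.0 server.
param([switch]$Fix)

$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$targets = @('MetaBase.xml', 'MBSchema.xml', 'History') | ForEach-Object { Join-Path $inetsrv $_ }
# LocalSystem is shown in an ACL as NT AUTHORITY\SYSTEM.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

# Returns one line per ACE that is not an Allow/FullControl entry for an allowed identity.
function Test-MetabaseAcl([string]$path) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($allowed -notcontains $id -or $ace.AccessControlType -ne 'Allow' -or $ace.FileSystemRights -ne $full) {
            $note = ''
            if ($ace.IsInherited) { $note = ' (inherited from inetsrv)' }
            "$id : $($ace.AccessControlType) $($ace.FileSystemRights)$note"
        }
    }
}

# Replaces the DACL: inheritance from %windir%\System32\inetsrv is cut and no inherited
# ACE is kept, so a later change to the parent folder cannot reopen the metabase.
function Set-MetabaseAcl([string]$path) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $isDir = (Get-Item -Path $path).PSIsContainer
    foreach ($id in $allowed) {
        if ($isDir) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        } else {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

foreach ($t in $targets) {
    if (-not (Test-Path -Path $t)) { continue }
    $findings = @(Test-MetabaseAcl $t)
    if ($findings.Count -eq 0) { Write-Host "OK    $t"; continue }
    Write-Host "CHECK $t"
    $findings | ForEach-Object { Write-Host "      $_" }
    if ($Fix) { Set-MetabaseAcl $t; Write-Host "      reset to Administrators and SYSTEM Full Control" }
}
```

Run it without -Fix first and read the CHECK lines; an ACE for CREATOR OWNER or a numeric generic-rights entry on the History folder is worth a look before you reset anything. Do not remove the SYSTEM entry: the IIS Admin Service runs as LocalSystem and is what reads and writes the metabase on behalf of IIS Manager and the worker processes.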

Disabling the FileSystemObject Component

ASP, Windows Script Host, and other scripting applications use the FileSystemObject (FSO) component to create, delete, gain information about, and manipulate drives, folders, and files. An ASP page that passes user input to FSO can read or write any file the worker process identity can reach, so removing FSO closes a common abuse path. Be aware that the procedure below unregisters all of scrrun.dll, which also removes the Dictionary object, and that it applies to every script host on the server, not only to ASP. Verify that no other programs or administrative scripts require this component before you proceed.

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Command prompt.

To disable the FileSystemObject component

  1. Click Start, click Run, type cmd in the Open box, and then click OK.

  2. Type cd c:\Windows\system32 and press ENTER to change to the C:\Windows\system32 directory.

  3. At the command prompt, type regsvr32 scrrun.dll /u and then press ENTER. The following message will display:

    DllUnregisterServer in scrrun.dll succeeded.

  4. Click OK.

  5. At the command prompt, type exit and press ENTER to close the command prompt window.
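Finding out what still depends on scrrun.dll before you unregister it is the part of this task that is easy to get wrong, so here is an added example, not part of the original guide, that searches the server's script and ASP files for references to the two objects scrrun.dll provides and then reports whether each ProgID is still registered. It assumes Windows PowerShell 2.0 and that site content lives under the hypothetical D:\wwwroot; edit $scanRoots for your server. The scan only sees scripts: a compiled component that creates FileSystemObject through COM will not show up.

```powershell
# Added example, not part of the original guide: before running regsvr32 scrrun.dll /u,
# list the scripts on this server that create the objects scrrun.dll provides, then
# confirm afterwards that neither ProgID is registered any more.
# Assumptions: Windows PowerShell 2.0; site content under the hypothetical D:\wwwroot;
# .asp/.asa/.inc cover classic ASP, .vbs/.js/.wsf cover Windows Script Host scripts,
# including the IIS administration scripts under AdminScripts and System32.
$scanRoots = @('D:\wwwroot', 'C:\Inetpub\AdminScripts', (Join-Path $env:windir 'System32'))
$pattern   = 'Scripting\.(FileSystemObject|Dictionary)'

function Find-ScrrunUsers([string[]]$roots) {
    $roots | Where-Object { Test-Path -Path $_ } |
        Get-ChildItem -Recurse -Include *.asp,*.asa,*.inc,*.vbs,*.js,*.wsf -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -List |
        ForEach-Object { $_.Path }
}

# Both ProgIDs are served by scrrun.dll, so unregistering it removes the Dictionary object too.
function Test-ScrrunRegistered {
    foreach ($progId in 'Scripting.FileSystemObject', 'Scripting.Dictionary') {
        New-Object PSObject -Property @{
            ProgId     = $progId
            Registered = (Test-Path -Path "HKLM:\SOFTWARE\Classes\$progId\CLSID")
        }
    }
}

Write-Host 'Scripts that reference the objects in scrrun.dll:'
Find-ScrrunUsers $scanRoots | ForEach-Object { Write-Host "  $_" }
Write-Host 'ProgID registration (both should read False after regsvr32 /u):'
Test-ScrrunRegistered | Format-Table ProgId, Registered -AutoSize
```

Run the registration check again after service packs or updates that replace scrrun.dll, since an update that installs the file can register it again.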

Securing Web Sites and Virtual Directories

Relocate Web root directories and virtual directories to a non-system partition to help protect against directory traversal attacks, in which a request or an application bug turns a path such as ..\..\Windows\System32\cmd.exe into access to operating system programs and tools. A relative path is resolved on the drive that holds the content root, and a traversal cannot cross from one drive letter to another, so keeping content off the system drive means a traversal bug in a Web application cannot reach the Windows directory. IIS 6.0 itself canonicalizes request URLs and refuses paths that escape the virtual directory; relocation is defense in depth for the applications behind it, not a replacement for that check.

This section provides step-by-step instructions for the following tasks, which will help you secure Web sites and virtual directories:

  • Moving your Web site content to a non-system drive

  • Configuring Web site permissions

Moving Your Web Site Content to a Nonsystem Drive

Do not use the default \Inetpub\Wwwroot directory as the location for your Web site content. For example, if your operating system is installed on the C: drive, consider moving your site and content directory to the D: drive to mitigate the risks associated with directory traversal attacks, in which an attacker attempts to browse the directory structure of a Web server. Be sure to verify that all virtual directories point to the new drive.

Requirements

You will need the following to complete this task:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Internet Information Services (IIS) Manager (Iis.msc) and a command prompt.

To move your Web site content to a nonsystem drive

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Right-click the Web site that has content you want to move, and then click Stop.

  3. Click Start, click Run, type cmd in the Open box, and then click OK.

  4. Type the following at the command prompt:

    xcopy c:\inetpub\wwwroot\<SiteName> <Drive>:\wwwroot\<SiteName> /s /i /o

    where

    • <SiteName> is the name of your Web site.

    • <Drive> is the drive letter of the new drive (for example, D).

    The /s switch copies subdirectories, /i treats the destination as a directory, and /o copies file ownership and NTFS permissions along with the files (add /e if empty subdirectories must also be kept).

  5. Return to the Internet Information Services (IIS) Manager snap-in, right-click the Web site and then click Properties.

  6. Click the Home Directory, Virtual Directory, or Directory tab, depending on the type of application you have selected, type the new directory location in the Local path box, and then click OK.

    -or-

    Browse to the new location of the directory to which you just copied the files, and then click OK.

  7. Right-click the Web site, and then click Start.

Verifying New Settings

Complete the following procedures to verify that the appropriate security settings have been applied to your Web server.

To verify that Web site content has been moved to a nonsystem drive

  1. Click Start, click Search, and then click For Files or Folders.

  2. Type a partial or complete file name in the Search for files named box, select a location in the Look in box, and then click Search Now.

    The search results list the files that you moved at their new location as well as the original location.

To delete your Web site content from the system drive

  • Navigate to the C:\Inetpub\Wwwroot\SiteName directory, and then delete the files that you moved to a non-system drive.

To verify that Web site content has been deleted from the system drive

  1. Click Start, click Search, and then click For Files or Folders.

  2. Type a partial or complete file name in the Search for files named box, select a location in the Look in box, and then click Search Now.

    The search results will only list the files that you moved at their new location.
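The same move can be done in one script, which also covers the "verify that all virtual directories point to the new drive" step that is easy to skip when the site has many of them. The following is an added example, not part of the original guide. It repoints the site's home directory through the IIS ADSI provider, which edits the same metabase Path property that the Home Directory tab writes, and then walks the site's virtual directories looking for any still rooted on the system drive. It assumes Windows PowerShell 2.0 in an elevated session on the IIS 6.0 server, site identifier 1 (the Default Web Site; read yours from the Identifier column in IIS Manager) and the hypothetical destination D:\wwwroot\SiteName.

```powershell
# Added example, not part of the original guide: move one site's content to a
# non-system drive and repoint its home directory through the IIS ADSI provider,
# which edits the same metabase 'Path' property that the Home Directory tab does.
# Assumptions: Windows PowerShell 2.0 in an elevated session on the IIS 6.0 server,
# site identifier 1 (the Default Web Site; read yours from the Identifier column in
# IIS Manager), and the hypothetical destination D:\wwwroot\SiteName.
$siteId  = 1
$newRoot = 'D:\wwwroot\SiteName'

$site = [ADSI]"IIS://localhost/W3SVC/$siteId"
$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
# On a DirectoryEntry, psbase.Path is the ADsPath ("IIS://localhost/..."); the physical
# directory is the metabase property named Path, reached through psbase.Properties.
$oldRoot = [string]$root.psbase.Properties['Path'].Value
Write-Host "Home directory is currently $oldRoot"

$site.psbase.Invoke('Stop')
# /s copies subdirectories, /e includes empty ones, /i treats the target as a
# directory, /o carries NTFS ownership and ACLs across, /y suppresses prompts.
& xcopy $oldRoot $newRoot /s /e /i /o /y
if ($LASTEXITCODE -ne 0) {
    $site.psbase.Invoke('Start')
    throw "xcopy returned $LASTEXITCODE; metabase left unchanged"
}

$root.psbase.Properties['Path'].Value = $newRoot
$root.psbase.CommitChanges()
$site.psbase.Invoke('Start')

# Verify: walk the site's virtual directories and flag any still rooted on the
# system drive. Virtual directories can point anywhere, so checking the home
# directory alone is not enough.
function Get-SiteVdirs($entry) {
    foreach ($child in $entry.psbase.Children) {
        if ($child.psbase.SchemaClassName -eq 'IIsWebVirtualDir') {
            New-Object PSObject -Property @{
                Node     = $child.psbase.Path
                Physical = [string]$child.psbase.Properties['Path'].Value
            }
        }
        Get-SiteVdirs $child
    }
}
$onSystemDrive = @(Get-SiteVdirs $site | Where-Object { $_.Physical -like "$env:SystemDrive\*" })
if ($onSystemDrive.Count -eq 0) {
    Write-Host "All virtual directories of site $siteId are off $env:SystemDrive"
} else {
    $onSystemDrive | ForEach-Object { Write-Warning "$($_.Node) still maps to $($_.Physical)" }
}
```

Delete the old tree only after the site has been browsed from the new location. Set the NTFS permissions on the new D:\wwwroot directory deliberately: xcopy /o carries the ACLs of the copied files and folders, but the new parent directory has whatever ACL the volume root gave it.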

Configuring Web Site Permissions

You can configure Web site (access) permissions for specific sites, directories, and files. IIS enforces these permissions on every request, regardless of who the requesting user is or what NTFS rights that user holds, so a user with NTFS Write on a directory still cannot write to it over HTTP unless the Web site permission allows it. Effective access is the intersection of the two.

Configuring Permissions on File System Directories

IIS 6.0 relies on NTFS permissions to help protect individual files and directories from unauthorized access. Unlike Web site permissions, which apply to anyone who tries to access your Web site, you can use NTFS permissions to define which users can access your content and how those users are allowed to manipulate that content. For improved security, use both Web site permissions and NTFS permissions.

Access control lists (ACLs) indicate which users or groups have permission to access or modify a particular file. Instead of setting ACLs on each file, create new directories for each file type, set ACLs on each directory, and then allow the files to inherit those permissions from the directory in which they reside.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. My Computer and Internet Information Services (IIS) Manager (iis.msc).

To move Web site content into a separate folder

  1. Click Start, right-click My Computer, and then click Explore.

  2. Browse to the folder that contains your Web site content, and then click the top-level folder of your Web site content.

  3. On the File menu, click New and then click Folder to create a new folder in the content directory of your Web site.

  4. Give the folder a name, and then press ENTER.

  5. Press CTRL, and then select each of the pages that you want to protect.

  6. Right-click the pages, and then click Copy.

  7. Right-click the new folder, and then click Paste.

Note   If you have created links to these pages, you must update the links to reflect the new location of the site content.

To set permissions for Web content

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Right-click the Web Sites folder, Web site, directory, virtual directory, or file you want to configure, and then click Properties.

  3. Select or clear any of the following check boxes (if available), depending on the type of access you want to grant or deny:

    • Script Source Access. Users can access source files. If Read is selected, source can be read; if Write is selected, source can be written to. Script Source Access includes the source code for scripts, so with Read it lets a client download an .asp file as text, including any connection strings or credentials embedded in it, instead of having it executed. Leave it cleared unless a WebDAV authoring workflow needs it. This option is not available if neither Read nor Write is selected.

    • Read (selected by default). Users can view directory or file content and properties.

    • Write. Users can change the content and properties of a directory or file. Combined with Scripts only or Scripts and Executables, this lets anyone who can write also run what they upload; IIS Manager warns about that combination, and it should not exist on an Internet-facing directory.

    • Directory browsing. Users can view file lists and collections. When a directory has no default document, this turns a request for the directory into a listing of every file in it, including backup copies and include files, so leave it cleared.

    • Log visits. A log entry is created for each visit to the Web site.

    • Index this resource. Allows the Indexing Service to index this resource. This allows users to perform searches on the resource.

  4. In the Execute Permissions list box, select the appropriate level of script execution:

    • None. Do not run scripts or executable files (for example, files with a file type of .exe) on the server.

    • Scripts only. Run only scripts on the server.

    • Scripts and Executables. Run both scripts and executable files on the server, including CGI programs and ISAPI DLLs. Grant this only to directories that must host such binaries; static content directories should use None. In IIS 6.0 a script engine or ISAPI extension must also be set to Allowed under Web Service Extensions before it will run at all.

  5. Click OK. If child nodes for a directory have different Web site permissions configured, the Inheritance Overrides box appears.

  6. If the Inheritance Overrides box appears, select the child nodes in the Child Nodes list to which you want the Web permissions of the directory to apply.

    -or-

    Click Select All to set the property to apply the Web permissions to all of the child nodes.

  7. If you see more than one Inheritance Overrides box, select the child nodes from the Child Nodes list or click Select All, and then click OK to apply the Web permissions for this property to the child nodes.

If a child node belonging to the directory that has Web site permissions you have changed has also set the Web site permissions for a particular option, the permissions in the child node will override those you have set for the directory. If you want the Web site permissions at the directory level to apply to the child nodes, you must select those child nodes in the Inheritance Overrides box.

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your Web server.

To verify that write access is denied to Web site content directories

  1. Press CTRL+ALT+DEL and then click Log Off.

  2. Log on to the Web server using an account that has Read and Execute permission on the physical or virtual directory.

  3. Click Start, right-click My Computer, click Explore, and browse to the location of a file you want to copy to the physical or virtual directory.

  4. Right-click the file and then click Copy.

  5. Browse to the location of the physical or virtual directory, and then right-click the directory. The Paste selection is not available on the context menu, which means that you do not have Write access to the directory.

Note   This procedure exercises the NTFS permissions on the directory, not the IIS Write permission. Testing the latter takes an HTTP request that writes, such as a WebDAV PUT; in IIS 6.0 WebDAV is a Web Service Extension that is prohibited by default, so such a request is refused whatever the directory's Web site permissions say until WebDAV is allowed.

Configuring Secure Sockets Layer on Your Web Server

Configure Secure Sockets Layer (SSL) security features on your Web server to protect the integrity and confidentiality of traffic between browser and server, to prove the identity of your Web site to users and, optionally with client certificates, to verify the identity of users. SSL is generally a requirement if you are planning to accept credit card transactions on a Web site. SSL security relies on a server certificate that allows users to authenticate your Web site before they transmit personal information, such as a credit card number. Each Web site can have only one server certificate, and because IIS 6.0 selects the certificate by IP address and port before it sees the host header, each SSL-enabled site needs its own IP address (or port) rather than sharing one by host header name.

Obtaining and Installing a Server Certificate

Certificates are issued by certification authorities (CAs): either a commercial CA whose root browsers already trust, or a CA you run yourself, such as Windows Server 2003 Certificate Services, whose certificates are trusted only by clients that have been given its root. The server certificate is associated with your Web server, specifically with the Web site where you have configured SSL. You must generate a request for a certificate, send the request to the CA, and then install the certificate after you receive it from the CA.

Certificates rely on a pair of keys, one public and one private. When you generate a request for a server certificate, the wizard generates the key pair: the private key stays in the machine's key store on the Web server and is never sent to the CA, while the request file carries the public key and the names you entered, signed with the private key. The server certificate you receive from the CA contains that same public key, now bound to your site's name by the CA's signature, and the wizard matches it back to the pending private key when you install it. If the pending request is deleted or the server is rebuilt before the certificate arrives, the private key is lost and the certificate cannot be installed.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Internet Information Services (IIS) Manager (iis.msc) and Web Server Certificate Wizard.

To generate a request for a server certificate

  1. Click Start, right-click My Computer, and then click Manage.

  2. Double-click the Services and Applications section, and then double-click Internet Information Services.

  3. Right-click the Web site on which you want to install a server certificate, and then click Properties.

  4. Click the Directory Security tab. In the Secure Communications section, click Server Certificate to start the Web Server Certificate Wizard, and then click Next.

  5. Click Create a New Certificate, and then click Next.

  6. Click Prepare the request now , but send it later, and then click Next.

  7. In the Name box, type a name that is easy to remember. (The default name is the name of the Web site for which you are generating the certificate request—for example, https://www.contoso.com.)

  8. Specify a bit length, and then click Next.

    The bit length of the RSA key determines the strength of the encryption. When this guide was written most CAs asked for at least 1024 bits; 1024-bit RSA is no longer accepted by public CAs or considered adequate, so choose 2048 bits and never a smaller value.

  9. In the Organization section, type your organization and organizational unit information. Ensure that this information is accurate and that the Organization fields do not contain commas, and then click Next.

  10. In the Your Site's Common Name section, type the fully qualified DNS name that users will type in the browser, for example www.contoso.com, and then click Next. Browsers compare this name with the host in the URL; a mismatch, such as a certificate issued to the computer's NetBIOS name, produces a warning on every visit.

  11. Type your geographical information, and then click Next.

  12. Save the file as a .txt file. (The default file name and location is C:\certreq.txt.) The following example shows what a certificate request file looks like.

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIDATCCAmoCAQAwbDEOMAwGA1UEAxMFcGxhbjgxDDAKBgNVBAsTA1BTUzESMB
    A1UEChMJTWljcm9zb2Z0MRIwEAYDVQQHEwlDaGFybG90dGUxFzAVBgNVBAgTDk
    cnRoIENhcm9saW5hMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEFAAOBjQ
    gYkCgYEAtW1koGfdt+EoJbKdxUZ+5vE7TF1ZuT+xaK9jEWHESfw11zoRKrHzHN
    IASnwg3vZ0ACteQy5SiWmFaJeJ4k7YaKUb6chZXG3GqL4YiSKFaLpJX+YRiKMt
    JzFzict5GVVGHsa1lY0BDYDO2XOAlstGlHCtENHOKpzdYdANRg0CAwEAAaCCAV
    GgYKKwYBBAGCNw0CAzEMFgo1LjAuMjE5NS4yMDUGCisGAQQBgjcCAQ4xJzAlMA
    A1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDATCB/QYKKwYBBAGCNw
    AjGB7jCB6wIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0ACAAUgBTAEEAIABTAEMAaA
    AG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8Adg
    AGQAZQByA4GJAGKa0jzBn8fkxScrWsdnU2eUJOMUK5Ms87Q+fjP1/pWN3PJnH7
    MBc5isFCjww6YnIjD8c3OfYfjkmWc048ZuGoH7ZoD6YNfv/SfAvQmr90eGmKOF
    TD+hl1hM08gu2oxFU7mCvfTQ/2IbXP7KYFGEqaJ6wn0Z5yLOByPqblQZAAAAAA
    MhfC7CIvR0McCQ+CBwuLzD+UJxl+kjgb+qwcOUkGX2PCZ7tOWzcXWNmn/4YHQl
    GEXu0w67sVc2R9DlsHDNzeXLIOmjUl935qy1uoIR4V5C48YNsF4ejlgjeCFsbC
    Jb9/2RM=
    -----END NEW CERTIFICATE REQUEST-----

    The body is Base64-encoded PKCS #10 request data. Send it to the CA exactly as saved, including the BEGIN and END lines.

  13. Confirm your request details, click Next, and then click Finish.

To submit a request for a server certificate

  1. Contact your CA to find out the requirements for submitting a request.

  2. Copy the contents of the .txt file that you created in the preceding procedure into the request format required by your CA.

  3. Send the request to your CA.

When you receive the certificate from your CA, you are ready to install the certificate on your Web server.

To install a server certificate

  1. Copy the certificate (.cer) file that the CA returned to a folder on the Web server, for example C:\Windows\System32\CertLog (create it if it does not exist).

  2. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  3. Right-click the Web site on which you want to install a server certificate, and then click Properties.

  4. Click the Directory Security tab. In the Secure Communications section, click Server Certificate to start the Web Server Certificate Wizard, and then click Next.

  5. Click Process the pending request and install the certificate, and then click Next.

  6. Browse to the certificate you received from the CA. Click Next twice, and then click Finish.

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your local computer.

To verify that a certificate is installed on a Web server

  1. Click Start, click Control Panel, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Right-click the Web site that has a certificate you want to view, and then click Properties.

  3. On the Directory Security tab, in the Secure communications area, click View Certificate, review the certificate, and then click OK twice.

Enforcing and Enabling SSL Connections on Your Web Server

After you install the server certificate, confirm that the site has an SSL identity on port 443 (the wizard normally adds it when the certificate is installed), and then require SSL on the site. Requiring SSL before the port 443 listener exists makes the site unreachable: plain HTTP requests are refused with a 403.4 error and there is no port on which HTTPS is served.

Note   After you require SSL connections to your Web server, any links to the server will need to be updated to use https instead of http.

Requirements

You will need the following to complete these tasks:

  • Credentials. You must be logged on as a member of the Administrators group on the Web server.

  • Tools. Internet Information Services (IIS) Manager (iis.msc).

To enforce SSL connections

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Right-click the Web site on which you want to enforce SSL connections, and then click Properties.

  3. Click the Directory Security tab. In the Secure Communications section, click Edit.

  4. Click Require Secure Channel (SSL), choose the encryption strength, and then click OK.

    Note   If you specify 128-bit encryption, client computers that use 40-bit or 56-bit strength browsers cannot communicate with your site unless the browsers are upgraded to versions that support 128-bit encryption. This setting only rejects weaker connections; which cipher suites the server offers at all is decided by the operating system's SChannel configuration, not by this dialog.

To enable SSL connections on your Web server

  1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. Right-click the Web site on which you want to enable SSL connections, and then click Properties.

  3. Click the Web Site tab. In the Web Site Identification section, verify that the SSL Port box is populated with the numeric value 443.

  4. Click Advanced. Typically, two boxes appear, and the IP address and port of the Web site are already listed in the Multiple identities for this Web site box. Under the Multiple SSL Identities for this Web site field, click Add if port 443 is not already listed. Select the IP address of the server, type the numeric value 443 in the SSL Port box, and then click OK.

Verifying New Settings

Complete the following procedure to verify that the appropriate security settings have been applied to your Web server.

To verify SSL connections on your Web server

  1. Open your browser and try to connect to your Web server over plain HTTP. For example, in the Address box, type http://localhost and press ENTER.

    If SSL is being enforced, the following error message (HTTP 403.4) appears:

    The page must be viewed over a secure channel. The page you are trying to access is secured with Secure Sockets Layer (SSL).

  2. Try again to connect to the page that you want to see by typing https://localhost and pressing ENTER.

    Typically, the default page for your Web server will display. Expect a certificate name warning for this test, because the certificate was issued to the site's common name (for example, www.contoso.com), not to localhost. Repeating the test from a client with https://<common name> should show the page with no warning, and the browser's padlock should report the certificate you installed.
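The settings this guide hardens (content location, Web site permissions and the SSL requirement) all live in the metabase, so they can be audited in one pass instead of tab by tab in IIS Manager. The following is an added example, not part of the original guide, that serves the content relocation, Web site permission and SSL sections above. It reads MetaBase.xml (the live file, or one of the numbered copies IIS 6.0 keeps under Inetsrv\History), resolves inherited properties the way IIS does, and reports each virtual directory or directory that still has content on the system drive, Write combined with script or executable permission, Script Source Access, directory browsing, or a site root that does not require SSL. It assumes Windows PowerShell 2.0 and the location strings and flag names that IIS 6.0 writes; when no -MetabasePath is given it runs against a constructed sample embedded in the script, so you can see the findings before pointing it at a real file.

```powershell
# Added example, not part of the original guide: audit MetaBase.xml (the live file, or one
# of the numbered copies IIS 6.0 keeps under inetsrv\History) for the settings this guide
# hardens: content on the system drive, Write combined with script or executable permission,
# Script Source Access, directory browsing, and site roots that do not require SSL.
# Assumptions: Windows PowerShell 2.0; the location strings and flag names are the ones
# IIS 6.0 writes; without -MetabasePath the constructed sample below is used instead.
param([string]$MetabasePath, [string]$SystemDrive = 'C:')

$sample = @'
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AccessFlags="AccessRead | AccessScript" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="C:\Inetpub\wwwroot" AccessSSLFlags="AccessSSL | AccessSSL128" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload" Path="D:\wwwroot\upload" AccessFlags="AccessRead | AccessWrite | AccessScript | AccessSource" DirBrowseFlags="EnableDirBrowsing | EnableDefaultDoc" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="D:\wwwroot\intranet" AccessFlags="AccessRead" />
</MBProperty>
</configuration>
'@

if ($MetabasePath) { [xml]$mb = Get-Content -Path $MetabasePath } else { [xml]$mb = $sample }

# Index every location node so inheritance can be resolved by walking up the path.
$nodes = @{}
foreach ($n in $mb.configuration.MBProperty.ChildNodes) {
    if ($n.NodeType -eq 'Element' -and $n.HasAttribute('Location')) { $nodes[$n.GetAttribute('Location')] = $n }
}

# A property not set at a location is inherited from the nearest ancestor that sets it,
# e.g. /LM/W3SVC/1/ROOT/upload <- /LM/W3SVC/1/ROOT <- /LM/W3SVC/1 <- /LM/W3SVC.
function Resolve-Property([string]$location, [string]$name) {
    $loc = $location
    while ($loc -ne '') {
        $n = $nodes[$loc]
        if ($n -ne $null -and $n.HasAttribute($name)) { return $n.GetAttribute($name) }
        $loc = $loc.Substring(0, $loc.LastIndexOf('/'))
    }
    return ''
}

# Flag properties are written as names joined by " | ", e.g. "AccessRead | AccessScript".
function Test-Flag([string]$flags, [string]$flag) {
    return (($flags -split '\s*\|\s*') -contains $flag)
}

function Get-MetabaseFindings {
    foreach ($loc in ($nodes.Keys | Sort-Object)) {
        $n = $nodes[$loc]
        if (@('IIsWebVirtualDir', 'IIsWebDirectory') -notcontains $n.Name) { continue }
        $access = Resolve-Property $loc 'AccessFlags'
        $issues = @()
        if ($n.HasAttribute('Path') -and $n.GetAttribute('Path') -like "$SystemDrive\*") {
            $issues += 'content on system drive'
        }
        if ((Test-Flag $access 'AccessWrite') -and ((Test-Flag $access 'AccessScript') -or (Test-Flag $access 'AccessExecute'))) {
            $issues += 'Write with Scripts only or Scripts and Executables'
        }
        if (Test-Flag $access 'AccessSource') { $issues += 'Script Source Access' }
        if (Test-Flag (Resolve-Property $loc 'DirBrowseFlags') 'EnableDirBrowsing') { $issues += 'directory browsing' }
        if ($loc -match '^/LM/W3SVC/\d+/ROOT$') {
            $ssl = Resolve-Property $loc 'AccessSSLFlags'
            if (-not (Test-Flag $ssl 'AccessSSL')) { $issues += 'SSL not required' }
            elseif (-not (Test-Flag $ssl 'AccessSSL128')) { $issues += '128-bit encryption not required' }
        }
        foreach ($i in $issues) { New-Object PSObject -Property @{ Location = $loc; Finding = $i } }
    }
}

Get-MetabaseFindings | Format-Table Location, Finding -AutoSize
```

Against the embedded sample the report lists /LM/W3SVC/1/ROOT for content on the system drive, /LM/W3SVC/1/ROOT/upload for Write with scripts, Script Source Access and directory browsing (it inherits AccessScript from /LM/W3SVC), and /LM/W3SVC/2/ROOT for not requiring SSL. Reading the XML rather than querying ADSI means the script also works on a metabase copy taken from a backup or from another server; the trade-off is that the file is only rewritten when IIS flushes it, so audit a file that IIS has saved, or use a History copy, rather than one captured mid-edit.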

For more information about securing IIS 6.0, see the following:

For more information about IIS 6.0, see the following:
