Configure Secure Web Server Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

A secure web server provides a protected foundation for hosting your web application, and web server configuration plays a critical role in your web application's security. Badly configured virtual directories, a common mistake, can lead to unauthorized access. A forgotten share can provide a convenient back door, while an overlooked port can be an attacker's front door. Neglected user accounts can permit an attacker to slip by your defences unnoticed.

What makes a web server secure? Part of the challenge of securing your web server is recognizing your goal. As soon as you know what a secure web server is, you can learn how to apply the configuration settings to create one. This project provides a systematic, repeatable approach that you can use to successfully configure a secure web server: a methodology and the steps required to secure your web server. You can adapt the methodology to your own situation. The steps are modular and demonstrate how you can put the methodology into practice. You can use these procedures on existing web servers or on new ones.

The fact that an attacker can strike remotely makes a web server an appealing target. Understanding the threats to your web server and being able to identify appropriate countermeasures permits you to anticipate many attacks and thwart the ever-growing number of attackers. The main threats to a web server are:

Profiling

Denial of service

Unauthorized access

Arbitrary code execution

Elevation of privileges

Viruses, worms and Trojan horses

Prominent Web server threats and common vulnerabilities

Methodology for securing your web server

To secure a web server, you must apply many configuration settings to reduce the server's vulnerability to attack. So, how do you know where to start, and when do you know that you are done? The best approach is to organize the precautions you must take and the settings you must configure into categories. Using categories allows you to systematically walk through the securing process from top to bottom, or to pick a particular category and complete the specific steps for it. The security methodology in this project has been organized into the categories shown in the figure that follows.


Web server configuration categories

Steps for securing your web server

The next sections guide you through the process of securing your web server. These sections use the configuration categories introduced in the "Methodology for securing your web server" section of this project. Each high-level step contains one or more actions to secure a particular area or feature.

Step 1: Patches and Updates
Step 2: IISLockdown
Step 3: Services
Step 4: Protocols
Step 5: Accounts
Step 6: Files and Directories
Step 7: Shares
Step 8: Ports
Step 9: Registry
Step 10: Auditing and Logging
Step 11: Sites and Virtual Directories
Step 12: Script Mappings
Step 13: ISAPI Filters
Step 14: IIS Metabase
Step 15: Server Certificates
Step 16: Machine.config
Step 17: Code Access Security

Step 1: Patches and Updates

Update your server with the latest service packs and patches. You must update and patch all of the web server components, including Windows 2000 or Windows Server 2003 (and IIS), the .NET Framework, and Microsoft Data Access Components (MDAC).

During this step, you:

Detect and install patches and updates

Use the Microsoft Baseline Security Analyzer (MBSA) to detect the patches and updates that may be missing from your current installation. MBSA compares your installation to a list of currently available updates maintained in an XML file. MBSA can download the XML file when it scans your server, or you can manually download the file to the server or make it available on a network server.

To detect and install patches and updates

Download and install MBSA.

Run MBSA by double-clicking the desktop icon or selecting it from the Programs menu.

Click Scan a computer. MBSA defaults to the local computer.

Clear all check boxes apart from Check for security updates. This option detects which patches and updates are missing.

Click Start scan. Your server is now analysed. When the scan completes, MBSA displays a security report, which it also writes to the %Userprofile%\SecurityScans directory.

Download and install the missing updates.

Click the Result details link next to each failed check to view the list of security updates that are missing. The resulting dialog box displays the Microsoft security bulletin reference number. Click the reference to find out more about the bulletin and to download the update.

Step 2: IIS Lockdown

The IIS Lockdown tool helps you to automate certain security steps. IIS Lockdown greatly reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then uses custom templates to improve security for that particular server. The templates either disable or secure various features. In addition, IIS Lockdown installs the URLScan ISAPI filter. URLScan allows web site administrators to restrict the kinds of HTTP request that the server can process, based on a set of rules that the administrator controls. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.

Note: by default, IIS 6.0 has security-related configuration settings similar to those made by the IIS Lockdown tool. Therefore you do not need to run the IIS Lockdown tool on web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS (5.0 or lower) to IIS 6.0, it is recommended that you run the IIS Lockdown tool to enhance the security of your web server.

During this step, you:

Install and run IIS Lockdown. IIS Lockdown is available as an Internet download from the Microsoft web site at http://download.microsoft.com/download/iis50/utility/2.1/NT45XP/EN-US/iislockd.exe.

Save IISlockd.exe in a local folder. IISlockd.exe is the IIS Lockdown wizard and not an installation program. You can reverse any change made by IIS Lockdown by running IISlockd.exe a second time.

If you are locking down a Windows 2000-based computer that hosts ASP.NET pages, select the Dynamic Web server template when the IIS Lockdown tool prompts you. When you select Dynamic Web server, IIS Lockdown does the following:

It disables the following insecure Internet services:

File Transfer Protocol (FTP)

E-mail service (SMTP)

News service (NNTP)

It disables script mappings by mapping the following file extensions to the 404.dll:

Index Server Web interface (.idq, .htw, .ida)

Server-side include files (.shtml, .shtm, .stm)

Internet Data Connector (.idc)

.htr scripting (.htr), Internet printing (.printer)

Log files

IIS Lockdown creates two reports that list the changes it has applied:

%windir%\system32\inetsrv\oblt-rep.log. This contains high-level information.

%windir%\system32\inetsrv\oblt-log.log. This contains low-level details, such as which program files are configured with a deny access control entry (ACE) to prevent anonymous Internet user accounts from accessing them. This log file is also used to support the IIS Lockdown undo changes feature.

Web Anonymous Users and Web Applications groups. IIS Lockdown creates the Web Anonymous Users group and the Web Applications group. The Web Anonymous Users group contains the IUSR_MACHINE account. The Web Applications group contains the IWAM_MACHINE account. Permissions are assigned to system tools and content directories based on these groups and not directly to the IUSR and IWAM accounts. You can review specific permissions by viewing the IIS Lockdown log %windir%\system32\inetsrv\oblt-log.log.

The 404.dll

IIS Lockdown installs the 404.dll, to which you can map file extensions that must not be run by the client.

URLScan

If you install the URLScan ISAPI filter as part of IIS Lockdown, the URLScan settings are integrated with the server role you select when running IIS Lockdown. For example, if you select a static web server, URLScan blocks the POST command.

Reversing IIS Lockdown changes

To reverse the changes that IIS Lockdown performs, run IISlockd.exe a second time. This does not remove the URLScan ISAPI filter. For information, see "Removing URLScan" in the next topic.

Install and configure URLScan

URLScan is installed when you run IIS Lockdown, although you can download it and install it separately.

Note: IIS 6.0 on Windows Server 2003 has functionality equivalent to URLScan built in. Your decision whether to install URLScan should be based on your specific organizational requirements. Download IISLockd.exe from

http://download.microsoft.com/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe

Run the following command to extract the URLScan setup: iislockd.exe /q /c

Step 3: Services

Services that do not authenticate clients, services that use insecure protocols, or services that run with too much privilege are risks. If you do not need them, do not run them. By disabling unnecessary services you quickly and easily reduce the attack surface. You also reduce your overhead in terms of maintenance (patches, service accounts, and so on). If you run a service, make sure that it is secure and maintained. To do so, run the service using a least-privileged account, and keep the service current by applying patches.

During this step, you:

Disable unnecessary services

Disable FTP, SMTP and NNTP unless you require them.

Disable the ASP.NET State service unless you require it.

Step 4: Protocols

By preventing the use of unnecessary protocols, you reduce the potential for attack. The .NET Framework provides granular control of protocols through settings in the Machine.config file.

For example, you can control whether your web services can use HTTP GET, POST, or SOAP.

Disable or secure WebDAV: IIS supports the WebDAV protocol, which is a standard extension to HTTP 1.1 for collaborative content publication. Disable this protocol on production servers if it is not used.

WebDAV is preferable to FTP from a security perspective, but you need to secure WebDAV. For more information, see Microsoft Knowledge Base article 323470, "How to: Create a secure WebDAV publication directory".

If you do not need WebDAV, see Microsoft Knowledge Base article 241520, "How to: Disable WebDAV for IIS 5.0".

Harden the TCP/IP stack: Windows 2000 and Windows Server 2003 support the granular control of many parameters that configure their TCP/IP implementation. Some of the default settings are configured to provide server availability and other specific features.

Disable NetBIOS and SMB: Disable all unnecessary protocols, including NetBIOS and SMB. Web servers do not require NetBIOS or SMB on their Internet-facing network interface cards (NICs). Disable these protocols to counter the threat of host enumeration.

Disabling NetBIOS

NetBIOS uses the following ports:

TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)

TCP and UDP port 138 (NetBIOS datagram service)

TCP and UDP port 139 (NetBIOS session service)

Disabling NetBIOS is not sufficient to prevent SMB communication because if a standard NetBIOS port is unavailable, SMB uses TCP port 445. (This port is referred to as the SMB Direct Host.) As a result, you must take steps to disable NetBIOS and SMB separately.

To disable NetBIOS over TCP/IP

1. Right-click My Computer on the desktop, and click Manage.

2. Expand System Tools, and select Device Manager.

3. Right-click Device Manager, point to View, and click Show hidden devices.

4. Expand Non-Plug and Play Drivers.

5. Right-click NetBios over Tcpip, and click Disable.

This disables the NetBIOS direct host listener on TCP 445 and UDP 445.

Step 5. Accounts

You should remove accounts that are not used because an attacker might discover and use them. Require strong passwords. Weak passwords increase the likelihood of a successful brute force or dictionary attack. Use least privilege. An attacker can use accounts with too much privilege to gain access to unauthorized resources.

During this step, you:

Delete or disable unused accounts. Unused accounts and their privileges can be used by an attacker to gain access to a server. Audit local accounts on the server and disable those that are unused. If disabling the account does not cause any problems, delete the account. (Deleted accounts cannot be recovered.) Disable accounts on a test server before you disable them on a production server.

Disable the Guest account: The Guest account is used when an anonymous connection is made to the computer. To restrict anonymous connections to the computer, keep this account disabled. The Guest account is disabled by default on Windows 2000 and Windows Server 2003. To check whether or not it is enabled, display the Users folder in the Computer Management tool. The Guest account should be displayed with a cross icon. If it is not disabled, display its Properties dialog box and select Account is disabled.

Rename the Administrator account. The default local Administrator account is a target for malicious use because of its elevated privileges on the computer. To improve security, rename the default Administrator account and assign it a strong password.

Disable the IUSR account. Disable the default anonymous Internet user account, IUSR_MACHINE. This is created during IIS installation. MACHINE is the NetBIOS name of your server at IIS installation time.

Create a custom anonymous Web account. If your applications support anonymous access (for example, because they use a custom authentication mechanism such as Forms authentication), create a custom least privileged anonymous account. If you run IISLockdown, add your custom user to the Web Anonymous Users group that is created. IISLockdown denies access to system utilities and the ability to write to Web content directories for the Web Anonymous Users group.

If your Web server hosts multiple Web applications, you may want to use multiple anonymous accounts, one per application, so that you can secure and audit the operations of each application independently.

Enforce strong password policies. To counter password guessing and brute force dictionary attacks on your application, apply strong password policies. To enforce a strong password policy:

Set password length and complexity. Require strong passwords to reduce the threat of password guessing attacks or dictionary attacks. Strong passwords are eight or more characters and must include both alphabetical and numeric characters.

Set password expiration. Passwords that expire regularly reduce the likelihood that an old password can be used for unauthorized access. Frequency of expiration is usually guided by a company's security policy

Password Policy                                                            Default Setting          Recommended Minimum Setting
Enforce password history                                                   1 password remembered    24 passwords remembered
Maximum password age                                                       42 days                  42 days
Minimum password age                                                       0 days                   2 days
Minimum password length                                                    0 characters             8 characters
Passwords must meet complexity requirements                                Disabled                 Enabled
Store passwords using reversible encryption for all users in the domain    Disabled                 Disabled
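The recommended minimum settings in the table above can be checked automatically against a policy export instead of by eye. The following Python block is an added example, not code from the essay or from Microsoft; it assumes the INF layout written by secedit /export, maps each table row to a [System Access] key name as noted in the code comments (that mapping is an assumption of this example), and runs over a constructed sample that holds the default values from the table.

```python
# Audit an exported local security policy against the recommended minimum
# password settings from the table (Step 5). Added example; the secedit key
# names used below are an assumption of this example, not taken from the essay.

# (mode, value): "min" = at least, "max" = at most, "eq" = exactly this value.
RECOMMENDED = {
    "PasswordHistorySize":   ("min", 24),  # Enforce password history: 24 passwords remembered
    "MaximumPasswordAge":    ("max", 42),  # Maximum password age: 42 days
    "MinimumPasswordAge":    ("min", 2),   # Minimum password age: 2 days
    "MinimumPasswordLength": ("min", 8),   # Minimum password length: 8 characters
    "PasswordComplexity":    ("eq", 1),    # Complexity requirements: Enabled
    "ClearTextPassword":     ("eq", 0),    # Reversible encryption: Disabled
}

# Constructed sample in the INF layout produced by `secedit /export`; the values
# are the Windows defaults from the table, not an export taken from a real server.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
ClearTextPassword = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text):
    """Return the [System Access] section as a dict; numeric values become ints."""
    settings = {}
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        try:
            settings[key] = int(value)
        except ValueError:
            settings[key] = value.strip('"')
    return settings


def audit_password_policy(inf_text):
    """Return (key, actual, recommended, message) for every setting weaker than the table."""
    settings = parse_system_access(inf_text)
    findings = []
    for key, (mode, wanted) in RECOMMENDED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, None, wanted, "setting not present in export"))
            continue
        if mode == "min":
            ok = actual >= wanted
        elif mode == "max":
            # secedit writes -1 when passwords never expire (assumption); that is
            # weaker than any finite maximum, so it fails the check as well.
            ok = 1 <= actual <= wanted
        else:
            ok = actual == wanted
        if not ok:
            findings.append((key, actual, wanted, f"expected {mode} {wanted}, found {actual}"))
    return findings


if __name__ == "__main__":
    for key, actual, wanted, msg in audit_password_policy(SAMPLE_EXPORT):
        print(f"{key}: {msg}")
```

Run against the default values, the audit reports the four rows where the default is weaker than the recommended minimum (history, minimum age, minimum length, complexity); the two rows already at the recommended value are silent.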

Step 6. Files and Directories

Install Windows 2000 and Windows Server 2003 on partitions formatted with the NTFS file system so that you benefit from NTFS permissions to restrict access. Use strong access controls to protect sensitive files and directories. In most situations, an approach that allows access to specific accounts is more effective than one that denies access to specific accounts. Set access at the directory level whenever possible. As files are added to the folder they inherit permissions from the folder, so you need to take no further action.

1. Restrict the Everyone group.

2. Restrict the anonymous Web account(s).

3. Secure or remove tools, utilities, and SDKs.

4. Remove sample files.

Step 7. Shares

Remove any unused shares and harden the NTFS permissions on any essential shares. By default all users have full control on newly created file shares. Harden these default permissions to ensure that only authorized users can access files exposed by the share. In addition to explicit share permissions, use NTFS ACLs for files and folders exposed by the share. Remove unnecessary shares: Remove all unnecessary shares. To review shares and associated permissions, run the Computer Management MMC snap-in, and select Shares from Shared Folders as shown in Figure 16.3.

Computer Management MMC snap-in Shares

Restrict access to required shares.

Remove the Everyone group and grant specific permissions instead. Everyone is used when you do not have restrictions on who should have access to the share.

Additional Considerations

Step 8. Ports

Services that run on the server use specific ports so that they can serve incoming requests. Close all unnecessary ports and perform regular audits to detect new ports in the listening state, which could indicate unauthorized access and a security compromise.

During this step, you:

Restrict Internet-facing ports to TCP 80 and 443.

Encrypt or restrict intranet traffic.
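The two port checks above (Step 4: NetBIOS/SMB ports 137, 138, 139 and 445 must not listen on an Internet-facing NIC; Step 8: only TCP 80 and 443 should face the Internet, with regular audits for new listeners) can be run as a script over the output of netstat -an. The following Python block is an added example, not code from the essay or from Microsoft; it assumes the standard netstat -an column layout (Proto, Local Address, Foreign Address, State) and uses a constructed sample rather than a capture from a real server. The baseline parameter stands for the set of (protocol, port) pairs recorded at the previous audit, so anything outside it is reported as new.

```python
import re

# Added example: audit the listening sockets reported by `netstat -an` against
# the allow list of the page (TCP 80/443) and the NetBIOS/SMB ports it says to close.

ALLOWED_INTERNET_PORTS = {("TCP", 80), ("TCP", 443)}

# Ports named in Step 4; the description applies to both TCP and UDP.
NETBIOS_SMB_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB direct host",
}

# Constructed sample of `netstat -an` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:51234     ESTABLISHED
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    203.0.113.10:138       *:*
"""

# Proto, local ip:port, foreign address, optional state (UDP rows carry no state).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for each bound socket that accepts traffic.

    TCP rows count only in LISTENING state; UDP sockets have no state, so every
    UDP row is a bound datagram endpoint.
    """
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, ip, int(port)))
    return listeners


def audit_listeners(netstat_text, baseline=frozenset()):
    """Return one finding string per listener that violates Step 4 or Step 8."""
    findings = []
    for proto, ip, port in parse_listeners(netstat_text):
        if port in NETBIOS_SMB_PORTS:
            findings.append(f"{proto}/{port} bound on {ip}: {NETBIOS_SMB_PORTS[port]} "
                            "still listening; disable NetBIOS and SMB (Step 4)")
        elif ip in ("127.0.0.1", "::1"):
            continue  # loopback-only listener, not reachable from the network
        elif (proto, port) not in ALLOWED_INTERNET_PORTS:
            note = ("known from the previous audit but outside the 80/443 allow list"
                    if (proto, port) in baseline else "new since the previous audit")
            findings.append(f"{proto}/{port} bound on {ip}: {note} (Step 8)")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT, baseline={("TCP", 3389)}):
        print(finding)
```

On the sample the script reports TCP 445, UDP 137 and UDP 138 as NetBIOS/SMB listeners, reports TCP 3389 as known but outside the allow list, ignores the loopback-only SQL listener, and accepts 80 and 443. In practice the script is fed the real netstat output and the baseline is refreshed after each audit so that the "new since the previous audit" line is the one that gets attention.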

Step 9. Registry

The registry is the repository for many vital server configuration settings. As such, you must ensure that only authorized administrators have access to it. If an attacker is able to edit the registry, he or she can reconfigure and compromise the security of your server.

During this step, you:

Restrict remote administration of the registry. The Winreg key determines whether registry keys are available for remote access. By default, this key is configured to prevent users from remotely viewing most keys in the registry, and only highly privileged users can modify it. On Windows 2000 and Windows Server 2003, remote registry access is restricted by default to members of the Administrators and Backup operators group. Administrators have full control and backup operators have read-only access.

The associated permissions at the following registry location determine who can remotely access the registry.

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

To view the permissions for this registry key, run Regedt32.exe, navigate to the key, and choose Permissions from the Security menu.

Secure the SAM (stand-alone servers only). Stand-alone servers store account names and one-way (non-reversible) password hashes (LMHash) in the local Security Account Manager (SAM) database. The SAM is part of the registry. Typically, only members of the Administrators group have access to the account information.

Restrict LMHash storage in the SAM by creating the key (not value) NoLMHash in the registry as follows: HKLM\System\CurrentControlSet\Control\LSA\NoLMHash

Step 10. Auditing and Logging

Auditing does not prevent system attacks, although it is an important aid in identifying intruders and attacks in progress, and can assist you in diagnosing attack footprints. Enable a minimum level of auditing on your Web server and use NTFS permissions to protect the log files so that an attacker cannot cover his tracks by deleting or updating the log files in any way. Use IIS W3C Extended Log File Format Auditing. Audit access to the Metabase.bin file.

Log all failed Logon attempts. You must log failed logon attempts to be able to detect and trace suspicious behavior.

Start the Local Security Policy tool from the Administrative Tools program group.

Expand Local Policies and then select Audit Policy

Double-click Audit account logon events.

Click Failure and then OK.

Logon failures are recorded as events in the Windows security event log. The following event IDs are suspicious:

531. An attempt was made to log on using a disabled account.

529. An attempt was made to log on using an unknown user account, or using a valid user account but with an invalid password.
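Enabling the audit is only half the work; the recorded events have to be reviewed for patterns such as a burst of event 529 against one account from one workstation, which is what a password guessing attempt looks like in the log. The Python block below is an added example, not code from the essay; it assumes a simple CSV export with date, time, event ID, account and workstation columns (a constructed layout for this example, not the native Event Viewer export format), reports every 531 event, and reports any account/workstation pair with five or more 529 events inside a five-minute window.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Added example: triage failed-logon events (IDs 529 and 531 named in Step 10).
# The CSV column layout is an assumption of this example.

# Constructed sample; the accounts, hosts and times are invented.
# Event 528 (successful logon) is included to show that it is ignored.
SAMPLE_EVENTS = """\
date,time,event_id,account,workstation
2003-06-12,02:14:01,529,administrator,WS-LAB-04
2003-06-12,02:14:03,529,administrator,WS-LAB-04
2003-06-12,02:14:04,529,administrator,WS-LAB-04
2003-06-12,02:14:06,529,administrator,WS-LAB-04
2003-06-12,02:14:09,529,administrator,WS-LAB-04
2003-06-12,02:14:11,529,administrator,WS-LAB-04
2003-06-12,03:40:22,529,jsmith,WS-HR-12
2003-06-12,05:01:00,531,oldsvc,WS-LAB-04
2003-06-12,09:15:30,528,jsmith,WS-HR-12
"""


def parse_events(text):
    """Parse the CSV export into dicts with a datetime, an int event id and a lower-cased account."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "when": datetime.fromisoformat(f"{row['date']}T{row['time']}"),
            "id": int(row["event_id"]),
            "account": row["account"].lower(),
            "workstation": row["workstation"],
        })
    return events


def disabled_account_attempts(events):
    """Every 531 is worth a look: nobody should be using a disabled account."""
    return [e for e in events if e["id"] == 531]


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Report (account, workstation) pairs with >= threshold 529 events inside `window`.

    Uses a sliding window over the sorted timestamps so a slow guess rate spread
    over hours is not mistaken for a burst, while a tight cluster is.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            by_key[(e["account"], e["workstation"])].append(e["when"])

    bursts = []
    for (account, workstation), times in by_key.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append({"account": account, "workstation": workstation,
                           "max_in_window": best, "first": times[0], "last": times[-1]})
    return bursts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e in disabled_account_attempts(evts):
        print(f"531 disabled account {e['account']} from {e['workstation']} at {e['when']}")
    for b in find_bursts(evts):
        print(f"529 burst: {b['max_in_window']} failures for {b['account']} "
              f"from {b['workstation']} between {b['first']} and {b['last']}")
```

The single 529 for jsmith is not reported, since one mistyped password is normal; the six failures for administrator within ten seconds are, as is the lone 531 for the disabled service account. The threshold and window are parameters so that they can be tuned to the server's normal failure rate.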

Log all failed actions across the file system. Use NTFS auditing on the file system to detect potentially malicious attempts. This is a two-step process.

To enable logging

Start the Local Security Policy tool from the Administrative Tools program group.

Expand Local Policies and then select Audit Policy

Double-click Audit object access.

Click Failure and then click OK.

To audit failed actions across the file system

Start Windows Explorer and navigate to the root of the file system.

Right-click and then click Properties.

Click the Security tab.

Click Advanced and then click the Auditing tab.

Click Add and then enter Everyone in the Name field.

Click OK and then select all of the Failed check boxes to audit all failed events.

Click OK three times to close all open dialog boxes.

Relocate and secure the IIS log files: By moving and renaming the IIS log files, you make it much more difficult for an attacker to cover his tracks. The attacker must locate the log files before he or she can alter them. To make an attacker's task more difficult still, use NTFS permissions to secure the log files.

Move and rename the IIS log file directory to a different volume than your Web site. Do not use the system volume. Then, apply the following NTFS permissions to the log files folder and subfolders.

Administrators: Full Control

System: Full Control

Backup Operators: Read

Archive Log Files for Offline Analysis

To facilitate the offline analysis of IIS log files, you can use a script to automate secure removal of log files from an IIS server. Log files should be removed at least every 24 hours. An automated script can use FTP, SMTP, HTTP, or SMB to transfer log files from a server computer. However, if you enable one of these protocols, do so securely so that you do not open any additional attack opportunities. Use an IPSec policy to secure ports and channels.

Audit Access to the Metabase.bin File

Audit all failures by the Everyone group to the IIS metabase.bin file located in \WINNT\System32\inetsrv\. Do the same for the \Metabase backup folder for the backup copies of the metabase.

Step 11. Sites and Virtual Directories

Relocate Web roots and virtual directories to a non-system partition to protect against directory traversal attacks. These attacks allow an attacker to execute operating system programs and utilities. It is not possible to traverse across drives, so this approach ensures that any future canonicalization worm that allows an attacker to access system files will fail. For example, if the attacker formulates a URL that contains the following path, the request fails:

/scripts/..%5c../winnt/system32/cmd.exe
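Even when such a request fails, it should still be noticed, because it shows someone probing the server. The Python block below is an added example, not code from the essay; it parses IIS W3C extended log lines (the format Step 10 recommends), percent-decodes cs-uri-stem repeatedly so that double encoding such as %255c is unwrapped, treats backslashes as path separators the way IIS does, and reports requests that contain ".." segments, distinguishing those that would escape the web root from those that stay inside it. The log lines are constructed for this example.

```python
from urllib.parse import unquote

# Added example: flag directory traversal attempts in IIS W3C extended log records.

# Constructed sample of a W3C extended log; addresses and requests are invented.
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-12 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-12 00:01:10 198.51.100.7 GET /default.asp - 200
2003-06-12 00:01:12 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe - 404
2003-06-12 00:01:15 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe - 404
2003-06-12 00:02:00 203.0.113.44 GET /images/logo.gif - 200
2003-06-12 00:02:30 203.0.113.44 GET /docs/../default.asp - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # record does not match the declared layout; skip it
        yield dict(zip(fields, values))


def decode_layers(raw, max_rounds=3):
    """Percent-decode until the string stops changing; return it and the number of rounds that changed it."""
    current = raw
    for rounds in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        current = decoded
    return current, max_rounds


def analyse_path(raw_stem):
    """Return the reasons a URI stem looks like a traversal attempt (empty list if it looks clean)."""
    decoded, rounds = decode_layers(raw_stem)
    reasons = []
    if rounds >= 2:
        reasons.append("double-encoded characters")
    # IIS accepts "\" as a separator, so normalise it before looking at segments.
    path = decoded.replace("\\", "/")
    depth = 0
    has_dotdot = False
    escaped = False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            has_dotdot = True
            depth -= 1
            if depth < 0:
                escaped = True  # more ".." than directories above: leaves the web root
        else:
            depth += 1
    if has_dotdot:
        reasons.append("dot-dot segment")
    if escaped:
        reasons.append("escapes the web root")
    return reasons


def flag_traversal(text):
    """Return the suspicious records with their reasons, for review or alerting."""
    hits = []
    for record in parse_w3c(text):
        reasons = analyse_path(record["cs-uri-stem"])
        if reasons:
            hits.append({"ip": record["c-ip"], "stem": record["cs-uri-stem"],
                         "status": record["sc-status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_W3C_LOG):
        print(f"{hit['ip']} {hit['stem']} -> {hit['status']}: {', '.join(hit['reasons'])}")
```

Both cmd.exe requests are reported as escaping the web root, the second one additionally as double-encoded; the /docs/../default.asp request is reported for its ".." segment but not as an escape, since it resolves to a path inside the root. The sc-status is kept in the output so that a 200 on an escaping path, rather than the expected 404, stands out.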

Disabling the Enable parent paths IIS metabase setting prevents the use of ".." in script and application calls to functions such as MapPath. This helps guard against directory traversal attacks.

To disable parent paths

Start IIS.

Right-click the root of your Web site, and click Properties.

Click the Home Directory tab.

Click Configuration.

Click the App Options tab.

Clear Enable parent paths.

Set Web Permissions

Web permissions are configured through the IIS snap-in and are maintained in the IIS metabase. They are not NTFS permissions.

Use the following Web permissions:

Read Permissions. Restrict Read permissions on include directories.

Write and Execute Permissions. Restrict Write and Execute permissions on virtual directories that allow anonymous access.

Script source access. Configure Script source access permissions only on folders that allow content authoring.

Write. Configure Write permissions only on folders that allow content authoring. Grant write access only to content authors.

Step 12. Script Mappings

Script mappings associate a particular file extension, such as .asp, with the ISAPI extension that handles it, such as Asp.dll. IIS is configured to support a range of extensions including .asp, .shtm, .hdc, and so on. ASP.NET HTTP handlers are a rough equivalent of ISAPI extensions. In IIS, file extensions such as .aspx are first mapped in IIS to Aspnet_isapi.dll, which forwards the request to the ASP.NET worker process. The actual HTTP handler that processes the file extension is then determined by the <httpHandlers> mapping in Machine.config or Web.config.

Why Map to the 404.dll?

By mapping file extensions to the 404.dll, you prevent files from being returned and downloaded over HTTP. If you request a file with an extension mapped to the 404.dll, a Web page with the message "HTTP 404 - File not found" is displayed. You are recommended to map unused extensions to the 404.dll rather than deleting the mapping. If you delete a mapping, and a file is mistakenly left on the server (or put there by mistake) it can be displayed in clear text when it is requested because IIS does not know how to process it.

To map a file extension to the 404.dll

1. Start IIS.

2. Right-click your server name in the left window, and then click Properties.

3. Ensure that the WWW Service is selected in the Master Properties drop-down list, and then click the adjacent Edit button.

4. Click the Home Directory tab.

5. Click Configuration. The tabbed page shown in Figure 16.4 is displayed.

6. Select one of the extensions from the list, and then click Edit.

7. Click Browse and navigate to \WINNT\system32\inetsrv\404.dll.

Note: This step assumes that you have previously run IISlockd.exe, as the 404.dll is installed by the IISLockdown tool.

8. Click Open, and then click OK.

9. Repeat steps 6, 7 and 8 for all of the remaining file extensions.

Step 13. ISAPI Filters

In the past, vulnerabilities in ISAPI filters caused significant IIS exploitation. There are no unneeded ISAPI filters after a clean IIS installation, although the .NET Framework installs the ASP.NET ISAPI filter (Aspnet_filter.dll), which is loaded into the IIS process address space (Inetinfo.exe) and is used to support cookie-less session state management.

If your applications do not need to support cookie-less session state and they do not set the cookieless attribute to true on the <sessionState> element, this filter can be removed.

During this step, you remove unused ISAPI filters.

Remove Unused ISAPI Filters

Remove any unused ISAPI filters as explained in the following section.

To view ISAPI filters

To start IIS, select Internet Services Manager from the Administrative Tools programs group.

Right-click the machine (not Web site, because filters are machine wide), and then click Properties.

Click Edit.

Click the ISAPI Filters tab.


Removing unused ISAPI filters

Step 14. IIS Metabase

Security and other IIS configuration settings are maintained in the IIS metabase file. Harden the NTFS permissions on the IIS metabase (and the backup metabase file) to be sure that attackers cannot modify your IIS configuration in any way (for example, to disable authentication for a particular virtual directory.)

Step 15. Code Access Security

Machine level code access security policy is determined by settings in the Security.config file located in the following directory: %windir%\Microsoft.NET\Framework\{version}\CONFIG

Run the following command to be sure that code access security is enabled on your server: caspol -s On

Remove all permissions for the local intranet zone. The local intranet zone applies permissions to code running from UNC shares or internal Web sites. Reconfigure this zone to grant no permissions by associating it with the Nothing permission set. To remove all permissions for the local intranet zone

Start the Microsoft .NET Framework version 1.1 Configuration tool from the Administrative Tools program group.

Expand Runtime Security Policy, expand Machine, and then expand Code Groups.

Expand All_Code and then select LocalIntranet_Zone.

Click Edit Code Group Properties.

Click the Permission Set tab.

Select Nothing from the drop-down Permission list.

Click OK.


Setting LocalIntranet_Zone code permissions to Nothing

Remove All Permissions for the Internet Zone

The Internet zone applies code access permissions to code downloaded over the Internet. On Web servers, this zone should be reconfigured to grant no permissions by associating it with the Nothing permission set.

Repeat the steps shown in the preceding section, "Remove All Permissions for the Local Intranet Zone," except set the Internet_Zone to the Nothing permission set.

Snapshot of a Secure Web Server

A snapshot view that shows the attributes of a secure Web server allows you to quickly and easily compare settings with your own Web server. The settings shown in Table 16.4 are based on Web servers that host Web sites that have proven to be very resilient to attack and demonstrate sound security practices. By following the preceding steps you can generate an identically configured server, with regard to security.

Compatibility

Version    Notes
IIS 7.5    The <security> element was not modified in IIS 7.5.
IIS 7.0    The <security> element was introduced in IIS 7.0.
IIS 6.0    The <security> element replaces the IIS 6.0 security metabase properties that related to certificates, authentication, and authorization.

How To Set Up

HOW TO DISABLE ANONYMOUS AUTHENTICATION

1. Open Internet Information Services (IIS) Manager:

   - If you are using Windows Server 2008 or Windows Server 2008 R2: on the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

   - If you are using Windows Vista or Windows 7: on the taskbar, click Start, and then click Control Panel. Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. In the Connections pane, expand the server name, expand Sites, go to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.

3. Scroll to the Security section in the Home pane, and then double-click Authentication.

4. In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.

HOW TO CHANGE ANONYMOUS AUTHENTICATION CREDENTIALS FROM THE IUSR ACCOUNT

1. Open Internet Information Services (IIS) Manager:

   - If you are using Windows Server 2008 or Windows Server 2008 R2: on the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

   - If you are using Windows Vista or Windows 7: on the taskbar, click Start, and then click Control Panel. Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. In the Connections pane, expand the server name, expand Sites, navigate to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.

3. Scroll to the Security section in the Home pane, and then double-click Authentication.

4. In the Authentication pane, select Anonymous Authentication, and then click Edit... in the Actions pane.

5. In the Edit Anonymous Authentication Credentials dialog box, do one of the following:

   - Select Application pool identity to use the identity set for the application pool, and then click OK.

   - Click Set..., and then in the Set Credentials dialog box, enter the user name for the account in the User name box, enter the password for the account in the Password and Confirm password boxes, click OK, and then click OK again.

Note: If you use this procedure, only grant the new account minimal privileges on the IIS server computer.

HOW TO ENABLE BASIC AUTHENTICATION AND DISABLE ANONYMOUS AUTHENTICATION

Open Internet Information Services (IIS) Manager:

If you are using Windows Server 2008 or Windows Server 2008 R2:

On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows Vista or Windows 7:

On the taskbar, click Start, and then click Control Panel.

Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

In the Connections pane, expand the server name, expand Sites, and then click the site, application or Web service for which you want to enable basic authentication.

Scroll to the Security section in the Home pane, and then double-click Authentication.

In the Authentication pane, select Basic Authentication, and then, in the Actions pane, click Enable.

In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.

HOW TO REQUIRE SECURE SOCKETS LAYER

Open Internet Information Services (IIS) Manager:

If you are using Windows Server 2008 or Windows Server 2008 R2:

On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows Vista or Windows 7:

On the taskbar, click Start, and then click Control Panel.

Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

In the Connections pane, go to the site, application, or directory for which you want to configure SSL requirements. You cannot configure SSL at the server level.

In the Home pane, double-click SSL Settings.

In the SSL Settings pane, click Require SSL.

In the Actions pane, click Apply.

HOW TO ENABLE WINDOWS AUTHENTICATION FOR A WEB SITE, WEB APPLICATION, OR WEB SERVICE

Open Internet Information Services (IIS) Manager:

If you are using Windows Server 2008 or Windows Server 2008 R2:

On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows Vista or Windows 7:

On the taskbar, click Start, and then click Control Panel.

Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

In the Connections pane, expand the server name, expand Sites, and then click the site, application, or Web service for which you want to enable Windows authentication.

Scroll to the Security section in the Home pane, and then double-click Authentication.

In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane. 

CONFIGURATION SAMPLE

<location path="Contoso">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" />
                <basicAuthentication enabled="false" />
                <anonymousAuthentication enabled="false" />
            </authentication>
            <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />
            <requestFiltering>
                <fileExtensions>
                    <add fileExtension=".inc" allowed="false" />
                </fileExtensions>
                <denyUrlSequences>
                    <add sequence="_vti_bin" />
                    <add sequence="_vti_cnf" />
                    <add sequence="_vti_pvt" />
                </denyUrlSequences>
            </requestFiltering>
        </security>
    </system.webServer>
</location>

appcmd.exe

appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:"False" /commit:apphost

appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/basicAuthentication /enabled:"True" /commit:apphost

appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
    private static void Main()
    {
        using (ServerManager serverManager = new ServerManager())
        {
            // Edit applicationHost.config for the "Contoso" site only.
            Configuration config = serverManager.GetApplicationHostConfiguration();

            // Turn anonymous access off so every request must present credentials.
            ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Contoso");
            anonymousAuthenticationSection["enabled"] = false;

            ConfigurationSection basicAuthenticationSection = config.GetSection("system.webServer/security/authentication/basicAuthentication", "Contoso");
            basicAuthenticationSection["enabled"] = true;

            ConfigurationSection windowsAuthenticationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Contoso");
            windowsAuthenticationSection["enabled"] = true;

            // Nothing is written until the changes are committed.
            serverManager.CommitChanges();
        }
    }
}
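As an added example (not code from the essay or from the IIS documentation it draws on), a small Python audit that parses a <location> fragment like the configuration sample above and reports which of the settings this section walks through are not applied: anonymous authentication off, Windows authentication on, Require SSL set, basic authentication only over SSL, and the .inc and _vti_ request-filtering rules present. The XML documents are constructed inline; the only dependency is the standard library.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the page's own file): the page's Contoso <location> wrapped in a root.
HARDENED = """<configuration><location path="Contoso"><system.webServer><security>
  <authentication>
    <windowsAuthentication enabled="true" />
    <basicAuthentication enabled="false" />
    <anonymousAuthentication enabled="false" />
  </authentication>
  <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />
  <requestFiltering>
    <fileExtensions><add fileExtension=".inc" allowed="false" /></fileExtensions>
    <denyUrlSequences><add sequence="_vti_bin" /><add sequence="_vti_cnf" />
      <add sequence="_vti_pvt" /></denyUrlSequences>
  </requestFiltering>
</security></system.webServer></location></configuration>"""

# The same site with anonymous/basic authentication on and Require SSL off (near IIS defaults).
WEAK = HARDENED.replace('enabled="false"', 'enabled="true"').replace(
    'sslFlags="Ssl, SslNegotiateCert, Ssl128"', 'sslFlags="None"')

def _enabled(loc, tag):
    """True if the named authentication element is present with enabled="true"."""
    el = next(loc.iter(tag), None)
    return el is not None and el.get("enabled", "false").lower() == "true"

def audit_location(xml_text, path):
    """Check one <location> against the section's checklist; return a list of findings."""
    loc = ET.fromstring(xml_text).find(f"./location[@path='{path}']")
    if loc is None:
        return [f"no <location path='{path}'> element"]
    findings = []
    if _enabled(loc, "anonymousAuthentication"):
        findings.append("anonymousAuthentication is enabled")
    if not _enabled(loc, "windowsAuthentication"):
        findings.append("windowsAuthentication is not enabled")
    access = next(loc.iter("access"), None)
    flags = {f.strip() for f in (access.get("sslFlags", "") if access is not None else "").split(",")}
    if "Ssl" not in flags:
        findings.append("Require SSL is off (sslFlags lacks Ssl)")
    if _enabled(loc, "basicAuthentication") and "Ssl" not in flags:
        findings.append("basicAuthentication sends credentials in the clear without Require SSL")
    adds = list(loc.iter("add"))  # request-filtering entries
    if not any(a.get("fileExtension") == ".inc" and a.get("allowed", "").lower() == "false" for a in adds):
        findings.append("request filtering does not deny .inc files")
    denied = {a.get("sequence") for a in adds}
    for seq in ("_vti_bin", "_vti_cnf", "_vti_pvt"):
        if seq not in denied:
            findings.append(f"denyUrlSequences is missing {seq}")
    return findings
```

Running it against an exported applicationHost.config (after wrapping or locating the relevant <location>) gives a quick way to confirm the GUI and appcmd steps actually landed.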

Conclusion:

A secure Web server provides a protected foundation for hosting your Web applications. This chapter has shown you the main threats that have the potential to impact your ASP.NET Web server and has provided the security steps required for risk mitigation. By performing the hardening steps presented in this chapter, you can create a secure platform and host infrastructure to support ASP.NET Web applications and Web services.

The methodology used in this chapter allows you to build a secure Web server from scratch and also allows you to harden the security configuration of an existing Web server. The next step is to ensure that any deployed applications are correctly configured.
