Windows Server 2008 R2 Unleashed (87 page)
Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
administrative roles to conduct specific administrative tasks on the web server, website,
Securing Internet Information Services 7.5
413
12
FIGURE 12.19
Configuring the properties on the SSL Settings feature page.
ptg
or web application. There are three IIS administrative roles: Web Server Administrator,
Web Site Administrator, and Web Application Administrator. Each role dictates the
settings that can be configured. Table 12.1 lists each IIS administrative role and permis-
sions associated with it.
TABLE 12.1
Server-Level Roles
IIS Administrative Role
Configuration Tasks
Web Server Administrator
Complete and unrestricted access to the web server, including all
sites and applications
Web server
Application pools
Websites
Virtual directories
Physical directories in the websites and web applications
Web server security
Web Site Administrator
Full control over the web to which they have been delegated
Web application within the delegation
Virtual directories within the delegation
Physical directory within the delegation
414
CHAPTER 12
Internet Information Services
TABLE 12.1
Server-Level Roles
IIS Administrative Role
Configuration Tasks
Web Application
Configure web application settings to which they have been
Administrator
delegated
Virtual directories within the web application delegation
Physical directory within the web application delegation
Files in the virtual and physical directory within the web
application delegation
Creating an IIS 7.5 User Account
There might be situations when you need to provide a non-Windows user IIS 7.5 manage-
ment capabilities. You need to create an IIS 7.5 user account; therefore, this non-Windows
user has management privileges to delegate features and IIS functionality. Follow these
steps to create an IIS 7.5 user account:
1. In Internet Information Services (IIS) Manager, navigate to the Connections pane
and select the IIS server.
ptg
2. Select the IIS Manager Users feature icon, which is located in the central details pane.
3. On the IIS Manager Users feature page, click the Add User task, which is located in
the Actions pane.
4. In the Add User dialog box, enter the new user account name and password, and
then click OK.
NOTE
When entering a password, the password policy will be governed by the local Windows
Server 2008 R2 group policy. Therefore, the password will need to be strong to meet
the default complexity password policy.
For ongoing user account management, after the user account is created, use the addi-
tional tasks on the Actions pane to change the password, disable, or remove the account.
Assigning Permissions to an IIS 7.5 User Account
The next step in the user creation process is to assign the appropriate permissions to the
newly created user account. This process allows the user to configure delegated features for
a specific website or application. Follow these steps to authorize a user account to connect
to a site or an application:
1. In Internet Information Services (IIS) Manager, navigate to the Connections pane,
expand the IIS server, and then expand the Sites node.
Securing Internet Information Services 7.5
415
2. Specify the site to which the user account will be granted authorization, and then
select the IIS Manager Permissions feature icon, which is located in the Central
Details pane.
3. On the IIS Manager Permissions feature page, click the Allow User task, which is
located in the Actions pane.
12
4. In the Allow User dialog box, first select the IIS Manager option, then enter the
account that was created in the previous steps, and then click OK.
NOTE
If the IIS Manager option is not available in the Allow User dialog box, the management
service is not set to accept connections from IIS users. To do so, use the Management
Service page to enable remote connections and select the identify option, Windows
Credentials or IIS Manager Credentials.
Configuring Feature Delegation
Follow these steps to configure feature delegation for a newly created website:
1. In Internet Information Services (IIS) Manager, navigate to the Connections pane
and select the IIS server.
ptg
2. Select the Feature Delegation feature icon, which is located in the Central Details pane.
3. On the Features Delegation page, select the Custom Web Site Delegation task from
the Actions pane. Alternatively, select the Customer Web Application Delegation if
you want to delegate an application.
4. Select the site to be delegated from the Sites drop-down menu on the Custom
Website page.
5. Select the appropriate feature in the list and then set the desired feature delegation
from the Actions pane. The delegations include: Read/Write, Read Only, Not
Delegated, and Reset to Inherited.
NOTE
There might be circumstances when there is a need to reset delegation or restore the
defaults. When necessary, click the Reset All Delegation or Default Delegation in the
Actions pane.
Using IIS Logging
IIS logging should be viewed as a necessity rather than an optional feature of IIS because it
helps to ensure IIS security and is also extremely useful for maintenance and troubleshoot-
ing. For example, in the event of a system compromise, logs can be used and a forensic
review performed on the intimate details contained in them. This information can then
be used to review maintenance procedures and identify problems in the system. Equally
important, many organizations now require logging because of regulatory compliance so it
seems logging is here to stay.
416
CHAPTER 12
Internet Information Services
IIS text-based logging, such as the W3C Extended Log File Format, Microsoft IIS Log File
Format, and NCSA Common Log File Format, is controlled by Http.sys, which is a kernel-
mode process. This is a significant change from previous versions where logging was a
user-mode process. The only other log file format that comes close to previous versions is
ODBC as it is implemented using a user mode worker process.
Another bonus about logging is its ability to be implemented at the server, site, web appli-
cation, file, and directory level. For organizations wanting to configure IIS 7.5 logging for
a specific website, follow these procedures:
1. Launch Internet Information Services (IIS) Manager.
2. In the Connections pane, select the desired website for which you want to config-
ure logging.
3. Double-click the Logging feature in the Actions pane.
4. On the Logging page, select the desired logging format to be utilized.
5. Specify the location of the log file by typing a log path into the Directory text box.
Alternatively, click the Browse button and select a directory to store the files.
6. In the Log File Rollover section, select the method to create the new log file. The
options include specifying an Hourly, Daily, Weekly, or Monthly schedule, entering a
maximum file size (in bytes), or selecting the option that puts a stop to the creation
ptg
of new log files.
7. The final option requires you to determine whether to use local time for file naming
and rollover.
8. After all the log file settings have been inputted, select Apply in the Actions pane to
commit the changes.
NOTE
It is possible to either enable or disable a log file for a specific site by selecting Enable
or Disable in the Actions pane of the Logging feature page. To enable logging for IIS
7.5, the HTTP Logging Module must be installed.
IIS 7.5 is a major improvement over previous versions in terms of security, reliability,
availability, and performance. These facets have been a top priority for Microsoft.
Microsoft has incorporated both internal and customer-based feedback to provide a robust
platform for providing web, application, and FTP services.
Key points in this chapter covered the planning and design of the new IIS 7.5 capabilities
built in to Windows Server 2008 R2. The features have been greatly enhanced to provide
better management, scalability, modification, and reporting of web services operations.
Best Practices
417
Instead of having IIS installed on every installation of Windows server, an administrator
now needs to “add” the IIS server role to the system and then go through a process of
enabling functionality and configuring the web services function to meet the needs of the
organization. This change (from having web services installed automatically to now
requiring specific services to be enabled) provides better security for server systems but
also requires a better understanding of which services should be added or modified to
12
meet the needs of the organization’s applications.
And even with IIS requiring manual installation and configuration, there are still key secu-
rity practices that need to be performed to ensure that web services are not attacked and
compromised, thus creating a security hole in the organization’s network security.
The IIS 7.5 server role is a significant improvement in Windows Server 2008 R2, and one
that administrators from early adopter organizations have found to be a welcome change
in ongoing operations.
The following are best practices from this chapter:
. Use IIS 7.5 to improve performance and strengthen security.
ptg
. Thoroughly design and plan the IIS 7.5 environment.
. Define the goals and objectives of the IIS 7.5 project.
. Identify and review IIS application types and requirements.
. Define security requirements to meet the goals and objectives.
. Balance the security methodologies to be used with the associated risks and end-user
experience.
. Examine and design disaster recovery plans, and monitor requirements and mainte-
nance practices.
. Document the current IIS infrastructure and the IIS design decisions.
. Build fault tolerance into the web infrastructure based on how much downtime can
be afforded and existing SLAs.
. Use IIS to monitor applications such as pinging worker processes after a specified
period of time, monitoring for failed applications, and disabling the application
pool after a certain number of failures or a set number of failures within a given
time frame.
. Isolate FTP users so that FTP content is protected.
. Provide search capabilities for Adobe Acrobat PDF file content on a website by using
the iFilter driver.
. Use NTFS on the disk subsystem, and apply the latest service pack and security
patches to begin securing the IIS system.
418
CHAPTER 12
Internet Information Services
. Carefully review application security on the Windows Server 2008 web server, espe-
cially if using a custom-built application.
. Choose an authentication method carefully depending on business and technical
requirements.
. Apply auditing to web and FTP sites to document attempts to log on (successful and
unsuccessful), to gain unauthorized access to service accounts, to modify or delete
files, and to execute restricted commands.
. Use SSL to ensure confidentiality.
. Use local folders to share downloads, and secure them with NTFS. The folder should
be located on a separate partition from Windows Server 2008 R2 system files.
. Monitor disk space and IIS logs to ensure that a hacker isn’t attempting to gain
unauthorized access.
. Use logging not only to review IIS security, but also to assist with maintenance and
troubleshooting.
ptg
IN THIS CHAPTER
Server-Level Security
. Defining Windows Server 2008
R2 Security
. Deploying Physical Security
. Using the Integrated Windows
Firewall with Advanced Security
. Hardening Server Security
. Examining File-Level Security
The term Microsoft security was long considered, whether
. Additional Security Mechanisms
