November 2001

IIS 101: Protecting Your Web Servers


When you run a public Web site on the Internet, you open yourself up to hackers, crackers, corporate spies, and the like who see you as a potential target. The only 100 percent foolproof way to avoid Web site attacks—staying off the Internet—doesn't let you provide good customer service. So, how do you stay online while minimizing your risks? You need to protect your site.

When you set up IIS on the Internet, you make more than just a Web site accessible. For example, IIS 4.0 installs the FTP service with anonymous logons enabled by default, and the SMTP service might also be running and publicly reachable. The key to limiting risk is minimizing the number of ways in which an attacker can reach your server. Companies today use many tactics to do so, including firewalls and proxy servers.

Protect by Blocking Access
You can protect your IIS server without having to make configuration changes on the server machine. For example, you can use firewalls or proxy servers that allow access only on certain ports. Some firewalls and proxy servers even inspect the traffic on those ports to ensure that it consists of valid Web requests. You simply place your IIS server behind one of these firewall packages, then let the firewall do the work of blocking access. If someone from outside can reach your server only through port 80, you've immediately narrowed the methods such users have to get in to your server. Keep in mind, however, that the firewall passes port 80 traffic through to IIS, so it does nothing against an attack carried in a well-formed HTTP request; those you must still address on the server itself.
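The quickest way to confirm that the firewall really narrows access to port 80 (and 443, if you serve HTTPS) is to probe the server from a machine outside the firewall. The following PowerShell script is an added example, not code from the article; the server name, the list of ports to probe, and the set of ports you expect to be open are assumptions you should replace with your own.

```powershell
# Added example (not from the original article): probe a Web server from a
# host outside the firewall and confirm that only the intended ports answer.
# $Server, $ExpectedOpen and $Probe are assumptions for illustration.
param(
    [string]$Server = 'www.example.com',                     # hypothetical target
    [int[]]$ExpectedOpen = @(80, 443),                       # ports the firewall should pass
    [int[]]$Probe = @(21, 25, 80, 135, 139, 443, 445, 3389)  # FTP, SMTP, HTTP, RPC, NetBIOS, HTTPS, SMB, RDP
)

function Test-Port {
    # Returns $true if a TCP connection to $HostName:$Port completes within $TimeoutMs.
    # A firewall that drops packets shows up as a timeout; a closed port as a refusal.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$unexpected = @()
foreach ($port in $Probe) {
    $open = Test-Port -HostName $Server -Port $port
    $status = if ($open) { 'OPEN' } else { 'filtered/closed' }
    '{0,5}  {1}' -f $port, $status
    if ($open -and ($ExpectedOpen -notcontains $port)) { $unexpected += $port }
}

if ($unexpected.Count -gt 0) {
    Write-Warning ('Ports reachable that the firewall should block: ' + ($unexpected -join ', '))
} else {
    Write-Host "Only the expected ports answered: $($ExpectedOpen -join ', ')"
}
```

Run it from outside the firewall (a dial-up or a hosted machine, for instance); run from the internal network it tells you only what the server itself exposes, not what the firewall lets through.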

Of course, running a firewall or proxy server has drawbacks. You need the added knowledge required to run it. Also, you must remember that adding a firewall or proxy server doesn't negate the need for constant updates on security holes; the firewall itself is software that has vulnerabilities. In addition to checking Microsoft's site, you need to check your firewall or proxy server vendor's Web site.

Firewalls and proxy servers are different. Internal users can access the Internet through either, but firewalls analyze all inbound and outbound traffic across a connection and allow or disallow it based on a rule set that you put in place. Proxy servers offer limited firewall capabilities, but their main focus is usually on managing outbound rather than inbound traffic. Microsoft's new Internet Security and Acceleration (ISA) Server 2000, the next generation of Microsoft Proxy Server, combines proxy server features with firewall functionality. (You can find information about ISA Server at http://www.microsoft.com/isaserver.) A firewall can be either a hardware solution in the form of a network device, such as the Cisco Secure PIX 500 series, or a software package, such as Check Point FireWall-1, that runs on a server.

As an added security measure, lock down the server so that only the services it actually needs are running, thereby reducing the number of possible holes. For example, if you don't require services such as SMTP, FTP, or Microsoft FrontPage Server Extensions, disable or uninstall them. A service that isn't running can't be exploited, no matter what vulnerability is found in it next month.
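Before you disable anything, find out what the host is actually listening on; the listening ports tell you which services are exposed, and the service list tells you what to turn off. The script below is an added example, not code from the article. It uses the `Get-NetTCPConnection` cmdlet, which requires Windows Server 2012 or later (on the NT 4.0 and Windows 2000 hosts the article discusses, `netstat -an` and the Services MMC snap-in give the same information). The IIS service names MSFTPSVC (FTP) and SMTPSVC (SMTP) are real, but which services you disable is an assumption: this example assumes the host serves HTTP only.

```powershell
# Added example (not from the original article): list what this IIS host is
# listening on, then stop and disable the IIS services the site does not need.
# $Unneeded is an assumption (an HTTP-only server); adjust it for your site.
param([switch]$WhatIf)   # -WhatIf reports what would change without changing it

# 1. Inventory: every listening TCP port and the process behind it.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '?' }
        }
    } | Format-Table -AutoSize

# 2. Lock down: stop and disable services the site does not require.
#    MSFTPSVC = IIS FTP service, SMTPSVC = IIS SMTP service (W3SVC is the Web service; keep it).
$Unneeded = @('MSFTPSVC', 'SMTPSVC')
foreach ($name in $Unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "$name is not installed"; continue }
    if ($WhatIf) { "Would stop and disable $name (currently $($svc.Status))"; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled    # survives a reboot, unlike a plain stop
    "$name stopped and disabled"
}

# FrontPage Server Extensions are a Windows component rather than a service:
# remove them through Add/Remove Programs (Windows Components), not here.
```

Run the script once with `-WhatIf` and compare the port inventory against what your site needs; anything listening that you can't account for is either a service to disable or something that deserves a closer look. Disabling the startup type matters because a service that is merely stopped comes back at the next reboot.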

Know Your System's Vulnerabilities
Far more important than the method of protection you choose is your awareness of your system's vulnerabilities. To keep up-to-date with patches, service packs, and security tools, be sure to check Microsoft's one-stop shop for IIS administrators at http://www.microsoft.com/technet/security/website/web.asp. In particular, the administration portion of this site has a lot of information about locking down your server and limiting the number of services available on public servers. For IIS 5.0, the Windows 2000 Internet Server Security Configuration Tool automatically makes changes on your system to help lock down the server and limit potential risks. (Be sure to test any template you plan to use from this tool in a nonproduction environment to make sure your security settings still let your server complete its required tasks; a lockdown template that disables a component your site depends on fails just as visibly as an attack does.)

What's the Best Solution?
After you've learned the basics about firewalls and proxy servers, how do you decide what's right for you? I highly recommend that you use the Internet to research the products available to you and evaluate how each one matches your network's needs and your budget for protecting your Web server.




Reader Comments
I just wonder if a valid, "client/browser"-recognized certificate can be obtained for testing only, without any cost. I need to do some client-side testing with a valid CA (i.e., VeriSign).

I know that an M.S. one can be generated and used, but you run into problems with various browsers not liking the imported CA. It seems a waste to purchase one from VeriSign just to test.

PS: I heard that you can obtain a trial SSL cert from VeriSign. Is this true?

Can anyone help?

Anthony Consiglio November 02, 2001


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.