
securitywing

IIS Security Settings

by wing

What a given version of IIS can do is determined by the modules and features installed on it. If you are just learning IIS, take a closer look at IIS Manager on your server before reading this article, and then go through the following instructions. To secure your IIS server you need to take some extra care with the following settings:

  1. IIS authentication
  2. IPv4 and domain rules
  3. ISAPI and CGI restrictions
  4. Request filtering
  5. Configuration for shared hosting sites
  6. URL authorization on your server

For a higher level of security, concentrate on the following:

  1. Server certificates
  2. Implement SSL

Note: These settings apply to IIS version 7 or higher.

[Figure: IIS installation checklist]

IIS authentication

By default IIS allows every user to access your web pages unless you disable the anonymous account. If you want to make your website accessible only to those who have been authorized, click on Authentication in the “Features View” section and then select Anonymous Authentication. From the Actions menu on the right pane, click Edit, check “Specific user” and click “Set”. Now enter the user name and password of the account that will be used to access your website; remember that this user needs to be an Active Directory user. Otherwise keep the anonymous account enabled to allow everyone to view your website, which is the case for all public websites. For intranet users to access your website, the best practice is to create a group for anonymous users and deny this group access to your web resources.

Another noteworthy IIS authentication feature is authenticating users with NTLM or Kerberos. You can set this option from “Windows Authentication” under the Authentication module in the Features View of IIS Manager.
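The same two changes the article walks through in IIS Manager (turn anonymous access off, turn Windows authentication on) can be scripted so they are repeatable and auditable. The following is an added example and not code from the article; it assumes IIS 7 or later with the WebAdministration module and the Windows Authentication role service installed, and a site named "Default Web Site" (an assumed name).

```powershell
# Added example, not from the article. Assumes IIS 7 or later with the
# WebAdministration module and the Windows Authentication role service
# installed, and a site named "Default Web Site" (assumed name).
Import-Module WebAdministration

$site = "Default Web Site"
$auth = "/system.webServer/security/authentication"

# Writing with -PSPath "IIS:\" and -Location stores the change in a <location>
# block of applicationHost.config, so it works even though the authentication
# sections are locked against delegation to web.config by default.

# 1. Disable anonymous access: unauthenticated clients now get 401 instead of content.
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name "enabled" -Value $false

# 2. Enable Windows authentication (Kerberos or NTLM, negotiated per request).
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site `
    -Filter "$auth/windowsAuthentication" -Name "enabled" -Value $true

# 3. Check the provider order. "Negotiate" listed before "NTLM" lets domain
#    clients use Kerberos and only fall back to NTLM when they must.
Get-WebConfiguration -PSPath "IIS:\" -Location $site `
    -Filter "$auth/windowsAuthentication/providers/add" |
    Select-Object -ExpandProperty value

# 4. Verify that both flags ended up where we want them.
$anon = (Get-WebConfiguration -PSPath "IIS:\" -Location $site -Filter "$auth/anonymousAuthentication").enabled
$win  = (Get-WebConfiguration -PSPath "IIS:\" -Location $site -Filter "$auth/windowsAuthentication").enabled
if ($anon -or -not $win) { throw "Authentication is not configured as intended" }
"Site '$site': anonymous=$anon windows=$win"
```

Run it from an elevated PowerShell session on the web server. If you instead want the article's “Specific user” variant, the `userName` and `password` attributes of the same `anonymousAuthentication` element can be set with `Set-WebConfigurationProperty` in the same way.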

[Figure: IIS authentication]

IPv4 and domain restriction

This feature of IIS is one of the most easily understood, yet sophisticated, ways to control access to your website and servers from the outside world. By controlling IP addresses you can determine who can reach your server or the content on your site. There are several levels at which you can apply restrictions to your web content and servers. The levels are:

  • Web server
  • Site
  • Application
  • Virtual and physical directories
  • File

To enable IP and domain restrictions on your server you need to install a piece of software or code commonly known as a module, which can be enabled at the web server, site or even application level. One such module that you can install in IIS is IpRestrictionModule. Besides modules, there is another type of code, known as handlers, which you can enable at any level.

For instance, suppose you want to block the IP address 10.10.10.10 from reaching your web server. To implement this restriction, open IIS Manager and click on IPv4 Address and Domain Restrictions in the Features View. Next, click Add Deny Entry in the Actions pane, select “Specific IP address”, type the IP address and then click OK. If you need to block a range of IP addresses, select “IP address range” instead.
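The deny entry for 10.10.10.10 and the range variant described above can also be written to the site's `ipSecurity` section from PowerShell. This is an added example, not code from the article; it assumes IIS 7 or later with the IP and Domain Restrictions role service (IpRestrictionModule) installed, a site named "Default Web Site", and the range 203.0.113.0/24, which is a constructed sample network.

```powershell
# Added example, not from the article. Assumes IIS 7 or later with the
# "IP and Domain Restrictions" role service (IpRestrictionModule) installed
# and a site named "Default Web Site" (assumed name).
Import-Module WebAdministration

$site   = "Default Web Site"
$filter = "/system.webServer/security/ipSecurity"

# Helper: add one allow/deny entry at the site level. A missing subnet mask
# means a single host. Entries are written to applicationHost.config
# (-PSPath "IIS:\" with -Location), which is why the ipSecurity section,
# locked against web.config delegation by default, can be edited here.
function Add-IpRule {
    param([string]$Address, [string]$Mask, [bool]$Allowed)
    $entry = @{ ipAddress = $Address; allowed = $Allowed }
    if ($Mask) { $entry.subnetMask = $Mask }
    Add-WebConfigurationProperty -PSPath "IIS:\" -Location $site `
        -Filter $filter -Name "." -Value $entry
}

# The article's case: deny the single host 10.10.10.10.
Add-IpRule -Address "10.10.10.10" -Allowed $false

# A range, expressed as network address plus subnet mask
# (constructed sample: 203.0.113.0/24).
Add-IpRule -Address "203.0.113.0" -Mask "255.255.255.0" -Allowed $false

# Going beyond the article: for an intranet-only site you can flip the default
# to deny and list only the networks that should get in (constructed: 192.0.2.0/24).
# Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter $filter -Name "allowUnlisted" -Value $false
# Add-IpRule -Address "192.0.2.0" -Mask "255.255.255.0" -Allowed $true

# List the rules now in effect for the site.
Get-WebConfiguration -PSPath "IIS:\" -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Denied clients receive a 403.6 response, which is easy to pick out in the site's W3C logs when checking that the rule is doing its job.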

[Figure: IPv4 Address and Domain Restrictions]

Configuring URL Authorization

This feature is more valuable for restricting intranet users than Internet users, because it lets the web administrator authorize a specific group of users to access your web content. For instance, you may have some content on your web server that should be viewed only by the HR department and not by members of other departments. To apply an authorization rule to a group, click on Authorization Rules and then open Add Allow Rule from the Actions pane. Next, select the specified users or group that you want to allow access to your web content. Similarly, you can block a specific group by using Add Deny Rule in the Actions pane. Remember that the user groups you allow or deny are the groups in the Active Directory of your Windows server, not Internet users from external networks.
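The HR-only folder from the paragraph above, done as an added example rather than the article's own steps. It assumes IIS 7 or later with the URL Authorization role service installed (the `Web-Url-Auth` feature), Windows authentication already enabled for the site, a site named "Default Web Site" with a folder "hr" beneath it, and the Active Directory groups CONTOSO\HR-Staff and CONTOSO\Contractors; all of these names are assumed.

```powershell
# Added example, not from the article. Assumes IIS 7 or later with the
# URL Authorization role service installed (Install-WindowsFeature Web-Url-Auth),
# Windows authentication already enabled for the site, a site named
# "Default Web Site", a folder "hr" beneath it, and the Active Directory groups
# CONTOSO\HR-Staff and CONTOSO\Contractors (all assumed names).
Import-Module WebAdministration

$location = "Default Web Site/hr"
$filter   = "/system.webServer/security/authorization"

# The server-level default is <add accessType="Allow" users="*" />. Remove that
# inherited rule for this folder so only the rules listed below apply; a user
# who matches no rule is then refused with 401.2. (The three attributes are the
# collection's key; matching on all of them is assumed to select the default rule.)
Remove-WebConfigurationProperty -PSPath "IIS:\" -Location $location `
    -Filter $filter -Name "." -AtElement @{ users = "*"; roles = ""; verbs = "" }

# Allow the HR group. Group names are resolved against Active Directory, so this
# only works for authenticated domain users, as the article notes.
Add-WebConfigurationProperty -PSPath "IIS:\" -Location $location `
    -Filter $filter -Name "." -Value @{ accessType = "Allow"; roles = "CONTOSO\HR-Staff" }

# Explicitly deny a second group, matching the article's "Add Deny Rule".
Add-WebConfigurationProperty -PSPath "IIS:\" -Location $location `
    -Filter $filter -Name "." -Value @{ accessType = "Deny"; roles = "CONTOSO\Contractors" }

# Show the effective rules for the folder.
Get-WebConfiguration -PSPath "IIS:\" -Location $location -Filter "$filter/add" |
    Select-Object accessType, users, roles, verbs
```

URL authorization only makes sense once anonymous access is off for the location; with anonymous authentication still enabled every visitor is the anonymous account and no group rule can match them.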

Configure SSL on IIS

Without certificates you cannot implement SSL on your web server. In IIS 7.5 you can implement two types of SSL certificate: an Internet server certificate and a domain server certificate. You need an Internet server certificate only if you want your website to go public rather than serving only your intranet or extranet. This solution requires you to get a certificate from a third-party CA such as VeriSign so that users can trust it; otherwise it won't serve the main purpose of SSL, which is trust in your server. You can easily implement a domain server certificate for your client-server setup, where one of your servers acts as the CA, or certificate authority. For SSL configuration go to Server Certificates and then click Create Certificate Request for Internet server certificates. To implement SSL in your domain, use the “Create Domain Certificate” option.
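Both certificate paths the article describes start from the same certificate request; only where the request is submitted differs. The following is an added example, not the article's procedure: it assumes a domain-joined IIS 7.5 or later server with the WebAdministration module, a site named "Default Web Site", the host name www.contoso.example, a working folder C:\certs, and an enterprise CA reachable as ca01.contoso.example\Contoso-CA that issues the built-in "WebServer" template. All of those are assumed placeholder values.

```powershell
# Added example, not from the article. Assumes a domain-joined IIS 7.5+ server,
# the WebAdministration module, a site named "Default Web Site", the host name
# www.contoso.example, a working folder C:\certs, and an enterprise CA reachable
# as ca01.contoso.example\Contoso-CA with the built-in "WebServer" template
# (all assumed placeholder values).
Import-Module WebAdministration

$site     = "Default Web Site"
$hostName = "www.contoso.example"
$work     = "C:\certs"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Build a certificate request. The private key is generated in the machine
#    store and marked non-exportable; only the CSR ever leaves the server.
@"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$work\$hostName.inf"

certreq -new "$work\$hostName.inf" "$work\$hostName.req"

# 2a. Internet server certificate: send the .req file to the third-party CA and
#     save the certificate it returns as "$work\$hostName.cer".
# 2b. Domain server certificate: submit straight to the enterprise CA instead.
certreq -submit -config "ca01.contoso.example\Contoso-CA" `
    -attrib "CertificateTemplate:WebServer" "$work\$hostName.req" "$work\$hostName.cer"

# 3. Install the issued certificate; certreq pairs it with the pending private key.
certreq -accept "$work\$hostName.cer"

# 4. Bind the newest matching certificate to the site on port 443.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My" }

if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    $cert | New-Item -Path "IIS:\SslBindings\0.0.0.0!443" | Out-Null
}

# 5. Require SSL for the site so the certificate actually protects the traffic.
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site `
    -Filter "/system.webServer/security/access" -Name "sslFlags" -Value "Ssl"
```

Step 5 is the one most often forgotten after a certificate is installed: without it the site still answers on port 80 and the certificate protects only those visitors who happen to type https.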

[Figure: server certificate]

ISAPI and CGI Restrictions

You might consider not using the following ISAPI filters to increase IIS security:

  • Sspifilt
  • Compression
  • Md5filt
  • Fpexdll.dll

You can edit ISAPI settings from the Features View of IIS Manager.

You can find some useful information about ISAPI on Microsoft's TechNet blog.
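A scripted way to apply the ISAPI and CGI restrictions this section covers: lock the restriction list to an allow-list, review what is still permitted, and remove any of the filters named above if they are loaded. This is an added example and not code from the article; it assumes IIS 7 or later with the WebAdministration module, and the filter names it checks are the ones listed in the article.

```powershell
# Added example, not from the article. Assumes IIS 7 or later with the
# WebAdministration module; these settings are server-wide.
Import-Module WebAdministration

# 1. Refuse any ISAPI extension or CGI program that is not explicitly listed
#    and allowed in the ISAPI and CGI Restrictions feature.
$restrict = "/system.webServer/security/isapiCgiRestriction"
Set-WebConfigurationProperty -PSPath "IIS:\" -Filter $restrict -Name "notListedIsapisAllowed" -Value $false
Set-WebConfigurationProperty -PSPath "IIS:\" -Filter $restrict -Name "notListedCgisAllowed"  -Value $false

# 2. Review what remains permitted (on a plain ASP.NET server usually only aspnet_isapi.dll).
Get-WebConfiguration -PSPath "IIS:\" -Filter "$restrict/add" |
    Select-Object description, path, allowed

# 3. Remove the ISAPI filters the article lists if any of them is loaded. The
#    names come from the article; on a stock IIS 7+ install the filter list is
#    usually empty, so nothing is removed unless one of them is actually present.
$unwanted  = @("Sspifilt", "Compression", "Md5filt", "Fpexdll.dll")
$installed = Get-WebConfiguration -PSPath "IIS:\" -Filter "/system.webServer/isapiFilters/filter"
foreach ($f in $installed) {
    $match = $unwanted | Where-Object { $f.name -like "*$_*" -or $f.path -like "*$_*" }
    if ($match) {
        "Removing ISAPI filter '$($f.name)' ($($f.path))"
        Remove-WebConfigurationProperty -PSPath "IIS:\" -Filter "/system.webServer/isapiFilters" `
            -Name "." -AtElement @{ name = $f.name }
    }
}
```

Step 1 is the part worth keeping in a build script: with `notListedIsapisAllowed` and `notListedCgisAllowed` both false, a DLL or executable dropped into a web folder does not run until an administrator deliberately lists it.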

Request Filtering configuration

This is one of the most useful ways to protect your website from being scanned or probed with injected code or strings by anyone with malicious intent. With request filtering you set up rules for query strings, URLs, HTTP verbs, headers and hidden segments. For request filtering to work you need RequestFilteringModule installed on your IIS server; normally this module is installed by default during installation.
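Each rule type named above (limits on URL and query string, verbs, hidden segments, file extensions, query string sequences) maps to one sub-element of the site's `requestFiltering` section. The following is an added example, not code from the article; it assumes IIS 7.5 or later with the WebAdministration module and RequestFilteringModule installed, a site named "Default Web Site", and a folder named App_Secrets. The limit values are illustrative choices, not a recommended standard.

```powershell
# Added example, not from the article. Assumes IIS 7.5 or later with the
# WebAdministration module and RequestFilteringModule installed, and a site
# named "Default Web Site" (assumed). The limits are illustrative, not a standard.
Import-Module WebAdministration

$site = "Default Web Site"
$rf   = "/system.webServer/security/requestFiltering"

# Small helpers so each rule below is one line: set an attribute on a sub-element,
# or add an entry to one of the collections.
function Set-RF([string]$Sub, [string]$Name, $Value) {
    $f = if ($Sub) { "$rf/$Sub" } else { $rf }
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter $f -Name $Name -Value $Value
}
function Add-RF([string]$Sub, [hashtable]$Entry) {
    Add-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter "$rf/$Sub" -Name "." -Value $Entry
}

# Size limits: oversized URLs, query strings and bodies are rejected by IIS
# with 404.14, 404.15 and 404.13 respectively, before any handler runs.
Set-RF "requestLimits" "maxUrl"                  2048
Set-RF "requestLimits" "maxQueryString"          1024
Set-RF "requestLimits" "maxAllowedContentLength" 10485760   # 10 MB

# Encoding rules: reject double-encoded and non-ASCII request paths.
Set-RF "" "allowDoubleEscaping"    $false
Set-RF "" "allowHighBitCharacters" $false

# HTTP verbs: deny TRACE. Unlisted verbs stay allowed unless allowUnlisted is changed.
Add-RF "verbs" @{ verb = "TRACE"; allowed = $false }

# Hidden segments: a folder that must never be served directly (assumed name).
Add-RF "hiddenSegments" @{ segment = "App_Secrets" }

# File extensions: stop editor and backup leftovers from being downloadable.
Add-RF "fileExtensions" @{ fileExtension = ".bak"; allowed = $false }

# Query string sequences that have no business in this site's URLs.
Add-RF "denyQueryStringSequences" @{ sequence = "<script" }

# Print the effective limits so the change can be confirmed.
Get-WebConfiguration -PSPath "IIS:\" -Location $site -Filter "$rf/requestLimits" |
    Select-Object maxUrl, maxQueryString, maxAllowedContentLength
```

Requests blocked by these rules are logged with the 404 sub-status codes noted in the comments, so a spike of 404.13 or 404.15 entries in the site log is a useful early sign that something is probing the server.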

Microsoft also has a good collection of IIS-related guides that you can find in the Configuring Web Server section of TechNet.



Copyright © 2010-2025 ·All Rights Reserved · SecurityWing.com