Process for Securing Web Sites and Applications

28. April 2010

The following quick-start guide provides a detailed overview of how to configure security for IIS 6.0.


Reduce the Attack Surface of the Web Server


1. Enable only essential Windows Server 2003 components and services.

2. Enable only essential IIS 6.0 components and services.

3. Enable only essential Web service extensions.

4. Enable only essential Multipurpose Internet Mail Extensions (MIME) types.

5. Configure Windows Server 2003 security settings.


Prevent Unauthorized Access to Web Sites and Applications

1. Store content on a dedicated disk volume.

2. Set IIS Web site permissions.

3. Set IP address and domain name restrictions.

4. Set the NTFS file system permissions.


Isolate Web Sites and Applications

1. Evaluate the effects of impersonation on application compatibility:

   - Identify the impersonation behavior for ASP applications.

   - Select the impersonation behavior for ASP.NET applications.

2. Configure Web sites and applications for isolation.


Configure User Authentication

1. Configure Web site authentication:

   - Select the Web site authentication method.

   - Configure the Web site authentication method.

2. Configure File Transfer Protocol (FTP) site authentication.


Encrypt Confidential Data Exchanged with Clients

1. Use Secure Sockets Layer (SSL) to encrypt confidential data.

2. Use Internet Protocol security (IPSec) or a virtual private network (VPN) for remote administration.


Maintain Web Site and Application Security

1. Obtain and apply current security patches.

2. Enable Windows Server 2003 security logs.

3. Enable file access auditing for Web site content.

4. Configure IIS logs.

5. Review security policies, processes, and procedures.

Note: To secure the Web sites and applications in a Web farm, use the process described in this chapter to configure security for each server in the Web farm.

Reducing the Attack Surface of the Web Server

Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker.


Preventing Unauthorized Access to Web Sites and Applications


Each Web site and application in IIS 6.0 and Windows Server 2003 is stored as a grouping of folders and files. Unauthorized access to, or modification of, these files and folders can present a serious breach of security. You must ensure that only authorized users can access or modify the Web sites and applications that are hosted on your Web server.



Author: Aamir Hasan

ALL, IIS 6

Configuring Websites in Windows .NET Server/IIS 6.0

1. January 2010

For the original content, see "Creating a virtual directory on Windows 2003 Server":
http://www.startvbdotnet.com/aspsite/extras/virtualdirectory.aspx


Author: Aamir Hasan

ALL, IIS, IIS 6

Force IE7 Compatibility Mode in IE8

30. December 2009

Force IE8 into IE7 compatibility mode using a meta tag in the document head.

This tag needs to be the first element in the <head> (before any CSS):

<meta http-equiv="X-UA-Compatible" content="IE=7" />


IIS 6

Go to the website, bring up the properties for it, and click on the HTTP Headers tab.

 

[Image: HTTP Headers tab of an IIS 6 Website]

 

Then, add a new header as below:

[Image: Add custom HTTP Header]

 

IIS 7

IIS 7 is much the same. Just go to the site and click on "HTTP Response Headers".

 

[Image: IIS 7 Website Properties, IIS Section]

Then, just add the header:

[Image: Add custom HTTP Header]

Incidentally, this just sets a value in the web.config, as below:

 

[Image: the resulting web.config entry]

More later - jv


Author: Aamir Hasan

ALL, asp.net, Web.Config, HTML, IIS, IIS 6, IIS 7, TIPS

Custom Http Handlers

17. December 2009


Web.config for Test site
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Route requests for studentacad.aamirhasan to the Writer class in the
           CustomHandler assembly (bin\CustomHandler.dll). The form that the
           handler emits posts back to the same path, so POST has to be allowed
           as well as GET; with GET alone the postback finds no handler.
           On IIS 6.0 the .aamirhasan extension must additionally be mapped to
           aspnet_isapi.dll in the site's application mappings, otherwise IIS
           never hands the request to ASP.NET and this entry is never consulted. -->
      <add verb="GET,POST" path="studentacad.aamirhasan" type="CustomHandler.Writer, CustomHandler" />
    </httpHandlers>
  </system.web>
</configuration>



CustomHandler.Writer Class Source Code
using System;
using System.Web;

namespace CustomHandler
{
    // Minimal IHttpHandler: every request routed to it by web.config gets the
    // same fixed HTML page. Nothing from the request is written into the
    // response, so there is no output-encoding concern in this version.
    public class Writer : IHttpHandler
    {
        public void ProcessRequest(HttpContext oContext)
        {
            oContext.Response.Write("<HTML>");
            oContext.Response.Write("<HEAD>");
            oContext.Response.Write("<title>WebForm1</title>");
            oContext.Response.Write("</HEAD>");
            oContext.Response.Write("<body>");
            // The form posts back to the handler's own path, so the web.config
            // mapping has to accept POST for the round trip to work.
            oContext.Response.Write("<form name='Form1' method='post' action='studentacad.aamirhasan' id='Form1'>");
            oContext.Response.Write("<input name='TextBox1' type='text' value='text textbox value' id='TextBox1' >");
            oContext.Response.Write("</form>");
            oContext.Response.Write("</body>");
            oContext.Response.Write("</HTML>");
        }

        // The handler holds no per-request state, so one instance can serve
        // concurrent requests.
        public bool IsReusable { get { return true; } }
    }
}



Writer.ashx Source Code
<%@ WebHandler Language="C#" Class="CustomHandler.Writer" %>
// Same handler as a stand-alone .ashx file. Because the class lives in the
// CustomHandler namespace, the Class attribute has to name it fully
// qualified; a bare "Writer" would not be found. The .ashx extension is
// already mapped to ASP.NET, so no httpHandlers entry in web.config and no
// extra IIS script map is needed for this form.
using System;
using System.Web;

namespace CustomHandler
{
    public class Writer : IHttpHandler
    {
        public void ProcessRequest(HttpContext oContext)
        {
            oContext.Response.Write("<HTML>");
            oContext.Response.Write("<HEAD>");
            oContext.Response.Write("<title>WebForm1</title>");
            oContext.Response.Write("</HEAD>");
            oContext.Response.Write("<body>");
            oContext.Response.Write("<form name='Form1' method='post' action='studentacad.aamirhasan' id='Form1'>");
            oContext.Response.Write("<input name='TextBox1' type='text' value='text textbox value' id='TextBox1' >");
            oContext.Response.Write("</form>");
            oContext.Response.Write("</body>");
            oContext.Response.Write("</HTML>");
        }

        public bool IsReusable { get { return true; } }
    }
}
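The handler above emits a form that posts back to its own path but never reads what comes back. The following is an added example, not code from the post: a variant that does read the posted TextBox1 value and re-displays it, which is the point at which output encoding becomes necessary. The class name SafeWriter is an assumption; it is registered in web.config exactly like Writer, and TextBox1 is the field name from the post's own form.

```csharp
using System;
using System.Web;

namespace CustomHandler
{
    // Added example (not from the post): a Writer variant that echoes the value
    // posted back from TextBox1. The name SafeWriter is an assumption; register
    // it in web.config the same way as Writer.
    public class SafeWriter : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            HttpRequest request = context.Request;
            HttpResponse response = context.Response;

            // State the content type and charset explicitly, and tell the browser
            // not to sniff a different one from the body.
            response.ContentType = "text/html; charset=utf-8";
            response.AddHeader("X-Content-Type-Options", "nosniff");

            // Everything the original handler wrote was a fixed string, so it had
            // no injection risk. Request data written into the page must be
            // encoded for the context it lands in; here that is a double-quoted
            // HTML attribute, so HtmlAttributeEncode is the right encoder.
            string posted = request.Form["TextBox1"] ?? string.Empty;
            string safeValue = HttpUtility.HtmlAttributeEncode(posted);

            response.Write("<!DOCTYPE html><html><head><title>WebForm1</title></head><body>");
            response.Write("<form name=\"Form1\" method=\"post\" action=\"studentacad.aamirhasan\" id=\"Form1\">");
            response.Write("<input name=\"TextBox1\" type=\"text\" value=\"" + safeValue + "\" id=\"TextBox1\" />");
            response.Write("<input type=\"submit\" value=\"Send\" />");
            response.Write("</form></body></html>");
        }

        // True is correct here: the handler keeps no per-request state in fields,
        // so ASP.NET may hand the same instance to concurrent requests.
        public bool IsReusable { get { return true; } }
    }
}
```

The attribute is double-quoted on purpose: HttpUtility.HtmlAttributeEncode is guaranteed to encode the double quote, so the posted value cannot close the attribute and start a new one. If the class is deployed as an .ashx instead of a compiled assembly, the directive becomes Class="CustomHandler.SafeWriter" and the web.config mapping is not needed.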


Author: Aamir Hasan

ALL, asp.net, Web.Config, asp.net 4.0, IIS, IIS 6

Setting Connection Timeouts (IIS 6.0)

8. December 2009

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/44ebc761-ac76-4b44-8894-551c9315af6c.mspx?mfr=true


Author: Aamir Hasan

ALL, IIS 6


