
Windows 2000 Server and Internet Information Server 5.0 Security

In document Hack Proofing Your E Commerce Site pdf (Page 195-200)

In setting up IIS, you will need to remember that certain configurations should be made both to IIS and to the Windows 2000 Server used to host your site. You should look at the account used for anonymous connections and ensure that it is properly configured to your needs. You should also determine whether other configurations to the server, its groups, and accounts are necessary.

Active Directory Users and Computers (another MMC snap-in) must be used to configure accounts on a Windows 2000 Server. When IIS is installed, an account called IUSR_computername is automatically created (where computername stands for the name of your server). This is the account used by anonymous users of the Web server and is automatically added when IIS is installed. You will want to modify this account and limit the access it has to resources on your network.

Figure 3.4 HTML Version of Internet Services Manager Accessed

1. To modify the IUSR_computername account, you will need to open Active Directory Users and Computers. You can open this tool by starting MMC. Click on Run on the Windows Start menu, type MMC, and then click OK.

2. From the Console menu of MMC, click on the item called Add/Remove Snap-in to display a new dialog box. Click Add to display a list of available snap-ins and then select the item called Active Directory Users and Computers.

3. Click Add to add this snap-in, click Close to return to the previous dialog box, and then click OK to confirm. Active Directory Users and Computers now appears in the MMC console.

4. In the left pane of the console, you need to open the folder identifying your server to view another folder called USERS. This is the folder in which the IUSR_computername account has been created. When you select the Users folder, a list of user accounts appears in the right pane of the console.

5. Double-clicking on the IUSR_computername account displays its properties, which you can then configure.

6. As shown in Figure 3.5, this dialog box provides a number of tabs that allow you to modify the account, including the account's ability to access resources. The Account tab is particularly important because it allows you to set whether Kerberos preauthentication is required, set password settings, disable the account, set the hours during which the account can log onto the server, and so forth. The Member Of tab is another important area of configuration, as this allows you to set what groups this user account is a member of. By assigning permissions to groups and then adding user accounts to those groups, it is easier to manage large numbers of users.

Regardless of the operating system or Web server software being used, a secure server will have strict policies for user rights and permissions. You should never give a user the ability to access more than what they need, because doing so will create a hole in your security measures.

This means removing the ability for the anonymous user (and many other user accounts) to write to files in the directory containing scripts, applets, and HTML documents. If users are able to modify these files, they can vandalize Web pages or hack your Web server. When assigning permissions, you should also use the strongest file system possible. In terms of Windows NT and Windows 2000, you should use NTFS as your file system. This will allow you to control access to individual files and folders on your server.
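The following PowerShell script is an added example for this section and is not code from the book. It checks the two things the text asks for: that the anonymous account (assumed here to follow the IUSR_computername convention the chapter describes) is not a member of any privileged local group, and that no NTFS ACE in the content tree grants it, or a catch-all principal such as Everyone, the ability to write or delete. The content path C:\Inetpub\wwwroot is a placeholder for your own site directory, and the Get-LocalUser and Get-LocalGroupMember cmdlets assume Windows PowerShell 5.1 on a current Windows host, not Windows 2000 itself.

```powershell
# Added example, not from the book: audit the IIS anonymous account for least privilege.
# Assumptions (not stated in the text): the account follows the IUSR_<computername>
# convention the chapter describes, C:\Inetpub\wwwroot is a placeholder for the site's
# content root, and the script runs elevated on a current Windows host with Windows
# PowerShell 5.1 (Get-LocalUser/Get-LocalGroupMember do not exist on Windows 2000).

function Test-AnonymousWebAccount {
    param(
        [string]$AnonymousAccount = "IUSR_$env:COMPUTERNAME",
        [string]$WebRoot = 'C:\Inetpub\wwwroot',
        [switch]$Fix    # also remove the explicit (non-inherited) write ACEs the audit flags
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The account IIS uses for anonymous requests must exist as a local account.
    $user = Get-LocalUser -Name $AnonymousAccount -ErrorAction SilentlyContinue
    if (-not $user) {
        $findings.Add("Local account '$AnonymousAccount' not found; check the name IIS is configured to use.")
    }

    # 2. Member Of: the anonymous account should belong to no privileged local group.
    $privilegedGroups = 'Administrators', 'Power Users', 'Backup Operators', 'Remote Desktop Users'
    foreach ($group in $privilegedGroups) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$AnonymousAccount" }) {
            $findings.Add("'$AnonymousAccount' is a member of '$group'; remove it on the Member Of tab.")
        }
    }

    # 3. NTFS: no Allow ACE on the content tree may grant write, delete or ownership
    #    rights to the anonymous account or to a broad principal that includes it.
    $anyWrite = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                [System.Security.AccessControl.FileSystemRights]::TakeOwnership
    $watched = @("$env:COMPUTERNAME\$AnonymousAccount", 'Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

    $dirs = @(Get-Item -Path $WebRoot) +
            @(Get-ChildItem -Path $WebRoot -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        $toRemove = @()
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($watched -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$anyWrite) -eq 0) { continue }
            $note = if ($ace.IsInherited) { ' (inherited; fix it at the parent folder)' } else { '' }
            $findings.Add("$($dir.FullName): '$($ace.IdentityReference)' is allowed $($ace.FileSystemRights)$note")
            if ($Fix -and -not $ace.IsInherited) { $toRemove += $ace }
        }
        if ($toRemove.Count -gt 0) {
            foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
            Set-Acl -Path $dir.FullName -AclObject $acl
        }
    }
    return $findings
}

# Run the audit; an empty result means the server matches the text's rule for this account.
$result = Test-AnonymousWebAccount
if ($result.Count -eq 0) { 'OK: anonymous account is limited to read access on the content tree.' } else { $result }
```

Inherited ACEs are reported but never removed, because removing them on a child folder has no effect; they have to be corrected on the folder that defines them, which is the same rule the Security tab of the folder's Properties sheet applies.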

In addition to tools used to manage Windows 2000 Server, Internet Information Server 5.0 provides a number of wizards that walk you through the process of setting and maintaining security. These wizards include the Permissions Wizard, the Web Server Certificate Wizard, and the Certificate Trust Lists Wizard. Although tasks performed by using these wizards can also be done manually, the wizards simplify securing your site.

The Permissions Wizard allows you to configure the permissions and authentication used on your Web server. This wizard is used to set what users are able to access in folders on your server, but it is limited to controlling permissions for folders used to publish information to the Internet or intranet. This keeps users from accessing data that is meant to be restricted and should not be published to anonymous users of your site.

1. Start the Permissions Wizard through MMC with the Internet Information Services snap-in. You can do this by selecting your Web or FTP site in the right pane of the console and then clicking on the Permissions Wizard item found in the All Tasks folder on the Action menu. You can also start it through the HTML version of Internet Information Services Manager. To start the wizard here, select the Web or FTP site in the browser window, and then click the Permissions Wizard hyperlink in the left frame of the Web page.

2. The first screen of the Permissions Wizard welcomes you to the wizard. Clicking Next displays the Security Settings screen (Figure 3.6). The first option on this screen allows you to set permissions to be inherited from a parent site or virtual directory. The second option allows you to select new security settings from a template. If you select the first option and click Next, you are informed as to what security settings will be applied and can then click Next again to reach the final screen of the wizard. If you select the second option and click Next, you are asked questions to describe your site.

3. Upon selecting the Select new security settings from a template option and clicking Next, you see the Site Scenario screen. This allows you to pick the scenario that best suits your site. If you choose Public Web Site as a scenario, users will be able to browse content on your site. This applies security settings that are cross-browser compatible. Regardless of the browser being used or whether the user has an account on the site, any user will be able to use your Web site. If Secure Web Site is chosen, then only users with a valid Windows 2000 account will be able to access the site.

4. After choosing the desired selection and clicking Next, you reach the final screen. Click Finish to apply your settings and exit the wizard.

The Web Server Certificate Wizard is used to set up and manage the certificates used on your site. (Although we discuss certificates in greater detail later in this chapter, you should know that certificates are used for authentication: a certificate identifies where the information originated and allows you to exchange data securely.) The wizard allows you to set up an SSL-enabled site so that you can use SSL encryption and client certificate authentication. By using this wizard, you can create and administer the certificates used by your Web server when transferring information between the server and client.

1. Start the Web Server Certificate Wizard through MMC with the Internet Information Services snap-in. By clicking the Server Certificate button on the Directory Security tab of your Web site's Properties sheet, the wizard is launched, showing an initial welcome screen. Clicking Next displays the Server Certificate screen shown in Figure 3.7.

2. Clicking the first option on this screen allows you to create a new certificate, which users of your intranet or Internet site can use. If you have an existing certificate, then you should select the second option. If you wish to import a certificate from a backup file, select the third option.

3. Upon selecting your option, follow through the wizard and then click Finish to apply the settings.
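Whichever of the three wizard options was used, the certificate the server ends up presenting should be checked before the site goes live. The PowerShell function below is an added example for this section, not code from the book or from IIS: it looks up the certificate for a given host name in the local machine's Personal store (where IIS keeps server certificates) and reports anything that would stop it from working as an SSL server certificate. The host name www.example.com is a placeholder, and the Cert: drive properties used (DnsNameList, EnhancedKeyUsageList) assume Windows PowerShell 3.0 or later on a current Windows host, not Windows 2000.

```powershell
# Added example, not from the book: check the server certificate an SSL-enabled site will
# present, whether it was created, assigned or imported through the Web Server Certificate
# Wizard. Assumptions (not stated in the text): the host name is a placeholder, the
# certificate sits in Cert:\LocalMachine\My, and Windows PowerShell 3.0 or later is available.

function Test-WebServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # e.g. 'www.example.com' (placeholder)
        [int]$WarnDays = 30                                # warn when expiry is this close
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: the EKU an SSL server certificate needs
    $now = Get-Date
    $report = @()

    # Match on the subject CN or on any DNS subject alternative name.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        ($_.DnsNameList.Unicode -contains $HostName) -or
        ($_.Subject -match "(^|,\s*)CN=$([regex]::Escape($HostName))(,|$)")
    }
    if (-not $candidates) {
        return [pscustomobject]@{
            HostName = $HostName; Thumbprint = $null; Usable = $false
            Problems = @("No certificate for '$HostName' in LocalMachine\My")
        }
    }

    foreach ($cert in $candidates) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'No private key: the server cannot use it for SSL' }
        if ($cert.NotBefore -gt $now) { $problems += "Not valid until $($cert.NotBefore)" }
        if ($cert.NotAfter -lt $now) {
            $problems += "Expired on $($cert.NotAfter)"
        } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems += "Expires within $WarnDays days ($($cert.NotAfter))"
        }

        # An empty EKU list means 'any purpose'; a non-empty one must include serverAuth.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
            $problems += 'EKU does not permit Server Authentication'
        }

        if ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
            $problems += "Weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
        }

        # Verify() builds the chain and checks trust, validity and revocation where available.
        if (-not $cert.Verify()) {
            $problems += 'Chain does not validate: issuer not trusted, or certificate revoked'
        }

        $report += [pscustomobject]@{
            HostName   = $HostName
            Thumbprint = $cert.Thumbprint
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = $problems
        }
    }
    return $report
}

# Usage (host name is a placeholder for your site's name):
Test-WebServerCertificate -HostName 'www.example.com' | Format-List
```

A certificate that passes every check here can still fail for clients if the CA that issued it is not one the client trusts, which is the problem the Certificate Trust Lists Wizard discussed next addresses from the server's side.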

The Certificate Trust Lists Wizard is the third IIS wizard we mention here. This wizard is used to configure certificate trust lists (CTLs) that identify trusted CAs. A CA is a vendor that manages certificates, associating public keys with those applying for the certificate. The CTL allows you to specify which of these vendors is trusted by a site, and it is especially useful for ISPs that have several sites running on a single server. In these cases, different sites may trust different CAs.
