Internet Information Services (IIS) has become one of the most widely used technologies in information systems for handling Hypertext Transfer Protocol (HTTP) requests. However, attackers have heavily targeted IIS, and worms such as Nimda and Code Red have caused severe damage to IIS servers. This paper outlines the steps IIS administrators ought to take to secure their corporations' IIS web servers by locking those servers down.

Securing the IIS Web Servers
IIS is used to create, manage and secure websites and ships with the Windows NT family of operating systems. To secure an IIS server, the administrator must first make sure the system has the latest service pack and the most current IIS hotfixes installed, together with the other patches required for Windows 2000. To keep the server patched from then on, the administrator should register for automatic security updates. Afterwards, the HiSecWeb security template is applied to configure the computer for IIS security.
IIS configuration settings are stored in the metabase, a hierarchical data store whose structure mirrors the IIS installation. Once the current operating system patches and IIS are installed, the hardening process begins at the network layer (Novick, 2010). To lock down the network, the router, firewall and switch must be configured so that traffic from external networks reaches only the TCP ports the web server actually serves.
Those ports, on the web server's Internet Protocol (IP) address, are TCP 80 for plain HTTP and TCP 443 when Secure Sockets Layer (SSL) is used. This configuration is not complicated, yet it keeps external intruders from reaching any other service on the host. Network filtering only shields the perimeter, however; worms such as Code Red and Nimda arrive over port 80, which the filter must allow, so the web server itself still has to be hardened. Therefore, as noted above, once the operating system security updates and IIS patches have been tested, automatic updates are scheduled. To add security and remove vulnerabilities at the IIS application layer, the administrator then renames, disables or deletes the IUSR account and recreates it.
The IUSR account is the identity under which anonymous web users run. The quickest and most straightforward way to secure it is to run the IIS Lockdown Tool, a Microsoft product that uses existing NT and IIS facilities to protect the IIS server against the worms mentioned earlier and other known and unknown attacks. The tool makes the anonymous account a member of a local group named Web Anonymous Users and automatically assigns that group Deny Write and Deny Execute permissions on the corporation's web directories.
Adding other anonymous accounts to that local group gives the same result. The UrlScan security tool is bundled with the Lockdown tool and works alongside it: it blocks requests for web extensions that are dangerous or unneeded, rejects attempts to run restricted file types such as EXE, IDA and HTA, and limits the HTTP request types (verbs) the IIS server will process (Novick, 2010). Disabling socket pooling also plays an important part in securing IIS. Socket pooling lets many sites share TCP sockets by binding IIS to every IP address on the host rather than to each site's own address.
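The UrlScan policy described above, as an added example that is not code from the page or from Microsoft's UrlScan: a minimal request filter that applies the same three controls (an allow-list of HTTP verbs, a deny-list of file extensions such as .exe, .ida and .hta, and a cap on URL length) and, going slightly beyond the text, also rejects ".." traversal sequences after percent-decoding, which is the kind of URL-sequence rule UrlScan's configuration also supports. The policy values and the sample request lines are constructed for this example; the Code Red-style and Nimda-style lines imitate the shape of those worms' requests, not their real payloads.

```python
"""
Added example, not code from the page or from Microsoft's UrlScan: a
minimal request filter that applies the kind of policy the text attributes
to UrlScan (an allow-list of HTTP verbs, a deny-list of file extensions
such as .exe, .ida and .hta, and a cap on URL length), plus a check for
".." traversal sequences after percent-decoding. The policy values and the
sample request lines below are constructed for this example.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Policy (assumed values; a real site tunes these to what it actually serves)
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".exe", ".ida", ".hta"}
MAX_URL_LENGTH = 260


def check_request_line(request_line):
    """Apply the policy to one HTTP request line; return (allowed, reason)."""
    parts = request_line.strip().split()
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts

    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, f"url longer than {MAX_URL_LENGTH} bytes"

    # Decode twice so double-encoded sequences (%252e%252e) are seen as "..",
    # and look only at the path, not the query string.
    path = unquote(unquote(urlsplit(target).path))
    if ".." in path:
        return False, "dot-dot sequence in path"

    ext = posixpath.splitext(path)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, f"extension {ext} denied"
    return True, "ok"


def filter_requests(request_lines):
    """Run the policy over many request lines; return [(line, allowed, reason)]."""
    return [(line, *check_request_line(line)) for line in request_lines]


# Constructed sample traffic: ordinary page loads plus Code Red-style (.ida)
# and Nimda-style (encoded traversal to cmd.exe) request lines.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "POST /feedback.asp HTTP/1.1",
    "GET /default.ida?" + "N" * 40 + "%u9090%u6858 HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/%252e%252e/winnt/system32/cmd.exe HTTP/1.0",
    "TRACE / HTTP/1.0",
    "GET /tools/run.hta HTTP/1.1",
    "GET /" + "A" * 300 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:32} {line[:60]}")
```

Note that the extension check runs on the decoded path, not on the raw target, and that the query string is ignored entirely; a filter that looked only at the raw request line would pass `/scripts/%252e%252e/winnt/system32/cmd.exe` because the traversal only appears after a second decode.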
Disabling it makes IIS listen only on the addresses assigned to its sites, so the server no longer claims the same port on every address and other services can use that port on the addresses IIS does not need. Socket pooling is enabled by default; the administrator turns it off by setting the DisableSocketPooling property on the IIsWebService and IIsWebServer metabase classes. The web server can be secured further by choosing logon methods carefully, for example by applying Basic authentication realms to protect web server content. This assigns a user name and password so that only users who hold them can reach the protected resources.
Another logon procedure is password pass-through, in which the server authenticates the user once the credentials are entered, and those same credentials are then sent again with each subsequent page request (Kozicki, 2003). An encrypted (SSL) connection may also be used to protect this exchange. Without it, Basic authentication has a serious weakness: the user name and password cross the Internet with every request, only Base64-encoded, and are therefore exposed to anyone who can observe the traffic. To raise the security level of the IIS server, the authentication method can be changed.
Options include interactive authentication methods, application-level authentication, and network authentication that protects the user's credentials in transit. Because IIS servers are highly exposed to the public Internet, the IIS security checklist published by Microsoft is another reliable guide. It covers installation and application settings step by step for maximum protection without losing functionality. However, most of its implementation steps are more or less the same as those performed by UrlScan and the IIS Lockdown tool.
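The Basic authentication weakness discussed above, as an added example that is not code from the page: an audit of a small constructed packet capture showing that the credentials ride in the Authorization header of every request, only Base64-encoded, so anyone on the path recovers them and sees them resent with each page. The requests, host name and the "admin:P@ssw0rd" credentials are constructed sample data, and the over_tls flag is an assumption standing in for whether the capture was taken from an SSL-protected connection.

```python
"""
Added example, not code from the page: an audit of a constructed capture
showing why Basic authentication over plain HTTP is weak. The credentials
ride in the Authorization header of every request, only Base64-encoded, so
anyone on the path can recover them and sees them repeated on each page.
The requests below are constructed sample traffic, not real captured data.
"""
import base64
import binascii


def extract_basic_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    for header in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = header.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # Split on the first colon only; passwords may themselves contain ':'
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None


def audit_capture(raw_requests, over_tls):
    """Count how often each credential pair crossed the wire and whether it was exposed."""
    seen = {}
    for req in raw_requests:
        creds = extract_basic_credentials(req)
        if creds is not None:
            seen[creds] = seen.get(creds, 0) + 1
    total = sum(seen.values())
    return {
        "credentials": seen,                 # (user, password) -> times sent
        "requests_with_credentials": total,
        "exposed": total > 0 and not over_tls,
    }


# Constructed capture: an unauthenticated first request (the server would
# answer 401), then the login and two more page loads that resend the same
# "admin:P@ssw0rd" credentials (YWRtaW46UEBzc3cwcmQ=) each time.
CAPTURED_REQUESTS = [
    "GET /secure/index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /secure/index.htm HTTP/1.1\r\nHost: www.example.com\r\n"
    "Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n",
    "GET /secure/report.asp HTTP/1.1\r\nHost: www.example.com\r\n"
    "Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n",
    "GET /secure/data.htm HTTP/1.1\r\nHost: www.example.com\r\n"
    "Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n",
]

if __name__ == "__main__":
    report = audit_capture(CAPTURED_REQUESTS, over_tls=False)
    for (user, password), count in report["credentials"].items():
        print(f"user={user!r} password={password!r} sent {count} times")
    print("exposed on the wire:", report["exposed"])
```

Run stand-alone, the script recovers the user name and password from the capture and reports them as sent three times in the clear; with over_tls=True the same header contents are never visible to an observer, which is the whole argument for pairing Basic authentication with SSL, or for moving to a scheme that keeps the password off the wire.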