Document: Module 5: Implementing Security on a Web Server (ppt)


Document information

Contents

Overview 1
Using IP Address and Domain Name Restrictions 2
Configuring Access Permissions for a Web Server 4
Configuring Authentication for a Web Server 15
Multimedia: Overview of IIS Security 30
Lab A: Securing Web Resources Using Permissions and Authentication 31
Using Client Certificates 45
Classroom Discussion 50
Securing Web Communications Using SSL 52
Lab B: Configuring and Managing an Encrypted Connection Using SSL 57
Using Local Security Policies on a Web Server 66
Configuring Security on an FTP Site 68
Configuring Auditing for IIS 70
Review 72

Module 5: Implementing Security on a Web Server

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, MS-DOS, Outlook, PowerPoint, SQL Server, Visual Basic, Visual InterDev, Visual SourceSafe, Visual Studio, Windows, Win32, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

This module provides students with the knowledge and skills necessary to implement security on a Web server. After completing this module, students will be able to:

• Configure Internet Protocol (IP) address and domain name restrictions for a Web server.
• Configure access permissions for a Web server.
• Configure authentication for a Web server.
• Use client certificates.
• Secure Web communications by using Secure Sockets Layer (SSL).
• Use local security policies on a Web server.
• Configure security on a File Transfer Protocol (FTP) site.
• Configure auditing for Microsoft® Internet Information Services (IIS) 5.0.

Presentation: 120 Minutes
Labs: 45 Minutes

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2295A_05.ppt.

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the labs.
• View the multimedia “Overview of IIS Security.”

Module Strategy

Use the following strategy to present this module:

• Using IP Address and Domain Name Restrictions
  Discuss how IP address and domain name restrictions can be used to increase security. For example, denying permissions to all IP addresses except for the firewall or proxy server and database servers connected to IIS can make it much more difficult to gain unauthorized access to the Web server.

• Configuring Access Permissions for a Web Server
  Discuss the need for security on a Web server. Emphasize that effective security employs a variety of interdependent technologies. Explain the use of IP address and domain name restrictions by using example scenarios when possible. Discuss the differences between Web-based permissions and NTFS file system permissions. When discussing the Permissions Wizard, create a new test Web site and demonstrate the various ways to use the wizard. Also, discuss the settings on the Security Settings page. Explain how NTFS is essential to secure both IIS log files and Web Distributed Authoring and Versioning (WebDAV) access.

• Configuring Authentication for a Web Server
  Explain each of the authentication methods with an emphasis on Anonymous, Basic, and Integrated Windows. Create a chart on a whiteboard that illustrates the benefits, requirements, and restrictions of authentication methods. Fill in the chart as you discuss each method. Discuss various scenarios and the impacts of using combinations of authentication methods.

• Multimedia: Overview of IIS Security
  Explain that the multimedia presentation provides an overview of the various security features in IIS, when each security feature is used, and how they work together to grant or deny access to Web server resources. After the presentation, ask if there are any questions and discuss problem areas as necessary.

• Using Client Certificates
  Explain how to obtain client certificates and how to set up a Web site to require their use. Demonstrate the one-to-one and one-to-many mapping options in IIS as part of the client certificate mapping. Be sure to explain that using certificate mapping in Active Directory™ directory services is preferable to implementing it in IIS.

• Classroom Discussion
  Engage students in a classroom discussion on the best way to secure the Web site that is presented in the scenario. Have students go to Appendix A, “Classroom Discussion,” in Course 2295A, Implementing and Supporting Microsoft Internet Information Services 5.0, and use the table provided to help them in the discussion. Explain that the worksheet contains choices that will assist them in determining what types of Web-based permissions, authentication, and NTFS permissions are needed to fulfill the requirements of the scenario.

• Securing Web Communications Using SSL
  Because of required prerequisites for this course, you should not need to define certificates or go into detail about the mechanics of the Secure Sockets Layer (SSL) protocol. Demonstrate using the Web Site Certificate Wizard and emphasize that SSL cannot be employed on host header Web sites. Demonstrate requiring an SSL connection and the errors that occur if you then attempt an HTTP connection. Explain the problems with self-signed certificates and the potential for browser security warnings. Additionally, mention that the Security Wizard may interfere with permissions that are managed by Microsoft FrontPage® Server Extensions.

• Using Local Security Policies on a Web Server
  Explain where to find the local security policies on the server. Focus on the Log on Locally and Access This Computer from the Network user rights and remind students how these policies relate to authentication. Load the hisecweb.inf policy template in the Security Analysis and Configuration Tool and review the template settings.

• Configuring Security on an FTP Site
  Show how to configure authentication for an FTP site. Explain that FTP communications are in clear text and that SSL cannot be used.

• Configuring Auditing for IIS
  Review standard auditing procedures in Microsoft Windows® 2000 with an emphasis on events that are relevant to a Web server. Include the importance of budgeting time for log reviews in Information Technology (IT) departments.
Overview

• Using IP Address and Domain Name Restrictions
• Configuring Access Permissions for a Web Server
• Configuring Authentication for a Web Server
• Using Client Certificates
• Securing Web Communications Using SSL
• Using Local Security Policies on a Web Server
• Configuring Security on an FTP Site
• Configuring Auditing for IIS

***************************** ILLEGAL FOR NON-TRAINER USE ******************************

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to secure your Web servers from unauthorized access.

Having the correct security settings on your Web servers can safeguard against security threats such as unauthorized individuals trying to gain access to restricted information and well-intentioned users who might accidentally alter or delete important files. Balancing the need for security with ease of use and the demand on server resources is one of the key tasks of a Web server administrator.

Security in Microsoft® Internet Information Services (IIS) 5.0 is an interaction of permissions, policies, authentication methods, and secure communications protocols. By configuring security correctly on your Web server, you can ensure that your servers are protected from unauthorized access.

After completing this lesson, you will be able to:

• Use Internet Protocol (IP) address and domain name restrictions for a Web server.
• Configure access permissions for a Web server.
• Configure authentication for a Web server.
• Explain client certificate mapping.
• Secure Web communications by using Secure Sockets Layer (SSL).
• Use local security policies on a Web server.
• Configure security on a File Transfer Protocol (FTP) site.
• Configure auditing for IIS.

Using IP Address and Domain Name Restrictions

Topic Objective: To explain how you can restrict access by using IP address and domain name restrictions.
Lead-in: You can restrict access by using IP address and domain name restrictions.

You can configure IIS to grant or deny access to specific IP addresses, a network address, or a Domain Name System (DNS) name. If you configure IIS to grant access to all IP addresses except those that you list as exceptions, then access is denied to any computer with an IP address that is included in the exception list. Conversely, if IIS is configured to deny all IP addresses, access is denied to all remote users except those whose IP addresses have been specifically granted access.

When using a domain name restriction, IIS must perform a DNS reverse lookup on every user’s request for access to determine if the requesting IP address belongs to a restricted domain. The reverse lookup has a significant negative effect on server performance. Also, if the restricted domain does not have reverse lookup enabled, the user may gain access to the Web server.

Important
When a Web user passes through a proxy server or firewall, the user’s IP address is replaced by the IP address of the proxy server or firewall. Therefore, the incoming connection to your Web server will be that of the proxy server or firewall. Consequently, you can increase security by using IP address restrictions to ensure that IIS accepts only connections from the proxy server or firewall.

To restrict access by using IP address or domain name restrictions:

1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
   Note: In Administrative Tools, the IIS console is called Internet Services Manager; however, when you open the console, it is called Internet Information Services, also known as the IIS snap-in.
2. In the IIS snap-in, right-click the Web site that you want to configure, and then click Properties.
3. On the Directory Security tab, in the IP Address and Domain Name Restrictions box, click Edit.
4. In the IP Address Access Restrictions box, click Denied Access. This option restricts access to all computers that you do not name in the Except those listed below list.
5. Click Add, and then, in the Grant Access On dialog box, type the IP address of the computer to which you will be granting access. If you do not know the IP address and want to search by DNS name, click DNS Lookup, type the name of the computer, and then click OK.
6. Repeat step 5 for each IP address to which you want to grant access. Click OK to close the IP Address and Domain Name Restrictions dialog box, and then click OK.

Configuring Access Permissions for a Web Server

• Using Web-Based Permissions
• Using NTFS Permissions
• Special Users and Groups
• Using the Permissions Wizard
• Securing Permissions for WebDAV
• Setting Permissions on Log Files

Topic Objective: To understand the various methods for setting permissions on a Web server and how these methods work together.
Lead-in: There are several methods for controlling access to IIS, and these methods work together to create a secure Web server.

Permissions are the access rights that you give a specific user, or group of users, that allow them to gain access to and manipulate data on a server. By effectively managing permissions, you can control a user’s actions on Web server content. IIS uses several types of permissions and restrictions to determine if a user is allowed to gain access to resources on the Web server. IIS uses both its own permissions, including some Transmission Control Protocol/Internet Protocol (TCP/IP) application-level permissions, known as Web-based permissions, and the Microsoft Windows® 2000 NTFS file system permissions.
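The grant/deny semantics of the IP address and domain name restrictions described earlier, as an added example that is not part of the training module: a small Python model of the restriction list (a default of Granted or Denied plus an exception list of single IPs, subnets and domain names) that also shows the reverse-lookup caveat. The PTR table is constructed, `reverse_lookup` is a hypothetical stand-in for real DNS, and the leading-dot domain entries are this model's convention rather than IIS syntax.

```python
"""Model of IIS 5.0-style IP address and domain name restrictions.

Added illustration, not code from the training module: reproduces the
grant/deny semantics the text describes (a default of Granted or Denied
plus an exception list of single IPs, subnets and DNS domain names) and
shows why a domain-name exception is only as strong as reverse DNS.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed PTR table standing in for reverse DNS (not real lookups).
# 203.0.113.11 deliberately has no entry, mirroring the "restricted
# domain does not have reverse lookup enabled" case in the text.
PTR_TABLE = {
    "203.0.113.10": "gw1.partner.example",
    "198.51.100.7": "proxy.corp.example",
}

def reverse_lookup(ip: str):
    """Hypothetical stand-in for socket.gethostbyaddr; None when no PTR."""
    return PTR_TABLE.get(ip)

@dataclass
class AccessRestrictions:
    default_granted: bool            # True = "Granted Access", False = "Denied Access"
    exceptions: list = field(default_factory=list)   # "Except those listed below"

    def _matches(self, ip: str, entry: str) -> bool:
        # Domain entries (leading dot is this model's convention, not IIS
        # syntax) can only match when the client IP resolves to a name.
        if entry.startswith("."):
            host = reverse_lookup(ip)
            return host is not None and host.endswith(entry)
        # Single IP or network, e.g. "192.0.2.0/24"; a bare IP becomes a /32.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)

    def is_allowed(self, ip: str) -> bool:
        """An exception inverts the default: listed clients are denied under
        a Granted default and granted under a Denied default."""
        listed = any(self._matches(ip, e) for e in self.exceptions)
        return self.default_granted != listed

# Pattern the text recommends: deny everyone except the proxy/firewall.
PROXY_ONLY = AccessRestrictions(default_granted=False, exceptions=["198.51.100.7"])

# Default Granted with a domain-name exception: only as good as the PTR data.
BLOCK_PARTNER = AccessRestrictions(default_granted=True, exceptions=[".partner.example"])

if __name__ == "__main__":
    print(PROXY_ONLY.is_allowed("198.51.100.7"))     # True: the proxy
    print(PROXY_ONLY.is_allowed("203.0.113.10"))     # False: everyone else
    print(BLOCK_PARTNER.is_allowed("203.0.113.10"))  # False: PTR matches the domain
    print(BLOCK_PARTNER.is_allowed("203.0.113.11"))  # True: no PTR, restriction misses
```

The last call is the failure mode the text warns about: with a Granted default, a client whose address has no reverse record can never match a domain-name exception and is let through.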
IIS includes a Permissions Wizard to set both Web-based and NTFS permissions for files that are associated with a Web site.

Permissions should not be confused with authentication. Authentication determines the identity of a user. Permissions determine what a valid user can access.

In addition to securing Web sites, it is also important that you set appropriate permissions on system resources such as log files, and that you configure permissions for Web Distributed Authoring and Versioning (WebDAV) by effectively using a combination of Web-based and NTFS permissions.

Note [...]

... or High application protection, you will need to provide appropriate NTFS permissions to this account.

Interactive
The Interactive group is a built-in, automatically maintained group in Windows 2000 that consists of all users who are logged on locally. A local logon is one that appears to the server to have occurred on the server itself instead of remotely ...

... directories and files inherit these settings.

Securing Permissions for WebDAV

Topic Objective: To explain how to secure permissions for WebDAV.
Control WebDAV Access by Controlling:
Lead-in: Controlling WebDAV access is essentially the same as controlling normal access to Web server content by using Web-based permissions, authentication, ...

... located locally on your desktop. Furthermore, because WebDAV is an extension of Hypertext Transfer Protocol (HTTP), it is often not blocked at firewalls. Typically, when a user gains access to a Web server by using Web folders, that access occurs by using WebDAV.

Note: WebDAV capability is enabled by default.

Controlling WebDAV access is essentially the same as controlling normal access to Web server content ...

... default permission of Everyone Full Control is in effect, anyone gaining access to a WebDAV-enabled application can write to the Web site. If you have a Web site, virtual directory, or file that enables a user to make changes by using WebDAV, you must manage security by using NTFS permissions.

Setting Permissions on Log Files

Topic Objective: To explain ...

Configuring Authentication for a Web Server

Topic Objective: To explain how to configure authentication for a Web server.
Lead-in: IIS supports several types of authentication.

• Using Anonymous Authentication
• Using Basic Authentication
• Making Basic Authentication More Secure
• Using Digest Authentication
• Using Integrated Windows Authentication
• Using Kerberos V5 Protocol vs. NTLM in Integrated Windows Authentication ...

... requirements.

Web server authentication is a communication between the browser and the server that uses HTTP headers and error messages. The flow of communication follows these steps:

1. The Web browser makes a request to a Web server, and then the Web server performs an authentication check. If the Web server does not permit anonymous access, it sends back an error ...

... credentials when required. Determining the authentication method is important because not all browsers support all authentication methods.

Using Anonymous Authentication

Topic Objective: To explain Anonymous authentication and how it works.
No User Name or Password Required
Lead-in: Anonymous authentication allows users to access your Web site without a user ...

... the anonymous user is authenticated as a local logon, the anonymous user credentials can be forwarded to other servers for authentication. In other words, Allow IIS to Control Password enables you to control whether or not your anonymous users have access to network resources.

Using Basic Authentication

Topic Objective: To explain Basic authentication and ...

... caution because someone could easily intercept and decipher passwords by monitoring communications on your network. All authentication methods require that the user enter a valid user name and password for an active user account in Windows 2000. Enabling Basic authentication does not create those accounts, but enables a method to authenticate to the accounts by using the Web server.

How Basic authentication ...

... enters a valid user name and password or closes the dialog box.
4. When the Web server verifies that the user name and password correspond to a valid Windows user account, a connection is established.

Basic authentication is a local logon that requires users to have the Log on Locally user right. A user who has the Log On Locally user right and can obtain ...

Posted: 24/01/2014, 10:20
