450 likes | 626 Views
Securing IIS Services. Lesson 6. Skills Matrix. Configuring IP Address Restrictions. Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager . In the scope pane, select a server, site, folder, or virtual directory.
E N D
Securing IIS Services Lesson 6
Configuring IP Address Restrictions • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, folder, or virtual directory. • Double-click the IPv4 Address and Domain Restrictions icon. Lesson 6
Configuring IP Address Restrictions (cont.) • In the actions pane, click Edit Feature Settings. • Select one of the options listed in the Access for unspecified clients drop-down list. Lesson 6
Configuring IP Address Restrictions (cont.) • In the actions pane, click Add Allow Entry. • Select one of the options listed, and key an appropriate entry in the accompanying text box. • Click OK. Lesson 6
Enabling Authentication Methods • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, or virtual directory. • Double-click the Authentication icon. Lesson 6
Enabling Authentication Methods (cont.) • Select the authentication method you want to modify. • In the actions pane, click Enable or Disable. Lesson 6
Changing the Anonymous Authentication User • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Double-click the Authentication icon. • Select Anonymous Authentication and, in the actions pane, click Edit. Lesson 6
Changing the Anonymous Authentication User (cont.) • Click Set. • In the User Name text box, key the name of the account you want IIS7 to use for anonymous access to the element you selected. • In the Password and Confirm Password text boxes, key the password associated with the account you specified. Lesson 6
Changing the Anonymous Authentication User (cont.) • Click OK to close the Set Credentials dialog box. • Click OK to close the Edit Anonymous Authentication Credentials dialog box. • Restart the Website. Lesson 6
Enabling Active Directory Client Certificate Authentication • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server. • Double-click the Authentication icon. • Select Active Directory Client Certificate Authentication. Lesson 6
Enabling Active Directory Client Certificate Authentication (cont.) • In the actions pane, click Enable. • Disable any other authentication methods that show a status of Enabled. • Restart the IIS7 service. Lesson 6
Enabling Digest Authentication • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Select Digest Authentication and, in the actions pane, click Edit. Lesson 6
Enabling Digest Authentication (cont.) • In the Realm text box, key the name of the Active Directory domain of which the Web server is a member, and then click OK. • Select Digest Authentication. • In the actions pane, click Enable. • Restart the IIS7 service. Lesson 6
Enabling Basic Authentication • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Double-click the Authentication icon. • Select Basic Authentication and, in the actions pane, click Edit. Lesson 6
Enabling Basic Authentication (cont.) • In the Domain text box, key the name of the Active Directory domain in which you want the clients to be authenticated. • Leave the Realm text box blank, or key the name value as the Domain text box, and click OK. • Select Basic Authentication and, in the actions pane, click Enable. • Restart the IIS7 service. Lesson 6
Enabling ASP.NET Impersonation • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Double-click the Authentication icon. • Select ASP.NET Impersonation and, in the actions pane, click Edit. Lesson 6
Enabling ASP.NET Impersonation (cont.) • Select one of the options listed, and click OK. • Select ASP.NET Impersonation and, in the actions pane, click Enable. • Restart the IIS7 service. Lesson 6
Enabling Forms Authentication • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Double-click the Authentication icon. • Select Forms Authentication and, in the actions pane, click Edit. Lesson 6
Enabling Forms Authentication (cont.) • Configure the parameters listed, and click OK. • Select Forms Authentication and, in the actions pane, click Enable. • Disable any other authentication methods that show a status of Enabled. • Restart the IIS7 service. Lesson 6
Creating URL Authorization Rules • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Double-click the Authorization Rules icon. • In the actions pane, click Add Allow Rule or Add Deny Rule. Lesson 6
Creating URL Authorization Rules (cont.) • Specify to whom you want to apply the rule by using one of the options listed. • To limit the rule to specific types of requests, select the Apply this rule to specific verbs checkbox. • Specify the HTTP Method values to which you want the rule to apply. • Click OK. Lesson 6
Configuring Handler Mappings • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server, site, application, or virtual directory. • Double-click the Handler Mappings icon. • In the actions pane, click Edit Feature Permissions. Lesson 6
Configuring Handler Mappings (cont.) • Select the checkboxes indicating the default permissions you want clients to have for the selected element, and then click OK. • Select one of the handlers listed in the pane and, in the actions pane, click Edit. • Click Request Restrictions. Lesson 6
Configuring Handler Mappings (cont.) • To limit the application of the handler, select the Invoke handler only if request is mapped to checkbox on the Mapping tab. • Specify whether you want IIS7 to invoke the handler when the request is for a file (the default), a folder, or both. • Click the Verbs tab. Lesson 6
Configuring Handler Mappings (cont.) • To limit the HTTP verbs that the handler can process, select the One of the following verbs option. • In the text box, key the verbs you want to permit. • Click the Access tab. Lesson 6
Configuring Handler Mappings (cont.) • Select the permission you want to assign to the handler. • Click OK. Lesson 6
Creating a Certificate Request File • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a server. • Double-click the Server Certificates icon. • In the actions pane, click Create Certificate Request. Lesson 6
Creating a Certificate Request File (cont.) • Fill in each text box with the requested information about your organization, and then click Next. Lesson 6
Creating a Certificate Request File (cont.) • In the Cryptographic Service Provider drop-down list, select the provider you want to use for the certificate. • In the Bit Length drop-down list, specify the length for the certificate’s encryption key. • Click Next. • Specify the name you want to use for the certificate request, and click Finish. Lesson 6
Creating an SSL Binding • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, right-click one of your Websites and, from the context menu, select Edit Bindings. • Click Add. • In the Type drop-down list, select https. Lesson 6
Creating an SSL Binding (cont.) • In the SSL certificate drop-down list, select the server certificate obtained from your CA. • Click OK. • Select the existing http binding, and click Remove. • Click Yes. • Click Close. Lesson 6
Enabling SSL • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select a Website. • Double-click the SSL Settings icon. Lesson 6
Enabling SSL (cont.) • Select the Require SSL checkbox. • If your clients support it, you can also select the Require 128-bit SSL checkbox. • Select one of the Client Certificates options, indicating whether you want to ignore, accept, or require client certificates. • In the action pane, click Apply. Lesson 6
Enabling SSL for FTP7 • Click Start, and then click Administrative Tools > Internet Information Services (IIS) Manager. • In the scope pane, select an FTP site. • Double-click the FTP SSL Settings icon. • In the SSL Certificate drop-down list, select the certificate you want to use. Lesson 6
Enabling SSL for FTP7 (cont.) • In the SSL Policy box, select the Custom option, and click Advanced. • In the Control Channel box, select one of the options listed. • In the Data Channel box, select one of the options listed. Lesson 6
Enabling SSL for FTP7 (cont.) • Click OK. • In the SSL Policy box, select the Use 128-bit encryption for SSL connection checkbox, if desired. • In the action pane, click Apply. Lesson 6
You Learned • IIS7 retains a security feature from earlier IIS versions that enables you to specify IP addresses or domain names that the server should allow or deny access to a server, site, virtual directory, folder, or file. • IIS7 supports several password-based authentication methods including Anonymous, Windows, Digest, and Basic Authentication. Lesson 6
You Learned (cont.) • In IIS7, the authentication settings you configure at a particular level are inherited by all subordinate levels. • When a client connects to a site configured to use multiple authentication methods, it always attempts to establish an anonymous connection first. Lesson 6
You Learned (cont.) • The anonymous user account in IIS7 is a built-in account called IUSR, which is a member of a group called IIS_IUSRS. • If you are running an intranet Web server on an Active Directory network with its own certification authority, you can configure IIS7 to automatically authenticate domain users that have client certificates. Lesson 6
You Learned (cont.) • Because Active Directory Client Certificate Authentication requires the use of SSL with client certificates, it is not compatible with any of the other authentication methods IIS7 supports. • Of the three traditional challenge/response authentication methods supported by IIS7, Windows Authentication is the most secure. Lesson 6
You Learned (cont.) • The Digest Authentication method in IIS7 is comparable to the Advanced Digest Authentication method from IIS6. • Windows Authentication, Digest Authentication, and Basic Authentication are all challenge-based authentication methods. Lesson 6
You Learned (cont.) • The NTFS permissions protecting a particular file system element are not like the keys to a lock, which provide either full access or no access at all. Permissions are designed to be granular, enabling you to grant specific degrees of access to security principals. • NTFS permissions are realized as access control lists (ACLs), which consist of two basic types of access control entries (ACEs): Allow and Deny. Lesson 6
You Learned (cont.) • Permissions tend to run down through a hierarchy, which is called permission inheritance. • A digital certificate contains identifying information about the party to which it is issued, as well as a public key, which enables the issuee to participate in encrypted communications and prove its identity. Lesson 6
You Learned (cont.) • If you want to use SSL on an Internet Website, you must obtain a certificate for your Web server from a commercial CA, such as VeriSign, which is trusted both by your organization and by your clients. For intranet Web servers, you can use a certificate from an internal CA. • To protect a Website using SSL, you must have a server certificate and an https binding. Then you must enable SSL for the site. Lesson 6