70298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network - PowerPoint PPT Presentation

Provided by: facult77
Slides: 44

Transcript and Presenter's Notes

1
70-298 MCSE Guide to Designing Security for a
Microsoft Windows Server 2003 Network
  • Chapter 6: Securing Internet Information Services

2
Exam Objectives
  • 3.3 Design user authentication for Internet
    Information Services (IIS)
  • 3.3.1 Design user authentication for a Web site
    by using certificates
  • 3.3.2 Design user authentication for a Web site
    by using IIS authentication
  • 3.3.3 Design user authentication for a Web site
    by using RADIUS for IIS authentication

3
Exam Objectives (continued)
  • 3.4 Design security for Internet Information
    Services (IIS)
  • 3.4.1 Design security for Web sites that have
    different technical requirements by enabling only
    the minimum required services
  • 3.4.2 Design a monitoring strategy for IIS

4
Exam Objectives (continued)
  • 3.4.3 Design an IIS baseline based on business
    requirements
  • 3.4.4 Design a content management strategy for
    updating an IIS server

5
Introduction
P352
  • Internet Information Services (IIS)
    • One of the most popular solutions for private and
      commercial Web servers
    • Favorite target of hackers and virus/worm authors
  • Topics include
    • User authentication within IIS
    • How to harden the IIS installation
    • Designing an effective monitoring scheme
    • Updating Web content

6
Designing User Authentication for IIS
P353
  • Redesign of IIS
    • More reliable and robust
  • Worker process model
    • IIS separates all user code from its WWW service
    • User application runs in an Internet Server
      Application Programming Interface (ISAPI)
      application
    • Web sites do not run within the inetinfo.exe (WWW
      services) memory space

7
IIS 6.0 Worker Process Model
P353
8
HTTP Listener
P353
  • HTTP.Sys
    • Analyzes request and validates authentication on
      it
    • Request is passed to Inetinfo.exe or SVCHost.exe
      if valid

9
Is the Worker Process Model the Same as IIS 5.0
Isolation Mode?
P354
  • Worker process model is more flexible
    • Can isolate individual sites
    • Minimizes risk of malicious attack on a WWW
      service

10
IIS 5.0 Isolation Model
P354
11
Designing Certificate Authentication
P356
  • Certificates
    • Proven mechanism to authenticate users in IIS 6.0
    • Digital fingerprint for a user or for a number of
      users
    • Certificate management is part of the Secure
      Sockets Layer (SSL) in IIS
  • Mapping
    • Verify certificate info against a Windows user
      account

12
Directory Service Mapping
P356
  • Uses native Windows Active Directory Service to
    authenticate users
  • Least popular of three mapping methods
  • Shared across all IIS servers
  • Best used to integrate Web sites as an intranet

13
One-to-One Mapping
P357
  • Compares the user certificate to the one stored
    on the server
  • Certificate details need to match exactly to
    proceed with authentication
  • Suits smaller implementations or small set of
    users who have access to sensitive data

14
One-to-One Mapping Screen
P358
15
Many-to-One Mapping
P359
  • Compares specific information in the certificate
    using wildcards
  • User certificate information does not need to
    match exactly
  • Popular with large-scale implementations
  • Can also be used to leverage the IIS 6.0
    anonymous IUSR_ComputerName account
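To make the contrast between the two mapping styles concrete, here is an added Python example (not from the textbook and not IIS's own code) that models both: one-to-one mapping compares the presented certificate against an exact stored copy, while many-to-one applies ordered wildcard rules to the subject fields and maps every match to one shared account. The certificates, account names and rule criteria are constructed for the example; IIS's own rule editor only offers a plain `*` wildcard, whereas this model uses Python's `fnmatch` patterns.

```python
import fnmatch
import hashlib

# Constructed sample client certificates: the subject as IIS displays it
# (field=value pairs) and a placeholder byte string standing in for the
# certificate's DER encoding. None of these are real certificates.
SAMPLE_CERTS = {
    "alice": {"subject": "CN=Alice Example, OU=Sales, O=Contoso, C=US",
              "der": b"placeholder-der-alice"},
    "bob":   {"subject": "CN=Bob Example, OU=Engineering, O=Contoso, C=US",
              "der": b"placeholder-der-bob"},
    "eve":   {"subject": "CN=Eve Example, OU=Sales, O=Fabrikam, C=US",
              "der": b"placeholder-der-eve"},
}


def parse_subject(subject):
    """Split 'CN=..., OU=..., O=...' into a {field: value} dict."""
    fields = {}
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().upper()] = value.strip()
    return fields


def fingerprint(der):
    """Identify a certificate by the hash of its full encoding."""
    return hashlib.sha1(der).hexdigest()


# One-to-one mapping: the server stores one exact certificate per account
# (here by fingerprint). Only that certificate, byte for byte, authenticates.
# The account name is hypothetical.
ONE_TO_ONE = {
    fingerprint(SAMPLE_CERTS["alice"]["der"]): r"CONTOSO\alice",
}


def map_one_to_one(der):
    """Return the mapped Windows account, or None if no stored certificate matches exactly."""
    return ONE_TO_ONE.get(fingerprint(der))


# Many-to-one mapping: an ordered list of rules. Each rule lists subject
# fields with wildcard patterns; the first rule whose criteria all match
# maps the certificate to a shared account (hypothetical account names).
MANY_TO_ONE = [
    ({"O": "Contoso", "OU": "Sales"}, r"CONTOSO\sales_web"),
    ({"O": "Contoso*"},               r"CONTOSO\contoso_web"),
]


def map_many_to_one(subject):
    """Return the account of the first matching rule, or None (refuse) if no rule matches."""
    fields = parse_subject(subject)
    for criteria, account in MANY_TO_ONE:
        if all(fnmatch.fnmatchcase(fields.get(field, ""), pattern)
               for field, pattern in criteria.items()):
            return account
    return None


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, "one-to-one:", map_one_to_one(cert["der"]),
              "many-to-one:", map_many_to_one(cert["subject"]))
```

Rule order matters in the many-to-one model: the narrow Sales rule sits before the broad `Contoso*` rule, so a Sales certificate lands on the Sales account rather than the catch-all. A certificate from another organisation matches nothing and is refused, which is the safe default; a final rule with empty criteria would map everything else to the anonymous IUSR_ComputerName account the slide mentions.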

16
Enter Rule Information
P361
17
Designing Windows Logon Authentication
P362
  • Windows accounts can be used to authenticate
    users
  • Methods
    • Anonymous access
    • Basic authentication
    • Digest authentication
    • Windows integrated authentication

18
Anonymous Authentication
P362
  • Least secure
  • Used on Web content that does not require any
    security
  • Do not need to provide credentials to view Web
    content
  • No username/password prompt
  • IUSR_ComputerName account
  • IIS 6.0 impersonates user account to assign a
    connection

19
Basic Authentication
P364
  • Widely used by all Web servers
  • Browser requests the user's username and password
  • Browser will send credentials to the Web server
    to authenticate
  • Credentials will be base-64 encoded

20
Digest Authentication
P366
  • Similar to basic authentication
  • Enhanced security with MD5-hashed credentials
    instead of clear-text credentials
  • Only available on directories that support WebDAV
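An added Python example (not from the textbook) that puts the Basic and Digest slides side by side: what a Basic `Authorization` header actually carries once the base-64 encoding is undone, and how an RFC 2617 Digest exchange lets the server check a password it never receives, keeping only the MD5 of `username:realm:password`. Nonce handling is simplified to "was this nonce issued by us"; the sample values in `__main__` are the ones RFC 2617 itself uses, not values from the textbook.

```python
import base64
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(authorization_header):
    """What a Basic Authorization header carries: base64 is an encoding, not
    encryption, so anyone who can read the header can read the credentials."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return username, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest (qop=auth): the password only ever enters an MD5 hash."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: stores HA1 per user (never the password) and the nonces it issued."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.issued_nonces = set()

    def add_user(self, username, password):
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def new_nonce(self):
        # A fresh server-chosen nonce per challenge is what stops a captured
        # response from being replayed later.
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.issued_nonces:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # RFC 2617 section 2 example header: decodes to Aladdin / open sesame.
    print(basic_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    # RFC 2617 section 3.5 example exchange.
    server = DigestVerifier("testrealm@host.com")
    server.add_user("Mufasa", "Circle Of Life")
    nonce = server.new_nonce()
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    print("digest accepted:", server.verify("Mufasa", "GET", "/dir/index.html",
                                            nonce, "00000001", "0a4f113b", resp))
```

The practical difference for the slides above: with Basic, a captured header yields the password itself, which is why the hardening slide pairs it with SSL; with Digest, a captured response is only good for the one nonce the server issued, although the MD5 of a weak password is still subject to offline guessing, so Digest is not a substitute for SSL either.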

21
Integrated Windows Authentication
P367
  • Default authentication mechanism in IIS 6.0
  • Kerberos V5 and NTLM authentication used
  • Client browser does not request the username and
    password from the user
  • Client logged on user credentials are used
  • Will not work over HTTP proxies
  • Suited to an intranet environment that can be
    tightly controlled by the system administrators

22
Designing RADIUS Authentication
P369
  • Remote Authentication Dial-In User Service
    (RADIUS)
    • Protocol that defines single sign-on access to
      multiple network resources
  • Internet Authentication Server (IAS)
    • RADIUS implementation in Windows Server 2003

23
RADIUS Architecture in Windows Server 2003
P370
24
Using the Internet Authentication Server
P370
  • IAS
    • Not installed by default
    • Can be managed by the IAS MMC snap-in
    • Should enable logging at the IAS

25
IAS MMC Snap-In
P372
26
Securing the RADIUS Implementation
P373
  • RADIUS servers
    • Should be physically secured
    • Make some configuration changes

27
Security Issues with IAS Access
P374
  • Use Terminal Services to access the IAS server
  • Use IPSec to encrypt communication between the
    RADIUS server and the client
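The advice to wrap RADIUS traffic in IPSec follows from how little the protocol protects on its own. This added Python example (not IAS code and not from the textbook) builds both sides of an RFC 2865 Access-Request/Access-Accept exchange: the User-Password attribute is hidden by XOR with MD5 of the shared secret, and the reply carries a Response Authenticator that proves the server knows that secret, but the user name, the codes and everything else travel as plaintext UDP. The shared secret, the user database and the packet identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865 (subset).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    plain = password.encode("utf-8")
    pad = (-len(plain)) % 16
    if not plain:
        pad = 16                       # the attribute is never empty
    plain += b"\x00" * pad
    hidden, prev = b"", request_authenticator
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password; the wrong secret yields garbage, not an error."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00").decode("utf-8", errors="replace")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret):
    """Client (NAS) side: returns the packet and the Request Authenticator the client must keep."""
    request_authenticator = os.urandom(16)
    attrs = attribute(USER_NAME, username.encode("utf-8"))
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs, request_authenticator


def handle_access_request(packet, secret, users):
    """Server (IAS) side: check the password and sign the reply with the Response Authenticator."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    request_authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs[USER_NAME].decode("utf-8")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_authenticator)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)      # reply carries no attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + secret).digest()
    return header + response_authenticator


def check_response(response, request_authenticator, secret):
    """Client side: was the reply produced by a server holding the shared secret?
    Returns (authentic, code)."""
    header, response_authenticator, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_authenticator), header[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed, per-client in real IAS
    users = {"jdoe": "correct horse"}             # constructed user database
    packet, ra = build_access_request(7, "jdoe", "correct horse", secret)
    reply = handle_access_request(packet, secret, users)
    print("authentic reply:", check_response(reply, ra, secret))
```

Two things this makes visible for the RADIUS slides: the shared secret is the only thing standing between a network observer and the password, which is why IAS wants a strong, per-client secret and why the slide puts IPSec underneath; and a reply signed with a different secret fails the Response Authenticator check, so a client must hold the secret too, not just the server.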

28
Designing Security for IIS
P375
  • Type of Web site determines security needs
    • Public sites use anonymous authentication
    • Intranet sites are internal to an enterprise
    • Extranet sites are similar to intranet sites,
      but are for an external audience

29
Securing IIS Installations
P376
  • Use NTFS file system
  • Use Configure Your Server Wizard to install other
    components
  • Use unattended setup to install IIS on multiple
    machines
  • Make sure Internet Connection Firewall (ICF) is
    enabled and configured properly

30
Internet Connection Firewall
P378
  • Basic internal software firewall
  • Disabled by default
  • Can be configured to enable or disable protocol
    access through IIS

31
Risks to IIS Servers and How to Harden IIS
Against Them
P381
  • Non-HTTP requests
    • Disable all non-HTTP and non-HTTPS data
  • Authentication mechanism
    • Encrypt authentication with SSL
  • Minimize write and execute access
  • Do not use HTTP GET methods to post data to the
    server in client-side scripting

32
IIS Best Practices
P383
  • Log on with the least credentials
  • Disable unwanted services in IIS 6.0
  • Keep virus scanners up-to-date
  • Keep all software patches up-to-date

33
Securing FTP
P383
  • Create individual accounts for each FTP user
    using IIS Manager
  • Implement FTP communication over a secure channel,
    such as a VPN

34
Securing NNTP
P384
  • Enable basic authentication or integrated Windows
    authentication on the NNTP Service
  • Restrict NNTP access by IP address
  • Restrict the number of NNTP operators
  • Use SSL to encrypt communication

35
Securing SMTP
P385
  • Minimize the number of operators
  • Use Transport Layer Security (TLS)
  • Restrict IP and network access
  • Set basic authentication or Windows integrated
    authentication on outbound messages

36
New Security Features in IIS 6.0
P385
  • Advanced Digest authentication
  • Server-gated cryptography
  • Selectable Cryptographic Service Provider
  • Configurable worker process identity
  • Default locked down status
  • New authorization framework

37
Designing a Monitoring Strategy for IIS
P389
  • Windows Server 2003 service calls
  • Monitor through event logs
  • Use the Network monitor
  • Enable logging on all IIS activities
  • Create monitoring baseline
  • Enable security monitoring
  • Monitor event log activities
  • Enable health detection

38
Identifying a Security Incident
P398
  • Three failed logins for a user account will be
    logged
  • Analyze Security log and investigate user access
  • Analyze IIS logs
  • Obtain more user details and client IP address
    data
  • Use Security Auditing information as evidence
    against intrusion
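For the "three failed logins" and "analyze IIS logs" points on this slide and the logging baseline on the previous one, here is an added Python example (not from the textbook) that parses W3C extended log lines of the kind IIS 6.0 writes, counts failed logons per client address and reports any later successful logon from the same address so it can be cross-checked against the Security log. The log lines are constructed; the 401.1/401.2 substatus distinction is IIS 6.0's own (401.2 is the challenge that Integrated and Digest clients always receive first, so it must not be counted as a failure).

```python
from collections import Counter, defaultdict

# Constructed W3C extended log lines in the layout IIS 6.0 writes: the
# #Fields directive names the columns, and spaces inside a field are
# replaced with '+'. Addresses, paths and accounts are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-01 09:00:01 10.0.0.5 GET /secure/report.aspx - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2004-03-01 09:00:02 10.0.0.5 GET /secure/report.aspx - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252
2004-03-01 09:00:04 10.0.0.5 GET /secure/report.aspx - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252
2004-03-01 09:00:05 10.0.0.5 GET /secure/report.aspx - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252
2004-03-01 09:00:09 10.0.0.5 GET /secure/report.aspx - 80 CONTOSO\\jdoe 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2004-03-01 09:01:00 10.0.0.5 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2004-03-01 09:01:30 10.0.0.5 GET /secure/report.aspx - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2004-03-01 09:01:31 10.0.0.5 GET /secure/report.aspx - 80 CONTOSO\\asmith 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""


def parse_w3c(log_text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def is_failed_logon(record):
    """401.1 is a rejected credential. 401.2 is the initial challenge that
    Integrated/Digest clients always get first, so it is not a failure."""
    return record.get("sc-status") == "401" and record.get("sc-substatus") == "1"


def find_suspect_clients(log_text, threshold=3):
    """Return {client IP: {"failures": n, "later_logons": [accounts]}} for every
    client address with at least `threshold` failed logons (3 per the slide)."""
    failures = Counter()
    later_logons = defaultdict(list)
    for rec in parse_w3c(log_text):
        ip = rec.get("c-ip")
        if is_failed_logon(rec):
            failures[ip] += 1
        elif (failures[ip] and rec.get("sc-status") == "200"
              and rec.get("cs-username", "-") != "-"):
            # A success after failures is the account to look up in the
            # Security log (logon events) and with the user.
            later_logons[ip].append(rec["cs-username"])
    return {ip: {"failures": n, "later_logons": later_logons[ip]}
            for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in find_suspect_clients(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the constructed log, the first address is flagged with three failed logons followed by a success as CONTOSO\jdoe; the second address only received the normal challenge before authenticating and is not reported. The threshold and the substatus test are the two knobs to tune against a monitoring baseline: a site that uses Basic authentication will see 401.1 on mistyped passwords from legitimate users, so a baseline of normal failure rates per site decides what counts as an incident.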

39
Design a Content Management Strategy for Updating
an IIS Server
P399
  • Tools available to deploy content to Web farms
    • Microsoft Content Management Server (CMS)
    • Microsoft Site Server 4.0
    • Third-party content management tools
  • Can also use virtual directory concept to
    centralize important information and minimize
    deployment

40
Summary
  • IIS 6.0 implements a worker process model to
    handle Web requests
  • Certificate authentication is supported
  • Windows logon authentication mechanisms
    • Anonymous authentication
    • Basic authentication
    • Digest authentication
    • Windows integrated authentication

41
Summary (continued)
  • Internet Connection Firewall (ICF)
    • Used for small- to medium-sized organizations
  • Design monitoring strategy to support
    authentication options
  • Microsoft Content Management Server (CMS)
    • Can be used to replicate content to multiple IIS
      servers in Web farm

42
Exercises
  • P357-359 Implementing One-to-One Mapping
  • P360-361 Implement Many-To-One Mapping
  • P362-363 Configure Anonymous Authentication
  • P365 Configure Basic Authentication
  • P366 Configure Digest Authentication
  • P368 Configure Integrated Windows Authentication
  • P370-371 Install IAS

43
Exercises (continued)
  • P379-381 Configure Protocols in ICF
  • P391-392 Configure IIS Logging
  • P394-395 Enabling Audit Policy on a Local
    Machine
  • P397-398 Enable Health Detection