Title: 70298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network

Slide 1: 70-298 MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
- Chapter 6: Securing Internet Information Services
Slide 2: Exam Objectives
- 3.3 Design user authentication for Internet Information Services (IIS)
  - 3.3.1 Design user authentication for a Web site by using certificates
  - 3.3.2 Design user authentication for a Web site by using IIS authentication
  - 3.3.3 Design user authentication for a Web site by using RADIUS for IIS authentication

Slide 3: Exam Objectives (continued)
- 3.4 Design security for Internet Information Services (IIS)
  - 3.4.1 Design security for Web sites that have different technical requirements by enabling only the minimum required services
  - 3.4.2 Design a monitoring strategy for IIS

Slide 4: Exam Objectives (continued)
- 3.4.3 Design an IIS baseline based on business requirements
- 3.4.4 Design a content management strategy for updating an IIS server
Slide 5: Introduction (P352)
- Internet Information Services (IIS)
  - One of the most popular solutions for private and commercial Web servers
  - Favorite target of hackers and virus/worm authors
- Topics include
  - User authentication within IIS
  - How to harden the IIS installation
  - Designing an effective monitoring scheme
  - Updating Web content
Slide 6: Designing User Authentication for IIS (P353)
- Redesign of IIS
  - More reliable and robust
- Worker process model
  - IIS separates all user code from its WWW service
  - User application runs in an Internet Server Application Programming Interface (ISAPI) application
  - Web sites do not run within the inetinfo.exe (WWW service) memory space

Slide 7: IIS 6.0 Worker Process Model (P353)

Slide 8: HTTP Listener (P353)
- HTTP.Sys
  - Analyzes the request and validates the authentication on it
  - Request is passed to Inetinfo.exe or SVCHost.exe if valid

Slide 9: Is the Worker Process Model the Same as IIS 5.0 Isolation Mode? (P354)
- Worker process model is more flexible
  - Can isolate individual sites
  - Minimizes the risk of a malicious attack on a WWW service

Slide 10: IIS 5.0 Isolation Model (P354)
Slide 11: Designing Certificate Authentication (P356)
- Certificates
  - Proven mechanism to authenticate users in IIS 6.0
  - Digital fingerprint for a user or for a number of users
  - Certificate management is part of the Secure Sockets Layer (SSL) in IIS
- Mapping
  - Verify certificate info against a Windows user account

Slide 12: Directory Service Mapping (P356)
- Uses the native Windows Active Directory Service to authenticate users
- Least popular of the three mapping methods
- Shared across all IIS servers
- Best used to integrate Web sites as an intranet

Slide 13: One-to-One Mapping (P357)
- Compares the user certificate to the one stored on the server
- Certificate details need to match exactly to proceed with authentication
- Suits smaller implementations or a small set of users who have access to sensitive data

Slide 14: One-to-One Mapping Screen (P358)

Slide 15: Many-to-One Mapping (P359)
- Compares specific information in the certificate using wildcards
- User certificate information does not need to match exactly
- Popular with large-scale implementations
- Can also be used to leverage the IIS 6.0 anonymous IUSR_ComputerName account

Slide 16: Enter Rule Information (P361)
Slide 17: Designing Windows Logon Authentication (P362)
- Windows accounts can be used to authenticate users
- Methods
  - Anonymous access
  - Basic authentication
  - Digest authentication
  - Windows integrated authentication

Slide 18: Anonymous Authentication (P362)
- Least secure
- Used on Web content that does not require any security
  - Do not need to provide credentials to view Web content
  - No username/password prompt
- IUSR_ComputerName account
  - IIS 6.0 impersonates this user account to assign a connection
Slide 19: Basic Authentication (P364)
- Widely used by all Web servers
- Browser requests the user's username and password
- Browser sends the credentials to the Web server to authenticate
- Credentials are sent base-64 encoded

Slide 20: Digest Authentication (P366)
- Similar to basic authentication
- Enhanced security: credentials are sent MD5-hashed
- Only available on directories that support WebDAV
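The two mechanisms on slides 19 and 20 side by side, as an added example that is not from the textbook or its slides: it builds and decodes the Basic Authorization header (base-64 is reversible by anyone who sees the request, which is why slide 31 wants authentication wrapped in SSL) and computes and verifies an RFC 2617 Digest response, in which only an MD5 hash derived from the password crosses the wire. The username, password, realm, nonce and URI are constructed values, and storing HA1 on the server side is a choice made for this example, not a description of how IIS stores credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def basic_header(username, password):
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Recover the credentials from a Basic header: base-64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def basic_needs_ssl(url, header):
    """True when a Basic header would cross the wire on plain HTTP, where it is readable."""
    return header.lower().startswith("basic ") and urlsplit(url).scheme.lower() == "http"


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the only password-derived value the server keeps here."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2)."""
    ha1 = digest_ha1(username, realm, password)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed values for this example; none of them come from the textbook.
    realm, nonce, uri = "IIS Example Realm", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "/secure/report.aspx"
    header = basic_header("alice", "s3cret")
    print("Basic header on the wire:", header)
    print("Decoded by anyone who sees it:", decode_basic(header))
    print("Needs SSL on http://intranet.example/:", basic_needs_ssl("http://intranet.example/", header))
    resp = digest_response("alice", realm, "s3cret", "GET", uri, nonce)
    print("Digest response on the wire:", resp)
    print("Server accepts:", verify_digest(digest_ha1("alice", realm, "s3cret"), "GET", uri, nonce, resp))
```

Run as a script to see both headers: the Basic token decodes straight back to the password, while the Digest response changes with the nonce and the server can check it without ever receiving the password.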
Slide 21: Integrated Windows Authentication (P367)
- Default authentication mechanism in IIS 6.0
- Kerberos V5 and NTLM authentication are used
- Client browser does not request the username and password from the user
  - The credentials of the user logged on to the client are used
- Will not work over HTTP proxies
- Suited to an intranet environment that can be tightly controlled by the system administrators

Slide 22: Designing RADIUS Authentication (P369)
- Remote Authentication Dial-In User Service (RADIUS)
  - Protocol that defines single sign-on access to multiple network resources
- Internet Authentication Server (IAS)
  - RADIUS implementation in Windows Server 2003

Slide 23: RADIUS Architecture in Windows Server 2003 (P370)

Slide 24: Using the Internet Authentication Server (P370)
- IAS
  - Not installed by default
  - Can be managed by the IAS MMC snap-in
  - Should enable logging at the IAS

Slide 25: IAS MMC Snap-In (P372)

Slide 26: Securing the RADIUS Implementation (P373)
- RADIUS servers
  - Should be physically secured
  - Make some configuration changes

Slide 27: Security Issues with IAS Access (P374)
- Use Terminal Services to access the IAS server
- Use IPSec to encrypt communication between the RADIUS server and the client
Slide 28: Designing Security for IIS (P375)
- Type of Web site determines security needs
  - Public sites use anonymous authentication
  - Intranet sites are internal to an enterprise
  - Extranet sites are similar to intranet sites, but are for an external audience

Slide 29: Securing IIS Installations (P376)
- Use the NTFS file system
- Use the Configure Your Server Wizard to install other components
- Use unattended setup to install IIS on multiple machines
- Make sure Internet Connection Firewall (ICF) is enabled and configured properly

Slide 30: Internet Connection Firewall (P378)
- Basic internal software firewall
- Disabled by default
- Can be configured to enable or disable protocol access through IIS

Slide 31: Risks to IIS Servers and How to Harden IIS Against Them (P381)
- Non-HTTP requests
  - Disable all non-HTTP and non-HTTPS data
- Authentication mechanism
  - Encrypt authentication with SSL
- Minimize write and execute access
- Do not use HTTP GET methods to post data to the server in client-side scripting

Slide 32: IIS Best Practices (P383)
- Log on with the least credentials
- Disable unwanted services in IIS 6.0
- Keep virus scanners up-to-date
- Keep all software patches up-to-date

Slide 33: Securing FTP (P383)
- Create individual accounts for each FTP user using IIS Manager
- Implement FTP communication over a secure channel
  - Such as a VPN

Slide 34: Securing NNTP (P384)
- Enable basic authentication or integrated Windows authentication on the NNTP Service
- Restrict NNTP access by IP address
- Restrict the number of NNTP operators
- Use SSL to encrypt communication

Slide 35: Securing SMTP (P385)
- Minimize the number of operators
- Use Transport Layer Security (TLS)
- Restrict IP and network access
- Set basic authentication or Windows integrated authentication on outbound messages

Slide 36: New Security Features in IIS 6.0 (P385)
- Advanced Digest authentication
- Server-gated cryptography
- Selectable Cryptographic Service Provider
- Configurable worker process identity
- Default locked-down status
- New authorization framework
Slide 37: Designing a Monitoring Strategy for IIS (P389)
- Windows Server 2003 service calls
  - Monitor through event logs
  - Use the Network Monitor
- Enable logging on all IIS activities
- Create a monitoring baseline
- Enable security monitoring
  - Monitor event log activities
- Enable health detection

Slide 38: Identifying a Security Incident (P398)
- Three failed logins for a user account will be logged
- Analyze the Security log and investigate user access
- Analyze IIS logs
  - Obtain more user details and client IP address data
- Use Security Auditing information as evidence against intrusion
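The IIS-log step of slides 37 and 38 (enable logging, then pull repeated failed logons and the client IP behind them out of the log), as an added example that is not part of the textbook or its slides: a parser for the W3C extended log format IIS writes, driven by the #Fields header line, and a counter of 401.1 (logon failed) responses per client address. The log excerpt is constructed for this example (the server and client addresses, the CORP domain and the report.aspx path are made up); the threshold of three mirrors the slide's failed-login count, and win32 status 1326 is the Windows logon-failure error code.

```python
from collections import Counter

# Constructed IIS 6.0 W3C extended log excerpt for this example (not a real server's log).
# IIS replaces spaces inside a field with '+', so one split on spaces recovers every column.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 08:00:01 10.0.0.5 GET /secure/report.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2005-03-01 08:00:02 10.0.0.5 GET /secure/report.aspx - 80 CORP\bob 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2005-03-01 08:00:04 10.0.0.5 GET /secure/report.aspx - 80 CORP\bob 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2005-03-01 08:00:06 10.0.0.5 GET /secure/report.aspx - 80 CORP\bob 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2005-03-01 08:00:10 10.0.0.5 GET /secure/report.aspx - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2005-03-01 08:00:12 10.0.0.5 GET /secure/report.aspx - 80 CORP\alice 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2005-03-01 08:00:15 10.0.0.5 GET /secure/report.aspx - 80 CORP\alice 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

LOGON_FAILED = ("401", "1")  # sc-status 401 with sc-substatus 1: logon failed


def parse_w3c(lines):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes a fresh #Fields line when the logging configuration changes,
            # so the column layout is re-read every time one appears.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def failed_logons(records):
    """Count 401.1 responses per (client IP, username) pair."""
    counts = Counter()
    for rec in records:
        if (rec.get("sc-status"), rec.get("sc-substatus")) == LOGON_FAILED:
            counts[(rec.get("c-ip", "-"), rec.get("cs-username", "-"))] += 1
    return counts


def suspicious_clients(records, threshold=3):
    """Client addresses with at least `threshold` failed logons, to cross-check in the Security log."""
    per_ip = Counter()
    for (ip, _user), n in failed_logons(records).items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for (ip, user), n in sorted(failed_logons(recs).items()):
        print(f"{ip:15} {user:12} failed logons: {n}")
    print("clients at or over threshold:", suspicious_clients(recs))
```

The 401.2 lines with a "-" username are the initial challenge IIS sends before the browser presents credentials, so the counter deliberately keys on 401.1 only; a client that finally gets a 200, like the second address here, stays below the threshold.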
Slide 39: Design a Content Management Strategy for Updating an IIS Server (P399)
- Tools available to deploy content to Web farms
  - Microsoft Content Management Server (CMS)
  - Microsoft Site Server 4.0
  - Third-party content management tools
- Can also use the virtual directory concept to centralize important information and minimize deployment

Slide 40: Summary
- IIS 6.0 implements a worker process model to handle Web requests
- Certificate authentication is supported
- Windows logon authentication mechanisms
  - Anonymous authentication
  - Basic authentication
  - Digest authentication
  - Windows integrated authentication

Slide 41: Summary (continued)
- Internet Connection Firewall (ICF)
  - Used for small- to medium-sized organizations
- Design a monitoring strategy to support the authentication options
- Microsoft Content Management Server (CMS)
  - Can be used to replicate content to multiple IIS servers in a Web farm

Slide 42: Exercises
- P357-359 Implementing One-to-One Mapping
- P360-361 Implement Many-to-One Mapping
- P362-363 Configure Anonymous Authentication
- P365 Configure Basic Authentication
- P366 Configure Digest Authentication
- P368 Configure Integrated Windows Authentication
- P370-371 Install IAS

Slide 43: Exercises
- P379-381 Configure Protocols in ICF
- P391-392 Configure IIS Logging
- P394-395 Enabling Audit Policy on a Local Machine
- P397-398 Enable Health Detection