
CIS 288 WEEK 7: Securing Internet Information Services

Slide 1

Introduction

Welcome to week 7 of C-I-S 288: Security Design in a Windows 2003 Environment. In the previous lesson we discussed securing network services and protocols. This week we will discuss securing Internet Information Services. Next Slide:

Slide 2

Objectives

When you complete this lesson you will be able to: design user authentication for Internet Information Services; design user authentication for a Web site by using certificates; design user authentication for a Web site by using I-I-S authentication; design security for Internet Information Services; design security for Web sites that have different technical requirements by enabling only the minimum required services; design a monitoring strategy for I-I-S; and design a content management strategy for updating an I-I-S server. Next Slide:

Slide 3

Designing User Authentication for IIS

Microsoft has done a great job of redesigning I-I-S to be more reliable and robust. Perhaps the most significant modification is the emphasis on the worker process model. This concept first appeared in I-I-S four-point-zero as the ability to run an application in a separate memory space. Let's investigate these modifications in detail. I-I-S separates all user code from its W-W-W service. The user application functions as a separate Internet Server Application Programming Interface application. The separate I-S-A-P-I workspace is referred to as a worker process. The worker process can also be configured to run on a specified C-P-U. The worker process model can store application-specific data in its own memory space. Therefore, you can assign a Web site to run on specific C-P-Us. This mechanism will enable you to dedicate more resources to popular Web sites. The I-I-S web request process is illustrated on this slide. Next Slide:

Slide 4

Designing Certificate Authentication

Certificates are a proven mechanism to authenticate users in I-I-S six-point-zero. A certificate is a digital fingerprint for a user or for a number of users. This digital fingerprint provides the user's identity information to I-I-S six-point-zero. The certificate information needs to be associated with a Windows user account, a process referred to as mapping. There are three ways to map a certificate to a Windows user account: Directory Service mapping, one-to-one mapping, and many-to-one mapping. These three mechanisms provide a very flexible certificate mapping capability in Windows Server 2003. Using them, you are able to map multiple users to a single certificate, and a number of certificates to the same user. Next Slide:

Slide 5

Designing Windows Logon Authentication

There are several Windows logon authentication mechanisms available in Windows Server 2003. Windows accounts can be used to authenticate users who access Web and F-T-P content. These authentication methods are anonymous access, basic authentication, digest authentication, and integrated Windows authentication. Anonymous authentication is the least secure of the Windows Server 2003 authentication options, and is used for Web content that does not require any security. Basic authentication is widely supported by all Web servers. The browser requests the user's username and password, and the user enters these details into the Web browser. The combination of username and password is referred to as credentials. The Web browser sends the credentials to the Web server to authenticate. The credentials are base-sixty-four encoded before they are sent to the Web server, and are not encrypted. Therefore anyone snooping on the network can obtain these details. The third authentication type is digest authentication. Digest authentication is similar to basic authentication. The limitation of basic authentication is the transport of the credentials in clear text. Digest authentication overcomes this issue by sending an M-D-five hash of the credentials instead. The M-D-five hash, or message digest, cannot be reversed to recover the credentials. Digest authentication is only available on directories that support Web-D-A-V. The last authentication type is integrated Windows authentication. Integrated Windows authentication is the default authentication mechanism in I-I-S six-point-zero. This was formerly called N-T-L-M or Windows N-T challenge response. Integrated Windows authentication uses a hashing algorithm to protect the credentials; therefore it is a safe method. Next Slide:

Slide 6

Designing RADIUS Authentication

There are multiple network options for organizations. Technical advances enable you to use the Internet, virtual private networks, and wireless access to reach the same resources. These multiple implementations add another level of complexity to your enterprise. You do not want to have different authorization and authentication mechanisms for access to different resources. The Remote Authentication Dial-In User Service, or Radius, is a protocol that defines single sign-on access to multiple network resources. The implementation of Radius in Windows Server 2003 is referred to as Internet Authentication Server, or I-A-S. I-A-S in Windows Server 2003 implements a Radius server and a Radius proxy. The Radius server provides centralized connection authentication, authorization, and accounting functions for networks that include wireless access, V-P-N remote access, Internet access, extranet business partner access, and router-to-router connections. Radius servers will be hosted in a server room with other enterprise software servers. These servers need to be physically protected from intruders. This will include locked doors, security alarm systems, and dedicated server space for the I-A-S servers. You can also make some configuration changes to protect the servers from intruders. Next Slide:
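The contrast drawn on slide five between basic and digest authentication, as an added example that is not part of the lecture script: a constructed Basic header is recovered by a passive observer with nothing more than decoding, while a constructed Digest exchange (RFC 2617 with qop=auth, computed the way a server-side check would) puts only an M-D-five hash on the wire, and a reply captured under one nonce is rejected when presented under another. The realm, user name, password, nonce and client nonce are made-up values.

```python
"""Added example (not from the lecture script): what a network observer sees
for Basic versus Digest authentication, and how a server checks each.
Realm, user name, password, nonce and client nonce are constructed values."""
import base64
import hashlib
import hmac
from typing import Optional

REALM = "cis288-demo"          # hypothetical realm name
USERS = {"alice": "S3cret!"}   # constructed credential store (clear text, for the demo)


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """The browser's Basic credential: base64 encoding only, no encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def credentials_visible_on_the_wire(header: str) -> Optional[str]:
    """A passive observer recovers Basic credentials by decoding, not cracking.
    For any other scheme the clear-text password is simply not on the wire."""
    scheme, _, token = header.partition("Authorization: ")[2].partition(" ")
    if scheme != "Basic":
        return None
    return base64.b64decode(token).decode()


def server_verify_basic(header: str) -> bool:
    """Server side of Basic: compare the decoded pair against the store."""
    creds = credentials_visible_on_the_wire(header)
    if creds is None:
        return False
    user, _, password = creds.partition(":")
    return USERS.get(user) == password


def digest_header(user: str, password: str, method: str, uri: str, nonce: str,
                  nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """Client side of RFC 2617 Digest with qop=auth: only MD5 hashes are sent."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Authorization: Digest username="{user}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{response}"')


def _parse_digest(header: str) -> dict:
    """Minimal parser for the comma-separated Digest parameters built above."""
    params = {}
    for part in header.split("Digest ", 1)[1].split(", "):
        key, _, value = part.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def server_verify_digest(header: str, method: str, expected_nonce: str) -> bool:
    """Server side: recompute the response from the stored password and the
    nonce this server issued; a stale or foreign nonce is rejected outright."""
    if not header.startswith("Authorization: Digest "):
        return False
    p = _parse_digest(header)
    password = USERS.get(p.get("username", ""))
    if password is None or p.get("nonce") != expected_nonce:
        return False
    ha1 = _md5(f"{p['username']}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    basic = basic_header("alice", "S3cret!")
    print(basic, "->", credentials_visible_on_the_wire(basic))
    digest = digest_header("alice", "S3cret!", "GET", "/secure/index.htm", "nonce-1")
    print(digest, "->", credentials_visible_on_the_wire(digest))
    print("digest accepted:", server_verify_digest(digest, "GET", "nonce-1"))
    print("same reply under a new nonce:", server_verify_digest(digest, "GET", "nonce-2"))
```

The nonce check is what gives digest its replay resistance, so a real server must issue fresh nonces and expire them; the hash on the wire still lets an observer try password guesses offline, which is why digest is paired with strong passwords or, better, S-S-L on the site.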

Slide 7

Designing Security for IIS

I-I-S provides many services in Windows Server 2003. It supports Web, F-T-P, S-M-T-P, and N-N-T-P services. Web sites can be configured as Internet sites, intranet sites, or extranet sites. Some content of intranet sites needs to be available as content for extranet sites. Therefore, it is a tedious task to design security that addresses every one of these implementations. The most common Web sites are public Internet sites. These have to be enabled for public access by default. Therefore, you need to enable anonymous login for all the public Web sites. You need to take extra caution to ensure the I-U-S-R Computer Name account is not mishandled. Intranet sites are internal to an enterprise. Therefore, you can leverage the existing security architecture for an intranet site. You can use integrated Windows authentication, digest authentication, or basic authentication as your authentication mechanism. Extranet sites are similar to intranet sites, except that they serve an external audience. This is a mechanism for sharing business information with business partners. Under an extranet implementation you will not have the luxury of the enterprise-wide Active Directory or network implementations that intranet sites enjoy. Next Slide:

Slide 8

Securing IIS

I-I-S is not installed by default by Windows Server 2003 setup, except in the Web Server Edition. There are three different ways to install I-I-S: use the Configure Your Server Wizard; use the Add or Remove Programs option in the Control Panel; or use unattended setup. Installation best practices will ensure the optimum scalability and performance of I-I-S six-point-zero. Here are some of the important steps to ensure maximum security with I-I-S: The file system onto which you install I-I-S should be N-T-F-S. If the partition is not already formatted as N-T-F-S, convert the Fat thirty-two file system to N-T-F-S prior to installation or during the upgrade process. The Configure Your Server Wizard will let you install multiple application server components; therefore, you can install other components in parallel with I-I-S six-point-zero setup. Use unattended setup to install I-I-S on multiple machines. And make sure the Internet Connection Firewall is enabled and configured properly unless you will be relying on a separate firewall product. Next Slide:

Slide 9

Creating a Monitoring Baseline

Implementing a monitoring baseline is an important element of enterprise architecture. It sets security standards for the organization and acts as the minimum security requirement for the enterprise. All of these tools are available in Windows Server 2003 or are native to I-I-S six-point-zero. They allow you to: configure I-I-S logs; enable security auditing; monitor event log activity; enable health detection; and monitor Network Monitor and System Monitor activity. It is important to analyze these tools in more detail. Next Slide:

Slide 10

Design a Content Management Strategy for Updating an IIS Server

Content is the greatest driver for a successful Web site, and Web site content needs to be updated very frequently. Most Web sites are operated as Web farms. A Web farm is a collection of multiple I-I-S servers that are load balanced to handle a higher throughput of simultaneous Web requests. There are several tools available to deploy content to Web farms. Microsoft Content Management Server is a dedicated server that manages Web content. You can specify the source content directories and destination directories in a Gooey interface. You can also use the virtual directory concept to centralize important information and minimize deployment: you point all the Web farm machines to a single machine to avoid deploying content to every server. This method will consume valuable network resources, since all the servers need to obtain data from this single point. You might also need to provide a backup server in case this single content point goes offline. Next Slide:
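The first item in the monitoring baseline on slide nine, configuring I-I-S logs, only pays off if something reads them; as an added example that is not part of the lecture script, the block below parses lines in the W3C extended format I-I-S six-point-zero writes, reports how much traffic ran as the anonymous account, and flags clients that produce a run of failed logons. Every log line, address, user name and the threshold are constructed for the demo; the substatus meanings used (401.1 logon failed, 401.2 the server's initial challenge) are the documented I-I-S six-point-zero values, not something the lecture states.

```python
"""Added example (not from the lecture script): a small monitoring check over
I-I-S six-point-zero W3C extended log lines. Every log line, address, user name
and the failure threshold below are constructed for the demo."""
from typing import Dict, List, Tuple

# Constructed sample in the W3C extended format IIS 6.0 writes by default.
# "-" in cs-username means the request was served as the anonymous user.
# Client .30 shows a normal integrated-auth handshake (401.2, 401.1, then 200);
# client .77 shows repeated failed logons with no success.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-15 08:00:01 10.0.0.5 GET /default.htm - 80 - 192.168.1.20 Mozilla/4.0 200 0 0
2004-03-15 08:00:02 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.30 Mozilla/4.0 401 2 0
2004-03-15 08:00:03 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.30 Mozilla/4.0 401 1 0
2004-03-15 08:00:04 10.0.0.5 GET /secure/report.htm - 80 CONTOSO\\alice 192.168.1.30 Mozilla/4.0 200 0 0
2004-03-15 08:00:05 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.77 Mozilla/4.0 401 2 0
2004-03-15 08:00:06 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.77 Mozilla/4.0 401 1 0
2004-03-15 08:00:07 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.77 Mozilla/4.0 401 1 0
2004-03-15 08:00:08 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.77 Mozilla/4.0 401 1 0
2004-03-15 08:00:09 10.0.0.5 GET /images/logo.gif - 80 - 192.168.1.20 Mozilla/4.0 200 0 0
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Return one dict per request, keyed by the names in the #Fields directive.
    Directive lines start with '#'; a line whose field count does not match the
    directive is skipped rather than guessed at."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def anonymous_vs_authenticated(rows: List[Dict[str, str]]) -> Tuple[int, int]:
    """How much of the traffic ran as the anonymous account versus a named user."""
    anon = sum(1 for r in rows if r["cs-username"] == "-")
    return anon, len(rows) - anon


def failed_logon_streaks(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Longest run of consecutive 401.1 (logon failed) responses per client.
    A 2xx response from the same client resets the run, so the single 401.1
    inside a successful handshake does not accumulate; 401.2 (the initial
    challenge) is never counted."""
    streak: Dict[str, int] = {}
    longest: Dict[str, int] = {}
    for r in rows:
        ip = r["c-ip"]
        if r["sc-status"] == "401" and r["sc-substatus"] == "1":
            streak[ip] = streak.get(ip, 0) + 1
            longest[ip] = max(longest.get(ip, 0), streak[ip])
        elif r["sc-status"].startswith("2"):
            streak[ip] = 0
    return longest


def flag_clients(rows: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Clients whose longest failed-logon run reaches the (constructed) threshold."""
    return {ip: n for ip, n in failed_logon_streaks(rows).items() if n >= threshold}


if __name__ == "__main__":
    requests = parse_w3c(SAMPLE_LOG)
    print("anonymous, authenticated:", anonymous_vs_authenticated(requests))
    print("failed-logon runs:", failed_logon_streaks(requests))
    print("flagged at threshold 3:", flag_clients(requests))
```

The streak logic is the part worth keeping: counting every 401 would flag each integrated-auth client on its first request, while counting only uninterrupted 401.1 runs separates the handshake from a client that keeps failing to log on.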

Slide 11

Summary

We have reached the end of this lesson. Let's take a look at what we have covered. The first half of this lesson discussed user authentication for Internet Information Services, or I-I-S. I-I-S separates all user code from its W-W-W service. The user application functions as a separate Internet Server Application Programming Interface application. The separate I-S-A-P-I workspace is referred to as a worker process. The second half of this lesson focused on security for I-I-S. I-I-S provides many services in Windows Server 2003. It supports Web, F-T-P, S-M-T-P, and N-N-T-P services. Web sites can be configured as Internet sites, intranet sites, or extranet sites. Some content of intranet sites needs to be available as content for extranet sites. Therefore, it is a tedious task to design security that addresses every one of these implementations.
