The Process: Designing Security for IIS
IIS 6.0 is installed in a locked-down fashion. With this version of IIS, many security decisions come down to deciding which services, components, and configuration changes are needed to enable an application to run or to create a useful Web site that fits a business need. In the rush to "just get it to work," services might be started and components might be added that are not needed.
Your job as a designer is not only to design the security controls that need to be put into place but also to ensure that the security that is already established is not modified without reason. One way to enforce this process is to design a security baseline for IIS that meets business needs and then require that any change to that baseline meet stringent requirements for security and business needs. To design security for IIS that meets business needs, follow these steps:
1. Understand the business needs. Do not design security in a vacuum. The first step is to understand the business needs. Remember that one of these needs, however, is to provide a Web server that has security that cannot be breached. Each section of this lesson and Lesson 2 provides explicit suggestions for how the dual requirements of meeting business needs and providing a secure Web server and sites can be met.
2. Design a reduced attack surface for the Web server. Harden the server running Windows Server 2003. Examine the default security of IIS, and select services and components that need to be enabled or implemented. Know what exists by default for both the Web server and for Windows Server 2003.
3. Design isolation and control for access to Web servers, Web sites, applications, and server resources. Use ACLs and identities to isolate Web sites and protect server resources. Isolate applications in application pools. An application pool is a group of Web sites and applications that can use the same worker process. Each application pool serves as an isolation boundary: an application running outside of the application pool has no access to the processes or Web sites running inside the application pool.
4. Design authentication for the needs of the Web site. Enable only the authentication types necessary. The design of authentication for IIS is taught in Lesson 2 of this chapter.
5. Design how data will be protected in transit. Protect sensitive data, such as logon credentials, user identities, and credit card numbers, while it is in transit. Protect data transported between IIS and database servers.
6. Design a secure content management strategy. Provide a secure process for managing Web site content. Only authorized people should be able to add, change, or remove content.
7. Design monitoring and maintenance strategies for IIS. Design monitoring for security issues, performance issues, and reliability issues. Design a patching and updating process. Design remote administration.
8. Design security for databases used by Web sites and applications. Databases provide storage for and process data used in Web applications. Securing this data is often an exercise in securing the database.
9. Configure Web servers to isolate Web sites and applications. Many Web servers host more than one Web site, and many sites host many applications. Keeping sites and applications isolated from one another is an essential security technique.
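One way to enforce the baseline process described above, shown as an added example that is not part of the original article: a small Python check that compares a snapshot of the server's settings with the approved baseline and reports every deviation. The site names, application pools and settings are constructed sample data, `find_drift` is a hypothetical helper, and collecting the live settings from the server is assumed to happen separately.

```python
# Added example: baseline drift check. All names and settings below are
# constructed sample data, not taken from a real server.

# Approved baseline: every enabled item carries its business justification.
BASELINE = {
    "extensions": {"Active Server Pages": "order-entry application is written in ASP"},
    "sites": {
        "shop": {"pool": "ShopPool", "auth": {"Anonymous"}},
        "hr": {"pool": "HrPool", "auth": {"Integrated Windows"}},
    },
}

# Constructed snapshot of what is actually configured on the server.
OBSERVED = {
    "extensions": ["Active Server Pages", "WebDAV"],
    "sites": {
        "shop": {"pool": "ShopPool", "auth": {"Anonymous", "Basic"}},
        "hr": {"pool": "ShopPool", "auth": {"Integrated Windows"}},
        "test": {"pool": "DefaultAppPool", "auth": {"Anonymous"}},
    },
}

def find_drift(baseline, observed):
    """Return (kind, subject, detail) for every deviation from the baseline."""
    findings = []
    for ext in sorted(observed["extensions"]):
        # An extension is allowed only if the baseline records why it is needed.
        if not baseline["extensions"].get(ext, "").strip():
            findings.append(("extension", ext, "enabled without an approved business need"))
    for name, site in sorted(observed["sites"].items()):
        approved = baseline["sites"].get(name)
        if approved is None:
            findings.append(("site", name, "not in the baseline"))
            continue
        extra = site["auth"] - approved["auth"]
        if extra:  # only the authentication types the site needs may be on
            findings.append(("auth", name, "unapproved: " + ", ".join(sorted(extra))))
        if site["pool"] != approved["pool"]:  # isolation boundary changed
            findings.append(("pool", name, f"in {site['pool']}, baseline says {approved['pool']}"))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in find_drift(BASELINE, OBSERVED):
        print(f"{kind:10} {subject:10} {detail}")
```

Each finding is a change that was made without going through the baseline review, which is the point at which the security and business justification should be demanded.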