Securing Iis 7.0 Web Server

CERT-In Security Guide CISGu-2010-01

Indian Computer Emergency Response Team
Enhancing Cyber Security in India

Securing IIS 7.0 Web Server

Department of Information Technology
Ministry of Communications and Information Technology
Government of India
Version: 3.1

SECURING IIS 7.0 WEB SERVER

Issue Date: 18 November 2010

Page 1 of 128

CERT-In Security Guide CISGu-2010-01Disclaimer:
This document is provided for informational purposes only, and is provided entirely “AS IS” basis.
Information in this document, including URL and other Internet Web Site references, is subject to change without
notice.
The products mentioned herein are the trademarks of their respective owners.

SECURING IIS 7.0 WEB SERVER

Page 2 of 128

CERT-In Security GuideCISGu-2010-01

Contents
1.

2.

3.
4.

5.

6.

7.

Page Number
Introduction..........................................................................................................................
7
1.1
Purpose and Scope...................................................................................................
7
1.2
Audience andAssumptions.......................................................................................
8
Background.......................................................................................................................... .. 8
2.1
Web Site Security Issues...........................................................................................
9
2.2
Security of a WebServer...........................................................................................
9
2.3
Steps required for securing any public web server.....................................................
9
Planning and Managing Web Servers..................................................................................... 10
3.1
Web Server Platforms...............................................................................................10
Security and IIS 7.0......................................................................................................... ........ 12
4.1
IIS 7.0 Design Principles..............................................................................................
12
4.2
IIS 7.0 Design Principle 1: Secure by default design.....................................................
12
4.2.1 KeyFeatures introduced in IIS7.0...................................................................
12
4.2.2 Security Changes in IIS 7.0..............................................................................
13
Securing the Web Server Operating System............................................................................ 15
5.1
Managing WindowsSecurity......................................................................................
15
5.1.1 Working with User and Group Accounts.........................................................
16
5.1.2 Managing the IIS Service Logon Accounts.......................................................
17
5.1.3 Managing the Internet Guest Account...........................................................
18
5.2
Working withFile and Folder Permissions...................................................................
19
5.2.1 File and Folder Permission Essentials..............................................................
19
5.2.2 Viewing File and Folder permissions................................................................
20
5.2.3 Setting File and FolderPermissions..................................................................
21
5.3
Enforcement of Security Configurations through Policies..............................................
22
5.3.1 Local Security Policy........................................................................................
22
5.3.2 Group Policy..................................................................................................
22
5.3.2.1...