Securing IIS 7.0 Web Server
Indian Computer Emergency Response Team
Enhancing Cyber Security in India
Department of Information Technology
Ministry of Communications and Information Technology
Government of India
Version: 3.1
Issue Date: 18 November 2010
CERT-In Security Guide CISGu-2010-01
Disclaimer:
This document is provided for informational purposes only, and is provided entirely on an “AS IS” basis.
Information in this document, including URL and other Internet Web Site references, is subject to change without notice.
The products mentioned herein are the trademarks of their respective owners.
Contents
1. Introduction
    1.1 Purpose and Scope
    1.2 Audience and Assumptions
2. Background
    2.1 Web Site Security Issues
    2.2 Security of a Web Server
    2.3 Steps required for securing any public web server
3. Planning and Managing Web Servers
    3.1 Web Server Platforms
4. Security and IIS 7.0
    4.1 IIS 7.0 Design Principles
    4.2 IIS 7.0 Design Principle 1: Secure by default design
        4.2.1 Key Features introduced in IIS 7.0
        4.2.2 Security Changes in IIS 7.0
5. Securing the Web Server Operating System
    5.1 Managing Windows Security
        5.1.1 Working with User and Group Accounts
        5.1.2 Managing the IIS Service Logon Accounts
        5.1.3 Managing the Internet Guest Account
    5.2 Working with File and Folder Permissions
        5.2.1 File and Folder Permission Essentials
        5.2.2 Viewing File and Folder Permissions
        5.2.3 Setting File and Folder Permissions
    5.3 Enforcement of Security Configurations through Policies
        5.3.1 Local Security Policy
        5.3.2 Group Policy
5.3.2.1...