In this series of two articles, we will review some key hardening mechanisms for a corporate intranet-hosted IIS 7.5 or IIS 7.0 web server running on Windows Server 2008. These best practices mitigate the risk of unauthorized access to the IIS 7.5 or IIS 7.0 installation.
Microsoft IIS 7 has an inherently stronger security design than its predecessors. A default installation of IIS 7 provides only minimal functionality; any additional functionality, if needed, has to be explicitly selected and installed by the user.
This ‘minimal installation by default’ approach reduces the ‘attack surface area’ of our website. The less functionality one installs, the less exposed one is to attack from hackers and malicious code.
Let’s dive into some of the key security best practices that we can implement to strengthen IIS 7 security:
Secure Windows Server Installation
If the underlying OS is vulnerable, it also leaves the IIS web server installation vulnerable to unauthorized access. Therefore, for optimal security, and if viable, we may wish to run IIS 7 on a secure Windows 2008 installation. In a Windows Server 2008 or Windows Server 2008 R2 environment, this can be achieved by deploying a Server Core installation.
Essentially, the Server Core option installs only the minimal components required for running a specific server role. This is very important for reducing the ‘attack surface area’ that we discussed earlier. Apart from the security aspect, a minimal installation also decreases the overhead of administration and maintenance activities.
A server running a Server Core installation of Windows Server 2008 supports various server roles such as DNS server, Web server, File server etc. For an exhaustive list of supported roles, visit: http://go.microsoft.com/fwlink/?LinkId=99832
Note that the Server Core installation does not include the Graphical User Interface functionality. Therefore, to manage it locally you can use the command shell, or manage it remotely through MMC (Microsoft Management Console) installed on another system. Additionally, ASP.NET and .NET Framework related features are not supported by the Server Core installation, so if any of your web applications use these features you should not choose this type of installation.
For detailed procedures on installing the Web Server (IIS) role with a Windows Server 2008 Server Core installation, visit Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
Configuring The Authentication Mechanism
If you don’t need public access to your website, you can leverage Windows authentication mode to restrict access to authorized individuals. Configuring Windows authentication on your web server integrates it with Windows and Active Directory Domain Services. Each individual who wishes to access your website will need to authenticate to your web server/integrated Active Directory first.
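As an added example (not part of the original article), the following PowerShell script switches a site from anonymous access to Windows authentication with appcmd.exe and reads the effective settings back to confirm the change. It assumes the Windows Authentication role service is already installed, that PowerShell is available on the server, and that the site is named "Default Web Site"; the function names are hypothetical helpers.

```powershell
# Added example: run from an elevated PowerShell prompt on the IIS 7.0/7.5 server.
# Assumption: the site name below; pass -Site to target a different site.
param([string]$Site = 'Default Web Site')

$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$authPath = 'system.webServer/security/authentication'

if (-not (Test-Path $appcmd)) {
    throw 'appcmd.exe not found; is the Web Server (IIS) role installed?'
}

function Set-AuthScheme([string]$Scheme, [bool]$Enabled) {
    # Both authentication sections are locked at server level by default, so the
    # change is committed to applicationHost.config instead of the site's web.config.
    & $appcmd set config $Site "-section:$authPath/$Scheme" "/enabled:$Enabled" /commit:apphost | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd could not set $Scheme (exit code $LASTEXITCODE)"
    }
}

function Get-AuthScheme([string]$Scheme) {
    # /config:* makes appcmd print effective values, including inherited defaults,
    # as XML; the 'enabled' attribute is then read from the section element.
    $out = & $appcmd list config $Site "-section:$authPath/$Scheme" '/config:*'
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd could not read $Scheme (exit code $LASTEXITCODE)"
    }
    $node = ([xml]($out -join "`n")).SelectSingleNode("//$Scheme")
    return ($node -ne $null -and $node.GetAttribute('enabled') -eq 'true')
}

# Disable anonymous access first so the site is never open with both schemes on.
Set-AuthScheme 'anonymousAuthentication' $false
Set-AuthScheme 'windowsAuthentication'   $true

# Verify the effective configuration instead of trusting the exit codes alone.
$anonymous = Get-AuthScheme 'anonymousAuthentication'
$windows   = Get-AuthScheme 'windowsAuthentication'

if ($anonymous -or -not $windows) {
    throw "Unexpected state for '$Site': anonymous=$anonymous, windows=$windows"
}
Write-Output "'$Site': anonymous authentication disabled, Windows authentication enabled."
```

If the second `set config` call fails because the section is unknown, the Windows Authentication role service is not installed; add it to the Web Server (IIS) role and run the script again.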