IIS 7.5 and IIS 7.0 Security Best Practices – Part I

Step by step guide to installing and enabling windows authentication:

  1. To install Windows Authentication go to  Start > Server Manager, expand Roles, and then click on Web Server (IIS). In the right window pane click on Add role Services
  2. In the Add Role Services wizard, select Windows Authentication, and then click Next > Install > Close
  3. Now to enable Windows authentication,  go to Internet Information Services (IIS) Manager. In the Connections pane, click on the server name, and then in the Home pane, double-click Authentication.
  4. In the Authentication pane, click Windows Authentication and enable it and click on  Anonymous Authentication and disable it.

Note: The above procedure disables anonymous authentication for the entire IIS web server. Therefore, if any websites or web applications need anonymous authentication, we will need to selectively enable it for them.

Unique Binding Configuration

Unique binding configuration ensures that a web server only serves requests for a specific host name and not for all configured IP addresses. The latter is the default nature of IIS.

Unique binding mitigates the risk of an attack from a hacker running automated script or from a self propagating worm that is trying to scan an IP subnet and connecting to each IP address before launching an attack. Such a worm/automated script would first connect for e.g to an IP, and then to and so on before it hits your web server (in that subnet).

If a unique binding is configured, then any probe/connection attempt involving IP address such as to would fail since our web server configured with unique binding, will only respond if a specific hostname based URL request, such as http://testdrive.com (to which it’s bound to).

An attacking script or a worm can still send a probe and receive a response. However, it would need to have a more complex IP-hostname resolving code built in to do that. In essence, like most hardening techniques, unique binding increases the barrier to entry and makes an attack more difficult but not impossible.

Configuring unique binding

  1. Open Internet Information Services (IIS) Manager and select the name of the Web server. Under the Sites node, right-click on the website and select Edit Bindings.
  2. In the Edit Site Binding dialog box, select http in type list, and then click Edit. Select the required IP address for the server’s Web site, and then configure the Host header to match your required host name as shown in the following figure.

Once this configuration is in place, a worm or an automated script trying to connect to (or any IP address that the web server is bound to now) will be unable to do so. Instead, a domain name based query such as http://testdrive.com will be required to connect to our web server.

In the next article in the Securing IIS 7.0 series we will look at some very important additional measures for securing the web server!

Reference: Windows Server 2008 Security Guide (www.microsoft.com)

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>