This topic includes overviews of the five main security elements that Internet Information Services 5.0 provides: authentication, access control, encryption, auditing, and certificates. This section also includes information about how to configure security for your Web server, an introduction to the new task wizards in IIS, and comments on the standards supported by IIS security. The following topics are included:
IIS 5.0 includes three new security task wizards. The Certificates Wizard makes obtaining and managing server certificates easier. The CTL Wizard makes creating and managing certificate trust lists easier. These two wizards replace the procedures previously used in IIS for these tasks. The Permissions Wizard makes setting permissions on directories and files easier. (Permissions can still be set by the procedures used in NTFS and earlier versions of IIS.) For more information, see Using the New Security Task Wizards.
Internet Information Services provides security features that are fully integrated with Windows. Five methods of authentication are supported so that you can confirm the identity of anyone requesting access to your Web sites:
You can use these methods to grant access to public areas of your site, while preventing unauthorized access to your private files and directories. See Authentication to learn more about the different ways that you can use authentication on your Web server.
With NTFS access permissions, the foundation of your Web server's security, you can define the level of file and directory access granted to Windows users and groups. For example, if a business decided to publish its catalog on your Web server, you would need to create a Windows user account for that business and then configure permissions for the specific Web site, directory, or file. The permissions would enable only the server administrator and the owner of the business to update the Web site's contents. Public users would be allowed to view the Web site, but could not alter its contents. For more details about setting NTFS permissions, see Setting NTFS Permissions for a Directory or File.
WebDAV is an extension of the HTTP 1.1 protocol that facilitates file and directory manipulation over an HTTP connection. Through the use of WebDAV "verbs," or commands, properties can be added to and read from files and directories. Files and directories can also be remotely created, deleted, moved, or copied. Additional access control can be configured through both Web server permissions and NTFS. For more information, see About Access Control or WebDAV Publishing.
Certificates are digital identification documents that allow both servers and clients to authenticate each other. They are required for the server and client's browser to set up an SSL connection over which encrypted information can be sent. The certificate-based SSL features in IIS consist of a server certificate, a client certificate, and various digital keys. You can create these certificates with Microsoft Certificate Services or obtain them from a mutually trusted, third-party organization called a certification authority (CA). For more information on setting up certificates and keys, see Setting Up SSL on Your Server.
Server certificates provide a way for users to confirm your Web site's identity. A server certificate contains detailed identification information, such as the name of the organization affiliated with the server content, the name of the organization that issued the certificate, and a public key used in establishing an encrypted connection. This information helps to assure users of the authenticity of Web server content and the integrity of the secure HTTP connection. For more information, see About Certificates.
With SSL, your Web server also has the option of authenticating users by checking the contents of their client certificates. A typical client certificate contains a public key and detailed identification information about a user and the organization that issued the certificate. You can use client certificate authentication, along with SSL encryption, to implement a highly secure method for verifying the identity of your users. For more information, see About Certificates.
You can enable users to exchange private information with your server, such as credit card numbers or phone numbers, in a secure way by using encryption. Encryption "scrambles" the information before it is sent, and decryption "unscrambles" it after it is received. The foundation for this encryption in IIS is the SSL 3.0 protocol, which provides a secure way of establishing an encrypted communication link with users. SSL confirms the authenticity of your Web site and, optionally, the identity of users accessing restricted Web sites.
Certificates include keys used in establishing an SSL secure connection. A key is a unique value used to authenticate the server and the client in establishing an SSL connection. A public key and a private key form an SSL key pair. Your Web server utilizes the key pair to negotiate a secure connection with the user's Web browser to determine the level of encryption required for securing communications.
For this type of connection, both your Web server and the user's browser must be equipped with compatible encryption and decryption capabilities. During the exchange, an encryption, or session, key is created. Both your server and the Web browser use the session key to encrypt and decrypt transmitted information. The session key's degree of encryption, or strength, is measured in bits. The greater the number of bits comprising the session key, the greater the level of encryption and security. Although these greater encryption key strengths offer greater security, they also require more server resources to implement. Your Web server's session key is typically 40 bits long, but can be 128 bits long depending upon the level of security you require. For more information, see Encryption.
You can use security auditing techniques to monitor a broad range of user and Web server security activity. It is recommended that you routinely audit your server configuration to detect areas where resources may be susceptible to unauthorized access and tampering. You can use the integrated Windows utilities or the logging features built into IIS 5.0, or use Active Server Pages (ASP) applications to create your own auditing logs. For more information, see Auditing.
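One way to act on the IIS logs when auditing, as an added example that is not part of the original documentation: it reads W3C Extended format lines and reports successful anonymous WebDAV write verbs and clients with repeated 401 responses. The log lines, account name and threshold are constructed for illustration.

```python
from collections import Counter

# Verbs that create, delete, move, copy or change properties of content.
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample log; client addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2000-05-02 17:42:15 192.0.2.10 - GET /catalog/index.htm 200
2000-05-02 17:43:01 192.0.2.10 CONTOSO\\owner PUT /catalog/index.htm 201
2000-05-02 17:44:09 198.51.100.7 - PROPFIND /private/ 401
2000-05-02 17:44:10 198.51.100.7 - PROPFIND /private/ 401
2000-05-02 17:44:12 198.51.100.7 - PROPFIND /private/ 401
2000-05-02 17:45:30 203.0.113.5 - MKCOL /catalog/new/ 201
2000-05-02 17:46:02 203.0.113.5 - DELETE /catalog/index.htm 403
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def audit(text, max_401=3):
    """Flag anonymous WebDAV writes that succeeded and clients with repeated 401s."""
    findings, denied = [], Counter()
    for rec in parse_w3c(text):
        status = rec["sc-status"]
        anonymous = rec["cs-username"] == "-"
        if rec["cs-method"] in WRITE_VERBS and status.startswith("2") and anonymous:
            findings.append(("anonymous-write", rec["c-ip"],
                             rec["cs-method"], rec["cs-uri-stem"]))
        if status == "401":
            denied[rec["c-ip"]] += 1
    # A single 401 is a normal authentication challenge; only repeats are reported.
    findings += [("repeated-401", ip, n) for ip, n in denied.items() if n >= max_401]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```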
Many of the security features in IIS implement Internet community standards. These standards help to facilitate uniformity and cross-platform utilization of applications and information. Microsoft is committed to working with the Internet and computer communities both in helping to structure good standards and in implementing those standards. For more information on the standards implemented by the IIS security features, follow the appropriate link in the following list:
Fortezza (http://www.armadillo.huntsville.al.us/): The U.S. government security standard, commonly called Fortezza, is supported in IIS 5.0. This standard satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, non-repudiation, and access control to messages, components, and systems. These features are implemented both with server and browser software and with PCMCIA card hardware. Fortezza is a widely used mechanism within the U.S. government.
Secure Sockets Layer (SSL 3.0) (http://home.netscape.com/eng/ssl3/index.html) is a public key-based security protocol implemented by the Secure Channel (Schannel) security provider. SSL security protocols are used widely by Internet browsers and servers for authentication, message integrity, and confidentiality.
Basic Authentication (http://www.w3.org/) is a part of the HTTP 1.0 specification that sends passwords over networks in Base64-encoded format. Most browsers support this specification.
Digest Authentication (http://www.ics.uci.edu/pub/ietf/http/rfc2069.txt) is a new feature of IIS 5.0 that sends authentication information over networks as a hash and is compatible with proxy servers.
PKCS #7 (http://www.rsa.com/standards/) describes the format of encrypted data such as digital signatures or digital envelopes that securely contain information. Both of these are involved in the certificate features of IIS.
PKCS #10 (http://www.rsa.com/standards/) describes the format of requests for certificates that are submitted to certification authorities.
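The difference between the Basic and Digest entries above, as an added example that is not part of the original IIS documentation: it decodes a Basic `Authorization` header back to the password and computes the RFC 2069 digest response that is sent instead. The user name, realm, password and nonces are constructed values.

```python
import base64
import hashlib
import hmac

def basic_header(user, password):
    """Basic: user:password is Base64-encoded, which is reversible without a key."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    """What any observer of an unencrypted connection can recover."""
    scheme, token = header.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2069 response: MD5(HA1:nonce:HA2); the password itself is not sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def server_accepts(known_password, user, realm, method, uri, nonce, response):
    """Recompute the hash for the nonce the server issued; compare in constant time."""
    expected = digest_response(user, realm, known_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)

# Constructed sample values, not taken from the page.
USER, REALM, PASSWORD = "catalog-owner", "example.test", "s3cret-Example"

if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print(header, "->", decode_basic(header))
    nonce = "a1b2c3d4e5f60718"  # constructed server challenge
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/private/", nonce)
    print("Digest response:", resp)
    print("accepted:", server_accepts(PASSWORD, USER, REALM, "GET", "/private/", nonce, resp))
    # The same response presented against a fresh nonce is rejected.
    fresh = "ffffffffffffffff"
    print("replayed:", server_accepts(PASSWORD, USER, REALM, "GET", "/private/", fresh, resp))
```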
For additional information about Windows and network security issues, visit the Microsoft security Web site at http://www.microsoft.com/security/ or Windows Security at http://www.microsoft.com/ntserver/security/.
Before configuring your Web server security, determine the level of security that you will require to protect your Web and FTP sites. For example, if you intend to create a Web site that allows special users to access private information, such as financial or medical records, then you will require a robust security configuration. This configuration should be able to reliably authenticate designated users and restrict access to only those users.
Much of your Web server's security relies on your Windows security configuration. If you do not properly configure your Windows security features, you cannot secure your Web server.
If you have not done so already, carry out the following:
For more information, consult the Windows documentation. The Microsoft Windows 2000 Server Resource Kit is also an excellent source for security information.
As part of your security configuration, you should also convert your hard disk partition to an NTFS partition. NTFS hard disk partitions offer precise file and directory access control, and save information more efficiently than File Allocation Table (FAT) partitions. You can use the Windows Convert utility to convert a hard disk partition to NTFS. For more information, consult your Windows documentation.
Next, determine which files and directories will be publicly available to users visiting your Web and FTP sites. Keep public and restricted content in separate directories.
To get started configuring your Web server's security, see About Access Control for information about properly configuring anonymous Web server access.