Windows Server 2003 Security Infrastructures

This chapter focuses on the Internet Information Services (IIS) 6.0 authentication methods. Microsoft has made radical changes to its Web server in Windows Server 2003. Some of these changes and their impact on the overall security quality of the Web server are explored in Section 6.1. The rest of the chapter focuses on the authentication methods supported in IIS 6.0.
Windows Server 2003 is Microsoft's first enterprise operating system that ships with the label "secure by default." One of the most visible effects of this is that IIS is now an optional service and is not installed by a default Windows Server 2003 installation. [1] This really makes sense if you keep in mind the numerous IIS security exploits that have occurred over the past years. Domain administrators can even prevent other administrators from installing IIS 6.0 on a server in a Windows Server 2003 domain using the following GPO setting: "Prevent IIS installation," which is located in the Computer Configuration\Administrative Templates\Windows Components\Internet Information Server GPO container. Note that this setting will not prevent an administrator from installing an IIS 5.0 or earlier Web server on a Windows Server 2003 machine.
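As an added example that is not part of the book, the following PowerShell script audits a host for the state described above: whether the "Prevent IIS installation" policy is in effect and whether an IIS Web service is nevertheless present (for instance a pre-6.0 install, which the policy does not block). The registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\IIS, value PreventIISInstall) is assumed from the IIS.adm policy template rather than stated on the page, and the function name Get-IisInstallPolicyState is the author's own.

```powershell
# Added example (not from the book): audit the "Prevent IIS installation"
# policy and IIS presence on the local host.
# Assumption: the GPO setting writes the DWORD PreventIISInstall under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\IIS (per the IIS.adm template).

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\IIS'
$policyValue = 'PreventIISInstall'

function Get-IisInstallPolicyState {
    # Returns an object describing the policy and IIS presence.
    # A missing key or value is treated as "policy not applied", never as an error.
    $prevent = $false
    if (Test-Path -Path $policyKey) {
        $item = Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$policyValue -eq 1) {
            $prevent = $true
        }
    }

    # W3SVC is the World Wide Web Publishing Service; its presence means some
    # version of IIS is installed, regardless of the policy.
    $w3svc = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PreventIISInstall = $prevent
        IISServicePresent = ($null -ne $w3svc)
        IISServiceStatus  = if ($null -ne $w3svc) { $w3svc.Status.ToString() } else { 'n/a' }
    }
}

$state = Get-IisInstallPolicyState
$state | Format-List

# Report the two combinations a defender cares about.
if (-not $state.PreventIISInstall) {
    Write-Warning 'The "Prevent IIS installation" policy is not applied on this host.'
}
if ($state.IISServicePresent -and $state.PreventIISInstall) {
    Write-Warning 'IIS is present although the policy is set: it may predate the policy or be an IIS 5.0 or earlier install, which the policy does not block.'
}
```

Run the script on each member server (or wrap the function in Invoke-Command for a set of hosts) to confirm that the GPO has actually reached the machines it was meant for; the second warning is the practical reminder that the policy is only a guard against IIS 6.0 installs, not an inventory of existing Web servers.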
Like Windows Server 2003, when IIS 6.0 is installed, it will be in a locked-down state. By default, IIS 6.0 is only capable of providing static Web page support ("static" meaning plain HTML files). The dynamic content (for example, active server pages) that can be served by IIS is...