How to Cheat at Designing Security for a Windows Server 2003 Network

Internet Information Services (IIS) is one of the most popular solutions for private and commercial Web servers on the Internet today. Because of its popularity, and the overall prevalence of Windows-based machines on the Internet, IIS has become a favorite target of hackers and virus/worm authors. One of the major goals of Microsoft's Trustworthy Computing initiative was to improve the security of Microsoft software in three areas: secure by design, secure by default, and secure in deployment. IIS 6.0, the version of the Web server software that is bundled with Windows Server 2003, is one of the first major services to reflect this initiative. In previous releases of the server operating system, IIS was installed and running by default; on Windows Server 2003 an administrator must install and enable IIS explicitly, and a fresh installation serves only static content until the administrator allows dynamic handlers such as Active Server Pages (ASP) through the Web Service Extensions list. Optional services such as the Network News Transfer Protocol (NNTP) must likewise be installed and enabled separately. In this chapter, we'll look at the steps needed to create a secure IIS deployment for your enterprise network.
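As an added illustration of that locked-down default (this is example code written for this page, not code from the book), the following Python script audits an IIS 6.0 WebSvcExtRestrictionList, the metabase property behind the Web Service Extensions node in IIS Manager, and reports which dynamic-content handlers are actually allowed to run. The entry layout assumed here, Access,Path,UIDeletable,GroupID,Description with Access "1" meaning Allowed and "0" meaning Prohibited, and the sample list below are assumptions constructed for the example; on a real server you would feed in the property as exported from MetaBase.xml or from `cscript adsutil.vbs GET W3SVC/WebSvcExtRestrictionList`. The set of DLLs treated as worth justifying (ASP, WebDAV, server-side includes, the Internet Data Connector) is the author's choice for this example, not a list from the book.

```python
"""Audit an IIS 6.0 WebSvcExtRestrictionList and report allowed handlers.

Assumed entry format (one entry per line, as it appears in MetaBase.xml):
    Access,Path,UIDeletable,GroupID,Description
Access is "1" (Allowed) or "0" (Prohibited). Wildcard entries such as
"0,*.dll" carry only the first two fields. This layout is an assumption
made for the example, not a claim about the book's text.
"""
from dataclasses import dataclass
from typing import Dict, List
import ntpath


@dataclass
class WebSvcExtEntry:
    allowed: bool
    path: str
    ui_deletable: bool
    group_id: str
    description: str


# Handlers that widen the attack surface; each one left enabled should be
# justified. DLL names are the IIS 6 handler binaries (example's own choice).
RISKY_DLLS = {
    "asp.dll": "Active Server Pages",
    "httpext.dll": "WebDAV",
    "ssinc.dll": "Server Side Includes",
    "httpodbc.dll": "Internet Data Connector",
}

# Constructed sample list for the example (not a real server's export).
# Only ASP and the Internet Data Connector have been switched to Allowed.
SAMPLE_LIST = r"""
0,*.dll
0,*.exe
1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
0,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV
0,C:\WINDOWS\system32\inetsrv\ssinc.dll,0,SSINC,Server Side Includes
1,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector
"""


def parse_restriction_list(text: str) -> List[WebSvcExtEntry]:
    """Parse one entry per line; blank lines are ignored."""
    entries: List[WebSvcExtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split at most four times so a description containing commas survives.
        parts = line.split(",", 4)
        access = parts[0]
        if access not in ("0", "1"):
            raise ValueError(f"unexpected Access value in entry: {line!r}")
        path = parts[1] if len(parts) > 1 else ""
        ui_deletable = len(parts) > 2 and parts[2] == "1"
        group_id = parts[3] if len(parts) > 3 else ""
        description = parts[4] if len(parts) > 4 else ""
        entries.append(WebSvcExtEntry(access == "1", path, ui_deletable,
                                      group_id, description))
    return entries


def allowed_extensions(entries: List[WebSvcExtEntry]) -> List[WebSvcExtEntry]:
    """Entries whose handler IIS will actually execute."""
    return [e for e in entries if e.allowed]


def flag_risky(entries: List[WebSvcExtEntry]) -> Dict[str, str]:
    """Map path -> reason for every allowed entry in RISKY_DLLS."""
    flagged: Dict[str, str] = {}
    for e in allowed_extensions(entries):
        name = ntpath.basename(e.path).lower()
        if name in RISKY_DLLS:
            flagged[e.path] = RISKY_DLLS[name]
    return flagged


def report(text: str) -> List[str]:
    """Human-readable audit lines, returned so callers (and tests) can inspect them."""
    entries = parse_restriction_list(text)
    lines = [f"{len(entries)} entries, {len(allowed_extensions(entries))} allowed"]
    for path, reason in flag_risky(entries).items():
        lines.append(f"ALLOWED (review): {reason} via {path}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LIST):
        print(line)
```

A server that still matches the Windows Server 2003 default will show no handler switched to Allowed, since the installer leaves every dynamic extension, including ASP, at Prohibited.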
The first major topic that we'll discuss is user authentication within IIS. Gone are the days when the majority of Web servers provided nothing but static content, and users were content to browse information anonymously and go merrily on their way. Improvements in e-commerce, customized Web content, and the like have raised expectations for an interactive Web experience, and that kind of interactivity requires some level of user authentication to protect users' privacy and personal information. We'll look at...