CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Your A** is Covered if You

  • Familiarize yourself with the available authentication methods, and the benefits and drawbacks of each. For basic authentication, evaluate the need for SSL to secure transmission of user credentials. For digest and IWA, ensure that your client browsers support these authentication mechanisms, and your server and network support the prerequisites for using these authentication mechanisms.

  • Configure user accounts with the minimum privileges required for IIS web functionality.

  • Are aware of which user account settings must be configured so that you can isolate web applications from each other if required.

  • Are familiar with the URLScan tool from Microsoft, and how it can help secure your Web server by providing an additional defensive layer.

  • Configure appropriate application settings to protect your web applications from information disclosure attacks. You should develop custom application error pages that inform your developers of errors while hiding configuration information from malicious attackers. You should secure include files that may contain sensitive configuration information about your application.

  • Are aware of the new Authorization Manager functionality included with Windows 2003, and how it allows for role-based authorization, as compared with the ACE-based authorization traditionally used to secure access to resources.
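The error-page and include-file item above is the one most often done wrong in practice, so here is a worked configuration for it. This is an added example, not a configuration from the book or from Microsoft: it assumes an ASP.NET 1.1 application hosted on IIS 6.0, and the file names (error.htm, notfound.htm, *.inc) are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the book): web.config for an ASP.NET 1.1
     application running on IIS 6.0. The page and extension names used
     here (error.htm, notfound.htm, *.inc) are assumptions. -->
<configuration>
  <system.web>
    <!-- RemoteOnly: a browser on the server itself still receives the full
         exception text, stack trace and source context, which is what a
         developer troubleshooting the box needs. Every remote client is
         redirected to the generic page instead, so connection strings,
         physical paths and assembly versions never leave the server.
         Use mode="On" if nobody should see details even locally. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.htm">
      <!-- Separate pages for the codes that are probed most often. -->
      <error statusCode="404" redirect="~/notfound.htm" />
      <error statusCode="500" redirect="~/error.htm" />
    </customErrors>

    <!-- Include files frequently hold connection strings. IIS would serve
         a .inc file as static text, returning the source verbatim; handing
         the extension to HttpForbiddenHandler makes ASP.NET answer 403.
         Caveat: this handler only runs for extensions that IIS forwards to
         aspnet_isapi.dll, so .inc must also be added to the application's
         script mappings in IIS Manager (otherwise this entry is ignored).
         For classic ASP, the equivalent is to give include files an
         extension that asp.dll processes, or to keep them out of any
         browsable path. -->
    <httpHandlers>
      <add verb="*" path="*.inc" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

    <!-- Debug builds embed extra symbol and path information in error
         output; leave this off on production servers. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

A quick check after deploying: request a known-bad URL and a `.inc` file from a machine other than the server and confirm you get only the generic page or a 403, with no physical path or exception text in the response body.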
