Contents
Overview 1
Identifying Potential Risks from the Internet 2
Implementing IIS as an Internet Web Server 9
Implementing IIS as an Intranet Web Server 16
Implementing IIS as an Extranet Web Server 24
Review 30

Module 9: Implementing IIS 5.0

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.



Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, MS-DOS, Outlook, PowerPoint,
SQL Server, Visual Basic, Visual InterDev, Visual SourceSafe, Visual Studio, Windows, Win32,
Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft
Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.


Module 9: Implementing IIS 5.0 iii

Instructor Notes

This module provides students with the knowledge and skills that are necessary
to implement Microsoft® Internet Information Services (IIS) 5.0 in different
scenarios that are based upon the specific role of the Web server.
After completing this module, students will be able to:

Identify potential risks from the Internet.

Implement IIS as an Internet Web server.

Implement IIS as an intranet Web server.

Implement IIS as an extranet Web server.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2295A_09.ppt.
Preparation Tasks
To prepare for this module, you should read all of the materials for this module.
Other Activities
This section provides procedures for implementing interactive activities to
present or review information, such as games or role playing exercises.
Class Discussions

To prepare for the activities
1. Review the scenarios.
2. Review the discussion questions and answers.
3. Develop a possible list of alternative answers and their advantages and
disadvantages.

Presentation:
60 Minutes

Lab:
00 Minutes

Module Strategy
Use the following strategy to present this module:

Identifying Potential Risks from the Internet

This section describes the risks that may be introduced to an internal
network by Internet users. Describe the risks from common attacks. Then,
describe the threats that are introduced by denial-of-service (DoS) attacks,
and explain that some DoS attacks can be prevented by installing the latest
Microsoft Windows® 2000 hotfixes and service packs to update vulnerable
files.
Finally, describe how port scanning can pose a threat to an internal network
by attempting to contact every port number and expose services with known
weaknesses. Demonstrate that the nbtstat command reveals all Network
Basic Input/Output System (NetBIOS) names registered by the target
Internet Protocol (IP) address, and explain how to minimize the risk of
exposure from port scanning.

Implementing IIS as an Internet Web Server
This topic describes the considerations that are necessary for implementing
IIS as an Internet Web server. Describe the considerations for configuring
and administering Web sites, configuring applications, providing security,
monitoring and optimizing performance, enabling SMTP, and implementing
Microsoft FrontPage® on an Internet Web server.
When you have finished this topic, begin the class discussion for
implementing IIS as an Internet server. Read the scenario to the students,
and then divide the class into groups and assign each group a question. Give
the students time to consider their answers, and then lead a discussion based
on their responses.

Implementing IIS as an Intranet Web Server

This topic describes the considerations that are necessary for implementing
IIS as an intranet Web server. Describe the considerations for configuring
and administering Web sites, configuring applications, providing security,
monitoring and optimizing performance, enabling SMTP, and implementing
FrontPage on an intranet Web server.
When you have finished this topic, begin the class discussion for
implementing IIS as an intranet Web server. Read the scenario to the
students, and then divide the class into groups and assign each group a
question. Give the students time to consider their answers, and then lead a
discussion based on their responses.

Implementing IIS as an Extranet Web Server
This topic describes how to use an extranet to extend the network to trusted
partners. Describe the considerations for configuring and administering Web
sites, configuring applications, providing security, monitoring and
optimizing performance, enabling Simple Mail Transfer Protocol (SMTP),
and implementing FrontPage on an extranet Web server.
When you have finished this topic, begin the class discussion for
implementing IIS as an extranet server. Read the scenario to the students,
and then divide the class into groups and assign each group a question. Give
the students time to consider their answers, and then lead a discussion based
on their responses.


Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

There are no labs in this module, and as a result, there are no lab setup
requirements or configuration changes that affect replication or customization.



Overview

Identifying Potential Risks from the Internet

Implementing IIS as an Internet Web Server

Implementing IIS as an Intranet Web Server

Implementing IIS as an Extranet Web Server

***************************** ILLEGAL FOR NON-TRAINER USE ******************************
When you place a Web server on a network, there are many considerations that
determine how you evaluate network security, authentication, and configuration
of Microsoft® Internet Information Services (IIS) 5.0. In addition, there are
potential impacts on the network architecture. For example, if your Web server
is connected to both the Internet and your local network, you must take special
precautions to prevent Internet users from accessing your network. These
precautions often involve the use of firewalls or other devices to prevent
unauthorized access to your network.
In an intranet environment, your Web server acts as a central repository for
corporate data. Team collaboration tools are often used in an intranet to store
team project information. In this way, team members, other departments, and
management can all gain access to project information on the intranet.
You may also want to make a Web server available to business partners,
associates, or subsidiaries without making the Web server available to the
general public. To do this, you can create an extranet that enables only trusted
business partners to gain access to your network over the Internet.
Each of these situations requires different considerations for configuring IIS,
including administering Web sites, configuring applications, providing security,
monitoring and optimizing performance, enabling SMTP, and implementing
Microsoft FrontPage®.
After completing this module, you will be able to:

Identify potential risks from the Internet.

Implement IIS as an Internet Web server.

Implement IIS as an intranet Web server.

Implement IIS as an extranet Web server.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to implement IIS as an Internet,
intranet, and extranet Web server.

Identifying Potential Risks from the Internet

Common Attacks

Denial-of-Service Attacks

Port Scanning

Protecting IIS and Network Resources

When your Web server is accessible to both your local network and to the
Internet, you expose your private network to the Internet and grant network
access to a potentially unlimited number of users. An attacker can use any of
several techniques to gain access to confidential information or to affect the
functionality of your network. Therefore, you must take special precautions to
protect your private corporate network from attackers.
The first step in protecting your private network from public networks is to
identify risks that may be introduced by public network users. You must be able
to identify the following risks:

Risks to network security from common attacks.

Threats introduced by denial-of-service (DoS) attacks.

Threats introduced by port scanning.

Topic Objective: To analyze the common threats that are introduced when your
private network is connected to a public network.
Lead-in: The first step in protecting your private network from public
networks is to identify risks that may be introduced by public network users.

Common Attacks

Social Engineering

Exploitation of Default Security Configurations

IP Spoofing

Exploitation of Excess Services

Exploitation of System Back Doors

Session Takeover

Common attacks include any attempt to circumvent the security of a network by
exploiting known weaknesses. Examples of common attacks include:

Social engineering. The attacker acquires access privileges by using simple
deception or impersonation. For example, the attacker telephones into an
organization and uses false names and references to impersonate a
legitimate network user.

Exploitation of default security configurations. The attacker accesses a
network by exploiting default accounts, passwords, or security
configurations that were not updated.

Internet Protocol (IP) spoofing. The attacker programmatically modifies the
source address of packets so that it appears as if the packets originated from
a trusted network or trusted computer.

Exploitation of excess services. The attacker exploits poorly monitored
services. Uninstall or disable any service that does not need to be deployed
on a specific server.

Important: Most of the risks that are associated with Microsoft Windows® 2000
services and IIS are identified through Microsoft security bulletins, which
are available at


Exploitation of system back doors. The attacker exploits back door accounts
that were configured to allow administrative access to the network in the
event that the original administrative account is corrupted or compromised.
Audit all administrative group membership periodically to ensure that
unnecessary back door accounts are removed.

Session takeover. The attacker can exploit buffers, which are the spaces that
programmers allocate for variables in their code. The attacker writes more
data into an application's buffer than was allocated for it, causing a buffer
overflow. When the overflow occurs, it may be possible for the attacker to
execute administrative functions at the security level of the application.
Topic Objective: To describe the risks to network security from common
attacks.
Lead-in: There are several ways in which an attacker can gain unauthorized
access to a network.
Delivery Tip: Emphasize that leaving the Administrator account with the name
“Administrator” is a common example of a poor security configuration.
Explain that the exploitation of excess services can include the installation
of the FTP service. Because FTP sends passwords in unencrypted (clear text)
form, the passwords may be compromised.


Denial-of-Service Attacks
Slide graphic: "Denial-of-Service Attacks Affect:" Disk Space, Bandwidth,
Buffers, and CPU Cycles Usage, each shown with an Error indicator.

A denial-of-service (DoS) attack is the intentional overwhelming of a network
with unnecessary traffic, which prevents a service or resource from performing
as expected. DoS attacks are not made to steal data or access resources, but
rather to disrupt network traffic. Typically, these attacks are based on known
weaknesses in the Transmission Control Protocol/Internet Protocol (TCP/IP)
protocol suite. A DoS attack prevents services from running on an Internet
host by overwhelming at least one of the following resources:

Disk space
The attacker consumes disk space by sending large quantities of data. For
example, if a File Transfer Protocol (FTP) server is configured to allow
uploads of data, the attacker could upload large volumes of data in an
attempt to consume all free disk space.

Bandwidth
The attacker consumes the available bandwidth on the network by sending
large quantities of data. For example, the attacker could send repeated
broadcast messages that diminish or eliminate the available bandwidth.
Bandwidth is also subject to distributed denial-of-service (DDoS) attacks, in
which multiple computers (known as drones) attack the same target,
resulting in overuse of network bandwidth.
Topic Objective: To analyze the common threats introduced by denial-of-service
attacks.
Lead-in: Denial-of-service attacks are designed to overwhelm a network with
unnecessary traffic.


Buffers
The attacker sends excessive traffic to a specific port address. Programmers
often allocate space in their code—called a buffer—for variables. The
attacker overwrites the buffer in the code, which causes the application to
fail.

CPU cycles usage
The attacker causes the CPU to run at high levels, often shutting down the
system. For example, if scripting is enabled for a Web server, the attacker
might cause the Web server to execute a script that will cause heavy usage
of the CPU.


Note: You can prevent some DoS attacks by installing the latest Windows 2000
hotfixes and service packs to update vulnerable files. You can download the
latest hotfix or service pack from the Microsoft TechNet Web site at



Port Scanning
Slide graphic: an attacker runs a port scan against a Web server; the scan
reports the state of each port it probes.
Port   Service
20     closed
21     FTP
22     closed
23     closed
24     closed
25     SMTP

Port scanning is a method that an attacker uses to identify the services that are
running on a target computer. Port scanning itself is not a threat to security; the
threat is the ability to expose services with known weaknesses. For example, if
an attacker discovers the Network Basic Input/Output System (NetBIOS)
session service on a server, he or she can then use the nbtstat command to
determine the name of the computer, whether the computer is hosting a server
service, and potentially, the name of the user who is currently logged on to the
computer.
To minimize the risk of exposure from port scanning:

Stop all unnecessary services on computers that are exposed to the Internet.
This will reduce the number of active ports that may be exposed to a port
scanner.

Create firewall rules (the list of packet filters that are defined for a firewall
interface) that permit only defined protocols to reach every protected server.
Implementing firewall rules ensures that port scanning will reveal only the
ports that you intend to expose to the Internet.

Use firewall rules to alert a firewall administrator when port scanning has
been attempted. You can configure a rule to send an e-mail alert to an
administrator whenever a connection to a specific port is attempted.


Use the netstat command to display all open ports on computers that are
exposed to the Internet. Determine whether all open ports can be identified,
and confirm that they do not represent unauthorized services.

Tip: To determine what ports are used by specific services, view the text file
%SystemRoot%\system32\drivers\etc\services. Alternatively, to see a listing of
all protocol identification numbers and well-known port numbers, go to the
Web site at
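The netstat check and the services-file lookup above can be scripted so the comparison is repeatable. The following is an added example, not part of the course module or of any Microsoft tool: it parses the output of `netstat -an` as Windows prints it, resolves each listening TCP port to a name using the format of %SystemRoot%\system32\drivers\etc\services, and reports every listener that is not on the administrator's allow-list. The netstat output, the services excerpt and the allow-list (80 and 443) are constructed for the demonstration.

```python
r"""Audit the listening TCP ports of a Windows host against an allow-list.

Added example (not part of the original course module). The netstat output,
the services-file excerpt and the allow-list below are constructed samples.
"""
import re

# Constructed excerpt in the format of %SystemRoot%\system32\drivers\etc\services
# (service name, port/protocol, optional aliases, '#' comments).
SERVICES_FILE = """\
# constructed excerpt for the example
ftp                21/tcp
smtp               25/tcp    mail
http               80/tcp    www www-http
netbios-ssn       139/tcp    nbsession
https             443/tcp    MCom
"""

# Constructed sample of `netstat -an` output from a Windows host.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1032      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the administrator intends to expose on this Web server (assumption).
ALLOWED_TCP_PORTS = {80, 443}

# Matches only TCP sockets in LISTENING state and captures the local port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def parse_services(text):
    """Return {(port, proto): name} from services-file formatted text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.lower())] = fields[0]
    return table


def listening_tcp_ports(netstat_text):
    """Return the sorted list of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def audit(netstat_text, services_text, allowed):
    """Classify each listener: service name (or 'unknown') and allowed or not."""
    names = parse_services(services_text)
    return [
        {
            "port": port,
            "service": names.get((port, "tcp"), "unknown"),
            "allowed": port in allowed,
        }
        for port in listening_tcp_ports(netstat_text)
    ]


def unexpected_listeners(findings):
    """Listeners that must be investigated: not on the allow-list."""
    return [f for f in findings if not f["allowed"]]


if __name__ == "__main__":
    for f in audit(NETSTAT_OUTPUT, SERVICES_FILE, ALLOWED_TCP_PORTS):
        flag = "ok     " if f["allowed"] else "REVIEW "
        print(f"{flag} {f['port']:>5}/tcp  {f['service']}")
```

On the sample, the FTP listener (21), the NetBIOS session service (139) and a port with no entry in the services file (9999) are flagged for review; a name in the services file only tells you what normally uses a port, so an unexpected listener still needs to be traced to its process before it is accepted or the service is disabled.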

Topic Objective: To analyze the threat of port scanning to a network.
Lead-in: An attacker can identify the services that are running on a target
computer by attempting to contact every port number.
Delivery Tip: Demonstrate that nbtstat—an IP address command—will reveal
all NetBIOS names registered by the target IP address.

Protecting IIS and Network Resources

Develop a Network Security Plan

Implement a Firewall

Monitor Network Traffic

Slide graphic: a firewall placed between the private network and the Internet.

Protecting IIS and other network resources from attacks requires that you
develop a security plan, implement network security technologies, such as a
firewall or proxy server, and monitor network traffic for unauthorized activity.
Developing a Security Plan
To provide network security, you must ensure that security standards and
policies are in place to protect the system from attacks and unauthorized use.
Securing a system involves implementing a set of procedures, practices, and
technologies to protect your network and your software and data.

Note: For more information about how to create a security plan, see the
Security Planning article on the Microsoft TechNet Web site at

Implementing a Firewall
A firewall is a combination of hardware and software that protects private
network resources from users on other networks. A firewall allows only specific
forms of traffic to flow in and out of the internal network, thereby protecting
the internal network from intruders on the Internet. By implementing a firewall,
you create a single point of control from which you can secure and audit all
traffic entering your private network from the Internet.
Firewalls provide the following features to allow you to protect your private
network:

Network address translation (NAT). Protects the internal network addressing
scheme from being exposed on the Internet.

Static address mapping. Conceals the true addresses of resources on your
private network that are accessible to the Internet.

Packet filters. Define the protocols that are allowed to pass through the
firewall.
Topic Objective: To introduce strategies for protecting IIS and network
resources.
Lead-in: To protect IIS and network resources, you must develop a network
security plan, implement network security technologies, and monitor network
traffic.


You must also secure traffic to a Web and FTP server so that only traffic to the
defined ports for the Hypertext Transfer Protocol (HTTP) and FTP protocols is
allowed to pass to the server hosting the HTTP and FTP services.

Note: For specific information on how to configure a firewall, refer to the
product documentation that is provided by your firewall software manufacturer.
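The packet filters described under Implementing a Firewall, the rule that restricts a Web and FTP server to its defined ports, the IP-spoofing description under Common Attacks and the port-scan alert rule under Port Scanning all come together in one filter list. The following is an added example written for this page, not configuration from any firewall product: it evaluates an ordered packet-filter list that allows only HTTP (80/tcp) and FTP (21/tcp) from the Internet to the Web server, drops any packet that arrives on the external interface with a private-network source address as spoofed, logs every denial, and raises an alert when one source has attempted several distinct denied ports. The internal range 10.0.0.0/8, the server address 10.0.0.5, the alert threshold of five ports and the packet trace are constructed assumptions.

```python
"""Evaluate a firewall packet-filter list and raise port-scan alerts.

Added example (not part of the original course module). Addresses, rules,
threshold and the packet trace are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

PRIVATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
WEB_SERVER = ipaddress.ip_address("10.0.0.5")          # assumed IIS host
SCAN_THRESHOLD = 5   # distinct denied ports from one source before alerting (assumption)

# Ordered packet filters: first match wins; anything unmatched is denied.
# Each rule: (interface, protocol, destination, destination port, action)
RULES = [
    ("external", "tcp", WEB_SERVER, 80, "allow"),   # HTTP to the Web server
    ("external", "tcp", WEB_SERVER, 21, "allow"),   # FTP control channel
]


def is_spoofed(packet):
    """Anti-spoofing check: an internal source address cannot legitimately
    arrive on the external (Internet-facing) interface."""
    return packet["iface"] == "external" and packet["src"] in PRIVATE_NETWORK


def decide(packet):
    """Return ('allow' | 'deny', reason) for one packet."""
    if is_spoofed(packet):
        return "deny", "spoofed-source"
    for iface, proto, dst, dport, action in RULES:
        if (packet["iface"] == iface and packet["proto"] == proto
                and packet["dst"] == dst and packet["dport"] == dport):
            return action, "rule"
    return "deny", "implicit-deny"


def run_filter(packets):
    """Filter a packet trace; return (accepted packets, log lines, alerts)."""
    accepted, log, alerts = [], [], []
    denied_ports = defaultdict(set)   # source address -> distinct denied ports
    alerted = set()
    for p in packets:
        action, reason = decide(p)
        if action == "allow":
            accepted.append(p)
            continue
        log.append(f"DENY {reason} {p['src']} -> {p['dst']}:{p['dport']}/{p['proto']}")
        denied_ports[p["src"]].add(p["dport"])
        # One source touching many closed ports is the signature of a port scan.
        if len(denied_ports[p["src"]]) >= SCAN_THRESHOLD and p["src"] not in alerted:
            alerted.add(p["src"])
            alerts.append(f"possible port scan from {p['src']}")
    return accepted, log, alerts


def pkt(iface, src, dst, dport, proto="tcp"):
    """Build a packet record; addresses are parsed so network tests work."""
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport, "proto": proto}


# Constructed trace: a normal browser, one spoofed packet, and a host that
# probes ports 20 through 25 on the Web server.
TRACE = [
    pkt("external", "198.51.100.7", "10.0.0.5", 80),
    pkt("external", "10.0.0.9", "10.0.0.5", 139),     # internal source on the outside
    pkt("external", "203.0.113.4", "10.0.0.5", 80),
] + [pkt("external", "203.0.113.4", "10.0.0.5", port) for port in range(20, 26)]


if __name__ == "__main__":
    ok, log, alerts = run_filter(TRACE)
    print(f"{len(ok)} packets allowed")
    print("\n".join(log + alerts))
```

Because the filter list ends in an implicit deny, a scan of this server from the Internet sees only ports 80 and 21, which is exactly what the text means by port scanning revealing only the ports you intend to expose; the alert is what the firewall administrator would receive by e-mail.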

Monitoring Network Traffic
In addition to implementing network security devices, you must also implement
a monitoring system to alert you to possible intruders, unauthorized changes to
content on your Web site, or system failures.
Intrusion detection systems monitor network traffic for suspicious patterns and
can prevent intruders from implementing port scans or attempting to connect to
services on your network.
Content alteration detection systems monitor the contents of your Web site and
issue alerts when content modifications are detected. The software will then
replace the modified content with the original content. In this way, any
unauthorized changes to your Web content can be quickly detected and
corrected.
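The content alteration detection just described can be reduced to a baseline of file hashes plus a trusted copy of each file. The following is an added example, not code from the course or from any monitoring product: it records a SHA-256 baseline of every file under the Web root, compares the live content against it to find modified, added and removed files, and replaces altered content with the approved original while producing the alert lines an administrator would receive. The site is a constructed in-memory mapping of path to bytes so the example runs offline; a real deployment would read files from disk and keep the baseline on separate, protected storage.

```python
"""Detect and correct unauthorized changes to Web content.

Added example (not part of the original course module). The site content
and the tampering below are constructed for the demonstration.
"""
import hashlib

# Constructed snapshot of a small site, taken when the content was approved.
APPROVED_SITE = {
    "default.htm": b"<html><body>Welcome to the Contoso site</body></html>",
    "products/index.htm": b"<html><body>Our products</body></html>",
    "images/logo.gif": b"GIF89a\x01\x00\x01\x00",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def take_baseline(site):
    """Record a hash and a trusted copy of every file in the Web root."""
    return {path: {"hash": sha256_hex(content), "content": content}
            for path, content in site.items()}


def detect_changes(baseline, current):
    """Compare the live site against the baseline.
    Returns {'modified': [...], 'added': [...], 'removed': [...]}."""
    modified = sorted(p for p in current
                      if p in baseline and sha256_hex(current[p]) != baseline[p]["hash"])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def restore(baseline, current, report):
    """Put the approved content back: overwrite modified files, restore
    removed ones and delete files the baseline never contained.
    Returns the corrected site and the alert lines for the administrator."""
    corrected = dict(current)
    alerts = []
    for p in report["modified"] + report["removed"]:
        corrected[p] = baseline[p]["content"]
        alerts.append(f"ALERT restored approved content for {p}")
    for p in report["added"]:
        del corrected[p]
        alerts.append(f"ALERT removed unexpected file {p}")
    return corrected, alerts


def tampered_copy(site):
    """Constructed tampering: a defaced home page, a planted file and a
    deleted image."""
    live = dict(site)
    live["default.htm"] = b"<html><body>This page has been defaced</body></html>"
    live["extra.htm"] = b"<html><body>not approved content</body></html>"
    del live["images/logo.gif"]
    return live


if __name__ == "__main__":
    baseline = take_baseline(APPROVED_SITE)
    live = tampered_copy(APPROVED_SITE)
    report = detect_changes(baseline, live)
    fixed, alerts = restore(baseline, live, report)
    print(report)
    print("\n".join(alerts))
    print("site matches baseline:", fixed == APPROVED_SITE)
```

Restoring content only removes the symptom; the alert is the important output, because the same weakness that let the content be altered is still present until the administrator investigates how the change was made.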
In addition, you can implement certain services and software packages that will
check to ensure that your Web server, Web site, and Web applications are
running and alert an administrator when a system failure occurs.

Note: For more information about implementing network security, see Course
2150A, Designing a Secure Microsoft Windows 2000 Network.