Document: Module 5: Implementing Security on a Web Server ppt

Contents
Overview
Using IP Address and Domain Name Restrictions
Configuring Access Permissions for a Web Server
Configuring Authentication for a Web Server
Multimedia: Overview of IIS Security
Lab A: Securing Web Resources Using Permissions and Authentication
Using Client Certificates
Classroom Discussion
Securing Web Communications Using SSL
Lab B: Configuring and Managing an Encrypted Connection Using SSL
Using Local Security Policies on a Web Server
Configuring Security on an FTP Site
Configuring Auditing for IIS
Review

Module 5: Implementing Security on a Web Server

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, MS-DOS, Outlook, PowerPoint,
SQL Server, Visual Basic, Visual InterDev, Visual SourceSafe, Visual Studio, Windows, Win32,
Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft
Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.



Instructor Notes

This module provides students with the knowledge and skills necessary to
implement security on a Web server.
After completing this module, students will be able to:

• Configure Internet Protocol (IP) address and domain name restrictions for a
Web server.
• Configure access permissions for a Web server.
• Configure authentication for a Web server.
• Use client certificates.
• Secure Web communications by using Secure Sockets Layer (SSL).
• Use local security policies on a Web server.
• Configure security on a File Transfer Protocol (FTP) site.
• Configure auditing for Microsoft® Internet Information Services (IIS) 5.0.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2295A_05.ppt.
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the labs.
• View the multimedia “Overview of IIS Security.”

Presentation: 120 Minutes
Labs: 45 Minutes

Module Strategy
Use the following strategy to present this module:

• Using IP Address and Domain Name Restrictions
Discuss how IP address and domain name restrictions can be used to
increase security. For example, denying permissions to all IP addresses
except for the firewall or proxy server and database servers connected to IIS
can make it much more difficult to gain unauthorized access to the Web
server.
• Configuring Access Permissions for a Web Server
Discuss the need for security on a Web server. Emphasize that effective
security employs a variety of interdependent technologies. Explain the use
of IP addresses and domain name restrictions by using example scenarios
when possible. Discuss the differences between Web-based and the NTFS
file system permissions. When discussing the Permissions Wizard, create a
new test Web site and demonstrate the various ways to use the wizard. Also,
discuss the settings on the Security Settings page. Explain how NTFS is
essential to secure both IIS log files and Web Distributed Authoring and
Versioning (WebDAV) access.
• Configuring Authentication for a Web Server
Explain each of the authentication methods with an emphasis on
Anonymous, Basic, and Integrated Windows. Create a chart on a whiteboard
that illustrates the benefits, requirements, and restrictions of authentication
methods. Fill in the chart as you discuss each method. Discuss various
scenarios and the impacts of using combinations of authentication methods.
• Multimedia: Overview of IIS Security
Explain that the multimedia presentation provides an overview of the
various security features in IIS, when each security feature is used, and how
they work together to grant or deny access to Web server resources. After
the presentation, ask if there are any questions and discuss problem areas as
necessary.
• Using Client Certificates
Explain how to obtain client certificates and how to set up a Web site to
require their use. Demonstrate the one-to-one and one-to-many mapping
options in IIS as part of the client certificate mapping. Be sure to explain
that using certificate mapping in Active Directory directory services is
preferable to implementing it in IIS.
• Classroom Discussion
Engage students in a classroom discussion on the best way to secure the
Web site that is presented in the scenario. Have students go to Appendix A,
“Classroom Discussion,” in Course 2295A, Implementing and Supporting
Microsoft Internet Information Services 5.0, and use the table provided to
help them in the discussion. Explain that the worksheet contains choices that
will assist them in determining what types of Web-based permissions,
authentication, and NTFS permissions are needed to fulfill the requirements
of the scenario.
• Securing Web Communications Using SSL
Because of required prerequisites for this course, you should not need to
define certificates or go into detail about the mechanics of the Secure
Sockets Layer (SSL) protocol. Demonstrate using the Web Site Certificate
Wizard and emphasize that SSL cannot be employed on host header Web
sites. Demonstrate requiring an SSL connection and the errors that occur if
you then attempt an HTTP connection. Explain the problems with self-
signed certificates and the potential for browser security warnings.
Additionally, mention that the Security Wizard may interfere with
permissions that are managed by Microsoft FrontPage® Server Extensions.
• Using Local Security Policies on a Web Server
Explain where to find the local security policies on the server. Focus on the
Log on Locally and Access This Computer from the Network user rights
and remind students how these policies relate to authentication. Load the
hisecweb.inf policy template in the Security Analysis and Configuration
Tool and review the template settings.
• Configuring Security on an FTP Site
Show how to configure authentication for an FTP site. Explain that FTP
communications are in clear text and that SSL cannot be used.
• Configuring Auditing for IIS
Review standard auditing procedures in Microsoft Windows® 2000 with an
emphasis on events that are relevant to a Web server. Include the
importance of budgeting time for log reviews in Information Technology
(IT) departments.



Overview
• Using IP Address and Domain Name Restrictions
• Configuring Access Permissions for a Web Server
• Configuring Authentication for a Web Server
• Using Client Certificates
• Securing Web Communications Using SSL
• Using Local Security Policies on a Web Server
• Configuring Security on an FTP Site
• Configuring Auditing for IIS

Having the correct security settings on your Web servers can safeguard against
security threats such as unauthorized individuals trying to gain access to
restricted information and well-intentioned users who might accidentally alter
or delete important files. Balancing the need for security with ease of use and
the demand on server resources is one of the key tasks of a Web server
administrator.
Security in Microsoft® Internet Information Services (IIS) 5.0 is an interaction
of permissions, policies, authentication methods, and secure communications
protocols. By configuring security correctly on your Web server, you can
ensure that your servers are protected from unauthorized access.
After completing this lesson, you will be able to:
• Use Internet Protocol (IP) address and domain name restrictions for a Web
server.
• Configure access permissions for a Web server.
• Configure authentication for a Web server.
• Explain client certificate mapping.
• Secure Web communications by using Secure Sockets Layer (SSL).
• Use local security policies on a Web server.
• Configure security on a File Transfer Protocol (FTP) site.
• Configure auditing for IIS.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to secure your Web servers from unauthorized access.


Using IP Address and Domain Name Restrictions

You can configure IIS to grant or deny access to specific IP addresses, a
network address, or a Domain Name System (DNS) name. If you configure IIS
to grant access to all IP addresses except those that you list as exceptions, then
access is denied to any computer with an IP address that is included in the
exception list. Conversely, if IIS is configured to deny all IP addresses, access
is denied to all remote users except those whose IP addresses have been
specifically granted access.

Important: When using a domain name restriction, IIS must perform a DNS
reverse lookup on every user’s request for access to determine if the requesting
IP address belongs to a restricted domain. The reverse lookup will have a
significant negative effect on server performance. Also, if the restricted domain
does not have reverse lookup enabled, the user may gain access to the Web
server.

Topic Objective: To explain how you can restrict access by using IP address and domain name restrictions.
Lead-in: You can restrict access by using IP address and domain name restrictions.


When a Web user passes through a proxy server or firewall, the user’s IP
address is replaced by the IP address of the proxy server or firewall. Therefore,
the incoming connection to your Web server will be that of the proxy server or
firewall. Consequently, you can increase security by using IP address
restrictions to ensure that IIS will accept only connections from the proxy
server or firewall.
To restrict access by using IP address or domain name restrictions:
1. Click Start, point to Programs, point to Administrative Tools, and then
click Internet Services Manager.
In Administrative Tools, the IIS console is called Internet Services
Manager; however, when you open the console, it is called Internet
Information Services, also known as the IIS snap-in.
2. In the IIS snap-in, right-click the Web site that you want to configure, and
then click Properties.
3. On the Directory Security tab, in the IP Address and Domain Name
Restrictions box, click Edit.
4. In the IP Address Access Restrictions box, click Denied Access.
This option restricts access to all computers that you do not name in the
Except those listed below list.
5. Click Add, and then, in the Grant Access On dialog box, type the IP
address of the computer to which you will be granting access. If you do not
know the IP address and want to search by DNS name, click DNS Lookup,
type the name of the computer, and then click OK.
6. Repeat step 5 for each IP address to which you want to grant access. Click
OK to close the IP Address and Domain Name Restrictions dialog box,
and then click OK.
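
The grant/deny decision and the reverse-lookup caveat described above, modelled as an added Python example (it is not part of the courseware and is not IIS code). The addresses, the PTR table, the partner.example domain and all function names are constructed for illustration.

```python
import ipaddress


def entry_matches(entry, client_ip, reverse_lookup):
    """Return True if one exception-list entry covers the client address."""
    kind, value = entry
    addr = ipaddress.ip_address(client_ip)
    if kind == "ip":                      # a single computer
        return addr == ipaddress.ip_address(value)
    if kind == "network":                 # network ID plus subnet mask
        return addr in ipaddress.ip_network(value)
    if kind == "domain":                  # requires a reverse (PTR) lookup
        host = reverse_lookup(client_ip)
        if host is None:                  # no PTR record: the entry cannot match
            return False
        host = host.lower().rstrip(".")
        domain = value.lower().rstrip(".")
        return host == domain or host.endswith("." + domain)
    raise ValueError(f"unknown entry type: {kind}")


def is_allowed(client_ip, default, exceptions, reverse_lookup):
    """default is 'granted' or 'denied'; exceptions invert it for listed clients."""
    if default not in ("granted", "denied"):
        raise ValueError("default must be 'granted' or 'denied'")
    listed = any(entry_matches(e, client_ip, reverse_lookup) for e in exceptions)
    return (not listed) if default == "granted" else listed


# Constructed PTR data: only one of the two partner hosts has a reverse record.
PTR_RECORDS = {"203.0.113.7": "host7.partner.example"}


def lookup(ip):
    return PTR_RECORDS.get(ip)


# Three constructed policies.
BLOCK_DOMAIN = ("granted", [("domain", "partner.example")])
PROXY_ONLY = ("denied", [("ip", "192.0.2.10"),                     # proxy/firewall
                         ("network", "10.1.0.0/255.255.255.0")])   # database servers
ALLOW_DOMAIN = ("denied", [("domain", "partner.example")])


def evaluate(policy, client_ip):
    default, exceptions = policy
    return is_allowed(client_ip, default, exceptions, lookup)


if __name__ == "__main__":
    for name, policy, ip in [
        ("block domain, PTR present", BLOCK_DOMAIN, "203.0.113.7"),
        ("block domain, PTR missing", BLOCK_DOMAIN, "203.0.113.8"),
        ("proxy only, proxy address", PROXY_ONLY, "192.0.2.10"),
        ("proxy only, other address", PROXY_ONLY, "198.51.100.23"),
        ("allow domain, PTR missing", ALLOW_DOMAIN, "203.0.113.8"),
    ]:
        print(f"{name:28} {ip:15} allowed={evaluate(policy, ip)}")
```

In this model a domain entry on a Granted Access list fails open when the PTR record is missing, while a Denied Access default with explicit addresses fails closed.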

Configuring Access Permissions for a Web Server
• Using Web-Based Permissions
• Using NTFS Permissions
• Special Users and Groups
• Using the Permissions Wizard
• Securing Permissions for WebDAV
• Setting Permissions on Log Files

Permissions are the access rights that you give a specific user, or group of
users, that allow them to gain access to and manipulate data on a server. By
effectively managing permissions, you can control a user’s actions on Web
server content.
IIS uses several types of permissions and restrictions to determine if a user is
allowed to gain access to resources on the Web server. IIS uses both its own
permissions, including some Transmission Control Protocol/Internet Protocol
(TCP/IP) application-level permissions, known as Web-based permissions, and
the Microsoft Windows® 2000 NTFS file system permissions. IIS includes a
Permissions Wizard to set both Web-based and NTFS permissions for files that
are associated with a Web site.


Note: Permissions should not be confused with authentication. Authentication
determines the identity of a user. Permissions determine what a valid user can
access.

In addition to securing Web sites, it is also important that you set appropriate
permissions on system resources such as log files, and that you configure
permissions for Web Distributed Authoring and Versioning (WebDAV) by
effectively using a combination of Web-based and NTFS permissions.

Topic Objective: To understand the various methods for setting permissions on a Web server and how these methods work together.
Lead-in: There are several methods for controlling access to IIS, and these methods work together to create a secure Web server.

Using Web-Based Permissions
• General Access Permissions
• Execute Permissions
To better control security, IIS enables you to configure access permissions on
your Web server for specific Web sites, directories, and files. These
permissions can be categorized into two general groups:
• General access permissions
• Execute permissions

These permissions together are called Web-based permissions because they are
applied at the Web server level, which equates to the application layer of
TCP/IP. As a result, Web-based permissions are enforced equally to all users
who are granted access to the Web server, directory, or file. For example, you
cannot grant Write permissions to one group and Read permissions to another
group by using Web-based permissions.
Using General Access Permissions
General access permissions can be set at the Web site, directory, and file levels.
These permissions are:
• Read. When enabled, users can gain access to static files, such as .html or
.txt files, by using a Web browser or Web folder. Disabling Read
permissions effectively prevents anyone from viewing your Web site’s .htm
files.
• Write. When enabled, users can change file content and properties on a Web
site. This is most commonly accomplished by using a Web folder or a
browser capable of posting to a Web site.
Topic Objective: To explain how to use Web-based permissions.
Lead-in: Web-based permissions are one type of permissions that you can use in IIS.


Important: Read and Write permissions affect only requests to static files such
as .htm or .txt files. They have no effect on scripts or executable files. In other
words, disabling the Web-based Read permissions does not prevent Microsoft
Active Server Pages (ASP) scripts or executable files from running. Also,
disabling the Write permission does not prevent ASP pages or executables from
writing to the Web site.

• Directory browsing. Typically, when you first gain access to a Web server
the default document is displayed. If the default document is not defined or
is absent, an error is returned to the client computer. However, if Directory
browsing is enabled, the directory listing for the home folder will be shown
instead of an error. To display the contents of a Web site by using a Web
folder, or WebDAV, you must enable Directory browsing.
• Script Source Access. This option is available only if either the Read or
Write permissions are enabled. If Read permissions are enabled, a user can
read the source code and if Write permissions are enabled, a user can write
to the source code. For example, to write an ASP page to a Web site from a
Web folder, you must enable both Write permissions and Script Source
Access. Additionally, Script Source Access controls whether or not users
can copy scripts from or write to the Web site by using WebDAV.

Caution: When you select Script Source Access, users may be able to view
sensitive information, such as a user name and password, from the scripts in
an ASP page, Perl, or other script-based application.

Using Execute Permissions
You can set Execute permissions on a per-Web-site and per-directory basis.
Thus, you can control whether programs and scripts are allowed to run in a
specific Web or directory. Execute permission settings are:
• None. This option does not enable any programs or scripts to run in the
specified Web or directory.
• Scripts only. This option enables applications that are mapped to a script
engine to run in the specified directory without having the Execute
permission set. The Scripts only permission is significantly more secure
than the Scripts and Executables permission. For example, you can run ASP
pages from a Web site or directory that is secured by using the Scripts only
permission, but you cannot execute .exe or .dll files.
• Scripts and Executables. This option enables any application to run in the
specified directory, including applications that are mapped to script engines,
Windows binaries, and .dll and .exe files. It is suggested that you use this
option with care because, when this option is enabled, a user who has Write
access can upload and execute potentially harmful programs.

To set Web-based permissions on your Web server, open the IIS snap-in, right-
click the server on which you want to add Web-based permissions, and then
click Properties. On the Home Directory tab, select the permissions that you
want.


Using NTFS Permissions
• Use NTFS Permissions to Define Specific Users and Groups That Can Gain Access to Web Content
• Create Security Areas
• Secure Your Web Server When Setting NTFS Permissions

IIS provides added security by relying on the NTFS permissions that are
provided in Windows 2000. Unlike Web-based permissions, which apply to all
users equally, you can use NTFS permissions to define which users and groups
can gain access to Web content and how those users are allowed to manipulate
that content.
For example, you can group Web server content into directories, or security
areas, and then apply NTFS permissions to the directories so that users have the
minimum permissions that they need. Additionally, you can use built-in user
accounts and groups in Windows 2000 to assist you in granting the minimum
permissions possible.
Before a user can gain access to any resources on a Web server, IIS first ensures
that the user has the appropriate Web-based permissions, and then
Windows 2000 verifies that the user has the correct NTFS permissions.

Note: When a user attempts to log on to your Web server, Web-based
permissions are applied before NTFS permissions. When you combine Web-
based and NTFS permissions, the most restrictive permissions apply.

Topic Objective: To explain how to use NTFS permissions in IIS.
Lead-in: You can also use NTFS permissions in Windows 2000 to secure your Web server.

Creating Security Areas
Effective application of NTFS permissions is one of the key elements of
security in IIS. The essential rule for a Web server, particularly one that is
accessible from the Internet, is to give users only the minimum permissions for
the type of access that they need. To help provide minimum permissions, you
can group Web server content into directories, such as Scripts, Programs, and
Graphics, and then grant permissions on each of those directories accordingly.
Thus, each directory acts as a security area. For example, permission to execute
programs would be limited to only those folders that contain programs.
The following table illustrates a sample Web site structure and NTFS
permissions for each zone.


| Folder type | File type | Web-based permissions | Sample NTFS permissions |
|---|---|---|---|
| Home folder (C:\Inetpub\Wwwroot\Myserver) | Static content (.txt, .gif, .jpg, .html) | Read; Execute: None | Everyone (Read); Administrators (Full Control); System (Full Control) |
| Scripts (Home folder\scripts) | Script files (.asp); Include files (.inc, .shtm, .shtml) | Read; Execute: Scripts only | Everyone (Read); Administrators (Full Control); System (Full Control) |
| Programs | CGI (.exe, .dll, .cmd, .pl) | Read; Execute: Scripts and Executables | Everyone (Execute); Administrators (Full Control); System (Full Control) |

Any section of the server’s file structure that does not require access for users
needs to have Full Control permissions for only Administrator and System
accounts.
Effectively using NTFS permissions on a Web server is not often as simple as
applying the most restrictive permissions to a folder. There are other
considerations that must be managed to implement a secure and functioning
Web server. For example, it is common for an HTML file or ASP page to have
a link or reference to another file that is located on another drive or server, or in
another folder. This situation creates a chain of potentially scattered files, which
requires the user to have appropriate NTFS permissions on each file.

Note: The minimum system requirements for the Winnt, Winnt\System32, and
Winnt\System32\Inetsrv folders are the Read and Execute (RX) permissions
because IIS may need to access these resources on behalf of the user.

Securing Your Web Server When Setting NTFS Permissions
There are some special considerations for setting NTFS permissions on any
server running Windows 2000 that will help you to secure your Web server. For
example, grant the Administrators group and the System account Full Control
permissions to all disk resources unless you have special security concerns.
Also, the file system automatically gives the users in the Everyone group Full
Control permissions to all new drives. When you create new directories, those
directories will inherit the Everyone group Full Control permissions. Be certain
to change this setting to one that offers better security. In addition, if you
remove the Everyone group from a resource, replace it with another user or
group. Finally, do not remove all access to a resource because it will become a
block of unusable space on your hard drive. However, the owner of the resource
will still be able to change permissions and provide access at a later time.

Special Users and Groups
• IUSR_computer_name
• IWAM_computer_name
• Interactive
• Network

When you install Windows 2000 with IIS, several special user accounts and
groups are created that can assist you in granting the minimum permissions
possible.
Windows 2000 includes several built-in group accounts that assist you in
granting the minimum permissions possible. These include the Interactive and
Network groups. Additionally, when IIS is installed, the IUSR_computer_name
and IWAM_computer_name user accounts are created for use by IIS.
IUSR_computer_name
You may not want to require users who gain access to your public Web sites to
provide a user name and password before making a connection to the server.
Therefore, a special account is created when you install IIS called the Internet
Guest Account. The Internet Guest Account is named IUSR_computer_name
(where computer_name is the name of the computer on which IIS is running),
and it is used to provide anonymous access to a Web site, directory, or file.
Anonymous authentication is enabled by default.
Managing NTFS permissions for the Internet Guest Account is critical to the
security of your Web server and network. The Internet Guest Account should be
permitted only the minimum permissions necessary to gain access to the Web
server. Anonymous authentication is covered in detail in Using Anonymous
Authentication in this module.
IWAM_computer_name
The IWAM_computer_name account is also created by IIS and is used solely
for programs that run in Medium or High application protection. In some cases,
you will need to provide appropriate NTFS permissions to server resources for
this account. For example, if there is a program gaining access to a database on
behalf of a user and that program is running in Medium or High application
protection, you will need to provide appropriate NTFS permissions to this
account.
Topic Objective: To explain the special users and groups that are created by Windows 2000 to help assign permissions.
Lead-in: Windows 2000 contains several built-in user accounts and groups that can assist you in granting the minimum permissions possible.

Interactive

The Interactive group is a built-in, automatically maintained group in
Windows 2000 that consists of all users who are logged on locally. A local
logon is one that appears to the server to have occurred on the server itself
instead of remotely. Before a user or group can perform a local logon, they
must have the Log on Locally user right. The Interactive group enables you to
restrict or permit access to all users that are authenticated by Basic
authentication.
Network
The Network group is a built-in, automatically maintained group in
Windows 2000 that consists of all users who are logged on to the server over
the network. Before a user or group can perform a network logon, they must
have the Access This Computer from the Network user right. The Network
group enables you to control access for all users that are authenticated by Digest
or Integrated Windows authentication.

Using the Permissions Wizard

Setting a combination of NTFS permissions, Web-based permissions, and
authentication can be overwhelming. The Permissions Wizard helps simplify
the process of setting permissions. The Permissions Wizard will set the
permission on the root of a Web or FTP site according to the settings that you
designate or according to a predefined template. By using a predefined
template, you can easily bring the security settings of a Web or FTP site and its
contents to a known security configuration. The predefined templates are:
• Public Web Site. This configuration is intended for public use over the
Internet. It uses Anonymous authentication and enables users to view all
files and gain access to ASP pages or applications on your Web server. It
also gives administrators complete control over the site.
• Secure Web Site. This configuration is used for corporate extranets, which
are intranets that you gain access to over the Internet. Information on this
site is restricted. It uses either Basic, Digest, or Integrated Windows
authentication if specific types of browsers or proxy servers are used. It also
gives administrators complete control over the site.

When using the wizard, record the security settings on the virtual directories,
file system directories, and files before changing them, so that restoring these
settings is easier if you need to. After you change the
security settings for the files and directories, you will not be able to undo the
changes. Also, the Permissions Wizard changes both Web-based and NTFS
permissions for the directories and files that are involved. If you have security
concerns regarding these resources, set the Web-based and NTFS permissions
manually, rather than by using the wizard.
The choices given in the wizard are limited to make it simple to use. However,
you may want to create your own templates. To do this, you must use the IIS
Permissions Wizard Template Maker, which is available in the Microsoft
Windows 2000 Server Resource Kit. Review the security settings for both Web
sites and file systems if you have any special security needs.
Topic Objective: To explain how the Permissions Wizard works.
Lead-in: The Permissions Wizard enables you to easily reset or modify permissions on a Web site.
Delivery Tip: Create a new test Web site and use it to demonstrate the Permissions Wizard and how it works. Also, discuss the settings on the Security page. Do not use a Web site or folder that is created during setup.

To use the Permissions Wizard:
1. Open the IIS snap-in, right-click the Web or FTP site that you want to
configure, point to All Tasks, and then click Permissions Wizard.
2. In the Permissions Wizard, click Next.
3. On the Security Settings page, click Inherit all Security Settings or Select
new Security Settings from a Template, and then click Next.
4. Follow the steps of the wizard, and when you get to the Security Summary
page, review your security settings.
5. Click Next, and then click Finish.

If you run the Permissions Wizard for a Web site and choose to inherit all
security settings, users might be denied access to the Web site. To restore users’
access to the Web site, open the Home Directory property page for the Web
site, and then select Read and Scripts only permissions. When prompted,
designate that all virtual directories and files inherit these settings.

Securing Permissions for WebDAV
Control WebDAV Access by Controlling:
• Web-based permissions
• NTFS permissions
• Authentication

Web Distributed Authoring and Versioning (WebDAV) extends the HTTP 1.1
protocol to enable users to publish, lock, and manage resources on a Web site.
Accessing a Web site by using WebDAV enables you to manage the files on a
remote Web server as if the files were located locally on your desktop.
Furthermore, because WebDAV is an extension of Hypertext Transfer Protocol
(HTTP), it is often not blocked at firewalls. Typically, when a user gains access
to a Web server by using Web folders, that access occurs by using WebDAV.

WebDAV capability is enabled by default.

Controlling WebDAV access is essentially the same as controlling normal
access to Web server content: you use Web-based permissions, authentication,
and NTFS permissions.

The difficulty with controlling WebDAV security lies in Web-based
permissions. If you have a group of developers who want to use WebDAV to
publish content to a Web site, you must enable the Web-based Write
permission for the Web site. Unlike NTFS permissions, Web-based permissions
cannot be granted to a single user or group, so if the NTFS default permission
of Everyone Full Control is in effect, anyone gaining access to a
WebDAV-enabled application can write to the Web site.

If you have a Web site, virtual directory, or file that enables a user to make
changes by using WebDAV, you must manage security by using NTFS
permissions.
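As an added illustration (not part of the original courseware), the following Python model evaluates who can publish when Web-based Write is enabled, first with the NTFS default and then with a tightened ACL. The account names, the Developers group, and IUSR_WEB01 (standing in for IUSR_computer_name) are constructed, and the model assumes anonymous access is enabled on the resource.

```python
# Constructed accounts and groups. IUSR_WEB01 stands in for IUSR_computer_name;
# "alice", "bob" and the "Developers" group are hypothetical.
GROUPS = {
    "IUSR_WEB01": {"Everyone", "Guests"},      # anonymous requests run as this account
    "alice":      {"Everyone", "Developers"},
    "bob":        {"Everyone"},
}
WRITE_RIGHTS = {"Write", "Modify", "Full Control"}

def ntfs_allows_write(user, acl):
    """acl is a list of (principal, "Allow" | "Deny", right); a matching Deny wins."""
    principals = GROUPS[user] | {user}
    matches = [kind for principal, kind, right in acl
               if principal in principals and right in WRITE_RIGHTS]
    return "Allow" in matches and "Deny" not in matches

def can_publish(user, web_write, acl):
    # The Web-based Write permission is one switch for every caller; only the
    # NTFS check that follows looks at which account is making the request.
    return web_write and ntfs_allows_write(user, acl)

def writers(web_write, acl):
    """Return the accounts that can write through WebDAV, sorted by name."""
    return sorted(u for u in GROUPS if can_publish(u, web_write, acl))

# Weak: Web-based Write enabled on top of the NTFS default.
DEFAULT_ACL = [("Everyone", "Allow", "Full Control")]

# Corrected: write access only for the publishing group, and an explicit
# Deny for the Internet Guest Account.
TIGHT_ACL = [
    ("Administrators", "Allow", "Full Control"),
    ("Developers",     "Allow", "Modify"),
    ("Everyone",       "Allow", "Read"),
    ("IUSR_WEB01",     "Deny",  "Write"),
]

if __name__ == "__main__":
    print("default ACL:", writers(True, DEFAULT_ACL))
    print("tight ACL:  ", writers(True, TIGHT_ACL))
```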
Topic Objective: To explain how to secure permissions for WebDAV.
Lead-in: Controlling WebDAV access is essentially the same as controlling
normal access to Web server content by using Web-based permissions,
authentication, and NTFS.

Setting Permissions on Log Files
• Use Log Files to Monitor Web Server Activity, Including:
  • The IP address of the client
  • The time that the access occurred
  • The file name that is requested
• Place Log Files on a Different Volume Than the Web Server Content
• Use Appropriate Permissions to Secure Log Files

Log files record Web server activity including the IP address of the client
computer, the time that an access occurred, and the requested file name. It is
essential that you secure the IIS server log files because, if hackers gain access
to them, they can potentially delete or alter log files that recorded their actions,
leaving virtually no trace of who they are or the files to which they gained
access.

To prevent hackers from gaining access and to increase performance, it is a
good idea to place log files on a different volume than the Web server content
so that the log files can be more tightly secured. By default, log files that are
generated are located in %SystemRoot%\System32\LogFiles, but they can be
relocated to any local drive.
The following permissions will help to secure your log files:
• Administrators (Full Control)
• System (Full Control)
• Everyone (Read, Write, Change)

Topic Objective: To explain how to set permissions on log files.
Lead-in: It is important to set permissions correctly on log files so that
hackers cannot delete or alter the log files that recorded their actions.
For Your Information: Log files require Read, Write, and Change permissions
for users. In some cases, IIS writes the log files in the security context of
the user.

Configuring Authentication for a Web Server
• Using Anonymous Authentication
• Using Basic Authentication
• Making Basic Authentication More Secure
• Using Digest Authentication
• Using Integrated Windows Authentication
• Using Kerberos V5 Protocol vs. NTLM in Integrated Windows Authentication
• Using Multiple Authentication Methods

Before a user can gain access to a server running Windows 2000, that user must
be authenticated to a user account in Windows 2000. The first step in
authentication is presenting credentials, followed by system validation of those
credentials. After the credentials are validated, the user can gain access to the
resources for which they have been authenticated, provided that they have
sufficient NTFS permissions.

IIS supports several types of authentication including Anonymous, Basic,
Digest, and Integrated Windows, which includes the Kerberos V5 protocol.
When you configure authentication for a Web server, it is important to know
the advantages and limitations of each type of authentication so that you can
use the method that best meets your security needs.

Each of these methods provides a means by which a user can log on to the Web
server by using a Web browser. The user account is then used to check NTFS
permissions to determine if access will be permitted or denied. These
authentication options offer varying degrees of security and compatibility, and
they have different system requirements.
Topic Objective: To explain how to configure authentication for a Web server.
Lead-in: IIS supports several types of authentication.

Web server authentication is a communication between the browser and the
server that uses HTTP headers and error messages.
The flow of communication follows these steps:
1. The Web browser makes a request to a Web server, and then the Web server
performs an authentication check. If the Web server does not permit
anonymous access, it sends back an error message, usually 401—Access
Denied.
2. The Web browser prompts the user for a user name and password, which are
used to construct a new request to the Web server that contains the
authentication information.
3. The Web server attempts to validate the user’s credentials. If successful, the
Web server makes the connection.

The browser determines what authentication method to use and prompts the
user for credentials when required. Determining the authentication method
is important because not all browsers support all authentication methods.
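
The three-step exchange above, simulated in Python as an added example (not part of the original courseware): the server answers 401 with one challenge per enabled method, and the browser retries with the strongest method both sides support. The account, realm, nonce and function names are constructed for this example, and Digest uses the simpler RFC 2069 form.

```python
import base64, hashlib, re

REALM, NONCE = "example-realm", "constructed-nonce-0001"  # constructed; a real server issues fresh nonces
USERS = {"webdev": "S3cret!"}                             # constructed account
STRENGTH = ["Digest", "Basic"]                            # client preference, strongest first

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri):
    # RFC 2069 form of Digest (no qop): MD5(HA1:nonce:HA2)
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{NONCE}:{ha2}")

def server(method, uri, headers, enabled):
    """Handle one request; `enabled` lists the methods configured for the resource."""
    scheme, _, rest = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic" and "Basic" in enabled:
        user, _, password = base64.b64decode(rest).decode().partition(":")
        ok = USERS.get(user) == password
    elif scheme == "Digest" and "Digest" in enabled:
        f = dict(re.findall(r'(\w+)="([^"]*)"', rest))
        user = f.get("username", "")
        ok = user in USERS and f.get("response") == digest_response(user, USERS[user], method, uri)
    else:
        ok = "Anonymous" in enabled
    if ok:
        return 200, {}
    # Step 1: no acceptable credentials, so answer 401 with one challenge per method.
    challenges = [f'Digest realm="{REALM}", nonce="{NONCE}"' if m == "Digest"
                  else f'Basic realm="{REALM}"' for m in enabled if m != "Anonymous"]
    return 401, {"WWW-Authenticate": challenges}

def browser(uri, user, password, supported, enabled):
    """Steps 1-3 from the client side; returns (final status, scheme used)."""
    status, response_headers = server("GET", uri, {}, enabled)
    if status != 401:
        return status, None                     # anonymous access was permitted
    offered = [c.split()[0] for c in response_headers["WWW-Authenticate"]]
    usable = [s for s in STRENGTH if s in offered and s in supported]
    if not usable:
        return 401, None                        # server and browser share no method
    if usable[0] == "Basic":                    # Step 2: build the retry request
        credentials = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    else:
        response = digest_response(user, password, "GET", uri)
        credentials = f'Digest username="{user}", uri="{uri}", response="{response}"'
    # Step 3: the server validates the credentials carried by the second request.
    return server("GET", uri, {"Authorization": credentials}, enabled)[0], usable[0]
```

A browser that supports only Basic still gets in when the server enables both methods, but receives a final 401 when the server enables Digest alone.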


Using Anonymous Authentication
• No User Name or Password Required
• IIS Can Authenticate Anonymous Users

Because users on the Internet are largely anonymous, and public Web sites
rarely require users to authenticate before giving them access, IIS enables
you to configure Anonymous authentication. Anonymous authentication enables
users to gain access to the public areas of your Web site without being
prompted for a user name or password. Also, when using Anonymous
authentication, you do not need to create a user account for each user.

Authentication, like many of the features in IIS, can be set at the Web site,
directory, or file level.

How Anonymous authentication works:
• When you configure your Web site for anonymous access and a user
attempts to connect to your public site, IIS will automatically authenticate
the user by using the Internet Guest Account (IUSR_computer_name). The
Internet Guest Account has two characteristics: it is granted the Log on
Locally permission, and it is a member of both the Guests and Everyone
groups in Windows 2000.

By default, all Web sites are configured to use the same Internet Guest Account.
This configuration enables anonymous users who authenticate to one Web site
to be able to browse another Web site. However, IIS enables you to designate a
different Internet Guest Account for any Web site, directory, or file.

Topic Objective: To explain Anonymous authentication and how it works.
Lead-in: Anonymous authentication allows users to access your Web site
without a user name or password.

The Internet Guest Account is part of the Guests and Everyone groups in
Windows 2000. Therefore, you should carefully review the file permissions that
you give to these groups to ensure that the permissions are appropriate for your
anonymous users. By using NTFS, you can specifically deny the Internet Guest
Account access to sensitive information if it is not appropriate for anonymous
users.

Caution: Because the name of the Internet Guest Account is always
IUSR_computer_name, it is known to hackers and can therefore be a security
risk. If you consider IUSR_computer_name a security risk, you can designate a
different account to use for anonymous logons and then deny the
IUSR_computer_name account access to Web resources. Designating a
different account to use for anonymous logons will also enable log files and
audit recordings to contain more specific information, and NTFS permissions to
be more specific. Also, the Internet Guest Account is persistent in IIS, so if you
delete or rename the account, it will be recreated the next time the server
restarts.


The Allow IIS to Control Password Option
Windows 2000 is designed with the ability to authenticate users who attempt to
access the server. However, Windows 2000 has the ability to delegate that
logon process to other services. This is known as subauthentication.

IIS has the ability to perform the subauthentication for the anonymous user.
You can control this capability by using the Allow IIS to Control Password
option.

Note: The Allow IIS to Control Password option is enabled by default.

Enabling the Allow IIS to Control Password Option
When the Allow IIS to Control Password option is enabled, IIS authenticates
an anonymous request with the Internet Guest Account, also known as
IUSR_computer_name, and the anonymous user password that is stored in the
metabase. IIS then informs Windows 2000 that the authentication has occurred.
When you use the Allow IIS to Control Password option, the Internet Guest
Account is authenticated as a network logon, which requires the Access This
Computer from the Network user right. Enabling Allow IIS to Control
Password has a significant security benefit because users who gain access to a
server through a network logon cannot gain access to remote network resources.
This is because IIS does the authentication instead of the server running
Windows 2000; therefore, user access is limited to the resources on the IIS
server.

Note: The Internet Guest Account must have either the Log On Locally or
Access This Computer from the Network user right. The user right that is
required depends on whether the Allow IIS to Control Password option is
enabled.

Disabling the Allow IIS to Control Password Option
Conversely, if you disable Allow IIS to Control Password, IIS does not
perform the subauthentication, but instead allows Windows 2000 to
authenticate the user. This is a local logon and requires the Log On Locally user
right. IIS grants the Log On Locally right to the IUSR_computer_name
account.
Because the anonymous user is authenticated as a local logon, the anonymous
user credentials can be forwarded to other servers for authentication. In other
words, Allow IIS to Control Password enables you to control whether or not
your anonymous users have access to network resources.