Process for Securing Web Sites and Applications
Posted by Aamir Hasan on ASP.net Weblogs
Published on Wed, 28 Apr 2010 17:25:00 GMT
The following quick-start guide outlines the process for configuring security on IIS 6.0 running on Windows Server 2003. Each group below is a step of that process; the items within it are performed in order.
Reduce the Attack Surface of the Web Server

1. Enable only essential Windows Server 2003 components and services.
2. Enable only essential IIS 6.0 components and services.
3. Enable only essential Web service extensions.
4. Enable only essential Multipurpose Internet Mail Extensions (MIME) types.
5. Configure Windows Server 2003 security settings.

Prevent Unauthorized Access to Web Sites and Applications

1. Store content on a dedicated disk volume.
2. Set IIS Web site permissions.
3. Set IP address and domain name restrictions.
4. Set the NTFS file system permissions.

Isolate Web Sites and Applications

1. Evaluate the effects of impersonation on application compatibility:
   - Identify the impersonation behavior for ASP applications.
   - Select the impersonation behavior for ASP.NET applications.
2. Configure Web sites and applications for isolation.

Configure User Authentication

1. Configure Web site authentication:
   - Select the Web site authentication method.
   - Configure the Web site authentication method.
2. Configure File Transfer Protocol (FTP) site authentication.

Encrypt Confidential Data Exchanged with Clients

1. Use Secure Sockets Layer (SSL) to encrypt confidential data.
2. Use Internet Protocol security (IPSec) or a virtual private network (VPN) for remote administration.

Maintain Web Site and Application Security

1. Obtain and apply current security patches.
2. Enable Windows Server 2003 security logs.
3. Enable file access auditing for Web site content.
4. Configure IIS logs.
5. Review security policies, processes, and procedures.
Note: To secure the Web sites and applications in a Web farm, apply the process above to each server in the farm; a single unhardened member undoes the work done on the others.
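The checklist says what to configure but gives no way to verify the result on a running server. The script below is an added example, not code from the original post or from Microsoft's guide: a read-only PowerShell audit that checks an IIS 6.0 host against several of the steps above (enabled Web service extensions, MIME types, Web site permissions, authentication method versus SSL, IP restrictions, and IIS logging) through the IIS 6.0 WMI provider in the root\MicrosoftIISv2 namespace. It assumes PowerShell 2.0 and local administrator rights on the server. The parameter names, the severity labels, the report path and the script file name are this example's own; the AccessFlags and AuthFlags bit values are the documented IIS 6.0 metabase constants, and the IIsMimeMapSetting class name is an assumption that should be confirmed against the provider on the target.

```powershell
# Added example (not from the original post): read-only audit of an IIS 6.0
# host against the hardening checklist, via the IIS 6.0 WMI provider.
# Assumes PowerShell 2.0 and administrator rights on the IIS server.
param(
    [string]$ComputerName = '.',                          # assumption: local host by default
    [string]$ReportPath   = "$env:TEMP\iis6-audit.txt"    # assumption: report location
)

# IIS 6.0 metabase bit values for AccessFlags and AuthFlags.
$AccessWrite   = 2
$AccessExecute = 4
$AccessSSL     = 8      # "Require secure channel (SSL)" is set on the directory
$AccessSource  = 16
$AccessScript  = 512
$AuthAnonymous = 1
$AuthBasic     = 2

$wmi = @{
    Namespace      = 'root\MicrosoftIISv2'
    ComputerName   = $ComputerName
    Authentication = 'PacketPrivacy'   # the IIS provider requires encrypted DCOM calls
}
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Level, [string]$Text) {
    [void]$findings.Add(('{0,-4} {1}' -f $Level, $Text))
}

# --- Reduce the attack surface: Web service extensions and MIME types -------
$svc = Get-WmiObject @wmi -Class IIsWebServiceSetting
# Entries look like "1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages".
# The first field is 1 (allowed) or 0 (prohibited); "*.dll" and "*.exe" are the
# catch-all rules for ISAPI extensions and CGI programs not listed explicitly.
foreach ($entry in $svc.WebSvcExtRestrictionList) {
    $f = $entry -split ','
    if ($f[0] -ne '1') { continue }
    if ($f[1] -eq '*.dll' -or $f[1] -eq '*.exe') {
        Add-Finding 'HIGH' "all unlisted $($f[1]) extensions are allowed to run"
    } else {
        Add-Finding 'INFO' "extension enabled: $($f[1])"
    }
}
# Global MIME map (IIsMimeMapSetting is an assumption to confirm on the target).
# A "*" extension serves every file type, including backups and config files.
foreach ($mm in Get-WmiObject @wmi -Class IIsMimeMapSetting) {
    foreach ($m in $mm.MimeMap) {
        if ($m.Extension -eq '*') {
            Add-Finding 'HIGH' "wildcard MIME mapping '*' -> $($m.MimeType) serves all files"
        }
    }
}

# --- Prevent unauthorized access: per-directory permissions, auth, IP rules --
foreach ($vd in Get-WmiObject @wmi -Class IIsWebVirtualDirSetting) {
    $af = [int]$vd.AccessFlags
    $au = [int]$vd.AuthFlags
    $n  = $vd.Name                               # e.g. W3SVC/1/ROOT/uploads
    if (($af -band $AccessWrite) -and ($af -band ($AccessExecute -bor $AccessScript))) {
        Add-Finding 'HIGH' "$n allows Write together with Execute/Script (upload-and-run)"
    }
    if ($af -band $AccessSource) {
        Add-Finding 'MED' "$n exposes script source (AccessSource)"
    }
    if (($au -band $AuthBasic) -and -not ($af -band $AccessSSL)) {
        Add-Finding 'HIGH' "$n uses Basic authentication without requiring SSL"
    }
    if (($au -band $AuthAnonymous) -and ($af -band $AccessWrite)) {
        Add-Finding 'HIGH' "$n grants Write to anonymous users"
    }
    $ip = $vd.IPSecurity
    if ($ip -ne $null -and $ip.GrantByDefault -and -not $ip.IPDeny) {
        Add-Finding 'INFO' "$n has no IP address or domain name restrictions"
    }
}

# --- Maintain security: per-site logging (LogType 1 = enabled, 0 = disabled) --
foreach ($site in Get-WmiObject @wmi -Class IIsWebServerSetting) {
    if ([int]$site.LogType -ne 1) {
        Add-Finding 'HIGH' "$($site.Name) ($($site.ServerComment)) has IIS logging disabled"
    }
}

$findings | Set-Content -Path $ReportPath
$findings
Write-Host "$($findings.Count) finding(s) written to $ReportPath"
```

Save it as, for instance, Audit-Iis6.ps1 (a file name chosen for this example) and run it from an elevated PowerShell prompt on the server; pass -ComputerName to audit another host that has the IIS 6.0 WMI provider. The script changes nothing; each HIGH line maps back to one checklist item (Web service extensions, MIME types, Web site permissions, authentication method, IIS logs) so the fix can be made through the IIS Manager or adsutil.vbs as the guide describes.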
Link: http://www.studentacad.com/post/2010/04/28/Process-for-Securing-Web-Sites-and-Applications.aspx