Process for Securing Web Sites and Applications
- by Aamir Hasan
The following quick-start guide provides a detailed overview of how to configure security for IIS 6.0.
Reduce the Attack Surface of the Web Server
1. Enable only essential Windows Server 2003 components and services.
2. Enable only essential IIS 6.0 components and services.
3. Enable only essential Web service extensions.
4. Enable only essential Multipurpose Internet Mail Extensions (MIME) types.
5. Configure Windows Server 2003 security settings.
Prevent Unauthorized Access to Web Sites and Applications
1. Store content on a dedicated disk volume.
2. Set IIS Web site permissions.
3. Set IP address and domain name restrictions.
4. Set the NTFS file system permissions.
Isolate Web Sites and Applications
1. Evaluate the effects of impersonation on application compatibility.
2. Identify the impersonation behavior for ASP applications.
3. Select the impersonation behavior for ASP.NET applications.
4. Configure Web sites and applications for isolation.
Configure User Authentication
1. Configure Web site authentication.
2. Select the Web site authentication method.
3. Configure the Web site authentication method.
4. Configure File Transfer Protocol (FTP) site authentication.
Encrypt Confidential Data Exchanged with Clients
1. Use Secure Sockets Layer (SSL) to encrypt confidential data.
2. Use Internet Protocol security (IPSec) or a virtual private network (VPN) for remote administration.
Maintain Web Site and Application Security
1. Obtain and apply current security patches.
2. Enable Windows Server 2003 security logs.
3. Enable file access auditing for Web site content.
4. Configure IIS logs.
5. Review security policies, processes, and procedures.
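Steps 4 and 5 of this section only pay off if someone actually reads the IIS logs, and step 3 of the attack-surface section (enable only essential Web service extensions and MIME types) gives a simple yardstick for that review: any request for a file type the server is not supposed to serve is worth a look. The script below is an added example, not part of the original guide or of Microsoft's tooling. It parses the W3C extended log format that IIS 6.0 writes (the `#Fields:` directive names the columns), then reports clients with a burst of 401/403/404 responses and requests for extensions outside an allow-list. The log lines are constructed, and `ALLOWED_EXTENSIONS` and the error threshold are assumptions you would replace with your own site's values.

```python
"""Review IIS 6.0 W3C extended log entries for probing activity.

Added example, not code from the original guide. The sample log is
constructed in the IIS 6.0 W3C extended format; ALLOWED_EXTENSIONS and
the error threshold are assumed values for illustration.
"""
from collections import Counter
from os.path import splitext

# Constructed sample log. IIS 6.0 replaces spaces in field values with '+',
# so each data line splits cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-04-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-04-28 10:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2010-04-28 10:00:02 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2010-04-28 10:00:05 10.0.0.5 GET /scripts/probe.exe - 80 - 198.51.100.7 scanner/1.0 404 0 2
2010-04-28 10:00:05 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 scanner/1.0 401 2 5
2010-04-28 10:00:06 10.0.0.5 GET /web.config - 80 - 198.51.100.7 scanner/1.0 404 0 2
2010-04-28 10:00:07 10.0.0.5 GET /printers/ - 80 - 198.51.100.7 scanner/1.0 403 1 0
2010-04-28 10:00:08 10.0.0.5 GET /data/export.mdb - 80 - 198.51.100.7 scanner/1.0 404 3 0
2010-04-28 10:00:09 10.0.0.5 POST /orders.asp - 443 alice 192.0.2.22 Mozilla/4.0 200 0 0
"""

# Assumed allow-list: the file types this site is configured to serve.
ALLOWED_EXTENSIONS = {".htm", ".html", ".asp", ".gif", ".jpg", ".css"}

# Status codes that indicate a denied or missing resource.
ERROR_STATUSES = {401, 403, 404}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The directive names the columns used by the data lines that follow.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line appeared before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %s" % line)
        records.append(dict(zip(fields, values)))
    return records


def errors_by_client(records):
    """Count 401/403/404 responses per client IP address."""
    counts = Counter()
    for rec in records:
        if int(rec["sc-status"]) in ERROR_STATUSES:
            counts[rec["c-ip"]] += 1
    return counts


def flag_clients(records, threshold=3):
    """Return client IPs with more than `threshold` error responses."""
    counts = errors_by_client(records)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def unexpected_extensions(records, allowed):
    """Return (client IP, URI stem) pairs whose file extension is not allowed.

    Requests without an extension (directories) are not reported here; the
    error counts above already cover denied directory requests.
    """
    hits = []
    for rec in records:
        ext = splitext(rec["cs-uri-stem"])[1].lower()
        if ext and ext not in allowed:
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("clients over error threshold:", flag_clients(recs))
    for ip, stem in unexpected_extensions(recs, ALLOWED_EXTENSIONS):
        print("unexpected file type requested:", ip, stem)
```

Run it against a real log by replacing `SAMPLE_LOG` with the contents of a file from the IIS log directory; because the parser reads the `#Fields:` directive rather than assuming a column order, it keeps working when you change the logged fields in the site's logging properties.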
Note: To secure the Web sites and applications in a Web farm, use the process described in this chapter to configure security for each server in the Web farm.
Link: http://www.studentacad.com/post/2010/04/28/Process-for-Securing-Web-Sites-and-Applications.aspx