Securing IIS by Don Kiely

As more organizations put their business on the Web, the security of their Web server becomes increasingly important. These servers are a constant target for malicious hackers probing to see how they might put them to good (bad) use. Windows NT and 2000's Internet Information Server (IIS) has a number of features available for locking down security, and many things to consider. Some are built into Windows NT/2000, others are part of IIS, and still others are features you have to implement within a Web site.

First and foremost, user passwords must be sufficiently difficult to crack, and you should enforce policies governing the makeup of passwords. Many malicious hackers use password-cracking programs, which run through a variety of combinations and use some clever methods. (If you don't believe me, download L0phtCrack from http://www.l0pht.com and see just how secure the passwords are on your system.) Any real words in the dictionary, including those not used in polite company, make the worst passwords, because most cracking programs try a dictionary first. The most difficult passwords to crack consist of random combinations of uppercase and lowercase letters, numbers, and symbols, and the longer the password, the harder it is to crack. One NT-specific caveat: the LAN Manager hash that NT stores alongside the NT hash is case-insensitive and is computed over two seven-character halves of the password, so L0phtCrack can attack each half on its own, and a 14-character password is really two 7-character problems. Mixed case and the full length help only against the NT hash. Keep in mind, too, that long, mixed passwords are more likely to be written down by users, and sticky notes don't require a cracking program.

By default, users connecting to your Web server authenticate anonymously, gaining permissions to your system through the IUSR_[computername] account. Because this account is created by default on all installations of IIS, you should consider changing the name of this account, which then requires a malicious hacker to guess both the user name and the password rather than giving them one half of the solution. Renaming only helps while the name stays secret: on NT a null session can list the local accounts unless you set the RestrictAnonymous registry value, so treat the rename as a small obstacle rather than a second password, and give the account a strong one. When you change the account, make sure to update the name of the anonymous user account in all of your Internet services listed in the Internet Service Manager; any site or directory that sets its own anonymous user keeps the old name until you change it there as well.
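The anonymous-account change above as a command-line procedure. This is an added example, not code from the article. It assumes NT 4/2000 with IIS 4/5, adsutil.vbs in its default AdminScripts folder, and ntrights.exe from the Resource Kit on the PATH. Because net user cannot rename an account, the script creates a replacement account instead (the name WebAnon is an arbitrary choice), points the Web and FTP services at it, and disables IUSR_, which reaches the article's goal by a slightly different route.

```batch
@echo off
rem newanon.cmd - replace the default IIS anonymous account (added example).
rem Assumes NT 4/2000 with IIS 4/5, adsutil.vbs in the default AdminScripts
rem folder, and ntrights.exe (Resource Kit) on the PATH. "WebAnon" is an
rem arbitrary name; pick something that does not advertise its purpose.
rem Usage: newanon.cmd <password-for-the-new-account>
if "%1"=="" goto usage

set NEWUSER=WebAnon
set OLDUSER=IUSR_%COMPUTERNAME%
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem 1. Create the replacement account. No person types this password, so it
rem    never expires and the account itself is not allowed to change it.
net user %NEWUSER% %1 /add /comment:"IIS anonymous web user" /passwordchg:no /expires:never
if errorlevel 1 goto failed
rem    Mirror IUSR_: a member of Guests, not Users, so ACL entries granted to
rem    Users do not apply to anonymous visitors.
net localgroup Guests %NEWUSER% /add
net localgroup Users %NEWUSER% /delete

rem 2. IIS 4/5 logs the anonymous user on interactively by default, so the
rem    account needs the "Log on locally" right.
ntrights -u %NEWUSER% +r SeInteractiveLogonRight

rem 3. Point the Web and FTP services at the new account. With password sync
rem    off, IIS authenticates with exactly the password stored here.
%ADSUTIL% SET W3SVC/AnonymousUserName %NEWUSER%
%ADSUTIL% SET W3SVC/AnonymousUserPass %1
%ADSUTIL% SET W3SVC/AnonymousPasswordSync FALSE
%ADSUTIL% SET MSFTPSVC/AnonymousUserName %NEWUSER%
%ADSUTIL% SET MSFTPSVC/AnonymousUserPass %1
%ADSUTIL% SET MSFTPSVC/AnonymousPasswordSync FALSE

rem 4. A site or directory that sets its own anonymous user is not affected
rem    by the service-level setting; check each one (site 1 shown here).
%ADSUTIL% GET W3SVC/1/ROOT/AnonymousUserName
%ADSUTIL% GET MSFTPSVC/1/ROOT/AnonymousUserName

rem 5. Disable rather than delete the default account: anything still bound
rem    to it now fails visibly instead of quietly running as IUSR_.
net user %OLDUSER% /active:no
goto end

:usage
echo Usage: %0 password-for-the-new-anonymous-account
goto end
:failed
echo Could not create %NEWUSER%; nothing else was changed.
:end
```

Run it from the console of the Web server as an administrator. Once every site resolves to the new account and the server has been exercised, delete IUSR_ for good; until then a disabled account is easier to recover from than a deleted one.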
Configure system account policies to force users to change their passwords periodically. You can also limit the number of incorrect logon attempts before the account is locked out, which stops a password-cracking program from trying logon combinations endlessly against the live system (it does nothing against an attacker who has already copied the password hashes and is cracking them offline, which is how L0phtCrack works). You can also set minimum password lengths and keep a password history so that users must come up with new passwords rather than cycling back to old ones. But one word of caution: lockout cuts both ways. Anyone who knows an account name can lock that user out on purpose by sending bad passwords, so set a finite lockout duration rather than locking accounts until an administrator resets them. The built-in Administrator account is exempt from lockout by default; the passprop /adminlockout tool in the NT 4.0 Resource Kit enables lockout for that account's network logons only, so the console always remains usable.

Good security design mandates that you limit the number of accounts that have administrative privileges. The more accounts that have administrator rights, the higher the risk that sensitive data will be compromised.

Next week, I'll cover some of the things you can do on the Web server to enhance security.

Resources

Use Microsoft's Internet Information Server as a Java servlet engine
Run Java servlets with Microsoft's IIS without sacrificing portability.
http://www.javaworld.com/javaworld/jw-06-2000/jw-0616-iis.html

Securing your Web server
Stop the wrong people from accessing your site! Make sure your site is secure from prying eyes and malicious intent.
http://www.sunworld.com/swol-06-1996/swol-06-webmaster.html

Securing your Web server, Part 2
How to fine-tune access to each directory on your server.
http://www.sunworld.com/swol-07-1996/swol-07-webmaster.html
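The account-policy settings described in the article (password aging, minimum length, history, and lockout) as a batch file. This is an added example, not from the article, and the values are a starting point rather than a standard. The lockout switches to net accounts are accepted on Windows 2000 and later but are not listed in the command's own help; on a system that rejects them (NT 4), set lockout in User Manager's Account Policy dialog instead. passprop is a Resource Kit tool.

```batch
@echo off
rem acctpol.cmd - account policy for a standalone IIS host (added example).
rem Values are reasonable defaults, not a standard; adjust to your policy.
rem Record the current settings first so the change can be reversed.
net accounts

rem Passwords: at least 8 characters, changed every 42 days, kept at least
rem one day (otherwise a user can change it 12 times in a row to get back to
rem an old favorite), with the last 12 remembered.
net accounts /minpwlen:8 /maxpwage:42 /minpwage:1 /uniquepw:12

rem Lockout: five bad attempts within a 30-minute window lock the account
rem for 30 minutes. A finite duration bounds the denial of service someone
rem can cause by deliberately mistyping another user's password.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem The built-in Administrator account is exempt from lockout by default.
rem passprop (Resource Kit) makes it lockable for network logons only, so a
rem remote guessing attack is stopped while the console still works.
passprop /adminlockout

rem Show the result.
net accounts
```

Run it as an administrator and compare the second net accounts listing with the first; on a domain member the domain policy overrides these local values, so apply the same settings there.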