Nine steps to secure your IIS7 server

In this article we will focus on some tips you can use in your environment to secure IIS7 servers and the application they’re hosting.


1. The first step you need to take when securing your web server is to harden the OS that hosts it. If you’re using Windows Server 2008 R2, then the server core installation version will give you just what you need – all the functionality, but with the reduced attack surface. If you’re using the regular version of Windows Server, try to install the IIS role with just the features that you currently need. You can always come back and install more features if you need them. Be aware that you’re just making the attack surface larger when you add features that you don’t use.




2. The use of firewalls can really help you in securing your Web server, especially if it’s an Internet-faced one. The firewall can make sure that the server is receiving only valid packets that it has to service. Firewalls serve as a first point of defense for your server when an outside attacker is trying to perform a malicious activity. With the use of Intrusion Prevention Systems (IPS), you can further secure your organization, and the IIS server in particular. If your organization is not large enough to require a specific hardware Firewall device, you can always take advantage of the Windows Server 2008’s integrated Firewall with advanced Security.


3. With IIS7 you have control over which IPs and Domains can access the content of your Web server. For example, you can grant access to just your organizational internal domain or add an outside partner organization’s domain, plus the home IP of the administrator and the boss or any other organization or person you wish to have the access.


4. IIS7 allows you to further filter the requests it will process by request filtering. You can use this feature to apply rules for specific requests, such as for dealing with files with certain extensions or for dealing with a particular phrase in the URL.


5. When a valid packet has entered the IIS for processing, it should also be coming from an authorized person. IIS7 allows you to use a process called URL authorization for this. Specific pages and/or sites of the web server can be authorized to different users. By default, the users should first authenticate themselves and based on their verified identity they are then allowed or not allowed to enter the page/site they request. This is different than previous versions of IIS where the administrator had to set permissions on the file system level. Using URL authorization IIS7 supports more granular ways to authorize its users.


6. One of the best ways to secure your IIS server is by using certificates for SSL communication between the users and the web server. If the server has to be publicly available, you should request a certificate from a trusted Certificate Authority like GoDaddy or Verisign. These certificates are trusted from any browser, on any computer, and are the easiest, but more expensive way, to use SSL. If the IIS server will only be used internally from your organization, you can use your own PKI to issue a certificate for the web server that will be trusted throughout your environment. However, internal users might have issues when accessing the content from a different computer where the root certificate for your environment is not installed. If your IIS server will be used only in a testing environment, you can take advantage of the self signed certificates that can be generated within the IIS management tools. In previous versions of IIS this functionality was not integrated as it is with IIS7, and you had to download a tool from Microsoft to create your self signed certificates. Now, the procedure is much easier.


7. Logging is a great way to help yourself in the future. It is useful for searching the source of an attack or the reason for a server’s misbehavior. Ensure you’ve turned this setting on from the very start, to assist your detective work in more stressful times!


8. If you feel comfortable with your IIS infrastructure already and you’ve set up all the security solutions applicable, test them. Use the tools Microsoft provide for making sure your organization’s policies are following the guru’s best practices. The most commonly used tools for these kind of tests are SCW and SCM. Here is some information on them: – Security Configuration Wizard (SCW) – will run different checks depending on whether the server is an IIS server only or it is hosting other roles too. After the test, SCW will give you a report and recommendations on how to enhance the security of your server. – Security Compliance Manager (SCM) – is the most recent Microsoft utility for doing security tests on your server. After the configurations of the server are compared to predefined templates, the changes can be deployed via Group Policy. SCM uses updated libraries and is a bit more sophisticated tool than SCW. Make sure you run these tools after the initial setup of the server and on a regular basis.


9. The logging feature of IIS mentioned above will log events related to the IIS role, but it is important for you to monitor these logs for specific events that may indicate a problem with the server or the hosted applications. It is also important for you monitor the server itself for uptime, availability, and performance issues. Monitoring can also be required for IIS servers that are an object of a SLA agreement, no matter if it’s an internal (for the company) or external (with a client) SLA. Theoretically, this kind of monitoring can be done manually by a server administrator, but it will be much more efficient and reliable to dedicate this task to a monitoring solution like Monitis.


Find out how you can monitor an IIS server with VBScript via Monitis on the following link: