Install and Secure the Base OS
Install the base operating system before you install IIS. This gives you time to secure the operating system and to configure the Windows Firewall so that access to the system is restricted while you configure IIS.
Install the System
Once you have installed the system and applied the current service pack, go straight to Microsoft Update to complete the patching process.
On no account leave a new system connected to the network overnight or over a weekend unless the latest system patches are installed. If you do not have time to bring the system up to date before you leave, disconnect the machine from the network.
Configure the Windows Firewall to allow access to port 80 for web-based services, but limit access to that port to your own IP address range until you have finished testing.
Install and Secure IIS
Once you are satisfied that the system is up to date, install IIS from Add/Remove Programs, Windows Components. Install only the parts of IIS you will actually use; for example, if you have no need for FTP or SMTP, do not install those components. Every unused service is attack surface that still has to be patched.
Re-visit Microsoft Update to make sure that there are no outstanding patches; installing IIS adds components that may need patches of their own.
Move the Inetpub folder from its default location on the C: drive to a different partition. You can keep the file and folder names the same, but the content should not live on the system partition: a directory-traversal flaw in a site is then confined to the data partition and cannot reach system files, and a web partition that fills up cannot exhaust the system drive.
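An added example, not from the original page, of the move: copy the content with its NTFS permissions to the data partition and re-point the site's home directory at the new path. It assumes D: is the data partition, that site instance 1 (normally the Default Web Site) is the site concerned, and that robocopy is available (built in from Vista/Server 2008, Resource Kit on earlier systems); the ADSI property names are those of the IIS 6 metabase.

```powershell
# Added example, not from the original page: relocate web content off the
# system drive and re-point the IIS 6 site at it.
# Assumptions: D: is the separate partition, site instance 1 is the site in
# question, robocopy is installed. Run from an elevated prompt on the server.
$Source   = 'C:\Inetpub'
$Target   = 'D:\Inetpub'
$SitePath = 'IIS://localhost/W3SVC/1/Root'   # root virtual directory of site 1

# /E copies subfolders including empty ones; /COPYALL keeps NTFS ACLs and
# ownership, so the permissions already set on the content come with it.
robocopy $Source $Target /E /COPYALL /R:2 /W:2
# robocopy exit codes 0-7 mean success; 8 and above mean some files failed.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); not re-pointing the site"
}

# Re-point the site's home directory: the metabase 'Path' property on the
# root virtual directory. Folder names are kept the same, only the drive moves.
$root = [ADSI]$SitePath
$old  = "$($root.Path)"
$root.Path = Join-Path $Target 'wwwroot'
$root.SetInfo()
"Home directory: $old -> $($root.Path)"

# Once the site serves correctly from D:, delete the old copy so a forgotten
# duplicate of the content is not left on the system drive.
# Remove-Item $Source -Recurse -Force
```

Test the site after re-pointing it and before deleting the old copy; if the site has virtual directories under Inetpub, each has its own Path and must be re-pointed as well.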
Microsoft Baseline Security Analyzer
Download, install and run the Microsoft Baseline Security Analyzer (MBSA) on the system. It checks for missing patches, blank or weak passwords on user accounts and basic misconfigurations.
Resolve any issues it reports immediately, before releasing the system for use.
You can download MBSA from the MBSA home page: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
For Raven/Shibboleth information see the raven wiki;
Enable the Windows Firewall, or another suitable product on your network or on the system. In particular, restrict access to a site wherever you can: if nobody outside the Cambridge network needs to reach your site, restrict access to the CUDN IP range. If people need your services from outside the CUDN, consider the VPDN for their use, or set up VLANs, so that authorised users get secure access while everyone else is kept away from your servers.
If you just want to run an externally accessible web server, use the firewall to block every port except those web traffic needs: 80 (HTTP) and 443 (HTTPS).
Enable the firewall before connecting the machine to the network for patching, so that it is never reachable on an open port while it is still unpatched.
Basic Windows Firewall Manual Configuration
For ease of use you can run the Security Configuration Wizard once the system is fully configured; for a quick way to secure your web server manually, the following can be used as a basic guide.
- Open the Control Panel and select Windows Firewall
- Click Yes if prompted to start the Windows Firewall/Internet Connection Sharing (ICS) service
- Select the On radio button to enable the firewall
Although the firewall is now enabled, nobody can reach your web site until you add an exception for it. You can add an exception by application or by port; this example uses a port, which is the more restrictive choice because it opens one port only rather than whatever ports the program chooses to listen on.
- Click on the Exceptions tab in the Windows Firewall Control panel
- Select Add Port
- Enter a descriptive name for the port (Standard Web traffic)
- Put in a port number (80 for HTTP)
- Make sure the correct protocol is selected (TCP in this case)
- Click Change Scope
Note: for the scope, choose between
- My Network (subnet only)
- Custom list
My network uses the currently configured IP subnet settings as the range: a 131.111.x.x address with a mask of 255.255.0.0 gives access to any address within 131.111.0.0/16. This may be far wider than your needs.
A custom list lets you specify individual IPs and subnets, which is better: restrict to the addresses you actually use rather than to a Cambridge-wide range.
Pick which system is best for your needs and required access.
- Once you have specified a scope, click OK until you return to the Exceptions tab
- Either add more exceptions, or click OK to close Windows Firewall.
For basic http and https services you will need to add the following ports:
- http 80 TCP
- https (default) 443 TCP
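The steps above can also be scripted, which helps when you build several servers or want to confirm that a scope was actually applied. The following is an added example, not part of the original page: it enables the firewall and opens only TCP 80 and 443 to a custom list of ranges. The two ranges in $AllowedRanges are constructed placeholders; the cmdlet branch applies to Windows 8 / Server 2012 and later, and the `netsh firewall` branch to the XP SP2 / Server 2003 SP1 firewall shown in the steps.

```powershell
# Added example, not from the original page: script the Windows Firewall web
# exceptions instead of clicking through the Control Panel.
# Assumption: the ranges below are constructed placeholders; replace them with
# the subnets you actually want to reach the server. Run from an elevated prompt.
$AllowedRanges = @(
    '131.111.0.0/255.255.0.0',     # whole 131.111.x.x range (constructed)
    '192.168.10.0/255.255.255.0'   # a management subnet (constructed)
)

# Only the ports a web server needs; everything else stays closed.
$WebPorts = @(
    @{ Port = 80;  Name = 'Standard Web traffic' },   # HTTP
    @{ Port = 443; Name = 'Secure Web traffic' }      # HTTPS
)

if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: NetSecurity module.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    foreach ($p in $WebPorts) {
        New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $p.Port -RemoteAddress $AllowedRanges | Out-Null
    }
    # Check: RemoteAddress must list your ranges, never 'Any'.
    Get-NetFirewallRule -DisplayName ($WebPorts | ForEach-Object { $_.Name }) |
        Get-NetFirewallAddressFilter |
        Select-Object -Property RemoteAddress
} else {
    # Windows XP SP2 / Server 2003 SP1 firewall (the one in the steps above):
    # legacy 'netsh firewall' context. CUSTOM is the 'Custom list' scope option.
    $scope = $AllowedRanges -join ','
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE
    foreach ($p in $WebPorts) {
        # Positional form: protocol, port, name, mode, scope, addresses
        netsh firewall add portopening TCP $p.Port $p.Name ENABLE CUSTOM $scope
    }
    # Check: each opening must show your ranges under Scope, not 'All'.
    netsh firewall show portopening
}
```

The verification at the end is the check worth keeping: if a web port shows 'All' (netsh) or 'Any' (Get-NetFirewallAddressFilter) as its remote scope, the restriction did not take and the port is open to the whole Internet.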
Restricting Access by Domain or IP address (in IIS)
IIS provides a means of restricting access to a site or sites; use this in addition to any firewall restrictions you have in place, so that a mistake in one layer is still caught by the other.
By default anyone who tries to connect to the web site is given access. If you have an intranet server (i.e. internal-only access), you can deny access to everyone except those in the exceptions list. You can grant access by individual machine, by a range of machines (subnet) or by domain name.
In IIS Manager, display the web site properties.
- Select Directory Security tab
In the middle section (IP address and domain name restrictions), click Edit
- Select Denied Access
To allow access to the site
- Click Add
Choose from either;
- Single computer
- Group of computers
- Domain name
Note: A domain name restriction has the highest performance cost of all the types, because IIS must do a reverse DNS lookup on each connecting address; you will be better off using group of computers with an IP range.
Note: This facility is not available in PWS or in IIS 5.1 on Windows XP.
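The same restriction can be applied with a script through the IIS Admin Objects (the IIS:// ADSI provider) that IIS 6 exposes; this is an added example, not part of the original page. It assumes site instance 1 (normally the Default Web Site), treats the two ranges as placeholders, and assumes that PowerShell's ADSI adapter hands back the IIsIPSecurity object as a settable property in the same way the VBScript pattern does; the verification lines at the end confirm whether the change took.

```powershell
# Added example, not from the original page: set the IIS 6 "IP address and
# domain name restrictions" of a site to "Denied Access" with a grant list.
# Assumptions: site instance 1 is the site concerned; the ranges are constructed
# placeholders; the IPSecurity COM object is reachable through [ADSI] as below.
# Run from an elevated prompt on the IIS server.
$SitePath = 'IIS://localhost/W3SVC/1/Root'

# "Group of computers" entries, written as "network, mask" strings (constructed).
$GrantedRanges = @(
    '131.111.0.0, 255.255.0.0',
    '192.168.10.0, 255.255.255.0'
)

$root  = [ADSI]$SitePath
$ipsec = $root.IPSecurity          # IIsIPSecurity object stored in the metabase

# Mirror the GUI: "Denied Access" by default, then grant only the listed ranges.
$ipsec.GrantByDefault = $false
$ipsec.IPGrant        = $GrantedRanges
$ipsec.IPDeny         = @()
# Keep DomainGrant empty: a domain entry forces a reverse DNS lookup per
# request, which is the performance hit the note above warns about.
$ipsec.DomainGrant    = @()

$root.IPSecurity = $ipsec          # write the object back and commit
$root.SetInfo()

# Verify what the metabase now holds; GrantByDefault must read False and
# IPGrant must list exactly your ranges.
$check = ([ADSI]$SitePath).IPSecurity
"GrantByDefault : $($check.GrantByDefault)"
"IPGrant        : $($check.IPGrant -join '; ')"
"DomainGrant    : $($check.DomainGrant -join '; ')"
```

Test from an address outside the granted ranges after applying it: IIS should answer 403.6 (IP address rejected), which is also the quickest way to tell a metabase restriction from a firewall block (a firewall block gives no response at all).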
SSL is available for IIS if you require secure communications. To set it up, see the iisssl page.