Properly controlling access to your Web and FTP content is crucial for running a secure Web server. With Windows and the security features in IIS, you can effectively control how users access your Web and FTP content. You can control access on multiple levels, from entire Web and FTP sites to individual files.
Anonymous access, the most common Web site access control method, allows anyone to visit the public areas of your Web sites while preventing unauthorized users from gaining access to your Web server's critical administrative features and private information.
For example, if you imagine your Web server as a museum, enabling Anonymous access is like inviting the public to visit the museum's public galleries and exhibits. However, you would probably lock particular rooms, such as offices and laboratories, that you did not want the public to visit. Similarly, when you configure Anonymous access for your Web server, you can apply NTFS permissions to prevent ordinary users from accessing private files and directories. For more information about NTFS permissions, read the paragraph below detailing NTFS Permissions.
By default, your Web server logs on all users with the anonymous account. During installation, your server creates a special anonymous user account called IUSR_computername. For example, if your computer name is SalesDept1, then the anonymous account name is IUSR_SalesDept1. Each Web site on your server can use either the same or different anonymous user logon accounts. With the Windows Local Users and Groups utility, you can create a new anonymous logon user account. For more information, see About Authentication.
Distributed Authoring and Versioning (WebDAV) is an extension of the HTTP 1.1 standard for exposing any storage media, such as a file system, over an HTTP connection. With the IIS 5.0 implementation of WebDAV, you can allow remote authors to move, search, or delete files and directories and their properties on your server. WebDAV is configured by using Web server permission settings. For more information, see WebDAV Publishing.
You can set WebDAV permissions for:
WebDAV operates on both File Allocation Table (FAT) and NTFS. For more detailed information on the WebDAV specification drafts, see Extensions for Distributed Authoring on the World Wide Web (http://www.ics.uci.edu/~ejw/authoring/protocol/draft-ietf-webdav-protocol-06.html) or The Internet Engineering Task Force (http://www.ietf.org/). For more information about NTFS, see Securing Your Files with NTFS.
Note: WebDAV is an implementation of the HTTP 1.1 proposed draft and is therefore not available for non-HTTP services, such as FTP sites.
You can control user access to your Web server content by properly configuring your Windows file system and Web server security features. When a user attempts to access your Web server, the server carries out several access control processes to identify the user and determine the allowed level of access.
The following is an outline of the process:
You can configure your Web server to prevent specific computers, groups of computers, or entire networks from accessing your Web server content. When a user initially tries to access your Web server content, the server checks the IP address of the user's computer against the server's IP address restriction settings. For more information, see Granting and Denying Access to Computers.
You can configure your Web server's access permissions for specific sites, directories, and files. These permissions apply to all users regardless of their specific access rights. For example, you can disable the Read permissions for a particular Web site to prevent user access while you update the site's content so that when a user attempts to access the Web site, your server returns an "Access Forbidden" error message. However, when you enable the Read permission you allow all users to view your Web site, unless NTFS permissions restrict which users can view the site. For more information, see Setting Web Server Permissions.
The Web permission levels include:
Note: Web server permission settings affect which HTTP verbs can be used for a site, virtual directory, or file.
Internet Information Services relies on NTFS permissions for securing individual files and directories from unauthorized access. Unlike Web server permissions, which apply to all users, you can use NTFS permissions to precisely define which users can access your content and how those users are allowed to manipulate that content.
NTFS permission levels include:
Important: Setting No Access permissions for the IUSR_computername account for a resource will result in anonymous users being denied access to that resource.
You define a list of permissions, also known as a discretionary access control list (DACL), for individual files or directories. When you define this list, you select a particular Windows user account or user group, and then specify an access permission for that user or group.
The following table illustrates the contents of the permission list for the imaginary Microsoft Word document, MYSERVER:\Administration\Accounts.doc:
Windows 2000 User Account or User Groups | Permissions |
---|---|
MYSERVER\Administrators | Full Control |
MYSERVER\JeffSmith | Change |
MYSERVER\Guests | No Access |
Aside from members of the Administrator group, only the account named JeffSmith has permission to make changes to Accounts.doc. Ordinary users logged on as members of the Windows Guests user group would be explicitly denied access to this file.
After you set NTFS permissions, your Web server needs a way to identify, or authenticate, users prior to granting access to restricted files. You can configure your server's authentication features to require users to log on with a valid Windows account user name and password. For more information, see About Authentication.
Important: Incorrectly set NTFS DACLs may cause the browser to prompt the user for user information. For example, the user may not have access to a file (because of the DACLs), and IIS will issue an access denied error, which may cause the browser to prompt the user to enter a different user name and password.
Note: Making your server secure involves removing unnecessary users and groups, or groups that are too general for your purposes. However, removing the Everyone group from the DACLs on your Web resources without further modification will cause even non-anonymous access to fail. If you want to have non-anonymous access work correctly, you must have the following permissions plus any specific users or user groups:
For procedural information, see Securing Your Files with NTFS and Setting NTFS Permissions for a Directory or File.
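One way to review the DACLs discussed above for entries that are broader than intended: the following PowerShell function is an added example, not part of the original documentation. It lists Allow entries that give the anonymous account or the Everyone group rights to change content. The function name, the content path C:\Inetpub\wwwroot, and the choice of which rights count as "change" rights are assumptions.

```powershell
# Added example (not from the original documentation).
# Hypothetical helper: reports Allow ACEs that let the anonymous account or a
# general group alter Web content or its permissions.
function Get-WebContentAclFinding {
    param(
        [Parameter(Mandatory = $true)] [string] $ContentRoot,
        # IUSR_computername, as described in the Anonymous access section
        [string]   $AnonymousAccount = "IUSR_$env:COMPUTERNAME",
        # Groups treated as "too general" for Web content (assumption)
        [string[]] $BroadPrincipals  = @('Everyone')
    )

    # Only the bits that change content or its DACL; read and execute bits are
    # left out so that read-only entries are not reported.
    $changeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    $items = @(Get-Item -LiteralPath $ContentRoot) +
             @(Get-ChildItem -LiteralPath $ContentRoot -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read DACL: $($item.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            # Deny entries (for example No Access) restrict rather than grant
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $name        = $ace.IdentityReference.Value
            $isAnonymous = ($name -eq $AnonymousAccount) -or ($name -like "*\$AnonymousAccount")
            $isBroad     = $BroadPrincipals -contains $name
            if (-not ($isAnonymous -or $isBroad)) { continue }

            # Skip entries that grant no change rights
            if (([int]$ace.FileSystemRights -band $changeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Assumed content root; replace with the directory your site actually serves.
Get-WebContentAclFinding -ContentRoot 'C:\Inetpub\wwwroot' | Format-Table -AutoSize
```

An entry with Inherited set to True is fixed on the parent directory where it is defined, not on the file that reports it.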
You can reduce the likelihood of your Web server becoming susceptible to a security threat by using the following guidelines. When you implement them with a judicious access control policy and properly configured security features, you can achieve a reliable security configuration.
Note: For highly sensitive security applications, such as those involving the financial and banking industries, you should seek the assistance of a professional security consulting firm. A consulting firm can assist in setting up proper security policies and procedures.
To properly safeguard Web server content, your security policy should include the following guidelines:
Unauthorized individuals can gain access to your Web server by stealing or guessing user account passwords. You must make sure that all passwords, especially those used for protecting administrative privileges, are difficult to guess. To select strong passwords, use the following guidelines:
Be sure to limit access to your Web server's Administrators group. Members of the Administrators group have complete control over your entire Web server and its security features. Use the following practices for controlling membership of the Administrators group:
Use the Windows Group Policy utility to specify user rights policies for Windows user groups. User rights policies define the Web server and Windows administrative actions that a user can perform. For example, you can establish a policy that ensures that public users do not have the right to remotely shut down your Web server. As a rule, try to establish very restrictive user rights policies. Avoid accidentally giving users the ability to alter your Web server and its resources. For more information, see the Windows documentation or the Microsoft Windows 2000 Server Resource Kit.
For more information on Web server security, see the IIS Resource Guide volume of the Microsoft Windows 2000 Server Resource Kit.