Microsoft IIS 6.0 Administrator's Pocket Consultant (IT-Administrator's Pocket Consultant)
Reduce the Surface of Attack on the IIS web server
Professional IIS 7
* Enable only "MUST" Windows Server 2003 components and services.
* Enable only "MUST"l IIS 6.0 components and services.
* Enable only "MUST" IIS Web service extensions.
* Configure Windows Server 2003 security settings.
Prevent IIS websites from Unauthorized Access Unauthorised Access: Physical Penetration Testing For IT Security Teams
* Store content on a dedicated disk volume. (other then system drive)
* Set IIS Web site permissions.
* Set IP address and domain name restrictions.
* Set the NTFS file system permissions.
Isolate Web Sites and Applications
1. Evaluate the effects of impersonation on application compatibility:
* Identify the impersonation behavior for ASP applications.
* Select the impersonation behavior for ASP.NET applications.
2. Configure Web sites and applications for isolation.
Configure User Authentication Authentication: From Passwords to Public Keys
1. Assess Web site authentication.
* Select the Web site authentication method.
* Configure the Web site authentication method.
2. Configure File Transfer Protocol (FTP) site authentication.
Encrypt Confidential Data Exchanged with Clients
* Use Secure Sockets Layer (SSL) to encrypt confidential data.
* Use Internet Protocol security (IPsec) or virtual private network (VPN) with remote administration.
Maintain Web Site and Application Security
* Obtain and apply current security patches.
* Enable Windows Server 2003 security logs.
* Enable file access auditing for Web site content.
* Configure IIS logs.
* Review security policies, processes, and procedures.
