IIS primarily functions as a server for Web
services. Due to the importance of securing Web-based content, there
are numerous security-related industry standards, which are supported
by IIS 7 and with which you should be familiar. In this lesson, you
will learn how to configure and manage security for the Web Server
(IIS) server role and its associated components. You will first learn
how to determine the permissions that administrators will have on Web
servers. You will learn ways to extend IIS administration capabilities
to other users and Web developers in your organization through remote
management and delegation settings. Then, you will learn how to
increase security by configuring request handlers and their associated settings to minimize risks related to the execution of unwanted or malicious code or content.
Understanding IIS 7 Security Accounts
When you add the Web Server (IIS) role to a computer running Windows Server 2008, the process makes
numerous changes and additions to the configuration of the server. In
earlier versions of IIS, each installation created service accounts whose
names were derived from the server name (for example, IUSR_servername
for anonymous requests). Because the accounts and their security
identifiers (SIDs) were different on every server, NTFS permissions that
referenced them did not resolve on another machine, so copying Web
content and settings between Web servers required multiple steps.

In IIS 7, a built-in account named IUSR and a built-in local security
group named IIS_IUSRS are present on every Windows Server 2008 Web
server. Both have well-known SIDs that are identical on every computer,
so permissions granted to them on one server remain valid when the
content is copied to another. IUSR is the identity under which anonymous
requests run; IIS_IUSRS is the group to which worker process
(application pool) identities belong. Because these are built-in
principals rather than ordinary user accounts, there are no passwords
for administrators to keep track of.
Tip
Web
services are programs that enable a server to store, create, and
deliver information by using standard protocols and methods such as the
Hypertext Transfer Protocol (HTTP). In the context of IIS 7, this
includes Web applications and static Web site content that is included
in the server configuration. When taking the exam, you should usually
think of “Web services” as any of the functionality provided by IIS.
Managing File System Permissions
To implement security, Web server administrators must be able to define
which content should be protected. They must also be able to specify
which users or groups of users have access to protected content.
Permissions settings for Web content are managed through NTFS file
system permissions. These permissions can be administered directly,
using Windows Explorer, or by right-clicking a specific object in the
IIS Manager hierarchy and clicking Edit Permissions. As shown in Figure 1,
the permissions settings display which users or groups of users have
access to the content and which permissions they have. When a request
arrives, IIS checks these permissions against the identity associated
with the request: IUSR for an anonymous request, or the Windows user
identified by an enabled authentication method. If the anonymous
identity is not granted access to the requested file, IIS returns an
HTTP 401 response, and the client must supply credentials that another
enabled authentication method can validate before the content is served.
Note that Web content is served only if the content is stored on an NTFS
volume; a FAT volume has no per-object permissions to check.
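The following PowerShell script is an added example, not code from the lesson or from Microsoft. It ties together the two points above: it resolves IUSR and IIS_IUSRS by their well-known SIDs (S-1-5-17 and S-1-5-32-568), which is why the same NTFS permissions work on every IIS 7 server, and it then grants only Read & Execute on a content folder and audits the folder for permissions that would let the Web identities, or everyone, modify content. The folder path C:\inetpub\wwwroot\example is an assumption; run the script in an elevated PowerShell session on the Web server.

```powershell
# Added example (not part of the original lesson). Assumes an elevated
# PowerShell session on a Windows Server 2008 Web server with IIS 7 installed.
Set-StrictMode -Version 2

# Well-known SIDs used by IIS 7. They are the same on every machine, so an ACL
# granted to them on one server resolves correctly after content is copied.
#   S-1-5-17     = IUSR           (identity of anonymous requests)
#   S-1-5-32-568 = BUILTIN\IIS_IUSRS (group containing worker process identities)
function Resolve-WellKnownSid {
    param([string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # Translate to the locale-specific account name so the ACE is readable.
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

$iusr     = Resolve-WellKnownSid 'S-1-5-17'       # e.g. NT AUTHORITY\IUSR
$iisUsers = Resolve-WellKnownSid 'S-1-5-32-568'   # e.g. BUILTIN\IIS_IUSRS

# Assumed content folder for this example.
$contentPath = 'C:\inetpub\wwwroot\example'
if (-not (Test-Path -Path $contentPath)) {
    New-Item -ItemType Directory -Path $contentPath | Out-Null
}

# Grant the minimum rights the Web identities need to serve content:
# ReadAndExecute (traverse folders, read files, run handlers). The rule
# inherits to subfolders and files so new content gets the same access.
function Grant-WebReadAccess {
    param([string]$Path, [string[]]$Principals)
    $rights    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $acl = Get-Acl -Path $Path
    foreach ($p in $Principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, $rights, $inherit, $propagate, $allow)
        # SetAccessRule replaces any existing Allow ACE for this principal
        # instead of stacking a second one next to it.
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Report any Allow ACE that lets the Web identities or everyone change content.
# A Web identity with Write/Modify/Delete/FullControl on the content tree means
# a compromised application can alter the site itself.
function Find-WritableWebContent {
    param([string]$Path, [string[]]$WatchPrincipals)
    $dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, FullControl'
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WatchPrincipals -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band [int]$dangerous) -ne 0) {
            $findings += New-Object PSObject -Property @{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    $findings
}

Grant-WebReadAccess -Path $contentPath -Principals @($iusr, $iisUsers)

$watch = @($iusr, $iisUsers, 'Everyone', 'BUILTIN\Users')
$bad = Find-WritableWebContent -Path $contentPath -WatchPrincipals $watch
if ($bad.Count -eq 0) {
    Write-Host "OK: no Web identity can modify $contentPath"
} else {
    Write-Warning "Web identities with write access found:"
    $bad | Format-Table Principal, Rights, Inherited -AutoSize
}

# Show the resulting ACL, which is what IIS evaluates against IUSR (anonymous)
# or the authenticated Windows user when a request for this content arrives.
(Get-Acl -Path $contentPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Granting the IIS_IUSRS group rather than a specific application pool identity means any pool whose identity is a member of the group gets the same access, which keeps the ACL valid when the content is copied to another server. The audit deliberately inspects inherited entries as well, because a Write ACE for Users inherited from a parent folder is just as exploitable as one set directly on the content folder.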