Configuring Request Restrictions
In addition to specifying the paths and filenames to which specific request handlers will be mapped, you can further secure IIS through request restrictions. To see the available options, click Request Restrictions in the dialog box when you are adding a mapping. Three tabs organize the request restrictions options: Mapping, Verbs, and Access.
You can use the Mapping tab to specify additional details related to whether files, folders, or both will be included in the mapping. The default setting is for the handler to handle requests automatically for both files and folders. You can choose either files or folders to limit whether the handler will respond to default documents or explicit file requests.
You can use the Verbs tab, shown in Figure 17, to specify which HTTP request verbs the handler will respond to. Although the most common types of verbs are GET and POST, some applications might use other verbs (such as HEAD) to request other details from the Web server. By default, all verb types will be sent to the request handler. If you want to use different handlers for different verbs, or if you want the handler mapping to apply only to specific types of requests, you can specify this by using the One Of The Following Verbs option.
Finally, the Access tab specifies the access permissions that will be granted to the request handler. To improve security, minimize the types of access the handler will have. The default setting is Script, which is acceptable for most types of executable handlers. Other options include None, Read, Write, and Execute.
Configuring Feature Permissions
Feature permissions specify which types of actions a request handler can take. You can configure these options by double-clicking Handler Mappings and clicking Edit Feature Permissions in the Actions pane, as shown in Figure 18. The three permission options are:
Read: Enables the handler to read files that are stored within the file system.
Script: Enables the handler to perform basic scripting-related tasks on the server.
Execute: Enables the handler to run executable program code (such as .dll or .exe files) on the computer when processing a request. For Execute to be enabled, Script permissions must also be assigned.
By default, the Read and Script feature permissions are enabled for new handler mappings.
Practice: Managing IIS Security Settings
This practice will walk you through the steps required to manage security for a computer running Windows Server 2008 that has the Web Server (IIS) role installed. Specifically, you’ll learn how to enable remote administration and the effects of configuring handler mappings to increase security. The steps assume that you have already installed the Web Server (IIS) role, using the default options on Server2.contoso.com, and that you are familiar with the process of adding role services.
▸ Exercise 1 Configure and Manage Remote Administration
In this exercise, you will use the IIS Management Service features to enable a user to connect to the computer. First, you will need to install the IIS Management Service role service. Then, you will create a new user based on IIS Manager credentials and configure permissions to access the Default Web Site. Finally, you will connect to IIS, using the new user account to verify that the permissions and feature delegation settings are in effect. The final steps can be performed locally on Server2, or you can use another computer, running either Windows Vista or Windows Server 2008, that has the IIS 7.0 Manager console installed. The steps assume that you will perform the tasks locally on Server2.
1. Log on to Server2 as a user who has Administrator permissions.
2. Using Server Manager, add the IIS Management Service role service to the Web Server (IIS) server role. When you are finished, close Server Manager.
3. Open IIS Manager and connect to the local server (Server2).
4. Click the server object in the left pane, and then double-click the Management Service icon in Features View.
5. On the Management Service page, you should see a message stating that the service has not been started. This is necessary to make configuration changes. Select the Enable Remote Connections option.
6. In the Identity Credentials section, choose Windows Credentials Or IIS Manager Credentials. This will enable you to create IIS Manager users later. Leave all other settings at their default values. Note that Management Service will respond on port 8172 by default.
7. Start Management Service by clicking Start in the Actions pane. Note that you are unable to modify settings while the service is running.
8. Return to Features View by clicking the Back button in the top toolbar.
9. Double-click IIS Manager Users to view a list of users who have been allowed to access the system. Note that, by default, there will be no users in the list.
10. Click Add User in the Actions pane to create a new IIS Manager user. Use the username WebAdmin01 and the password 1w3b!admin. (Always use strong passwords.) Click OK to create the new user and verify that it appears in the list of IIS Manager Users.
11. In the left pane of IIS Manager, click the Default Web Site object. Then, click IIS Manager Permissions in the Management section of the Features View.
12. Click the Allow User action. For the type of user, select IIS Manager, and then type WebAdmin01 in the text box.
Note that you can also use the Select button to select from all the users who have been defined on the server.
13. Click OK.
14. In IIS Manager, click the Server2 object, and then double-click Feature Delegation in the Management section of Features View. In the Group By drop-down list, select Delegation. Note which features are set to Read Only in the list. In later steps, you will attempt to change SSL Settings to verify that feature delegation is working.
15. In IIS Manager, click the Start Page item in the left pane. In the center pane, click the Connect To A Site link.
16. For Server Name, type Server2.contoso.com. For Site Name, type Default Web Site. Click Next.
17. For Username, type WebAdmin01, and for Password, type 1w3b!admin. Click Next.
18. For the name of the connection, type Default Web Site – Test to specify that this is a test connection. Click Finish.
Once the connection is complete, you will see a new item called Default Web Site – Test in the left pane of IIS Manager. You can click this connection to administer the site, just as you would with the default local connection. However, note that the new connection shows only the contents of Default Web Site. You will have only the permissions that have been assigned to the WebAdmin01 user.
19. To verify the feature delegation settings, click the SSL Settings item in the IIS section of the Features View.
Note the message stating that the feature is set to Read Only in the Actions pane. Also, verify that you are unable to make changes to these settings.
20. Optionally, you can remove the new connection in IIS Manager by right-clicking it and selecting Remove Connection.
21. When you are finished, close IIS Manager.
▸ Exercise 2 Manage Handler Mappings
In this practice exercise, you will learn how to configure and manage handler mappings for a Web application. Initially, you will verify that content is being presented correctly to Web users. Then, you will disable a request handler mapping and verify that the content is no longer accessible. Finally, you will revert the handler mappings to their inherited settings to restore access to the content.
1. Log on to Server2 as a user who has Administrator permissions.
2. Using Windows Explorer, navigate to the %SystemDrive%\Inetpub\Wwwroot folder. Make a copy of the Iisstart.htm file and name it Iisstart.test.
Note that you might need to disable the Hide Extensions For Well Known File Types option on the View tab of the Folder Options dialog box by selecting Folder And Search Options on the Organize menu.
3. When you are finished, close Windows Explorer.
4. Open IIS Manager and connect to the local server.
5. In the left pane of IIS Manager, select Default Web Site. In the Actions pane, click the Browse *:80 (http) command. This will launch Internet Explorer and connect to the default content for the site. Note that the default document (in this case, Iisstart.htm) is displayed and that the page contains a .png image.
6. In Internet Explorer, modify the URL to request the iisstart.test page. An example of the full URL would be http://Server1/iisstart.test.
Note that, although the file exists, you will receive an HTTP Error 404.3. The error states that no handler is available to process the request.
7. When you are finished, close Internet Explorer.
8. In IIS Manager, double-click the Handler Mappings item. You will see a list of all the default handlers that have been registered on the system.
9. Click the Add Module Mapping link to create a new mapping. For Request Path, type *.test. For Module, select StaticFileModule. For Name, type Test Page Handler. Leave the other settings at their default values, and then click OK to create the mapping.
This will enable the Web server to process files that have the .test extension.
10. Open Internet Explorer and navigate to the Iisstart.test page, using the same URL you used in step 5.
Note that this time, you will see a blank page and that an error message does not appear. This indicates that the new handler mapping you created is functioning properly.
11. Close Internet Explorer.
12. In IIS Manager, return to the Handler Mappings section for Default Web Site, and then click Revert To Inherited in the Actions pane. Click Yes to confirm the changes.
This will restore the default handler mappings and will remove the Test Page Handler mapping that you created in a previous step.
13. When you are finished, close IIS Manager.
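Every choice made in IIS Manager in the Request Restrictions and Feature Permissions sections above, and the Test Page Handler mapping created in step 9 of Exercise 2, is stored as an attribute in the site's web.config. The fragment below is an added example, not a file from the book or from IIS itself; it assumes the Default Web Site layout used in the exercise and shows the step 9 mapping with each restriction tightened beside the default form that step 9 produces.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: %SystemDrive%\Inetpub\Wwwroot\web.config for Default Web Site.
     Revert To Inherited (Exercise 2, step 12) deletes the <handlers> element from this
     file so that the server-level mappings in applicationHost.config apply again. -->
<configuration>
  <system.webServer>
    <!-- Edit Feature Permissions: Read and Script enabled (the default for new mappings),
         Execute left off. A mapping whose requireAccess is not covered by accessPolicy
         is refused, so this one attribute caps what every mapping below may ask for. -->
    <handlers accessPolicy="Read, Script">

      <!-- What step 9 creates when Request Restrictions are left at their defaults:
           every verb, files and folders alike, and the default Script access level.
           <add name="Test Page Handler" path="*.test" verb="*" modules="StaticFileModule" />
      -->

      <!-- The same mapping with each Request Restrictions tab tightened:
           Mapping tab  -> resourceType="File"  (files only; Directory or Either are the alternatives)
           Verbs tab    -> verb="GET,HEAD"      (One Of The Following Verbs; "*" would mean all verbs)
           Access tab   -> requireAccess="Read" (None, Read, Write, Script or Execute) -->
      <add name="Test Page Handler"
           path="*.test"
           verb="GET,HEAD"
           modules="StaticFileModule"
           resourceType="File"
           requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
```

Because the static file module only reads content, requireAccess="Read" is the least access that still serves the .test page; raising it to Script or Execute grants the mapping more than it needs.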