Windows Server 2008 : Configuring IIS Security (part 9)

12/12/2010 9:08:04 AM

Configuring Request Restrictions

In addition to specifying the paths and filenames to which specific request handlers will be mapped, you can further secure IIS through request restrictions. To see the available options, click Request Restrictions in the dialog box when you are adding a mapping. Three tabs organize the request restrictions options: Mapping, Verbs, and Access.

You can use the Mapping tab to specify additional details related to whether files, folders, or both will be included in the mapping. The default setting is for the handler to handle requests automatically for both files and folders. You can choose either files or folders to limit whether the handler will respond to default documents or explicit file requests.

You can use the Verbs tab, shown in Figure 17 , to specify which HTTP request verbs the handler will respond to. Although the most common types of verbs are GET and POST, some applications might use other verbs (such as HEAD) to request other details from the Web server. By default, all verb types will be sent to the request handler. If you want to use different handlers for different verbs, or if you want the handler mapping to apply only to specific types of requests, you can specify this by using the One Of The Following Verbs option.

Figure 17. Viewing Verb Request Restrictions options for a handler mapping

Finally, the Access tab specifies the access permissions that will be granted to the request handler. To improve security, minimize the types of access the handler will have. The default setting is Script, which is acceptable for most types of executable handlers. Other options include None, Read, Write, and Execute.

Configuring Feature Permissions

Feature permissions specify which types of actions a request handler can take. You can configure these options by double-clicking Handler Mappings and clicking Edit Feature Permissions in the Actions pane, as shown in Figure 18.

Figure 18. Configuring Feature Permissions for a request handler

The three permission options are:

Read Enables the handler to read files that are stored within the file system.
Script Enables the handler to perform basic scripting-related tasks on the server.
Execute Enables the handler to run executable program code (such as .dll or .exe) files on the computer when processing a request. For Execute to be enabled, Script permissions must also be assigned.

By default, the Read and Script feature permissions are enabled for new handler mappings.

Practice: Managing IIS Security Settings

This practice will walk you through the steps required to manage security for a computer running Windows Server 2008 that has the Web Server (IIS) role installed. Specifically, you’ll learn how to enable remote administration and the effects of configuring handler mappings to increase security. The steps assume that you have already installed the Web Server (IIS) role, using the default options on Server2.contoso.com, and that you are familiar with the process of adding role services.

▸ Exercise 1 Configure and Manage Remote Administration

In this exercise, you will use the IIS Management Service features to enable a user to connect to the computer. First, you will need to install the IIS Management Service role service. Then, you will create a new user based on IIS Manager credentials and configure permissions to access the Default Web Site. Finally, you will connect to IIS, using the new user account to verify that the permissions and feature delegation settings are in effect. The final steps can be performed locally on Server2, or you can use another computer, running either Windows Vista or Windows Server 2008, that has the IIS 7.0 Manager console installed. The steps assume that you will perform the tasks locally on Server2.

1.	Log on to Server2 as a user who has Administrator permissions.
2.	Using Server Manager, add the IIS Management Service role service to the Web Server (IIS) server role. When you are finished, close Server Manager.
3.	Open IIS Manager and connect to the local server (Server 2).
4.	Click the server object in the left pane, and then double-click the Management Service icon in Features View.
5.	On the Management Service page, you should see a message stating that the service has not been started. This is necessary to make configuration changes. Select the Enable Remote Connections option.
6.	In the Identity Credentials section, choose Windows Credentials Or IIS Manager Credentials. This will enable you to create IIS Manager users later. Leave all other settings at their default values. Note that Management Service will respond on port 8172 by default.
7.	Start Management Server by clicking Start in the Actions pane. Note that you are unable to modify settings while the service is running.
8.	Return to Features View by clicking the Back button in the top toolbar.
9.	Double-click IIS Manager Users to view a list of users who have been allowed to access the system. Note that, by default, there will be no users in the list.
10.	Click Add User in the Actions pane to create a new IIS Manager user. Use the username WebAdmin01 and the password 1w3b!admin. (Always use strong passwords.) Click OK to create the new user and verify that it appears in the list of IIS Manager Users.
11.	In the left pane of IIS Manager, click the Default Web Site object. Then, click IIS Manager Permissions in the Management section of the Features View.
12.	Click the Allow User action. For the type of user, select IIS Manager, and then type WebAdmin01 in the textbox. Note that you can also use the Select button to select from all the users who have been defined on the server.
13.	Click OK.
14.	In IIS Manager, click the Server2 object, and then double-click Feature Delegation in the Management section of Features View. In the Group By drop-down list, select Delegation. Note which features are set to Read Only in the list. In later steps, you will attempt to change SSL Settings to verify that feature delegation is working.
15.	In IIS Manager, click the Start Page item in the left pane. In the center pane, click the Connect To A Site link.
16.	For Server Name, type Server2.contoso.com For Site Name, type Default Web Site Click Next.
17.	For Username, type WebAdmin01 and type 1w3b!admin for Password. Click Next.
18.	For the name of the connection, type Default Web Site – Test to specify that this is a test connection. Click Finish. Once the connection is complete, you will see a new item called Default Web Site – Test in the left pane of IIS Manager. You can click this connection to administer the site, just as you would with the default local connection. However, note that the new connection shows only the contents of Default Web Site. You will have only the permissions that have been assigned to the WebAdmin01 user.
19.	To verify the feature delegation settings, click the SSL Settings item in the IIS section of the Features View. Note the message stating that the feature is set to Read Only in the Actions pane. Also, verify that you are unable to make changes to these settings.
20.	Optionally, you can remove the new connection in IIS Manager by right-clicking it and selecting Remove Connection.
21.	When you are finished, close IIS Manager.

▸ Exercise 2 Manage Handler Mappings

In this practice exercise, you will learn how to configure and manage handler mappings for a Web application. Initially, you will verify that content is being presented correctly to Web users. Then, you will disable a request handler mapping and verify that the content is no longer accessible. Finally, you will revert the handler mappings to their inherited settings to restore access to the content.

1.	Log on to Server2 as a user who has Administrator permissions.
2.	Using Windows Explorer, navigate to the %SystemDrive%\Inetpub\Wwwroot folder. Make a copy of the Iisstart.htm file and name it Iisstart.test Note that you might need to disable the Hide Extensions For Well Known File Types option on the View tab of the Folder Options dialog box by selecting Folder And Search Options on the Organize menu.
3.	When you are finished, close Windows Explorer.
4.	Open IIS Manager and connect to the local server.
5.	In the left pane of IIS Manager, select Default Web Site. In the Actions pane, click the Browse *:80(http) command. This will launch Internet Explorer and connect to the default content for the site. Note that the default document (in this case, Iisstart.htm) is displayed and that the page contains a .png image type.
6.	In Internet Explorer, modify the URL to request the iisstart.test page. An example of the full URL would be http://Server1/iisstart.test. Note that, although the file exists, you will receive an HTTP Error 404.3. The error states that no handler is available to process the request.
7.	When you are finished, close Internet Explorer.
8.	In IIS Manager, double-click the Handler Mappings item. You will see a list of all the default handlers that have been registered on the system.
9.	Click the Add Module Mapping link to create a new mapping. For Request Path, type *.test. For Module, select StaticFileModule. For Name, type Test Page Handler. Leave the other settings at their default values, and then click OK to create the mappings. This will enable the Web server to process files that have the .test extension.
10.	Open Internet Explorer and navigate to the Iisstart.test page, using the same URL you used in step 5. Note that this time, you will see a blank page and that an error message does not appear. This indicates that the new handler mapping you created is functioning properly.
11.	Close Internet Explorer.
12.	In IIS Manager, return to the Handler Mappings section for Default Web Site, and then click Revert To Inherited in the Actions pane. Click Yes to confirm the changes. This will restore the default handler mappings and will remove the Test Handler Mapping that you created in a previous step.
13.	When you are finished, close IIS Manager.