Understanding Web Server Security
IIS 7.0 includes an array of features and options to support different
types of Web services and applications. Using the Server Manager
utility simplifies the process of installing IIS and its related
features and options. As a systems administrator, you will be
responsible for deploying IIS based on different needs and
requirements. Therefore, it is important to understand the design of
IIS before learning methods for installing the Web Server and
Application Server roles. This section will provide details about
deployment options for the IIS platform.
More Info: Other features of IIS
In addition to supporting Web applications, the IIS platform also provides
server components for the File Transfer Protocol (FTP) and the Simple
Mail Transfer Protocol (SMTP).
Web Standards and Protocols
To understand the purpose and function of the IIS platform, you must first
understand the protocols and standards used by Web applications. Hypertext
Transfer Protocol (HTTP) is the primary protocol used to communicate with
Web servers and services. HTTP follows a request–response model: a client
sends a request, and the server returns a response. HTTP traffic is carried
over Transmission Control Protocol/Internet Protocol (TCP/IP) network
connections. Because Web-based traffic is so important, most organizations
allow their users to reach the Internet on TCP port 80, the default HTTP
port. HTTP is stateless; that is, it provides no built-in mechanism to keep
track of conversations between clients and servers. Each request must
therefore carry everything the server needs to process it, including any
data that ties the request to a particular user or session (such as a
cookie or credentials).
Web standards and protocols also include methods for securing data as it is
passed among computers. By default, HTTP traffic is transmitted in
plaintext, so anyone who can observe the network path can read it. Although
this is acceptable when users are accessing public content, many Web sites
and applications need to transmit information confidentially between
clients and servers. The most common example is a payment-processing site
that accepts credit card information over the Internet. The HTTP Secure
(HTTPS) protocol encrypts HTTP traffic. By default, HTTPS connections use
TCP port 443, although any other port can be used as well. The encryption is
most commonly provided by Transport Layer Security (TLS) or its predecessor,
Secure Sockets Layer (SSL); the SSL versions are now known to be insecure, so
new deployments should allow only TLS. Other encryption mechanisms, such as
IPsec, can also be used, especially in intranet environments.
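The following PowerShell commands are an added example, not part of the original lesson, showing how the default HTTPS port described above is put to use on IIS 7.0: an HTTPS binding on TCP 443, the certificate mapping that HTTP.sys needs, and a site setting that refuses plaintext HTTP. The site name, the certificate thumbprint placeholder and the application GUID are assumptions to be replaced for your environment; the certificate must already be installed in the computer's Personal store.

```powershell
# Added example (not from the original lesson): put an IIS 7.0 site behind
# HTTPS on the default port 443 with the in-box appcmd.exe and netsh tools.
# Assumptions: the site "Default Web Site" exists; $certThumbprint is the
# thumbprint of a server certificate already present in Cert:\LocalMachine\My
# (list them with: Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, Thumbprint);
# $appId is an arbitrary GUID that HTTP.sys records with the certificate mapping.
$siteName       = "Default Web Site"
$certThumbprint = "<paste thumbprint here>"
$appId          = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"

$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"

# 1. Add an HTTPS binding for all addresses on port 443. Any other port works
#    (e.g. '*:8443:'), but clients then have to be told to use it.
& $appcmd set site /site.name:"$siteName" "/+bindings.[protocol='https',bindingInformation='*:443:']"

# 2. Tell HTTP.sys which certificate to present on 0.0.0.0:443. IIS 7.0 cannot
#    do this through appcmd; netsh (or IIS Manager) is required.
$hash = $certThumbprint -replace '\s', ''      # thumbprints copied from the UI contain spaces
netsh http add sslcert ipport=0.0.0.0:443 certhash=$hash appid=$appId

# 3. Require TLS for the site so plaintext HTTP requests are refused (HTTP 403.4)
#    instead of carrying data such as credentials or card numbers in the clear.
& $appcmd set config "$siteName" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

# 4. Verify the binding, the certificate mapping and the SSL requirement.
& $appcmd list site "$siteName"
netsh http show sslcert ipport=0.0.0.0:443
& $appcmd list config "$siteName" /section:system.webServer/security/access
```

Run the script elevated on the Web server. Step 3 is what actually closes the plaintext path: without it the site still answers on port 80, and a user who types the address without the scheme is served unencrypted.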
Web standards and protocols provide a consistent method of exchanging
information among computers. The Hypertext Markup Language (HTML) is
the primary specification for Web pages. The tag-based format of HTML
pages enables developers to use a variety of technologies to create
their content in a way that is accessible by different Web browsers.
The development tools can range from text editors such as Microsoft
Windows Notepad to full-featured development environments such as the
Microsoft Visual Studio platform.
The HTTP and HTML specifications were designed to provide basic
communication and presentation services. Modern Web applications
include features that enable complex application functionality to be
presented using these standards. Web developers can use development
platforms such as ASP.NET (a component of the Microsoft .NET Framework)
to build dynamic Web sites. These sites can keep track of user sessions
and can provide access to databases and other information that is
stored within the environment.
More Info: Further details about Internet standards
For more information about specific Internet and Web-based standards, see the World Wide Web Consortium (W3C) Web site at http://www.w3.org and the Internet Engineering Task Force (IETF) Web site at http://www.ietf.org. Both sites include the official specifications and descriptions for basic Internet protocols.
Web Server Usage Scenarios
The primary advantage of using Web-based content and applications is
accessibility from a broad range of client computers. Unlike traditional
desktop applications, there is generally no need to install or configure
any software on users’ computers. Because modern operating systems include
or support standards-based Web browsers such as Windows Internet
Explorer, most users already have the basic client tools they need to
access content. IT staff and software developers can use various
technologies to present content and deploy applications to both
internal and external users.
The IIS platform has been designed to support a variety of scenarios. Some examples include:
Public Web sites
Many businesses have relatively simple needs for communicating
information on the Internet. For example, a small business might want
to provide contact information and details about its services on a
simple Web site.
Online shopping
The Internet has become a commercial marketplace that enables vendors
to display and sell a wide variety of products. Online sites include
shopping-cart functionality, order processing, and customer support
features.
Intranet scenarios
The Web provides a simple method for all users within an organization
to access and present content. Company tasks such as creating expense
reports or verifying benefits can often be performed online without the
need to contact internal staff.
Enterprise applications
A common challenge with enterprise line-of-business applications is the
need to deploy and manage client-side installations. To alleviate some
of these problems, many organizations have created internal
applications that are designed to be accessed through a Web browser.
The applications can range from basic single-function sites to
distributed enterprise-wide systems.
Internet applications
Users can access their e-mail and create documents, for example,
without installing applications on their computers. Distributed
organizations and teams can also take advantage of secure access to
corporate applications by using the Internet while traveling or working
from remote locations.
Extranet scenarios
Businesses commonly partner with other organizations to obtain
services. An extranet scenario is one in which users from outside the
organization are able to access information. Security is an important
concern, but Web-based applications are a good choice because they
provide a standard method by which users can access the information
they need.
Web hosting
Many companies have focused on offering the service of hosting Web
sites for their customers. These hosting companies tend to run large
numbers of Web sites on a single physical server, so isolating customers
from one another and ensuring security, performance, and reliability
are key concerns.
Most organizations will deploy IIS in several roles within the organization.
It is important to note that requirements related to features and
options will vary based on the specific needs of each deployment.
You’ll learn more about the specific features and services that the IIS platform supports later in this lesson.
New Features in IIS
The IIS platform is one of the most popular Web servers in use for both
public and private Web sites. IIS 7.0 in Windows Server 2008 includes
numerous new features that provide increased performance and
functionality in a broad range of areas. The major areas of improvement
include:
Administration
One of the primary challenges of working with previous versions of IIS
was dealing with a large number of property pages and dialog boxes. IIS
7.0 includes new administration tools that are designed to manage the
many available options and settings more effectively. The user
interface has been designed to be both powerful and accessible for both
Web developers and systems administrators.
Security
By default, the Web Server (IIS) server role is installed with only a
basic set of role services. The binary files for features that have not
been installed are not placed in the IIS program directories, so they
cannot be loaded, or attacked, until a systems administrator enables
them explicitly. This reduces the attack surface of IIS while also
simplifying manageability. In addition, request filtering is built into
IIS 7.0: it rejects requests whose URL, HTTP verb, file extension, or
size matches rules for patterns commonly associated with attacks. (In
earlier versions, this functionality was commonly added by installing the
separate URLScan utility.)
Diagnostics and troubleshooting
Because organizations depend on Web services as a mission-critical
component of their infrastructure, it’s important to detect and resolve
any Web-based errors quickly. IIS 7.0 includes new features that make
it easier to pinpoint problems and obtain the details necessary to
address them.
Centralized configuration management
Many organizations support dozens or even hundreds of IIS
installations. To meet scalability and performance requirements, it is
often necessary to deploy numerous Web servers that have essentially
the same configuration settings. In previous versions of IIS, it was
difficult to manage these configurations without connecting to each
server. IIS 7.0 stores its configuration in XML files
(applicationHost.config and web.config) and provides a simplified method
by which administrators can share configuration information across
server farms. Further, IIS 7.0 uses a consistent set of built-in security
principals, the IUSR account and the IIS_IUSRS group, which have the same
well-known security identifiers (SIDs) on every server instead of the
machine-specific accounts used by earlier versions. This means
administrators can depend on specific account names and permissions when
scripting and automating common processes, and access control lists can
be copied from one server to another. IIS 7.0 also includes greatly
improved command-line support through the appcmd.exe tool.
Support for delegation
It is often necessary to divide Web server administration tasks for
security or management reasons. IIS 7.0 provides the ability to
implement granular security configuration permissions to support
Web-hosting environments and enterprise-level configurations.
Backward compatibility
The vast majority of Web sites and applications that were created for
previous versions of IIS will remain compatible with IIS 7.0. In
addition, IIS 6.0 management tools are provided for those applications
that depend on them.
Overall, IIS 7.0 has been designed to address the most common issues encountered
with previous versions of IIS.
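As an added example, not the lesson's own material, the following PowerShell script puts the Security and Centralized configuration management points above into practice on a Windows Server 2008 machine: a minimal Web Server (IIS) role install, request filtering rules in the role URLScan used to fill, and NTFS permissions granted to the fixed IUSR and IIS_IUSRS principals whose SIDs are the same on every server. The content folder C:\inetpub\wwwroot\app and the hidden segment name "backup" are hypothetical and exist only to illustrate the commands.

```powershell
# Added example (not from the original lesson): harden a fresh IIS 7.0 install
# on Windows Server 2008 from the command line. Assumptions: run elevated;
# the content folder C:\inetpub\wwwroot\app and the hidden segment "backup"
# are hypothetical names used only for illustration.

$appcmd      = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$section     = "system.webServer/security/requestFiltering"
$contentPath = "C:\inetpub\wwwroot\app"

# --- Minimal install -------------------------------------------------------
# The Web-Server role alone enables only static content, default documents,
# logging, request filtering and the management console. ASP.NET, CGI, ISAPI
# and FTP stay off until explicitly added, which keeps the attack surface small.
ServerManagerCmd.exe -install Web-Server
ServerManagerCmd.exe -query | Select-String "Web-"

# --- Request filtering (the in-box replacement for URLScan) -----------------
# Snapshot the server-level configuration first so every change below can be
# undone with: appcmd restore backup "<name>".
& $appcmd add backup ("pre-hardening-" + (Get-Date -Format "yyyyMMdd-HHmmss"))

# Turn the verb list into an allow list: only GET, HEAD and POST are served.
# (Do not do this on servers that need WebDAV or OPTIONS.)
& $appcmd set config /section:$section /verbs.allowUnlisted:false
foreach ($verb in "GET", "HEAD", "POST") {
    & $appcmd set config /section:$section "/+verbs.[verb='$verb',allowed='True']"
}

# Reject URLs that contain a directory-traversal sequence.
& $appcmd set config /section:$section "/+denyUrlSequences.[sequence='..']"

# Never serve a folder even if a file is placed in it
# (web.config, bin and App_Data are already hidden by default).
& $appcmd set config /section:$section "/+hiddenSegments.[segment='backup']"

# Cap request sizes (bytes): 10 MB body, 4 KB URL, 2 KB query string.
& $appcmd set config /section:$section /requestLimits.maxAllowedContentLength:10485760 /requestLimits.maxUrl:4096 /requestLimits.maxQueryString:2048

# Blocked requests appear in the IIS log as 404 with a substatus such as
# 404.5 (URL sequence), 404.6 (verb), 404.7 (extension) or 404.8 (hidden segment).
& $appcmd list config /section:$section

# --- Permissions on the fixed IIS principals --------------------------------
# These SIDs are identical on every IIS 7.0 server, so the ACL commands below
# can be reused unchanged across a farm: S-1-5-17 is the built-in IUSR account
# (anonymous requests) and S-1-5-32-568 is the built-in IIS_IUSRS group
# (application pool identities).
foreach ($sid in "S-1-5-17", "S-1-5-32-568") {
    $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount])
    "{0} -> {1}" -f $sid, $account.Value
}

# Read-and-execute only; worker processes must not be able to modify content.
# (OI)(CI) makes the entry inherit to files and subfolders.
icacls $contentPath /grant "BUILTIN\IIS_IUSRS:(OI)(CI)RX"
icacls $contentPath /grant "NT AUTHORITY\IUSR:(OI)(CI)RX"

# Verify: no write, modify or full-control entries remain for these principals.
icacls $contentPath | Select-String "IIS_IUSRS|IUSR"
```

The request filtering changes are committed to applicationHost.config and therefore apply to every site on the server; scope them to a single site by adding the site name after `set config` if different applications need different rules. Because the SIDs are well known, the same `icacls` lines work on every server in the farm without looking up machine-specific account names first.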
More Info: IIS in Windows Vista
Microsoft first made the IIS 7.0 platform available in the Windows Vista
operating system. Because the core architecture of IIS in Windows Vista
is similar to that in Windows Server 2008, Web developers can use
similar environments on both their development workstations and their
production servers. It is important to note that there are some feature
and licensing differences between the two platforms. For more
information, see the Microsoft Internet Information Services Web site
at http://www.microsoft.com/iis/.