
Implementing Microsoft Internet Information Server


by Paolo Pappalardo

The Windows NT environment, along with IIS, has several specific security issues that are of interest to the administrator. The first thing you should examine more closely is the architecture: how IIS sits relative to your firewall. There are security issues specific to the combination of NT and IIS, and there are security capabilities of IIS that exist only because it runs on NT. As always, the rule that "an ounce of prevention is worth a pound of cure" applies; prevention is the last topic of this chapter.

IIS and Firewall Architecture

The concept of a firewall is fairly straightforward; the hard part is developing the security policy it enforces. Always remember that the harder you make a system to break into, the more difficult it is to use and administer. Because IIS is tightly integrated with the NT security system, it inherits NT's accounts, authentication, and file permissions, so it is no weaker than the NT system it runs on. On top of that, IIS adds IP address inclusion/exclusion for its three basic services (World Wide Web, FTP, and Gopher). Even though it provides good security, IIS still is not a firewall.

A firewall should be able to do complete packet filtering, in which each IP packet is examined and permitted or refused passage to the internal or external system according to a series of rules. Currently, the number of different firewall systems to choose from is still low, and those available require a great deal of overhead. One example is the firewall system for NT by Raptor Software; it cannot run concurrently with Remote Access Service, and it requires at least a Pentium processor and 32MB of RAM. A firewall should also be completely independent of the internal system, which means an extra, dedicated machine.

A good firewall combines several forms of filtering, so some people argue that NT security plus the limited IP filtering provided by IIS constitutes a firewall. The problem with this view is that the IIS restrictions are applied by the Web server after the connection has already reached it; they are a management control over who may use the service, not an absolute control over which packets reach the machine. It is also difficult to maintain an effective security policy when two separate systems each implement part of it.

IIS Inside the Firewall

When the IIS server runs inside the firewall, as in Figure 6.1, internal users have unrestricted access to the IIS services, and people outside the firewall are controlled by the firewall. This is useful if your IIS provides access to corporate data. Use this structure if you want to open the server only to a specific set of sites on the Internet. It is difficult, however, to write firewall rules that let in only the right people. This arrangement is more appropriate for private Web sites.


Figure 6.1. IIS inside the firewall.

IIS Outside the Firewall

When the IIS server is outside the firewall, as in Figure 6.2, the server is exposed directly to the Internet and it is the corporate users who are restricted by the firewall. Avoid this setup if you are using IIS to publish sensitive corporate data, because nothing stands between the server and an attacker who compromises it. It is a good setup, though, for extended corporate/customer support, where the content is meant for the public anyway.


Figure 6.2. IIS outside the firewall.

Proxy Servers

Along with a firewall, a proxy server provides additional security. The proxy server acts on behalf of either a server or a client. It takes requests, processes them through a firewall if one is present, and passes the results back to the original requestor. This handing off shields the client that uses the proxy server by masking and filtering its requests. This looks like a firewall, but a firewall does not provide alias identities to its users; it only filters. A single computer might run multiple servers, with each server connection identified by a port number. A proxy server, like an HTTP server or an FTP server, occupies a port. Typically, a connection uses standardized port numbers for each protocol. For example, HTTP is 80, and FTP is 21. Unlike common server protocols, however, the proxy server has no default port.

Many of today's proxy servers also provide caching. Caching gives the end user the impression of wider bandwidth, because information that has already been passed through is saved in the cache; when a user requests it again, it is served from the cache instead of being fetched from the Internet. Proxy servers also can be used in purely intranet situations, in which the caching capability matters even more. At the time of writing, there were no proxy servers for the NT system.

Secure Sockets Layer Security

Secure Sockets Layer (SSL) security is enabled and disabled by using Internet Service Manager. SSL is a protocol submitted to the W3C working group on security for consideration as a standard security approach for World Wide Web clients and servers on the Internet. SSL adds a security handshake that runs as soon as the TCP/IP connection is established and before any HTTP data is sent. The handshake results in the client and server agreeing on the cipher and level of security they will use, and it fulfills the authentication requirements for the connection (the server presents its certificate; client certificates are optional). From then on, SSL's role is to encrypt the information passing between client and server and to detect any tampering with it in transit.

To enable SSL security on a Microsoft Internet information server, follow these steps:

  1. Generate a key pair file and a request file.

  2. Request a certificate from a certification authority. At the time of writing, the only known certification authority issuing such certificates was Verisign, located at http://www.verisign.com.

  3. Install the certificate on your server.

  4. Activate SSL security on a World Wide Web service directory.

Keep these important points in mind when you enable SSL security:

Using SSL is not the same as validation. It ensures that when you send something via the Internet, nobody can eavesdrop on the information being passed back and forth, and it lets the client verify that it is talking to the server named in the certificate. It does not guarantee that the information being passed is authentic: an encrypted connection carries a stolen credit card number just as readily as a legitimate one. Protocols for transferring money between a client and a server are currently in the final stages of development.

Using NT Security Features for Your Internet Information Server

As many people know, Windows NT has many inherent security features, such as account authentication, user and password configuration, and permissions. When coupled with IIS, you will find them a very strong combination.

Account Authentication

As Figure 6.3 shows, IIS offers three forms of account authentication. The first is anonymous, which actually means no authentication: every request runs under the Internet guest account. The second is basic authentication, the most common form and the one supported by most browsers. Basic authentication does not encrypt anything by itself; it only base64-encodes the user name and password, which any eavesdropper can decode, so use it together with the secure sockets layer, which encrypts the whole exchange. The third form is Windows NT Challenge/Response. It is a higher level of authentication in which the password never crosses the network: the server sends a challenge and the client answers with a value computed from the challenge and the password. It is not as widely supported, but it is built into Internet Explorer 2.0.


Figure 6.3. IIS account authentication.

Browser support for Windows NT Challenge/Response is relatively limited, so if you enable only that option, you can be sure that some World Wide Web users will not get through. With respect to IIS, therefore, the best place to secure files and require authentication is through File Manager permissions, which cause IIS to ask for credentials only on the files that need them.
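The difference between the two non-anonymous schemes is easiest to see on the wire. The following is an added example (not code from the original chapter or from IIS): it builds the header a browser sends for Basic authentication and shows how trivially an eavesdropper recovers the password from it, then models a challenge/response exchange in which only a keyed answer to a fresh server nonce is transmitted. The challenge/response part is a schematic using HMAC-SHA256, chosen for illustration; it is not Microsoft's NT Challenge/Response algorithm, and the user name, password and stored-secret derivation are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os


def basic_authorization_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication.

    Basic authentication only base64-encodes "user:password"; nothing is
    encrypted. Without SSL underneath, the credentials cross the network in a
    trivially reversible form.
    """
    token = base64.b64encode(f"{username}:{password}".encode("latin-1"))
    return "Authorization: Basic " + token.decode("ascii")


def recover_basic_credentials(header_line: str) -> tuple:
    """What an eavesdropper does with a captured Basic header: decode it."""
    _, value = header_line.split(":", 1)
    scheme, token = value.split()
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


# --- Schematic challenge/response -------------------------------------------
# Stands in for the idea behind NT Challenge/Response: the password never
# crosses the wire; the client proves it knows the password by answering a
# fresh server challenge. HMAC-SHA256 is used here for illustration only; this
# is NOT Microsoft's NTLM algorithm.

def password_secret(password: str) -> bytes:
    """Assumed server-side secret derived from the password (example only)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_challenge() -> bytes:
    """Server side: a fresh random nonce for every authentication attempt."""
    return os.urandom(8)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: keyed hash of the challenge. This, not the password, is
    what a sniffer sees."""
    return hmac.new(password_secret(password), challenge, hashlib.sha256).digest()


def server_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def replay_captured_response(secret: bytes, captured: bytes) -> bool:
    """An attacker who sniffed one response tries it against the next logon.
    The server issues a new nonce, so the stale response does not verify."""
    return server_verify(secret, new_challenge(), captured)


if __name__ == "__main__":
    header = basic_authorization_header("webuser", "s3cret!")
    print(header)                                  # what crosses the wire
    print(recover_basic_credentials(header))       # ('webuser', 's3cret!')

    secret = password_secret("s3cret!")
    chal = new_challenge()
    resp = client_response("s3cret!", chal)
    print(server_verify(secret, chal, resp))       # True
    print(replay_captured_response(secret, resp))  # False
```

The point for the administrator is that the choice of scheme decides what a captured packet is worth: a Basic header is the password, while a challenge/response capture is useful only until the server issues its next challenge. SSL protects Basic authentication because it encrypts the header, not because Basic does anything itself.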

Setting User Names and Passwords

To set user names and passwords, start with the dialog box for domain users (see Figure 6.4). This is where you set up new users and assign their passwords. It also is where you change user names and passwords. Double-click the user name to bring up the user's individual dialog box. Figure 6.5 shows the generic user Guest account. It is currently disabled. This is where my clients disable my account when the project that I am working on is done. This is better than deleting the account, for I might have to revisit the site later. The password, once typed, is always hidden. Therefore, if the user loses it and you, who typed in the password in the first place, do not remember it, a new password must be entered.


Figure 6.4. The Domain Users dialog box.


Figure 6.5. The generic guest account.

With respect to IIS, the installation procedure automatically creates a generic Internet user account (IUSR_ followed by the computer name) for those coming to your system via the World Wide Web, FTP, or Gopher services. This user name and its password must match what is set in the dialog boxes for the IIS installation. If the passwords, which are hidden by the asterisks, get out of sync, you can have security and access problems in which people cannot access your site as you intend.

Select the User Rights option under the Policies menu (refer to Figure 6.4) to adjust the finer-grained rights. It is important that the Internet user account have the Log on locally right; IIS logs that account on to serve each anonymous request and cannot do so without it. Otherwise, you can experience inadvertent security problems when you do advanced database integration. The IIS installation program does not set this automatically.

Specifying Permissions for Directories and Files

You specify permissions for directories and files through File Manager (see Figure 6.6). Notice the icon of a key at the far right of the tool bar. By highlighting a file, a series of files, or directories, you get highly granular control over your files. This is where IIS offers a significant advantage over other products: it is fully integrated with the NT security system, so you do not have to maintain a separate set of clearances for the Web. You can use it to set up private sections and pages on the Web. Remember, though, that if you set up a secure area on the Web, every object used in that area must have its permissions set accordingly. If you lock the main .HTM file in the directory but nothing else, a user can step around that doorway and into the secure area. You have secured the .HTM file, but not the associated .IDC or .HTX files, so someone who knows or guesses their names can request the .IDC file directly instead of using the link that you intended.


Figure 6.6. The File Manager.

IP Level security

IP level security is straightforward (see Figure 6.7). You can grant access to all computers except those with specific IP addresses, or you can deny access to all computers except those with specific IP addresses. Securing a system at the IP level can provide an extremely high level of security, but it is a double-edged sword. You can inadvertently lock out the general public, which is not consistent with World Wide Web practices. Likewise, the restriction is difficult to test: you cannot tell whether an unauthorized address would have been admitted except by trying from it, and you cannot tell whether unauthorized people have gained access unless you catch them in the log as they come in.


Figure 6.7. Setting IP level security.

This is something like a firewall for IIS. If the system is used as an intranet, only specific IP addresses can come through, and you can use a subnet mask to ensure that all the addresses inside your network get through. Against outside users it is much less useful, because most people signing onto the Internet from outside your network are assigned a temporary IP address by their provider. Therefore, you can lock out only the address range of a specific Internet access provider (IAP), not specific users. For example, you can prevent another company from signing onto your system from its own network, but an individual from that company can still sign in through a different IAP.
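The following is an added example (not code from the chapter or from IIS) that models the two IIS restriction modes, "grant all except" and "deny all except", with single-computer and address-plus-mask exceptions, and dry-runs a policy against a list of client addresses before it goes live. The addresses, masks and provider range are constructed for the example. It demonstrates the two caveats above: a blocked provider range does nothing against the same person arriving through another provider, and a mistyped mask on a deny-all-except policy locks out the whole LAN.

```python
import ipaddress
from typing import Iterable


class IPAccessPolicy:
    """Model of the IIS IP address restriction: a default action plus exceptions.

    default_grant=True  : 'grant access to all computers except ...'
    default_grant=False : 'deny access to all computers except ...'
    Each exception is a single computer or a group of computers given as an
    address plus subnet mask, as entered in Internet Service Manager.
    """

    def __init__(self, default_grant: bool) -> None:
        self.default_grant = default_grant
        self.exceptions = []  # list of ipaddress networks

    def add_single_computer(self, address: str) -> None:
        self.exceptions.append(ipaddress.ip_network(address))

    def add_group(self, address: str, mask: str) -> None:
        # strict=False lets a host address stand in for its network, as the GUI does
        self.exceptions.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))

    def allows(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        listed = any(ip in net for net in self.exceptions)
        # A listed address gets the opposite of the default action.
        return self.default_grant != listed

    def audit(self, client_ips: Iterable[str]) -> dict:
        """Dry-run the policy against known client addresses (for example, the
        ones in the usage log) so a lockout shows up here, not in production."""
        allowed, denied = [], []
        for ip in client_ips:
            (allowed if self.allows(ip) else denied).append(ip)
        return {"allowed": allowed, "denied": denied}


def intranet_policy() -> IPAccessPolicy:
    """Deny everyone except the internal network (constructed: 10.0.0.0/255.0.0.0)."""
    policy = IPAccessPolicy(default_grant=False)
    policy.add_group("10.0.0.0", "255.0.0.0")
    return policy


def block_one_provider_policy() -> IPAccessPolicy:
    """Public site that blocks one provider's range (constructed: 203.0.113.0/24)."""
    policy = IPAccessPolicy(default_grant=True)
    policy.add_group("203.0.113.0", "255.255.255.0")
    return policy


def lockout_policy() -> IPAccessPolicy:
    """The double-edged sword: 'deny all except' with a mask typo (255.0.0.0 was
    meant, 255.255.255.255 was entered) admits exactly one host and nobody else."""
    policy = IPAccessPolicy(default_grant=False)
    policy.add_group("10.0.0.0", "255.255.255.255")
    return policy


if __name__ == "__main__":
    print(block_one_provider_policy().audit(["203.0.113.7", "198.51.100.9"]))
    print(lockout_policy().audit(["10.1.2.3", "10.0.0.0"]))
```

Run the `audit` method over the client IP column of a day's usage log before switching the restriction on; if the list of denied addresses contains your own users, the mask is wrong.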

Security Capabilities of IIS and Its Integration with NT Security

Integration normally is the result of merging two independent systems, the IIS system and the main NT system. I apply the Usage Log and Performance Monitor for this task. The Usage Log lets me know where I "came from" with respect to IIS, and the Performance monitor gives me feedback as to the effects of the integration of IIS to NT.

The Usage Log

All HTTP services provide a log, and IIS is no exception. The log serves many purposes. Among them is tracking the usage of your pages for marketing, which tells you whether you are providing the kinds of information and services that your market wants. There are several formats for HTTP logs, and they all are similar in structure. Figure 6.8 shows an example of the IIS log. The file is basically a comma-separated text file of 15 columns; the formats differ mainly in what goes in each column. Set beside other HTTP servers' log files, they would be practically indistinguishable.


Figure 6.8. IIS HTTP log file.

From the standpoint of security, this is what each column means for the IIS service:

Column   Meaning

1        The IP address of the client looking at your service

2        The user name that was given. It appears only for requests that require authentication; anonymous requests show a hyphen.

3        The date in month/day/year format

4        The time in 24-hour format

5        The service that answered the request (W3SVC for the World Wide Web service)

6        The name of the server

7        The IP address of the server. If the system is multihomed, more than one address can appear.

8        The amount of time, in milliseconds, required to serve the request

9        The number of bytes received from the client

10       The number of bytes sent to the client

11       The numeric HTTP status code of the response (200, 401, 404, and so on)

12       The Windows NT status code for the operation. 0 means success; a nonzero value (such as 5, access denied) explains why a request failed.

13       The operation performed (GET, POST, and so on)

14       The directory and page accessed

15       Parameters passed with the request, such as a query string; a hyphen if there are none
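From a security standpoint the log is the only record of who reached what, so it is worth parsing rather than only feeding to a marketing tool. The following is an added example (not code from the chapter or from any IIS utility) that parses lines in the documented Microsoft IIS log format, with its 15 fields in the order shown above, and runs three checks over them: hosts generating many Not Found responses (probing), hosts refused authentication, and anonymous requests that reached an .IDC or .HTX file inside a supposedly secure area. The sample log, the server name, the `/private/` secure prefix and the threshold of three 404s are constructed for the example.

```python
from collections import Counter
from typing import Dict, List

# Field names for the 15 columns of the Microsoft IIS log format, in order.
FIELDS = (
    "client_ip", "username", "date", "time", "service", "server_name",
    "server_ip", "time_taken_ms", "client_bytes", "server_bytes",
    "http_status", "win32_status", "method", "target", "parameters",
)
NUMERIC = ("time_taken_ms", "client_bytes", "server_bytes", "http_status", "win32_status")

# Constructed sample log (not a real capture): one normal visit, one host probing
# for files that do not exist, and one authenticated visit to a private area
# followed by an anonymous request that reaches a query .IDC file directly.
SAMPLE_LOG = """\
10.1.2.3, -, 10/01/96, 07:30:12, W3SVC, NTSERVER, 10.1.2.1, 121, 230, 3245, 200, 0, GET, /default.htm, -,
203.0.113.7, -, 10/01/96, 07:31:05, W3SVC, NTSERVER, 10.1.2.1, 15, 210, 0, 404, 2, GET, /cgi-bin/, -,
203.0.113.7, -, 10/01/96, 07:31:06, W3SVC, NTSERVER, 10.1.2.1, 12, 212, 0, 404, 2, GET, /scripts/test.idc, -,
203.0.113.7, -, 10/01/96, 07:31:07, W3SVC, NTSERVER, 10.1.2.1, 14, 205, 0, 404, 2, GET, /samples/, -,
203.0.113.7, -, 10/01/96, 07:31:08, W3SVC, NTSERVER, 10.1.2.1, 13, 209, 0, 404, 2, GET, /admin/, -,
198.51.100.9, -, 10/01/96, 07:40:00, W3SVC, NTSERVER, 10.1.2.1, 40, 240, 0, 401, 5, GET, /private/default.htm, -,
198.51.100.9, webuser, 10/01/96, 07:40:21, W3SVC, NTSERVER, 10.1.2.1, 88, 310, 1800, 200, 0, GET, /private/default.htm, -,
198.51.100.9, -, 10/01/96, 07:41:02, W3SVC, NTSERVER, 10.1.2.1, 95, 260, 2100, 200, 0, GET, /private/query.idc, Customer=ACME,
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into named fields; the trailing comma IIS writes is dropped.
    A comma inside the parameters column would break the split, so a line with
    the wrong column count is reported rather than silently misparsed."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for name in NUMERIC:
        record[name] = int(record[name])
    return record


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def security_report(records: List[dict], secure_prefixes=("/private/",),
                    probe_threshold: int = 3) -> dict:
    """Three checks worth running on every day's log:
    - hosts with many Not Found responses (column 11 == 404): probing for files;
    - hosts refused authentication (401; column 12 holds the NT reason, 5 = access denied);
    - anonymous requests (user name '-') answered 200 for an .IDC or .HTX file
      inside a secure area: the file permissions left a window open."""
    not_found = Counter(r["client_ip"] for r in records if r["http_status"] == 404)
    refused = Counter(r["client_ip"] for r in records if r["http_status"] == 401)
    exposed = sorted({
        r["target"] for r in records
        if r["username"] == "-" and r["http_status"] == 200
        and r["target"].lower().endswith((".idc", ".htx"))
        and r["target"].startswith(tuple(secure_prefixes))
    })
    return {
        "probing_hosts": {ip: n for ip, n in not_found.items() if n >= probe_threshold},
        "auth_refused": dict(refused),
        "anonymous_secure_hits": exposed,
    }


if __name__ == "__main__":
    for key, value in security_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The last check is the log-side counterpart of the File Manager warning earlier in this chapter: a 200 for an anonymous request to a query file under a directory you believed was locked means the .IDC or .HTX file itself was never restricted.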

This format is useful because it enables third-party vendors to provide tools for evaluating the data that is generated. For example, the Windows NT Users Group of Indianapolis (http://www.wintugi.org) uses the Web Trend software package by Software, Inc. Figures 6.9 and 6.10 are examples of what the log files can tell you about how effective your Web site is.


Figure 6.9. Processed HTTP log files, example 1.


Figure 6.10. Processed HTTP log files, example 2.

Because not all products are set to read the format provided by Microsoft for their HTTP service, there are conversion utilities. These utilities are found in the \ADMIN directory installed with IIS. They enable you to convert to other formats used by CERN, EMWAC, Purveyor, and so on.

You can output the log files in various ways. The most popular way is as a text file, but you also can send it directly to an ODBC-compliant database (see Figure 6.11). You can use the database output to do more detailed analysis.


Figure 6.11. The ODBC Administrator.

The Performance Monitor

The Performance Monitor is a tool that you can configure to look at almost every parameter that runs across your system (see Figure 6.12). Use it as an indicator that something might be amiss. The values that it can watch are

Bytes Received/sec

The rate at which data bytes are received by the HTTP server

Bytes Sent/sec

The rate at which data bytes are sent by the HTTP server

Bytes Total/sec

The sum of Bytes Received/sec and Bytes Sent/sec. This is the total rate of bytes transferred by the HTTP Server.

CGI Requests

Custom gateway executables that the administrator can install to add forms processing or other dynamic data sources

Connection Attempts

Connection attempts that have been made to the HTTP server

Connections/sec

The number of HTTP requests being handled per second

Current Anonymous Users

The number of anonymous users currently connected to the HTTP Server

Current CGI Requests

The current number of CGI requests that are being processed simultaneously by the HTTP server, including WAIS index queries

Current Connections

The current number of connections to the HTTP server

Current ISAPI Extension Requests

The current number of extension requests that are being processed simultaneously by the HTTP server

Current Non-Anonymous Users

The number of non-anonymous users currently connected to the HTTP server

Files Received

The number of files received by the HTTP server

Files Sent

The number of files sent by the HTTP server

Files Total

The sum of Files Received and Files Sent. This is the total number of files transferred by the HTTP server.

Get Requests

The number of HTTP requests using the GET method. Get requests generally are used for basic file retrievals or image maps, although they can be used with forms.

Head Requests

The number of HTTP requests using the HEAD method. Head requests generally indicate that a client is querying the state of a document they have already seen in order to determine if it needs to be refreshed.

ISAPI Extension Requests

Custom gateway dynamic link libraries that the administrator can install to add forms processing or other dynamic data sources

Logon Attempts

The number of logon attempts that have been made by the HTTP server

Maximum Anonymous Users

The maximum number of anonymous users who have been connected simultaneously to the HTTP server

Maximum CGI Requests

The maximum number of CGI requests that have been processed simultaneously by the HTTP server, including WAIS index queries

Maximum Connections

The maximum number of simultaneous connections to the HTTP server

Maximum ISAPI Extension Requests

The maximum number of extension requests that have been processed simultaneously by the HTTP server

Maximum Non-Anonymous Users

The maximum number of non-anonymous users simultaneously connected to the HTTP server.

Not Found Errors

The number of requests that the HTTP server could not satisfy because the requested documents could not be found. Not Found errors are generally reported to the client as HTTP 404 error codes.

Other Request Methods

The number of HTTP requests that are not GET, HEAD, or POST methods, including DELETE, LINK, PUT, and other methods supported by gateway applications.

Post Requests

The number of HTTP requests using the POST method. Post requests generally are used for forms or gateway requests.

Total Anonymous Users

The total number of anonymous users who have ever connected to the HTTP server

Total Non-Anonymous Users

The total number of non-anonymous users who have ever connected to the HTTP server

To select these different parameters, use the Add to Chart option under the Edit menu (see Figure 6.13).


Figure 6.12. Performance Monitor Chart.


Figure 6.13. Performance Monitor Chart Options dialog box.

Prevent Unauthorized Access to the Network

For the most part, I concentrate on three aspects when looking to set up a barrier to unauthorized access. The first is where a user would come into the system via the RAS connection. The second is the way an account has its privileges set up, and the third is using the File Manager to set up security directly at the individual file or directory level.

Use Remote Access Administrator for Dial-Up Client Authentication

Remote Access Service (RAS) is more than just a tool for exchanging files and collecting mail. Using it is, in effect, the same as being locally connected to the LAN, which calls for more safeguards. The first place to set up RAS users is through the RAS Administrator, shown in Figure 6.14. Select the Permissions option under the Users menu. By default, users are not permitted to sign on via RAS; you need to check the Grant Dialin Permission to User box (see Figure 6.15). The other choices (No Call Back, Set by Caller, and Preset) control callback. After a user has been authenticated, RAS can hang up and call him back, either at a preset telephone number or at one of the caller's choice. Only the Preset option adds security, because it ties the account to a telephone number you control; Set by Caller is a convenience that moves the call charges to the server and gives no protection, since the caller chooses the number.


Figure 6.14. RAS Administrative dialog box.


Figure 6.15. RAS Security options.

You can use a combination of the Event Viewer (found in the Administrative Tools Group) and Figure 6.16 as further confirmation of who has logged on. Figure 6.16 is the status of the com port that is being used by RAS.


Figure 6.16. RAS COM Port Status dialog box.

Specify the IIS User Account Privileges with User Manager for Domains

Look at User Manager for Domains, and open the properties for the Internet account that was installed by IIS (see Figures 6.17 and 6.18). There are some practices that you follow with this account that you would not follow with other accounts, because for them these settings would be weak security links.


Figure 6.17. Internet User Properties dialog box.


Figure 6.18. Internet User "Groups" dialog box.

For example, requiring users to change their passwords when they log in for the first time is a simple and standard security procedure. For users coming in via the Web, however, there is no place to make this change. Likewise, no one is ever asked for a password associated with the Internet Guest account. Therefore, I leave it blank. In case I am wrong—not knowing how to change a password is not the same as knowing absolutely that it cannot be done—I check the box that indicates that the users cannot change their passwords. Because it is possible never to know what a password is and because it is entered in the IIS manager separately, I have set up the password to have an infinite life.

The Account Disabled option is useful for accounts for consultants and temps, but not for Internet users; leave it blank. The same is true for the Account Locked Out option. The user groups to which the Internet guest belongs are straightforward (refer to Figure 6.18).

User rights are more important (see Figure 6.19). The privileges that Internet users should have are


Figure 6.19. User Rights dialog box.

Specify Directory and File Permissions with File Manager

The installation procedure for IIS is good. If you move any files to different directories, though, do not forget to ensure that the IIS directory properties reflect those changes. The individual files are where you include or exclude Internet users. Setting these permissions at the individual file level is how you control whether users are asked for authentication: if the Internet guest account is denied read access to a file, IIS refuses the anonymous request and the browser asks for credentials.

If you use IIS in conjunction with *.IDC or *.HTX files, don't forget to individually secure those files too (see Figure 6.20). These files control receiving and sending data over the Web. If users know or guess the names of these files, they can type them in directly instead of going through the designated link. In other words, you might lock the door but leave a window open.
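The following is an added example (not code from the chapter or from NT) that models how a request is decided on this server: an anonymous request runs as the Internet guest account, and the NT permissions on the file grant or refuse it. It implements a simplified NT-style access check over an ordered list of allow/deny entries with group membership, audits a constructed web root for files under a secure directory that the guest account can still read, and shows the hardened permission set. The account name IUSR_NTSERVER, its group memberships, the file names and the "Web Customers" group are assumptions for the example; nested group expansion and the other NT rights are omitted.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Set


class Access(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny `rights` to `trustee` (user or group)."""
    allow: bool
    trustee: str
    rights: Access


def access_check(dacl: List[Ace], user: str, groups: Set[str], wanted: Access) -> bool:
    """Simplified NT access check: walk the entries in order. A deny entry for the
    user or one of its groups that covers any still-needed right refuses the
    request; allow entries accumulate rights until everything wanted is granted.
    A file with no entries grants nothing."""
    identities = {user} | set(groups)
    needed = wanted
    for ace in dacl:
        if ace.trustee not in identities:
            continue
        if not ace.allow:
            if ace.rights & needed:
                return False
        else:
            needed &= ~ace.rights
            if not needed:
                return True
    return not needed


# Assumed names: IIS creates IUSR_<computer name>, so IUSR_NTSERVER on a server
# called NTSERVER; the groups are the ones such an account typically belongs to.
ANON_USER = "IUSR_NTSERVER"
ANON_GROUPS = {"Everyone", "Guests", "Domain Users"}

# Constructed web root: the administrator locked the doorway page of /private to
# the 'Web Customers' group but left the .IDC query and its .HTX template
# readable by Everyone.
WEB_ROOT: Dict[str, List[Ace]] = {
    "/default.htm":         [Ace(True, "Everyone", Access.READ)],
    "/private/default.htm": [Ace(True, "Web Customers", Access.READ)],
    "/private/query.idc":   [Ace(True, "Everyone", Access.READ)],
    "/private/query.htx":   [Ace(True, "Everyone", Access.READ)],
}


def anonymous_can_read(dacl: List[Ace]) -> bool:
    """How IIS serves an anonymous request: it runs as the Internet guest account
    and the NT check on the file decides. When this is False, IIS answers 401 and
    the browser prompts for credentials if another authentication form is enabled."""
    return access_check(dacl, ANON_USER, ANON_GROUPS, Access.READ)


def open_windows(tree: Dict[str, List[Ace]], secure_prefix: str) -> List[str]:
    """Files inside the secure area that an anonymous user can still fetch by
    typing their names directly, bypassing the locked .HTM doorway."""
    return sorted(path for path, dacl in tree.items()
                  if path.startswith(secure_prefix) and anonymous_can_read(dacl))


def harden(tree: Dict[str, List[Ace]], secure_prefix: str, allowed_group: str) -> Dict[str, List[Ace]]:
    """Put an explicit deny for the guest account first on every file in the area,
    followed by the allow for the intended group. Returns a new tree."""
    fixed = dict(tree)
    for path in tree:
        if path.startswith(secure_prefix):
            fixed[path] = [Ace(False, ANON_USER, Access.READ | Access.WRITE | Access.EXECUTE),
                           Ace(True, allowed_group, Access.READ)]
    return fixed


if __name__ == "__main__":
    print("exposed before:", open_windows(WEB_ROOT, "/private/"))
    print("exposed after: ", open_windows(harden(WEB_ROOT, "/private/", "Web Customers"), "/private/"))
```

The audit is the check to run whenever you add or move a file in a secure area: anything it lists is reachable by name without a password, whatever the doorway page's permissions say.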


Figure 6.20. Individual file permissions dialog box.

Summary

In this section, I talked about just a few of the ways that security can be addressed. This is not an exhaustive list. Looking at the overall design through your architecture gives you your game plan. Knowing your system's capabilities for integrating security is critical for an effective design, and stopping the barbarians at the gate definitely will make your task much more manageable. The problem with security is trying to plan against an unknown assailant using unknown techniques to break into an unpredictable section of your system.

Sometimes the next step can be a little unclear. If I look at this task as if I were working on a car, I would say the car is running, but I'm not sure if it's running at peak performance. To get peak performance, I start looking to do a bit of fine-tuning.