IIS 101: Protecting Your Web Servers

When you run a public Web site on the Internet, you open yourself up to hackers, crackers, corporate spies, and the like who see you as a potential target. The only 100 percent foolproof way to avoid Web site attacks—staying off the Internet—doesn't let you provide good customer service. So, how do you stay online while minimizing your risks? You need to protect your site.

When you set up IIS on the Internet, you make more than just a Web site accessible. For example, by default in IIS 4.0, FTP access is on with Anonymous log ons. You might also have the SMTP service running and publicly accessible. The key to avoiding risk is minimizing the different ways in which someone can take advantage of you. Companies today use many tactics to minimize their risk, including firewalls and proxy servers.

Protect by Blocking Access
You can protect your IIS server without having to make configuration changes on the server machine. For example, you can use firewalls or proxy servers that allow access only on certain ports. Some firewalls and proxy servers even monitor the traffic over these ports to ensure that they're receiving valid Web requests. You simply hide your IIS server behind one of these firewall packages, then let the firewall do the work of blocking access. If someone can access your server from outside only through port 80, you've immediately narrowed the methods such users have to get in to your server.

Of course, running a firewall or proxy server has downfalls. You need the added knowledge required to run them. Also, you must remember that the addition of a firewall or proxy server doesn't negate the need for constant updates on security holes. In addition to checking Microsoft's site, you need to check your firewall or proxy server vendor's Web site.

Firewalls and proxy servers are different. Internal users can access the Internet through either, but firewalls can analyze all inbound and outbound traffic across a connection and allow or disallow access based on a rule set that you put in place. Proxy servers offer limited firewall capabilities, but their main focus is usually on managing outbound rather than inbound traffic. Microsoft's new Internet Security and Acceleration (ISA) Server 2000, the next generation of Microsoft Proxy Server, has a mix of proxy server features and firewall functionality. (You can find information about ISA Server at http://www.microsoft .com/isaserver.) A firewall can be both a hardware solution in the form of a network device such as Cisco Secure PIX 500 Firewalls or a software package such as Check Point Firewall-1 that runs on a server.

As an added security measure, consider locking down servers so that only the minimal necessary services are running (thereby decreasing the number of possible holes). For example, if you don't require services such as SMTP, FTP, or Microsoft FrontPage Server Extensions, disable or uninstall them.

Know Your System's Vulnerabilities
Far more important than the method of protection you choose is your awareness of your system's vulnerabilities. To keep up-to-date with patches, service packs, and security tools, be sure to check Microsoft's one-stop shop for IIS administrators at http://www.microsoft .com/technet/security/website/web.asp. In particular, the administration portion of this site has a lot of information about locking down your server and limiting the number of services available on public servers. For IIS 5.0, the Windows 2000 Internet Server Security Configuration Tool automatically makes changes on your system to help lock down the server and limit potential risks. (Be sure to test any template you plan to use from this tool in a nonproduction environment to make sure your security settings still let your server complete its required tasks.)

What's the Best Solution?
After you've learned the basics about firewalls and proxy servers, how do you decide what's right for you? I highly recommend that you use the Internet to research the different products available to you and evaluate how those products match your network's needs and your budget for protecting your Web server.