Internet Information Server Security Basics

Out of the box, Internet Information Server (IIS) 5.0 is set up for maximum usability rather than maximum security. To start with, authoring is enabled. This is intentional, to support FrontPage Server Extensions, but it causes problems when installing BizTalk Server 2002 and raises the security risk if authoring is not needed yet is left enabled. Keeping up with the security bulletins and hot fixes needed for IIS could almost be a full-time job; however, tools are becoming available that notify administrators when risks have been discovered and describe the steps to rectify them. IIS is necessary for BizTalk because BizTalk does not contain its own Web server.

Disabling Authoring in IIS 5.0

This section demonstrates the steps to disable authoring in IIS 5.0. BizTalk Server 2002 requires this in order to avoid issues saving settings to the BizTalk Server Repository. The following are step-by-step instructions for disabling authoring in IIS 5.0:

1. From the Start menu, select Administrative Tools and then Internet Services Manager.

2. Click the (+) beside the name of the local IIS server.

3. Right-click Default Web Site and select Properties.

4. Click the Server Extensions tab and make sure that the Enable Authoring check box is clear.

IIS now supports authentication methods such as digest authentication, which many prefer because it never transmits a username and password in the clear; instead, the client sends a hash of the two to the server for validation. Through use of a special certificate, available to banks and other financial institutions, IIS 5 can also use server-gated cryptography (SGC), which allows financial institutions to exchange information with 128-bit encryption. There are many business cases for using BizTalk Server 2002 to communicate with financial institutions. Microsoft has also added several wizards to the existing management tools to assist with permissions and certificate management on the server.
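To make the digest claim above concrete, here is an added worked example (not code from the book, and not IIS's own implementation) that computes and verifies an RFC 2617 digest response in Python. It reuses the sample credentials and nonce published in RFC 2617 section 3.5 so the result can be checked against the RFC; the server keeping only HA1 rather than the password, and the second "fresh" nonce, are assumptions made for illustration.

```python
"""Worked example of HTTP Digest authentication (RFC 2617, qop="auth").

Added illustration, not the book's or IIS's code. The credential values in
RFC_EXAMPLE are the worked example published in RFC 2617 section 3.5, reused
here as constructed sample input so the computed response can be checked.
"""
import hashlib
import secrets


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the digest RFC 2617 specifies."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server can keep this instead of the password (assumption here)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side computation of the 'response' field.

    Only this hash crosses the wire; the password itself is never sent.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server recomputes the expected response from its stored HA1 and the
    nonce it issued, then compares in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)


# Constructed sample exchange: the RFC 2617 section 3.5 example values.
RFC_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)


def rfc_example_response() -> str:
    """Client side of the RFC example; expected value is given in the RFC."""
    e = RFC_EXAMPLE
    return digest_response(ha1(e["username"], e["realm"], e["password"]),
                           e["method"], e["uri"], e["nonce"], e["nc"], e["cnonce"])


def demo() -> dict:
    """Run the exchange once, then show that the same captured response fails
    against a server that issued a different (fresh) nonce."""
    e = RFC_EXAMPLE
    stored = ha1(e["username"], e["realm"], e["password"])
    resp = rfc_example_response()
    ok = server_verify(stored, e["method"], e["uri"], e["nonce"],
                       e["nc"], e["cnonce"], resp)
    fresh_nonce = "1f2e3d4c5b6a79880706050403020100"  # constructed value
    replay_ok = server_verify(stored, e["method"], e["uri"], fresh_nonce,
                              e["nc"], e["cnonce"], resp)
    return {"response": resp, "verified": ok, "replay_verified": replay_ok}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this: the server must be able to derive HA1 (it stores either HA1 or the cleartext password), so the protection of that password store matters as much as the wire format; and because the scheme is built on MD5 and a captured response can be guessed against offline, digest authentication protects the password in transit but does not protect the request or response content, so it complements rather than replaces the 128-bit SSL/SGC channel discussed in the same paragraph.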

One unique feature of IIS 5 is the capability to encode your Active Server Pages (ASP) scripts. This is designed not as a complete security solution but as an aid to protect developers from having their scripts copied and pasted into other sites that may not have permission to use them. When created, the script is standard ASCII text; the code is then made unreadable by an encoding scheme determined by the developer. Scripts are decoded at runtime by their specific script engine. This is currently available for both VBScript and JScript Version 5.0. There are many considerations in using script encoding, including—surprise—browser incompatibilities, so when weighing your options, consider your audience.
