IIS 7 / IIS 7.5 Security Best Practices (nothing official about it)


IIS 7 has been released for quite some time now, and we haven't seen any best practices document from the Microsoft IIS 7 team. IIS 6 had a good document in place, and even though IIS 7 is secure by default, we need some document to keep us in check.

Here are a few I prepared for myself:

Installing IIS 7 / 7.5

  1. Install IIS 7 / 7.5 with minimum required components.
  2. If a feature is not required e.g. Basic Authentication or Directory Browsing, do not install it.
  3. If you are using scripts to automate Web Site creation in IIS, make sure you use the new IIS 7 scripting module rather than sticking to the old IIS 6 modules, which require IIS 6 Management Compatibility to be installed.
  4. Always have the Tracing feature installed under Health and Diagnostics, so that you can enable/disable Tracing at the Web Site level whenever required to troubleshoot an issue.

    NOTE: Disable Tracing on the Web Site when troubleshooting is done. Tracing is an overhead and can cause performance issues.
  5. Move the inetpub folder from the C drive to a non-system drive. You can use the moveiis7root tool from thomad.

    NOTE: For a SharePoint 2010 installation, since IIS 7 / 7.5 is a prerequisite, you need to first install the default IIS 7 / 7.5 with the IIS 6 Management Compatibility features and then use the moveiis7root tool to move the inetpub folder. You cannot move the folder after SharePoint is installed. When you run the prerequisite installation step while installing SharePoint 2010, SharePoint will detect the IIS installation location and enable whatever additional features are required.
  6. Create a backup of the configuration by running the command appcmd.exe add backup "<backup_name>" from the folder C:\Windows\System32\inetsrv.

    NOTE: IIS 7 does not create automatic backups of configuration changes, so it is recommended to create a backup of the configuration before making any changes at the IIS level.

Application Pool

  1. Application Pools should run under ApplicationPoolIdentity or a Service Account (domain account). Never configure an Application Pool to run under the Local System account.
  2. The Service Account should not be a member of the Administrators group.
  3. The Service Account should not have the 'Act as part of the operating system' privilege.

Configuration

  1. The connection time-out should not be more than 120 seconds. If your application gives "Connection timed out", troubleshoot the issue rather than increasing the time-out value.
  2. I have written some blog posts on the steps to configure IIS 7 features; these can be helpful if you are not used to the IIS 7 UI.
  3. Make sure Custom Errors is set to "Detailed errors for local requests and custom error pages for remote requests". Sometimes accessing the Web Site locally does not give the same error seen when it is accessed remotely, hence Tracing at the application level can be a good option.

    NOTE: Tracing is resource intensive and can cause performance issues; make sure you turn it off once you are done troubleshooting the issue.
  4. Make sure your application's web.config has debug="false" and trace="false". If you are looking into problems caused by debug="true", check this out.
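
As an added example (not part of the original post), here are the Application Pool and Configuration checks above turned into an offline audit of the XML behind IIS: it parses an applicationHost.config (for instance the copy kept by an appcmd backup) and an application's web.config, and reports pools running as Local System, connection time-outs above 120 seconds, an errorMode other than DetailedLocalOnly, and debug or trace left on. The two config fragments are constructed sample data; the element and attribute names are IIS's own.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (sample data, not from a real server).
APPHOST = """<configuration><system.applicationHost>
 <applicationPools>
  <add name="SecurePool"><processModel identityType="ApplicationPoolIdentity"/></add>
  <add name="LegacyPool"><processModel identityType="LocalSystem"/></add>
 </applicationPools>
 <sites>
  <site name="Default Web Site"><limits connectionTimeout="00:05:00"/></site>
  <siteDefaults><limits connectionTimeout="00:02:00"/></siteDefaults>
 </sites>
</system.applicationHost>
<system.webServer><httpErrors errorMode="Detailed"/></system.webServer></configuration>"""
WEBCONFIG = """<configuration><system.web>
 <compilation debug="true"/><trace enabled="true"/>
</system.web></configuration>"""  # constructed web.config fragment for one ASP.NET application

def seconds(timespan):
    """Convert an IIS hh:mm:ss timeSpan attribute to whole seconds."""
    h, m, s = (int(part) for part in timespan.split(":"))
    return h * 3600 + m * 60 + s

def audit_apphost(xml_text, max_timeout=120):
    """Check app pool identity, connection time-out and error mode; return findings."""
    root, findings = ET.fromstring(xml_text), []
    for pool in root.iterfind("./system.applicationHost/applicationPools/add"):
        pm = pool.find("processModel")  # Application Pool: never Local System
        if pm is not None and pm.get("identityType") == "LocalSystem":
            findings.append(f"app pool '{pool.get('name')}' runs as LocalSystem")
    for elem in root.iterfind("./system.applicationHost/sites/*"):  # <site> and <siteDefaults>
        limits = elem.find("limits")  # Configuration: time-out at most 120 s
        if limits is not None and seconds(limits.get("connectionTimeout", "0:0:0")) > max_timeout:
            findings.append(f"{elem.get('name', 'siteDefaults')} connectionTimeout > {max_timeout}s")
    for he in root.iter("httpErrors"):  # Configuration: detailed errors for local requests only
        if he.get("errorMode", "DetailedLocalOnly") != "DetailedLocalOnly":
            findings.append(f"httpErrors errorMode is {he.get('errorMode')}")
    return findings

def audit_webconfig(xml_text):
    """Check that compilation debug and trace are both off; return findings."""
    root, findings = ET.fromstring(xml_text), []
    for path, attr in (("./system.web/compilation", "debug"), ("./system.web/trace", "enabled")):
        elem = root.find(path)
        if elem is not None and elem.get(attr, "false").lower() == "true":
            findings.append(f"{path.rsplit('/', 1)[1]} {attr}=true")
    return findings

if __name__ == "__main__":  # report every finding for the constructed samples
    print("\n".join(audit_apphost(APPHOST) + audit_webconfig(WEBCONFIG)))
```

Point the two functions at the real files (or a backup copy) to review a server without touching its live configuration.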

Permissions

  1. Windows Server 2008 / 2008 R2 comes with secure default NTFS permissions. If you need to add additional permissions for a particular user or group, make sure you document them.
  2. It is highly recommended that you do not use Service Accounts to log in to the server. Log in to the server using your own account and make the necessary configuration changes.

I will keep adding to this document as I come across more such configurations that belong in a Best Practices document.

Hope this helps,
Vivek Kumbhar