Microsoft Server 2003 and IIS 6.0

Tutorial Overview. This tutorial will guide you through the steps required to set up and secure both Microsoft Server 2003 R2 and IIS 6.0. In addition to securing IIS, you will be setting up SSL support for your web server. This tutorial is broken down into six sections. The first section is a brief overview of Server 2003, IIS 6.0, and the tools that will be used throughout this tutorial. The second section will cover the installation of the OS, IIS, and Certificate Services. The next section will cover the process to establish SSL on IIS, which focuses on the creation and management of certificates. The remaining three sections will cover the steps required to secure Certificate Services, Server 2003, and IIS. These are the basic steps to secure each component. The configuration and intended use of each component will determine the security measures required. This tutorial is used in Security in E-Commerce IS2771.

Server 2003 R2. Server R2 is an update of Windows Server 2003 that provides many additional features and benefits. The R2 release builds upon the increased security, reliability, and performance provided by Windows Server 2003. This will be the OS that IIS 6.0 is installed on.

IIS 6.0. Internet Information Services 6.0 is a powerful Web server that provides a highly reliable, manageable, and scalable Web application infrastructure for all versions of Windows Server 2003. Microsoft previously packaged the default installations of its web servers with an array of sample scripts, file handlers and minimal file-system permissions to provide administrators the necessary flexibility and ease of use. However, this approach tended to increase the available attack surface and was the basis of several attacks against IIS. As a result, IIS 6.0 is designed to be more secure out-of-the-box than its precursors.

Certificate Services. Certificate Services provides customizable services for issuing and managing certificates that are used in software security systems that employ public key technology. Certificate Services is available on computers running Microsoft® Windows Server™ 2003. This will be used to manage the certificate that you will generate to operate SSL on IIS.

MBSA. Microsoft Baseline Security Analyzer is an easy-to-use tool designed to assist you in improving your security management process by using it to detect common security misconfigurations and missing security updates on your computer systems. You can use MBSA to scan both your OS and installed components from Microsoft.

SCW. Security Configuration Wizard is an attack-surface reduction tool for the Windows Server 2003 with Service Pack 1 family of products. SCW guides you through the security policy creation process, which is based on the minimum functionality required for a server's role or roles.