Managing Web Server Security in Windows Server 2008 R2

  • 7/15/2011

Chapter Review

To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:

  • Review the chapter summary.

  • Review the list of key terms introduced in this chapter.

  • Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.

  • Complete the suggested practices.

  • Take a practice test.

Chapter Summary

  • Web server administrators should focus on implementing defense in depth and reducing the attack surface of IIS by using features such as request handler mappings.

  • IIS supports remote administration through the IIS Management Service, which you secure by configuring users, permissions, and feature delegation.

  • Server administrators can control access to the web server by using authentication settings, URL authorization rules, server certificates, and IP Address And Domain Restrictions.

Key Terms

Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book.

  • ASP.NET impersonation

  • attack surface

  • certificate authority (CA)

  • Client Certificate Authentication

  • defense in depth

  • domain restrictions (IIS)

  • feature delegation (IIS)

  • handler mappings (IIS)

  • IIS Management Service

  • IIS Manager credentials

  • Internet certificate request (IIS)

  • IP address restrictions (IIS)

  • modules (IIS)

  • .NET trust levels

  • request handlers

  • self-signed certificate

  • server certificates

  • URL authorization rules

Case Scenarios

In these case scenarios, you apply the information that you have learned about securing IIS.

Case Scenario 1: Configuring Remote Management for IIS

You are a systems administrator responsible for managing four web servers running Windows Server 2008 R2. You would like to use a single instance of IIS Manager to connect to all the servers. In addition, three other systems administrators need to manage the servers. One of these administrators is a consultant, and she does not have a Windows domain or local user account. You would like to create a username and password for her that is limited to managing IIS. You want all administrators other than you to be able to view but not change settings for the Default Document and Directory Browsing features.

  1. What is the easiest method of managing settings for all the web servers by using IIS Manager?

  2. How can you set up a username and password for a remote systems administrator?

  3. How can you prevent the other users from modifying the Default Document and Directory Browsing features when using IIS Manager?

Case Scenario 2: Increasing Website Security

You are a systems administrator responsible for implementing and managing security for a production web server running Windows Server 2008 R2. The server is accessible from the Internet and contains eight websites. Each site contains at least one web application. A web application named Customer Database contains an ASP.NET 2.0 web application that needs to access a remote database server. Another website, named Service Desk, contains static content, most of which should be available to all users. However, a folder called Admin should be available only to specific users. Finally, you have a new requirement for an application named Contoso Central that specifies that all connections should use an encrypted connection.

  1. Which .NET trust level should you configure for the Customer Database application?

  2. How can you configure security for the Admin folder within the Service Desk application?

  3. How can you require encryption security for connections to the Contoso Central application?
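The access-control techniques the chapter summary names (URL authorization rules and server certificates) can also be expressed directly in IIS configuration. The following applicationHost.config fragment is an added illustration, not from the book; it assumes a site named Service Desk with an Admin folder, a separate site named Contoso Central (both path values are placeholders), a domain group CONTOSO\ServiceDeskAdmins, and that the Windows Authentication and URL Authorization role services are installed. The `anonymousAuthentication` and `access` sections are locked at the server level by default, which is why these settings belong in applicationHost.config (or IIS Manager at the server node) rather than in a site's web.config.

```xml
<!-- Added example: Service Desk/Admin requires Windows credentials and
     restricts access to one group; Contoso Central requires HTTPS.
     Site and group names are assumed placeholders. -->
<location path="Service Desk/Admin">
  <system.webServer>
    <security>
      <authentication>
        <!-- Deny unauthenticated users so URL authorization can
             evaluate a real identity -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <authorization>
        <!-- Drop the inherited "allow everyone" rule before adding
             the narrower one; otherwise it still matches -->
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="CONTOSO\ServiceDeskAdmins" />
      </authorization>
    </security>
  </system.webServer>
</location>

<location path="Contoso Central">
  <system.webServer>
    <security>
      <!-- Reject plain HTTP; a server certificate must already be
           bound to the site's HTTPS binding for this to work -->
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</location>
```

Test the Admin rule with a user who is not in the group before relying on it: a successful browse means the inherited allow rule was not removed at that scope.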