Windows Server Security

Web servers, by their very nature, are usually exposed to outsiders and thus are vulnerable to compromise and attack. Internet Information Services (IIS) version 6, included with Windows Server 2003, provides a number of new security features designed to increase web server security. One of these is URL authorization, which works in conjunction with Server 2003’s Authorization Manager. In this article, we’ll take a look at how URL authorization is implemented in IIS 6.0, the practicalities of using it in your web services environment, and how it enhances the security of your web sites and services.

There are many ways to hack a Web server. One cannot assume that database servers are unassailable fortresses. So what should one do if a Web server which derives data from a database needs to be made accessible? The most obvious answer to this question is to run like hell to a calmer job. Luckily there are other, more rational answers. This article attempts to show the reader how to find the answers.

When you think of version 6, the “next generation” of the Internet Protocol, your first thought is probably more available addresses. Indeed, the primary reason for developing a new version of IP was the anticipated critical shortage of addresses under the 32 bit addressing scheme of version 4. However, IPv6 provides for more than just an increase in the number of available addresses. It is also designed to provide for better performance and, even more important in today’s business world, better security of IP communications.

In Part I of the series we dealt with the installation of the IIS service whilst Part II covered issues related to configuring an IIS Server to handle encrypted connections. Until now, we used Internet Services Manager, a standard administration tool, to introduce changes in the IIS configuration settings. Part III is concerned with some new administration methods allowing one to modify IIS configuration settings that were previously unavailable.

The previous article showed you how to install, configure and, finally, how to connect your new Web Server to the Internet. Now you may be sure that the server runs securely. You have subscribed to Microsoft security bulletins not to omit any important patches. All you have to do now is to rest on your laurels. Are you sure about that?

IIS, an acronym for Internet Information Services is a web application server program that handles HTTP requests, ranking second in popularity (after Apache). Its popularity is mainly due to the fact that IIS sites are so easy to implement – just a few mouse-clicks away – from a total disaster.

Microsoft has made a number of changes to the default settings in Windows 2003 to make it more secure “out of the box.” In Part 2, we’ll examine the changes that have been made to the default settings for common services and changes in the authentication process, and we’ll discuss some areas in which some believe that Server 2003’s defaults are still too open.

In this article, we will discuss what every Microsoft Windows Administrator and Engineer should think about when trying to manage their environments in the scope of planning for Disaster Recovery and Business Continuity. This is Part II in a 4 part article series where we will cover many of the details administrators and engineers need to know about planning Disaster Recovery for Windows Systems, as well as for their networks in general.

Not only is Microsoft Boasting that Windows Server 2003 is very secure… they have also released prior to the selling of the actual operating system, the ‘free’ (yes you heard this right), security guide for the base operating system as well as many of the services that come with it, like IIS, File and Print services and more.

One big change, very noticeable in Windows Server 2003, is the difference in default settings. In this two-part article, we’ll look at how the out-of-the-box server differs in its defaults from previous versions and how the new defaults make the OS more secure (while at the same time causing frustration for some admins and users who find themselves unable to gain access that was available without any reconfiguration in earlier operating systems). In Part 1, we’ll focus on how the default permissions have changed, changes to the membership of the Everyone group, and ownership of objects.