Managing Web Server Security in Windows Server 2008 R2
- 7/15/2011
Suggested Practices
To help you successfully master the exam objectives presented in this chapter, complete the following tasks. The practices in this section enable you to apply the methods you have learned to secure IIS-based web servers, websites, and web applications.
Practice 1 Create a new website by using IIS Manager. The content of the website can consist of copies of the Iisstart.htm file or other HTML files you have available. Place some of the files within folders and create scenarios in which you want to protect content. Apply file system permissions, authentication settings, and URL authorization rules to ensure that only certain users can access the site. For example, create a new subfolder within a web application called SecureDocuments. Apply the appropriate restrictions to ensure that users must provide credentials to access the content. Also, test the effects of changing handler mappings. For example, remove the StaticFile handler mapping for a website and test the effects by using Internet Explorer. You can also add your own custom handler mappings for new file types (such as files that have a .secure extension).
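A scripted equivalent of the SecureDocuments part of Practice 1, added here as an example; it is not from the chapter, which performs these steps in IIS Manager. It assumes an elevated PowerShell session with the WebAdministration module, the Windows Authentication and URL Authorization role services installed, and a hypothetical site name, port, path, and local group (SecureDocsReaders).

```powershell
# Added example: site name, port, paths and group are assumptions, not from the chapter.
Import-Module WebAdministration

$site   = 'PracticeSite'
$port   = 8080
$root   = 'C:\inetpub\PracticeSite'
$secure = Join-Path $root 'SecureDocuments'
$group  = "$env:COMPUTERNAME\SecureDocsReaders"   # local group created beforehand

# Content: copies of Iisstart.htm at the site root and in the protected folder.
New-Item -ItemType Directory -Path $secure -Force | Out-Null
$start = Join-Path $env:SystemDrive 'inetpub\wwwroot\iisstart.htm'
$root, $secure | ForEach-Object { Copy-Item $start $_ }
New-Website -Name $site -Port $port -PhysicalPath $root | Out-Null

# File system permissions: drop inherited ACEs so IUSR (anonymous) loses access.
# IIS_IUSRS keeps read access so the worker process can still read configuration.
icacls $secure /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
    'IIS_IUSRS:(OI)(CI)RX' "${group}:(OI)(CI)RX" | Out-Null

# The authentication sections are locked at server level by default, so the
# settings go into applicationHost.config under a <location> for the subfolder.
$loc  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = "$site/SecureDocuments" }
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty @loc -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @loc -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# URL authorization: remove the inherited "allow all users" rule, then allow only the group.
$authz = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty @loc -Filter $authz -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfiguration @loc -Filter $authz -Value @{ accessType = 'Allow'; roles = $group }

# Check: return the HTTP status code for a request sent with or without the logon credentials.
function Get-Status([string]$Url, [bool]$UseLogonCredentials) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.UseDefaultCredentials = $UseLogonCredentials
    try   { $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close(); $code }
    catch { [int]$_.Exception.GetBaseException().Response.StatusCode }
}

# The anonymous request should be rejected; the second one succeeds only when
# the current account is a member of $group.
$url = "http://localhost:$port/SecureDocuments/iisstart.htm"
"Without credentials: HTTP $(Get-Status $url $false)"
"With logon credentials: HTTP $(Get-Status $url $true)"
```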
Practice 2 Add the Management Service role service to a web server running Windows Server 2008 R2. Practice using a variety of security features to support web server administrators with different levels of restrictions. Options to test include:
Creating IIS Manager users.
Assigning IIS Manager Permissions settings to control which websites and web applications administrators can access.
Assigning permissions to non-administrator users who have Windows accounts.
Creating IP address restrictions to control which computers can administer IIS.
Using feature delegation to control which settings can be modified by using IIS Manager.
To test settings most efficiently, use a remote computer running Windows 7 or Windows Server 2008 R2 that has IIS 7 Manager installed.
Practice 3 View the following webcasts and resources for more information about IIS:
The webcast titled “Secure, Simplified Web Publishing Using Internet Information Services 7.0 (Level 300),” by Robert McMurray, available on the companion CD in the Webcasts folder. Alternatively, you can find this webcast by visiting http://msevents.microsoft.com and searching for event ID 1032352159.
The webcast titled “Securing and Tuning Internet Information Services 7.0 (Level 300),” by Nazim Lala, available on the companion CD in the Webcasts folder. Alternatively, you can find this webcast by visiting http://msevents.microsoft.com and searching for event ID 1032352141.
The Microsoft Internet Information Services website at http://www.microsoft.com/iis.
The IIS.NET website at http://www.iis.net.
IIS 7 webcasts at http://learn.iis.net/Videos.
IIS 7 virtual labs at http://technet.microsoft.com/en-us/virtuallabs/bb499672.