to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, MS-DOS, Outlook, PowerPoint, SQL Server, Visual Basic, Visual InterDev, Visual SourceSafe, Visual Studio, Windows, Win32, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with the knowledge and skills that are necessary to implement Microsoft® Internet Information Services (IIS) 5.0 in different scenarios that are based upon the specific role of the Web server.
After completing this module, students will be able to:
Identify potential risks from the Internet
Implement IIS as an Internet Web server
Implement IIS as an intranet Web server
Implement IIS as an extranet Web server
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
To prepare for the activities
1. Review the scenarios.
2. Review the discussion questions and answers.
3. Develop a possible list of alternative answers and their advantages and disadvantages.
Presentation: 60 Minutes
Lab: 00 Minutes
Module Strategy
Use the following strategy to present this module:
Identifying Potential Risks from the Internet. This section describes the risks that may be introduced to an internal network by Internet users. Describe the risks from common attacks. Then, describe the threats that are introduced by denial-of-service (DoS) attacks, and explain that some DoS attacks can be prevented by installing the latest Microsoft Windows® 2000 hotfixes and service packs to update vulnerable files.
Finally, describe how port scanning can pose a threat to an internal network by attempting to contact every port number and expose services with known weaknesses. Demonstrate that the nbtstat command reveals all Network Basic Input/Output System (NetBIOS) names registered by the target Internet Protocol (IP) address, and explain how to minimize the risk of exposure from port scanning.
Implementing IIS as an Internet Web Server. This topic describes the considerations that are necessary for implementing IIS as an Internet Web server. Describe the considerations for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing Microsoft FrontPage® on an Internet Web server.
When you have finished this topic, begin the class discussion for implementing IIS as an Internet server. Read the scenario to the students, and then divide the class into groups and assign each group a question. Give the students time to consider their answers, and then lead a discussion based on their responses.
Implementing IIS as an Intranet Web Server. This topic describes the considerations that are necessary for implementing IIS as an intranet Web server. Describe the considerations for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing FrontPage on an intranet Web server.
When you have finished this topic, begin the class discussion for implementing IIS as an intranet Web server. Read the scenario to the students, and then divide the class into groups and assign each group a question. Give the students time to consider their answers, and then lead a discussion based on their responses.
Implementing IIS as an Extranet Web Server. This topic describes how to use an extranet to extend the network to trusted partners. Describe the considerations for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling Simple Mail Transfer Protocol (SMTP), and implementing FrontPage on an extranet Web server.
When you have finished this topic, begin the class discussion for implementing IIS as an extranet server. Read the scenario to the students, and then divide the class into groups and assign each group a question. Give the students time to consider their answers, and then lead a discussion based on their responses.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.
Overview
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
When you place a Web server on a network, there are many considerations that determine how you evaluate network security, authentication, and configuration of Microsoft® Internet Information Services (IIS) 5.0. In addition, there are potential impacts on the network architecture. For example, if your Web server is connected to both the Internet and your local network, you must take special precautions to prevent Internet users from accessing your network. These precautions often involve the use of firewalls or other devices to prevent unauthorized access to your network.
In an intranet environment, your Web server acts as a central repository for corporate data. Team collaboration tools are often used in an intranet to store team project information. In this way, team members, other departments, and management can all gain access to project information on the intranet.
You may also want to make a Web server available to business partners, associates, or subsidiaries without making the Web server available to the general public. To do this, you can create an extranet that enables only trusted business partners to gain access to your network over the Internet.
Each of these situations requires different considerations for configuring IIS, including administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing Microsoft FrontPage®.
After completing this module, you will be able to:
Identify potential risks from the Internet
Implement IIS as an Internet Web server
Implement IIS as an intranet Web server
Implement IIS as an extranet Web server
In this module, you will learn how to implement IIS as an Internet, intranet, and extranet Web server.
Identifying Potential Risks from the Internet
When your Web server is accessible to both your local network and to the Internet, you expose your private network to the Internet and grant network access to a potentially unlimited number of users. An attacker can use any of several techniques to gain access to confidential information or to affect the functionality of your network. Therefore, you must take special precautions to protect your private corporate network from attackers.
The first step in protecting your private network from public networks is to identify risks that may be introduced by public network users. You must be able to identify the following risks:
Risks to network security from common attacks
Threats introduced by denial-of-service (DoS) attacks
Threats introduced by port scanning
Topic Objective: To analyze the common threats that are introduced when your private network is connected to a public network
Lead-in: The first step in protecting your private network from public networks is to identify risks that may be introduced by public network users
Common attacks include any attempt to circumvent the security of a network by exploiting known weaknesses. Examples of common attacks include:
Social engineering. The attacker acquires access privileges by using simple deception or impersonation. For example, the attacker telephones into an organization and uses false names and references to impersonate a legitimate network user.
Exploitation of default security configurations. The attacker accesses a network by exploiting default accounts, passwords, or security configurations that were not changed after installation.
Internet Protocol (IP) spoofing. The attacker forges the source address of packets so that they appear to originate from a trusted network or trusted computer.
Exploitation of excess services. The attacker exploits services that are installed but poorly monitored. Uninstall or disable any service that does not need to be deployed on a specific server.
Important: Most of the risks that are associated with Microsoft Windows® 2000 services and IIS are identified through Microsoft security bulletins, which are available at http://www.microsoft.com/technet/security
Exploitation of system back doors. The attacker exploits back door accounts that were configured to allow administrative access to the network in the event that the original administrative account is corrupted or compromised. Audit all administrative group membership periodically to ensure that unnecessary back door accounts are removed.
Buffer overflow. The attacker exploits buffers, the fixed-size spaces that programmers allocate for variables in their code, by sending a service more data than the buffer can hold. The excess overwrites adjacent memory; if the overwritten memory holds control data such as a return address, the attacker can make the application run code of his or her choosing, with the privileges of the application rather than those of any user. The attacker thereby takes over the running service itself.
Topic Objective: To describe the risks to network security from common attacks
Lead-in: There are several ways in which an attacker can gain unauthorized access to a network
Delivery Tip: Emphasize that leaving the Administrator account with the name “Administrator” is a common example of a poor security configuration. Explain that the exploitation of excess services can include the installation of the FTP service. Because FTP sends passwords in unencrypted (clear text) form, the passwords may be compromised.
Denial-of-Service Attacks
Slide: Denial-of-Service Attacks Affect: Disk Space, Bandwidth, Buffers, CPU Cycles Usage
A denial-of-service (DoS) attack is the intentional overwhelming of a network or host with unnecessary traffic or work, which prevents a service or resource from performing as expected. DoS attacks are not made to steal data or access resources, but rather to disrupt service. Typically, these attacks are based on known weaknesses in the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite or in the services that listen on it. A DoS attack prevents services from running by exhausting at least one of the following resources on an Internet host:
Disk space. The attacker consumes disk space by sending large quantities of data. For example, if a File Transfer Protocol (FTP) server is configured to allow uploads of data, the attacker could upload large volumes of data in an attempt to consume all free disk space.
Bandwidth. The attacker consumes the available bandwidth on the network by sending large quantities of data. For example, the attacker could send repeated broadcast messages that diminish or eliminate the available bandwidth. Bandwidth is also the target of distributed denial-of-service (DDoS) attacks, in which many compromised computers (known as drones or zombies) attack the same target at once, exhausting its network bandwidth.
Buffers. The attacker sends a service more data than the buffer that the service allocated for it can hold. Programmers often allocate space in their code, called a buffer, for variables. The attacker's data overwrites the buffer and the memory next to it, which causes the application to fail. If the excess data is carefully crafted, the same weakness can be used to execute code, as described under common attacks.
CPU cycles usage. The attacker causes the CPU to run at high levels, often making the system unresponsive. For example, if scripting is enabled for a Web server, the attacker might cause the Web server to execute a script that will cause heavy usage of the CPU.
Note: You can prevent some DoS attacks by installing the latest Windows 2000 hotfixes and service packs to update vulnerable files. You can download the latest hotfix or service pack from the Microsoft TechNet Web site at http://www.microsoft.com/technet/security
Topic Objective: To analyze the common threats introduced by
Port Scanning
Slide: an attacker port-scans the Web server; the scan shows ports 20, 22, 23, and 24 closed, port 21 running FTP, and port 25 running SMTP
Port scanning is a method that an attacker uses to identify the services that are running on a target computer. Port scanning itself is not a threat to security; the threat is the ability to expose services with known weaknesses. For example, if an attacker discovers the Network Basic Input/Output System (NetBIOS) session service (TCP port 139) on a server, he or she can then use the nbtstat command (nbtstat -A followed by the target IP address, which queries the NetBIOS name service on UDP port 137) to determine the name of the computer, whether the computer is hosting a server service (a <20> entry in the name table), and potentially, the name of the user who is currently logged on to the computer (a <03> entry).
To minimize the risk of exposure from port scanning:
Stop all unnecessary services on computers that are exposed to the Internet. This will reduce the number of active ports that may be exposed to a port scanner.
Create firewall rules (the list of packet filters that are defined for a firewall interface) that permit only defined protocols to reach each protected server. Implementing firewall rules ensures that port scanning will reveal only the ports that you intend to expose to the Internet.
Use firewall rules to alert a firewall administrator when port scanning has been attempted. You can configure a rule to send an e-mail alert to an administrator whenever a connection to a specific port is attempted, for example a port that the firewall never forwards and that legitimate clients never contact.
Use the netstat command (netstat -a -n) to display all open ports on computers that are exposed to the Internet. Determine whether every open port can be accounted for, and confirm that none of them represents an unauthorized service. Scanning the server yourself from outside the firewall and comparing the result with the netstat list shows whether the firewall rules block what they are meant to block.
Tip: To determine what ports are used by specific services, view the text file %SystemRoot%\system32\drivers\etc\services. Alternatively, to see a listing of all protocol identification numbers and well-known port numbers, go to the Web site at http://www.isi.edu/in-notes/iana/assignments/port-numbers
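A script that carries out the netstat check above: it parses the output of netstat -a -n, names each listening port from the services file, and reports every listener that is not on the list of ports you intend to expose. This is an added example, not part of the course; the netstat output, the services-file excerpt and the approved-port list are constructed for the illustration (on a real server you would feed it the captured netstat output and the real services file).

```python
"""Audit a host's listening ports against the set you intend to expose.

Added example, not part of the course.  The netstat output, the services
file excerpt and the approved-port list below are constructed for the
illustration; on a real server you would capture 'netstat -a -n' and read
%SystemRoot%\\system32\\drivers\\etc\\services instead.
"""
import re

# Constructed sample of 'netstat -a -n' output in the Windows 2000 layout.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Constructed excerpt of the services file (same layout as the real file).
SERVICES_FILE = """
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
ftp                21/tcp
smtp               25/tcp    mail
http               80/tcp    www www-http  #World Wide Web
epmap             135/tcp   loc-srv       #DCE endpoint resolution
netbios-ns        137/udp   nbname        #NETBIOS Name Service
netbios-dgm       138/udp   nbdatagram    #NETBIOS Datagram Service
netbios-ssn       139/tcp   nbsession     #NETBIOS Session Service
https             443/tcp   MCom
"""

# Assumed policy for an Internet Web server: only FTP control, HTTP and HTTPS.
APPROVED_LISTENERS = {("tcp", 21), ("tcp", 80), ("tcp", 443)}

SERVICES_RE = re.compile(r"^\s*([\w.+-]+)\s+(\d+)/(tcp|udp)\b", re.IGNORECASE)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_services(text):
    """Map (protocol, port) -> service name from services-file text."""
    names = {}
    for line in text.splitlines():
        m = SERVICES_RE.match(line)
        if m:
            names[(m.group(3).lower(), int(m.group(2)))] = m.group(1)
    return names


def parse_listeners(text):
    """Return the set of (protocol, port) pairs that accept traffic.

    TCP sockets count only in the LISTENING state; every bound UDP socket
    is reachable, so all UDP lines count.
    """
    listeners = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(2)), m.group(3)
        if proto == "udp" or state == "LISTENING":
            listeners.add((proto, port))
    return listeners


def audit_listeners(netstat_text, services_text, approved):
    """List (protocol, port, service name) for every listener not approved."""
    names = parse_services(services_text)
    return [(proto, port, names.get((proto, port), "unknown"))
            for proto, port in sorted(parse_listeners(netstat_text))
            if (proto, port) not in approved]


if __name__ == "__main__":
    for proto, port, name in audit_listeners(NETSTAT_OUTPUT, SERVICES_FILE,
                                             APPROVED_LISTENERS):
        print(f"unexpected listener: {proto}/{port} ({name})")
```

Run it against the real netstat output before the server goes live and again after every configuration change. A listener that the services file cannot name, such as the constructed tcp/31337 entry above, deserves immediate attention, because it is exactly what a scanner will find and you will not be able to account for it.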
Topic Objective: To analyze the threat of port scanning to a network
Lead-in: An attacker can identify the services that are running on
will reveal all NetBIOS names registered by the target IP address
Protecting IIS and Network Resources
Slide: a firewall separating the private network from the Internet
Protecting IIS and other network resources from attacks requires that you develop a security plan, implement network security technologies, such as a firewall or proxy server, and monitor network traffic for unauthorized activity.
Developing a Security Plan
To provide network security, you must ensure that security standards and policies are in place to protect the system from attacks and unauthorized use. Securing a system involves implementing a set of procedures, practices, and technologies to protect your network and your software and data.
Note: For more information about how to create a security plan, see the Security Planning article on the Microsoft TechNet Web site at http://www.microsoft.com/technet/security/secplan.asp
Implementing a Firewall
A firewall is a combination of hardware and software that protects private network resources from users on other networks. A firewall allows only specific forms of traffic to flow in and out of the internal network, thereby protecting the internal network from intruders on the Internet. By implementing a firewall, you create a single point of control from which you can secure and audit all traffic entering your private network from the Internet.
Firewalls provide the following features to allow you to protect your private network:
Network address translation (NAT). Hides the internal network addressing scheme, because hosts on the Internet see only the firewall's public address.
Static address mapping. Publishes a service on a public address that the firewall maps to the true address of the server on your private network, so the private address is never exposed.
Packet filters. Define the protocols, and the ports within them, that are allowed to pass through the firewall.
Topic Objective: To introduce strategies for protecting IIS and network resources
Lead-in: To protect IIS and network resources, you must develop a network security plan, implement network security technologies, and monitor network traffic
You must also restrict traffic to a Web and FTP server so that only traffic to the defined ports for the Hypertext Transfer Protocol (HTTP) and FTP protocols is allowed to pass to the server hosting the HTTP and FTP services. Note that FTP uses a second connection for data in addition to the control connection on TCP port 21 (from the server's TCP port 20 in active mode, or to a server-chosen port in passive mode), so the firewall must either understand FTP or permit that data connection explicitly.
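The packet-filter part of such a firewall, as an added example that is not part of the course and does not use any firewall product's rule syntax: rules are evaluated top to bottom and the first match decides, with a default of deny. The addresses, the rule set and the assumption that the Web server needs only TCP 21, 80 and 443 are made up for the illustration, and the filter is stateless, so it says nothing about the FTP data connection discussed above.

```python
"""First-match packet filter of the kind configured on a firewall interface.

Added example, not the course's material and not any firewall product's
rule syntax.  The addresses, the rule set and the policy 'the Web server
needs only TCP 21, 80 and 443' are assumptions made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: str           # source network in CIDR form
    dst: str           # destination network in CIDR form
    dports: frozenset  # destination ports; empty means any port

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


ANY = "0.0.0.0/0"
WEB_SERVER = "192.0.2.10/32"   # assumed public address of the IIS host
PRIVATE_LAN = "10.0.0.0/8"     # assumed private network behind the firewall

# Rules are evaluated top to bottom; the first match decides.
RULES = [
    Rule("allow", "tcp", ANY, WEB_SERVER, frozenset({21, 80, 443})),
    Rule("deny", "any", ANY, WEB_SERVER, frozenset()),
    Rule("deny", "any", ANY, PRIVATE_LAN, frozenset()),
]


def decide(rules, pkt, default="deny"):
    """Return the action of the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def visible_ports(rules, dst, ports, scanner="203.0.113.7"):
    """Ports that a TCP port scan from the (assumed) Internet host would find
    reachable through the filter: exactly the ones the rules let through."""
    return [p for p in ports
            if decide(rules, Packet("tcp", scanner, dst, p)) == "allow"]


if __name__ == "__main__":
    print("HTTP to web server:", decide(RULES, Packet("tcp", "203.0.113.7", "192.0.2.10", 80)))
    print("NetBIOS to web server:", decide(RULES, Packet("tcp", "203.0.113.7", "192.0.2.10", 139)))
    print("HTTP to LAN host:", decide(RULES, Packet("tcp", "203.0.113.7", "10.1.2.3", 80)))
    print("a scan would see:", visible_ports(RULES, "192.0.2.10", range(1, 1024)))
```

The visible_ports function is the check the port-scanning topic recommends: whatever it returns is what an outside scanner will see, so it should list nothing beyond the ports you intended to expose. Traffic to anything not named in a rule falls through to the default deny, which is the safe direction to fail.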
Note: For specific information on how to configure a firewall, refer to the product documentation that is provided by your firewall software manufacturer.
Monitoring Network Traffic
In addition to implementing network security devices, you must also implement a monitoring system to alert you to possible intruders, unauthorized changes to content on your Web site, or system failures.
Intrusion detection systems monitor network traffic for suspicious patterns, such as one source contacting many ports or many addresses in a short time, and alert you to port scans and to attempts to connect to services on your network. Some can also instruct the firewall to block the offending source.
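The simplest form of that detection, run over a firewall's deny log, as an added example that is not part of the course and is not the logic of any intrusion detection product: a source that is refused on many distinct destination ports within a short window is reported as a probable scan. The log format and the log lines are constructed for the illustration.

```python
"""Flag probable port scans in a firewall's deny log.

Added example, not from the course and not any intrusion detection
product's logic.  A scan shows up as one source being refused on many
distinct destination ports within a short time; the log format below is
constructed for the illustration and is not a real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: <date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
LOG_LINES = """
2001-05-14 09:00:01 DENY tcp 198.51.100.23:40001 -> 192.0.2.10:22
2001-05-14 09:00:01 DENY tcp 198.51.100.23:40002 -> 192.0.2.10:23
2001-05-14 09:00:02 DENY tcp 198.51.100.23:40003 -> 192.0.2.10:25
2001-05-14 09:00:02 ALLOW tcp 198.51.100.23:40004 -> 192.0.2.10:80
2001-05-14 09:00:03 DENY tcp 198.51.100.23:40005 -> 192.0.2.10:110
2001-05-14 09:00:03 DENY tcp 198.51.100.23:40006 -> 192.0.2.10:135
2001-05-14 09:00:04 DENY tcp 198.51.100.23:40007 -> 192.0.2.10:139
2001-05-14 09:00:04 DENY tcp 198.51.100.23:40008 -> 192.0.2.10:445
2001-05-14 09:00:05 DENY tcp 198.51.100.23:40009 -> 192.0.2.10:1433
2001-05-14 09:00:07 DENY udp 203.0.113.7:137 -> 192.0.2.10:137
2001-05-14 09:00:37 DENY udp 203.0.113.7:137 -> 192.0.2.10:137
2001-05-14 09:01:07 DENY udp 203.0.113.7:137 -> 192.0.2.10:137
2001-05-14 09:05:00 DENY tcp 192.0.2.77:5001 -> 192.0.2.10:23
2001-05-14 09:09:00 DENY tcp 192.0.2.77:5002 -> 192.0.2.10:25
2001-05-14 09:13:00 DENY tcp 192.0.2.77:5003 -> 192.0.2.10:110
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (ALLOW|DENY) (tcp|udp) "
    r"(\S+):\d+ -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, action, src, dport) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(6))


def detect_scans(log_text, window_seconds=10, min_ports=6):
    """Map source address -> peak number of distinct denied ports seen inside
    any window_seconds-long interval, for sources that reach min_ports."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "DENY":
            denied[rec[2]].append((rec[0], rec[3]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in denied.items():
        events.sort()                  # log lines may arrive out of order
        in_window = defaultdict(int)   # port -> hits inside the current window
        left, peak = 0, 0
        for ts, port in events:
            in_window[port] += 1
            # slide the window's left edge forward past events that are too old
            while events[left][0] < ts - window:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, ports in detect_scans(LOG_LINES).items():
        print(f"possible port scan from {src}: {ports} distinct ports refused")
```

With the defaults, the constructed fast scanner is reported and the NetBIOS noise from a single port is not. The constructed slow source, which probes one port every four minutes, stays below the threshold; widening the window or lowering min_ports catches it at the cost of more false alarms, and an attacker can also spread a scan across many source addresses, which no per-source count will see.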
Content alteration detection systems monitor the contents of your Web site and issue alerts when content modifications are detected. The software can then replace the modified content with a known-good copy. In this way, any unauthorized changes to your Web content can be quickly detected and corrected. Keep the known-good copy and the record of expected file signatures where the Web server's own accounts cannot modify them; otherwise an intruder who can change the content can change the baseline as well.
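The core of such a system, as an added example that is not part of the course and is not any product's implementation: hash every file in the Web root, compare against a baseline taken when the content was known to be good, and restore whatever changed. It works on an in-memory map of path to file bytes so that it runs offline; the files are constructed, and the read_webroot helper shows how the same map would be built from a real directory.

```python
"""Content-alteration detection for a Web root: hash every file against a
known-good baseline and restore anything that changed.

Added example, not from the course and not any product's implementation.
It works on an in-memory map of path -> file bytes so it runs offline; the
files below are constructed.  On a real server, build the map by walking
the Web root, and keep the baseline and the known-good copies where the
Web server's own account cannot write, or an intruder who can deface the
site can update the baseline too.
"""
import hashlib
import os

# Constructed Web root as it was when the baseline was taken.
GOOD_CONTENT = {
    "default.htm": b"<html><body>Welcome to the site</body></html>",
    "images/logo.gif": b"GIF89a\x01\x00\x01\x00",
    "scripts/contact.asp": b"<% Response.Write \"Contact us\" %>",
}

# The same Web root after an intruder defaced it: one page changed, one
# script removed, one unauthorized script added.
DEFACED_CONTENT = {
    "default.htm": b"<html><body>Owned</body></html>",
    "images/logo.gif": b"GIF89a\x01\x00\x01\x00",
    "scripts/shell.asp": b"<% ' unauthorized script %>",
}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Map path -> SHA-256 hex digest."""
    return {path: digest(data) for path, data in files.items()}


def read_webroot(root):
    """Build the path -> bytes map from a directory on disk (not used by the
    constructed sample; provided for a real run)."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def compare(baseline, current):
    """Report modified, missing and added paths relative to the baseline."""
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
        "added": sorted(p for p in now if p not in baseline),
    }


def restore(good_content, current, report):
    """Return the Web root with changed or missing files replaced from the
    known-good copy and unauthorized additions removed."""
    repaired = dict(current)
    for path in report["modified"] + report["missing"]:
        repaired[path] = good_content[path]
    for path in report["added"]:
        del repaired[path]
    return repaired


if __name__ == "__main__":
    baseline = build_baseline(GOOD_CONTENT)
    report = compare(baseline, DEFACED_CONTENT)
    print("changes detected:", report)
    fixed = restore(GOOD_CONTENT, DEFACED_CONTENT, report)
    print("after restore:", compare(baseline, fixed))
```

Added files matter as much as modified ones: a script dropped into a directory with execute permission is a common way for an intruder to keep access after the visible defacement is repaired, which is why the report lists additions separately and the restore step removes them.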
In addition, you can implement certain services and software packages that will check to ensure that your Web server, Web site, and Web applications are running and alert an administrator when a system failure occurs.
Note: For more information about implementing network security, see Course 2150A, Designing a Secure Microsoft Windows 2000 Network.
Implementing IIS as an Internet Web Server
Because the Internet is a public network, you must make special considerations for implementing IIS as an Internet Web server. These considerations include various strategies for configuring and administering your Web site and for configuring the Web server, such as configuring applications, security, performance, e-mail authentication, and Web publishing.
Topic Objective: To outline the topics that are relevant to implementing IIS as an Internet Web server
Lead-in: Configuring an Internet Web server requires careful planning and specific strategies
Configuring IIS as an Internet Web Server
Slide: Consider how you will configure Web sites, administer Web sites, configure applications, provide security, monitor and optimize performance, enable SMTP, and implement FrontPage
When implementing an Internet Web server, you must consider various methods for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing FrontPage.
Configuring Web Sites
When you configure a Web site on an Internet Web server, secure the home directory with NTFS permissions before creating the Web site. Do not start the Web site until you have configured all of the security measures that you want to implement on the Web server.
In addition, use a script to create Web sites on a server that will host a large number of sites. By using a script, you can create Web sites that meet the same specifications on a local or remote server. Additionally, a Web site can host Microsoft Active Server Pages (ASP) that automatically create and configure Web sites for users upon request.
Administering Web Sites
Do not install the Administration Web site on an IIS server that is accessible from the Internet, or remove it if it is already present. If you require remote administration capabilities, use Terminal Services, which gives a more controlled path to the Web server than a Web-based administration site and which the firewall can restrict to internal addresses. You may, however, prefer to disable all remote administration capabilities for an Internet Web server to reduce the likelihood of unauthorized access.
Configuring Applications
For security purposes, an Internet Web server must run a minimum of applications. Therefore, remove any application mappings (script maps) that your sites do not use, so that requests for those file types are never passed to a script engine. In addition, you can group executable content into folders or virtual directories to create security areas. You can then assign those areas, and only those areas, the rights to execute programs and scripts as required.
Topic Objective: To describe the considerations that are necessary for configuring IIS as an Internet Web server
Lead-in: There are several considerations that you must make when configuring IIS as an Internet Web server
Delivery Tip: Describe the considerations for configuring and administering Web sites,
Providing Security
To secure your Internet Web server, you must first consider how the server is connected to your internal network. To implement and maintain optimal security on an Internet Web server, consider the following:
Do not allow direct access from your local area network (LAN) to an Internet Web server. If an Internet Web server is connected to the LAN, install and configure a firewall to protect your internal network.
Review security bulletins and apply hotfixes and service packs as they are released to prevent your system from being compromised by attacks from users on the Internet.
Plan your Web directory structure to provide security areas and enforce the minimum Web-based and NTFS permissions.
Enable Anonymous authentication, and review and monitor permissions for the Internet Guest account (IUSR_computername). Configure the server as a stand-alone server and not as a domain controller to ensure that the Internet Guest account is local to the Web server and does not have domain-wide privileges.
Use Basic authentication if you require some users to authenticate over the Internet and cannot require a particular browser. Because Basic authentication sends the user name and password in a form that is merely encoded, not encrypted, install a certificate for your Web site and require Secure Sockets Layer (SSL) encryption on the pages that use it. If you can require Microsoft Internet Explorer, you can use Integrated Windows authentication instead, which does not send the password over the wire but generally does not work through proxy servers.
Enable auditing to track access to your Internet Web server, and review the log files for suspicious activity and changes in typical usage patterns.
Note: For more information about securing Internet Web servers, see the “Secure Internet Information Services 5 Checklist” on the Microsoft TechNet Web site at http://www.microsoft.com/TechNet/security/iis5chk.asp
For additional information about securing IIS, see Michael Howard, Designing Secure Web-Based Applications for Microsoft Windows 2000 (Redmond, WA: Microsoft Press, 2000).
Monitoring and Optimizing Performance
Tune and optimize your Internet Web server as required to ensure that it can meet increased demand placed on the server. For example, if interest in your Web site increases, you must optimize the server to increase the number of simultaneous connections that it can support.
To estimate how much traffic your Internet Web server and your network will support, use the System Monitor (Performance tool) to gather baseline information, and use the Web Application Stress Tool to perform stress testing on your Web site. If you determine that you require additional capacity to support an increase in traffic, you can place another Internet Web server on your network and use Network Load Balancing to support additional traffic across both Web servers.
Enabling SMTP
When you use a Simple Mail Transfer Protocol (SMTP) server to deliver e-mail messages over the Internet, restrict relaying so that the server is not used to deliver unsolicited e-mail messages: accept mail that is addressed to your own domains from anyone, but require clients to authenticate before the server relays mail to other domains. A server that relays for any client (an open relay) is quickly discovered and abused. In addition, regularly monitor the SMTP logs and the appropriate performance counters to track changes in usage patterns, such as a sudden rise in outbound messages.
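That relay policy, exercised through a simulated SMTP session with both sides' messages, as an added example that is not part of the course and is not the code of the IIS SMTP service. The local domain, the account table, the reply texts and the session transcript are constructed for the illustration; the server delivers for local domains without authentication and relays to other domains only after a successful AUTH.

```python
"""Relay policy for an Internet-facing SMTP server, exercised through a
simulated session.

Added example, not from the course and not the IIS SMTP service's code.
The local domain, the account table, the session transcript and the reply
texts are constructed for the illustration.  Policy: accept mail addressed
to local domains from anyone; relay to other domains only after the client
has authenticated.
"""
import base64
import hmac

LOCAL_DOMAINS = {"example.com"}          # assumed: domains this server delivers for
USERS = {"webmaster": "correct horse battery staple"}   # constructed account table


def relay_decision(recipient, authenticated):
    """SMTP reply for RCPT TO: local delivery is open, relaying needs auth."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS or authenticated:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Unable to relay for " + recipient


class SmtpSession:
    """Minimal server side of an SMTP session, enough to show the policy."""

    def __init__(self, users):
        self.users = users
        self.authenticated = False
        self.transcript = []            # (client line, server reply)

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = "250-mail.example.com\r\n250-AUTH PLAIN\r\n250 OK"
        elif verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            reply = (self._auth_plain(blob) if mech.upper() == "PLAIN"
                     else "504 5.5.4 Unrecognized authentication type")
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            address = arg.partition(":")[2].strip().strip("<>")
            reply = relay_decision(address, self.authenticated)
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.transcript.append((line, reply))
        return reply

    def _auth_plain(self, blob):
        # AUTH PLAIN carries base64("authzid\0authcid\0password"): it is only
        # encoded, not encrypted, so a real server should require SSL/TLS first.
        try:
            parts = base64.b64decode(blob, validate=True).split(b"\0")
            user, password = parts[-2].decode(), parts[-1].decode()
        except (ValueError, IndexError):
            return "501 5.5.2 Cannot decode credentials"
        expected = self.users.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def run_exchange():
    """Replay a constructed session: the client is refused relay while
    unauthenticated, allowed local delivery, then relays after AUTH."""
    credentials = base64.b64encode(b"\0webmaster\0correct horse battery staple").decode()
    session = SmtpSession(USERS)
    for line in [
        "EHLO client.example.net",
        "MAIL FROM:<someone@example.net>",
        "RCPT TO:<victim@example.org>",      # relay attempt, not authenticated
        "RCPT TO:<sales@example.com>",       # local delivery
        "AUTH PLAIN " + credentials,
        "RCPT TO:<victim@example.org>",      # relay attempt, authenticated
        "QUIT",
    ]:
        session.handle(line)
    return session.transcript


if __name__ == "__main__":
    for client, server in run_exchange():
        print("C:", client)
        for reply_line in server.split("\r\n"):
            print("S:", reply_line)
```

The third exchange (RCPT TO an outside domain before authenticating) is exactly the probe that open-relay scanners send to every SMTP server they find; run it yourself from outside the firewall and expect the 550. Because AUTH PLAIN exposes the password to anyone on the path, a production server should advertise and accept it only on an SSL/TLS-protected session.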
Implementing FrontPage
Web hosting service providers often provide FrontPage-enabled Webs, and organizations often use third-party organizations to design and maintain their Web sites by using FrontPage. Therefore, you must ensure that your Internet Web server can support Web site publishing by using FrontPage.
Allow FrontPage to manage Web permissions if you want users to be able to administer their Web sites by using the FrontPage client. If you want to control these permissions manually, you can find information on required permissions in the online Microsoft FrontPage 2000 Server Extensions Resource Kit at http://officeupdate.microsoft.com/frontpage/wpp/serk