Microsoft KB Archive/324216

= How to secure IIS in a UNIX-to-Windows migration =

Article ID: 324216

Article Last Modified on 11/21/2006


== APPLIES TO ==


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Small Business Server 2000 Standard Edition
 * Microsoft Internet Information Services 5.0




This article was previously published under Q324216





== SUMMARY ==
This article is one in a series of articles that provides detailed information about performing a UNIX-to-Windows migration. This article describes the basic procedure to migrate the security settings for your Web site from Apache and UNIX to Internet Information Services (IIS) and Windows.

The articles in this series include the following:

324215 How to prepare for a UNIX-to-Windows migration

323970 How to prepare the target server for a UNIX-to-Windows migration

324213 How to migrate Apache settings and configure IIS in a UNIX-to-Windows migration

324538 How to migrate Web site data in a UNIX-to-Windows migration

324216 How to secure IIS in a UNIX-to-Windows migration

324539 How to perform maintenance and ancillary tasks after a UNIX-to-Windows migration

324217 How to test and performance tune after a UNIX-to-Windows migration

=== Turn off Directory Browsing ===
If you use the Directory Browsing functionality, clients can view the folder contents instead of being served a default page or error page. Directory Browsing can be a potential security risk because it allows clients to see all of the pages in a specific folder, even if the pages do not form part of the Web site. If you use Apache, you use the Options directive to configure the Directory Browsing functionality. If you use IIS, this functionality is part of the folder specification. For more information about how to turn off Directory Browsing, click the following article number to view the article in the Microsoft Knowledge Base:

313075 How to configure Web server permissions for Web content in IIS

=== Configure authentication ===
Authentication is the process of requiring and identifying an individual user before they are granted access to an area of a Web site. Apache handles authentication through a number of different mechanisms, from local files to external databases. IIS handles its authentication by providing a conduit to the Windows 2000 directory service.

When you migrate data to IIS, you must migrate both the settings and the users to Windows 2000 Active Directory to configure authentication for these sites. For more information about how to configure authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

301457 How to view or change authentication methods in IIS

310344 How to configure IIS 5.0 Web site authentication in Windows 2000

=== Restrict sites by user ===
If you use Apache and you want to restrict an individual user's access to a site or folder, you must implement an authentication system. You can use either a Directory directive or the .Htaccess file to limit the access of a specific group or of a list of users. If you use IIS, the authentication is built in to the program and you can limit access by using the same controls that are used to define security for a Windows folder. For more information about how to restrict access to a site or a folder on a user-by-user basis, click the following article number to view the article in the Microsoft Knowledge Base:

300985 How to configure user and group access on an Intranet in Windows NT 4.0 or Windows 2000

=== Restrict site access by IP address or domain name ===
If you are using Apache, you can use the Allow directive and the Deny directive to limit access to a folder or a Web site based on the Internet Protocol (IP) address or domain. Typically, you use these directives to limit a Web site, for example, an intranet, for use for your own company users only. IIS provides a similar system for limiting access. For more information about how to limit Web site or folder access by a specific IP address or domain name, click the following article number to view the article in the Microsoft Knowledge Base:

324066 How to restrict site access by IP address or domain name

=== Migrate user and group information ===
Because IIS uses Active Directory to hold authentication information, you must migrate the user and group information from the different sources that are used in your Apache installation to IIS and Active Directory. You can use a variety of utilities to help migrate the user and group information. For example, you can use the adduser command to add users easily, and you can also use Windows Services for UNIX. For more information about how to migrate user and group information, click the following article number to view the article in the Microsoft Knowledge Base:

324222 How to migrate user and group information

=== Set IIS permissions for specific objects ===
Apache uses the underlying UNIX file permissions and the settings in the .Htaccess file to limit access to specific elements. If you use IIS, you can set permissions for different objects in a Web site independently of their underlying file permissions. For more information about how to set IIS permissions for specific objects, click the following article number to view the article in the Microsoft Knowledge Base:

324068 How to set IIS permissions for specific objects

=== Set folder security for shared folders ===
If you are sharing your Web site as a folder so that it can be updated by other users who modify the source files, you must set security permissions for the files in the folder. For more information about how to set folder security for shared folders, click the following article number to view the article in the Microsoft Knowledge Base:

324067 How to set folder security for shared folders

=== Migrate .Htaccess data in a UNIX-to-Windows migration ===
Although IIS does not support the Apache .Htaccess file, you can emulate this file's effects on individual folders in IIS and provide some user-customizable options for managing this folder without compromising the security of your computer. For more information about how to migrate .Htaccess data to IIS, click the following article number to view the article in the Microsoft Knowledge Base:

324064 How to migrate .Htaccess data in a UNIX-to-Windows migration

=== Use the IIS Permissions Wizard ===
You can use the IIS Permissions Wizard to simplify and automate the process of setting permissions across a range of folders and objects. If you use this tool, you simulate the effects of the inherited security and authentication settings and users can easily copy around .Htaccess files to set parameters for a folder. For more information about how to use the IIS Permissions Wizard, click the following article number to view the article in the Microsoft Knowledge Base:

324070 How to use the IIS Permissions Wizard

=== Use the IIS Lockdown Tool ===
You can use the IIS Lockdown Tool to set the levels of security that you want to use to secure a full Web site and the associated files. You can also use this tool to quickly reproduce the settings on an Apache Web site without manually setting these values. For more information about how to use the IIS Lockdown Tool, click the following article number to view the article in the Microsoft Knowledge Base:

310725 How to run the IIS Lockdown Wizard unattended in IIS

=== Install an SSL certificate for a UNIX-to-Windows migration ===
To secure communications, you must install a Secure Sockets Layer (SSL) certificate in a site and transfer existing certificates from an Apache installation to IIS during a migration process. You can install a certificate directly in IIS without performing any additional migration steps. For more information about how to install an SSL certificate, click the following article number to view the article in the Microsoft Knowledge Base:

310178 How to install certificates on a Web server in Windows 2000

=== Set up HTTPS services ===
For more information about how to set up secure HTTPS service, click the following article number to view the article in the Microsoft Knowledge Base:

324069 How to set up an HTTPS Service in IIS



== MORE INFORMATION ==
You can assign strong NTFS permissions for your resources. The NTFS file system is more secure than the FAT or FAT32 file system. You can also assign the most restrictive Web permissions possible. For example, if the Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts Only permissions instead of Scripts and Executables permissions. Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It could allow a user to upload potentially harmful executable files to the server and run them.
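
The Web permission guidance above can be checked mechanically after a migration. The following is an added example, not part of the original article or of any Microsoft tool: it audits per-directory permission bitmasks using the bit values of the IIS metabase AccessFlags property. The export format, paths and the 'view'/'app' purpose labels are assumptions made for illustration, and "this combination" is read as Write together with either Script source access or Scripts and Executables.

```python
# Bit values of the IIS metabase AccessFlags property (not listed in the article).
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE = 0x001, 0x002, 0x004
ACCESS_SOURCE, ACCESS_SCRIPT = 0x010, 0x200

NAMES = [(ACCESS_READ, "Read"), (ACCESS_WRITE, "Write"),
         (ACCESS_SOURCE, "Script source access"),
         (ACCESS_SCRIPT, "Scripts"), (ACCESS_EXECUTE, "Executables")]

def describe(flags):
    """Turn a bitmask into the permission names shown in the IIS console."""
    return [name for bit, name in NAMES if flags & bit]

def audit(flags, purpose):
    """Return findings for one directory; purpose is 'view' or 'app' (hypothetical labels)."""
    findings = []
    # Assumption: the risky combination is Write plus anything that lets
    # uploaded content be fetched as source or executed (upload, then run).
    if flags & ACCESS_WRITE and flags & (ACCESS_SOURCE | ACCESS_EXECUTE):
        findings.append("HIGH: Write combined with Script source access or Executables")
    if purpose == "view" and flags & ~ACCESS_READ:
        findings.append("MEDIUM: view-only content should have Read only")
    if purpose == "app" and flags & ACCESS_EXECUTE:
        findings.append("MEDIUM: use Scripts Only instead of Scripts and Executables")
    return findings

def audit_export(text):
    """Audit lines of 'path flags purpose'; return {path: findings} for failing entries."""
    report = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        path, flags, purpose = line.split()
        findings = audit(int(flags, 0), purpose)
        if findings:
            report[path] = findings
    return report

# Constructed sample data: paths, flag values and purposes are illustrative only.
SAMPLE = """
/W3SVC/1/ROOT           0x001  view
/W3SVC/1/ROOT/docs      0x201  view   # Read + Scripts on static content
/W3SVC/1/ROOT/app       0x201  app
/W3SVC/1/ROOT/cgi-bin   0x205  app    # Scripts and Executables
/W3SVC/1/ROOT/upload    0x207  app    # Write + Scripts and Executables
"""

if __name__ == "__main__":
    for path, findings in audit_export(SAMPLE).items():
        print(path, findings)
```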

