
Microsoft Windows Server 2008 (table continued from the previous page; the earlier rows were not recovered)

Data Protection Feature                          Available on Full Install   Available on Server Core Install
IIS Client Certificate Mapping Authentication    Yes                         Yes
Uniform Resource Locator (URL) Authorization     Yes                         Yes
Request Filtering                                Yes                         Yes

The table above is an overview of the security features available across Windows Server 2008, on both Full and Server Core installations. Protecting your Web application may require one or more tactics to ensure that the application is accessed only by authorized users:
# Transport Security: focused on the privacy of data being transmitted between the user and the server
# Authentication: provides a method for determining the user's identity
# Authorization: evaluates a set of rules to determine whether the user is allowed to make the request
This section takes you further into each tactic and the details behind it. A few key changes in IIS 7 support more secure communication, authentication, and authorization:
# IIS_IUSRS Group: replaces the IIS_WPG group from previous releases as the security group to which the permissions required by all application pool identities are assigned. It is a built-in group with the same well-known SID (S-1-5-32-568) on every server.
# Built-in IUSR Account: replaces the IUSR_MachineName account from previous releases with a built-in account whose security identifier (SID), S-1-5-17, is constant across servers, which keeps access control lists (ACLs) consistent, for example when content is copied from one server to another. Because it is a built-in account, no password has to be assigned to or managed for it. On a domain controller this also prevents the anonymous account from becoming a user-accessible domain account.
# Inheritance and Merging of IP Restriction Rules: allows more flexible ways to apply rules based on a single computer, a group of computers, a domain, all IP addresses, and/or any unlisted entries, with rules inherited from the server level merged with those set on a site or application.
# Request Filtering: the URLScan tool, which previously shipped as an add-on, is now incorporated into the HTTP protocol handler as a built-in module.
# Native URL Authorization: a more efficient, globally accessible way to secure specific files and paths without relying on third-party tools or ASP.NET.

Transport Security

Protecting the privacy of the data being transmitted is the primary focus of transport security. There are a number of options within the Windows Server 2008 infrastructure for protecting it. At one extreme you may wrap all traffic, for example in a virtual private network or an IPsec tunnel. IIS provides a more moderate and widely used method: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). TLS is the more commonly deployed standard today, and a server can fall back to SSL 3.0 if the client does not support TLS. On current deployments SSL 3.0 (and SSL 2.0) should be disabled on the server rather than kept as a fallback, since both are deprecated and known to be weak. SSL/TLS uses digital certificates to authenticate the server and to negotiate the keys that encrypt the communication. At a high level the process works as follows:
1 The client makes a request to the Web server for a secure connection.
2 The server sends back its certificate, which contains its public key.
3 The client checks the key to ensure:
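The key changes listed earlier in this section (the well-known IIS_IUSRS SID, inherited IP restriction rules, built-in request filtering and native URL authorization) and the transport security point about SSL 3.0 fallback, applied to a server from PowerShell. This is an added example, not code from the book or from Microsoft: it hardens a hypothetical site named "Default Web Site" with an "admin" application, and the content path, subnet and role name are placeholders. It assumes Windows Server 2008 with IIS 7 and the IIS 7.0 PowerShell snap-in (or the WebAdministration module that ships with IIS 7.5), run from an elevated session.

```powershell
# Added example, not from the book. Site name, application name, content
# path and subnet below are placeholders; adjust them for your server.

if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration          # IIS 7.5 module
} else {
    Add-PSSnapin WebAdministration           # IIS 7.0 snap-in
}

$site     = 'Default Web Site'
$adminApp = "$site/admin"
$webRoot  = 'C:\inetpub\wwwroot'
$appHost  = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config

# 1. IIS_IUSRS has the well-known SID S-1-5-32-568 (IUSR is S-1-5-17), so an
#    ACL written against the SID is identical on every server. Grant the
#    worker-process group read/execute on the content, inherited by children.
$iisUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-568'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($iisUsers, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $webRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# 2. IP restriction rules on the site: deny anything not listed, allow one
#    management subnet. Child applications inherit and merge these rules.
$ipSec = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $ipSec -Name 'allowUnlisted' -Value 'False'
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $ipSec -Name '.' -Value @{ ipAddress = '10.0.0.0'; subnetMask = '255.255.255.0'; allowed = 'True' }

# 3. Request filtering (the former URLScan rules): block backup-file
#    extensions, reject the TRACE verb and cap request bodies at 10 MB.
#    (.config and other source extensions are already denied by default.)
$rf = 'system.webServer/security/requestFiltering'
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rf/fileExtensions" -Name '.' -Value @{ fileExtension = '.bak'; allowed = 'False' }
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rf/fileExtensions" -Name '.' -Value @{ fileExtension = '.old'; allowed = 'False' }
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rf/verbs" -Name '.' -Value @{ verb = 'TRACE'; allowed = 'False' }
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rf/requestLimits" -Name 'maxAllowedContentLength' -Value 10485760

# 4. Native URL authorization on /admin. It only makes sense with an
#    authenticated identity, so turn off Anonymous and turn on Windows
#    authentication for the application, then replace the inherited
#    "allow everyone" rule with an allow rule for Administrators.
$authn = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $appHost -Location $adminApp -Filter "$authn/anonymousAuthentication" -Name 'enabled' -Value 'False'
Set-WebConfigurationProperty -PSPath $appHost -Location $adminApp -Filter "$authn/windowsAuthentication" -Name 'enabled' -Value 'True'
$authz = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath $appHost -Location $adminApp -Filter $authz -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $appHost -Location $adminApp -Filter $authz -Name '.' -Value @{ accessType = 'Allow'; roles = 'Administrators' }

# 5. Transport security: do not rely on the SSL 3.0 fallback. Disable the
#    SSL 2.0 and SSL 3.0 server-side protocols in Schannel so IIS negotiates
#    TLS only. The registry change takes effect after a reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    $key = Join-Path $schannel "$proto\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# 6. Check the effective rules on the admin application.
Get-WebConfiguration -PSPath $appHost -Location $adminApp -Filter "$authz/add" | Format-Table accessType, users, roles
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$ipSec/add" | Format-Table ipAddress, subnetMask, allowed
```

Every change is written to applicationHost.config through -PSPath MACHINE/WEBROOT/APPHOST with -Location rather than to the site's web.config because ipSecurity and the authentication sections are locked at the server level by default; placing them in web.config would fail with a locked-section error unless the section is unlocked first. The authorization and requestFiltering sections are delegated by default and could equally be kept in web.config alongside the application.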