[Web4lib] Internet Information Server Reading Recommendations
Bret Parker
Bret.Parker at ci.stockton.ca.us
Tue Sep 13 20:17:59 EDT 2005
Reading the recent emails on IIS 6.0 configuration, I wanted to post my recommended reading list. My list is heavily weighted towards one side of the equation. Others may wish to add their own.
URLs:
How To Pages for Microsoft IIS
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/iis/default.mspx
IIS 6.0 Support Pages from Microsoft
http://support.microsoft.com/ph/2097/en-us/
Or specifically, Security Guidance Center [at Microsoft] for IIS
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
SANS InfoSec Reading Room - Windows 2000 Issues
http://www.sans.org/rr/whitepapers/win2k/
The Reading Room has fine papers such as this:
"What Does it Take to Harden an IIS Web Server"
http://www.sans.org/rr/whitepapers/win2k/217.php
While the steps provided may seem tedious to follow, the measure of reliability they add to running a server is well worth the trouble.
A good book for doing this that is a bit dated, for IIS 5.0, but many of the tips may still apply. Try to see if you can get your hands on either of these books and then try to make the bridge on your own from 5.0 to 6.0:
Jason Fossen, Securing IIS 5.0 [SANS Institute course book], 2001.
Stefan Norberg, Securing Windows NT/2000 Servers for the Internet, O'Reilly, 2001.
Also, somewhat dated, but a little newer:
NIST Special Publication 800-44, Guidelines on Securing Public Web Servers (September 2002)
http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
The whole process changed quite a bit after Microsoft began offering the Baseline Security Analyzer. This is a FREE download from Microsoft: http://www.microsoft.com/technet/security/tools/mbsahome.mspx