This chapter covers:
Overview of Internet Information Server
Installing Internet Information Server
Using the Microsoft Management Console
Securing IIS WWW Server
Securing IIS FTP Server
Securing SMTP and NNTP services
Explanation of known vulnerabilities
Although not part of the core security services in Windows .NET Server, because of popular demand for this information we have included a chapter on securing Microsoft's Internet Information Server (IIS). IIS is the single most hacked software application ever. Because of its high visibility, an enterprise Web site is a choice target for hackers with a political or egotistical agenda.
Do not ever install IIS on a machine that is also a domain controller; this can result in severe system compromise by hackers.
In Windows .NET, IIS has evolved into a robust Web server with a host of useful, built-in features. IIS can handle millions of Web site hits per day while at the same time serving dynamic and interactive media to your site visitors. Through its enhanced security and support of scripting languages such as ASP and PHP, IIS is growing in popularity.
Although the most popular Web server software is still Apache, Microsoft's IIS is rapidly growing in popularity and taking market share away from Apache. IIS not only provides worldwide Web services, but it also handles file transfer requests (FTP Server), mail requests (SMTP Server), and newsgroup requests (NNTP Server). In addition, because IIS is a Microsoft Corporation product, it comes with many extras such as data links, Visual Interdev support for large multidepartment programming projects, FrontPage support for live Web authoring, index services for quicker online searches, and much more. With Microsoft's big push for XML, .NET, and the global use of Passport authentication systems, IIS is destined for greatness.
Apache is a very secure, open-source UNIX alternative that also runs flawlessly on Windows platforms. If you would like to try an alternative to IIS, you can get the Apache server for free at http://www.apache.org.