Other IIS Security Features

There are a couple of other ways you can control access to your Web server, though they are generally less useful—however you may find that they fit in with your applications. In particular, the first of these can be used when you implement an Extranet, where you only want to permit access for a selected set of customers.

Limiting Access By IP Address

If you only want to allow particular users or groups of users to access your site, you can use the IP Address and Domain Restrictions dialog to grant access only to specific IP addresses, and deny all others. Alternatively, though generally less useful, is to deny access to specific IP addresses and allow access to all others:

However, recall that (as we discussed earlier) many Web users dial into the Internet via an ISP who allocates IP addresses on demand, and so this type of user's IP address will be different each time they visit your site.

Using Non-Default Port Numbers

The default port that the WWW service listens on is port 80 (and port 443 for SSL/PCT requests). You can set IIS to listen on other ports as well, and remove port 80 if required. This way visitors will have to know and specify as part of the URL the correct port number in order to gain access to your site, for example

http://yoursite.com:8671/default.htm

. You change the default port allocations in the Properties dialog for that directory, or use the Advanced dialog to set up multiple ports:

This isn't going to do much good if you then publish the full URL, but may be useful if you want to hide your site from casual browsers, or from search engines and agents that generate random IP numbers to see if any servers respond. Anyone can search the publicly available lists of domain name allocations to find you site's IP address anyway, but using a non-standard port makes it that bit harder to gain access.

Good Practice With IIS

There are some general points that you should keep in mind when setting up IIS:

Disable any Internet services that you don’t need, for example Telnet, Gopher, and—where appropriate—FTP. FTP is not able to encrypt logon passwords, so it always presents a security risk. If you need to enable FTP, make sure you remove Execute permission (in the NT Explorer Properties | Security | Permissions dialog) for any FTP-accessible directories to prevent programs that are uploaded from being run on your server.
Review any virtual roots (aliases) that are set up to ensure that they don’t allow access to files in directories or subdirectories below the target directory, unless this is appropriate. Normally, visitors will be unable to access any directories outside the virtual Web and FTP roots (by default \InetPub\WWWRoot
and \InetPub\FTPRoot
), but a virtual directory can point anywhere.
Disable Execute permission on all WWW directories unless they include DLLs or other CGI executable files that need to be executed as part of your application. You might even want to disable Script permission for directories that don’t include scripts. Make sure that Write permission (which is off by default) has not been turned on, and that Directory Browsing is not enabled.
Keep scripts and executable files in separate directories and remove the Read access permission from this directory. If scripts contain sensitive information, such as data source passwords and connection strings, you might even want to create server components (as shown in Chapter 2) to encapsulate the information and carry out the task instead.
Decide whether you need to use the IP filtering feature to grant or deny access to specific visitors, and if you should use a non-default port number to make your Web server less visible to casual visitors.
Apply the appropriate Windows NT permissions to each directory in your site, and even to specific files, for each account group and the IUSR account (using the NT User Manager program). If the IUSR account does not have access permission for a file it will force visitors to identify themselves with usernames and passwords that NT does recognize.
In IIS 3, there was only one option for Execute permission in a virtual directory (or Alias). This had to be set (ticked) for ASP and other scripts to be executed, and this allowed executable programs to run as well. In IIS4 there are two options available in the Properties dialog for any directory (not just virtual directories). The Script option allows ASP and other scripts to run, while the Execute option allows executable programs such as
```
.exe
```
and .dll
files to run.
For a detailed explanation of the security features implemented in Internet Information Server see the topic Security in the Server Administration section of the IIS documentation.