Security
The Resource Kit companion CD includes two IIS 5.0–specific security templates to be used with Security Configuration and Analysis in Windows 2000:
Once the policy is updated to meet your requirements, you can import the appropriate template into Security Configuration and Analysis and either audit against it or apply it. It is preferable to audit first, so that you can see how misconfigured your servers are.
It is important to note that these templates are starting guidelines. Each will require a little updating in order to reflect your corporate security policy.
Table 9.6 lists some areas to which you should pay close attention:
Table 9.6 Updating Policies to Meet Corporate Requirements
Policy | Comment |
Allow storage of passwords under reversible encryption. | Enable only if you are using digest authentication. |
User Rights Assignment. | Update the following to include the IUSR_ and IWAM_ accounts: |
Change Administrator account name to... | Consider changing the administrator account to some other name. |
Change Guest account name to... | Consider changing the Guest account to some other name. |
Enable digital signing of secure channel network traffic. | Enable if you are on an intranet. |
Enable encryption of secure channel network traffic. | Enable if you are on an intranet. |
Require secure channel traffic to be signed or encrypted. | Enable if you are on an intranet. |
Send downlevel LanMan compatible password. | If you are using Windows throughout, set this to Not Compatible. |
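The following added example (not part of the Resource Kit or its companion CD) reviews a template's text against the reversible-encryption, account-rename and secure-channel rows of Table 9.6 before the template is imported. It assumes those rows correspond to the `ClearTextPassword`, `NewAdministratorName` and `NewGuestName` entries and the Netlogon `SignSecureChannel`, `SealSecureChannel` and `RequireSignOrSeal` registry values of a security template; the sample template and the `digest_auth` and `intranet` parameters are constructed for illustration.

```python
import configparser

# Constructed sample template text (not the Resource Kit file). Real templates
# are usually saved as UTF-16, so decode them before passing the text in.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
ClearTextPassword = 1
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,0
[Version]
signature="$CHICAGO$"
"""

# Assumed mapping from Table 9.6 rows to template entries (see lead-in).
NETLOGON = r"machine\system\currentcontrolset\services\netlogon\parameters" + "\\"
CHANNEL = {"signsecurechannel": "digital signing of secure channel traffic",
           "sealsecurechannel": "encryption of secure channel traffic",
           "requiresignorseal": "require signed or encrypted secure channel"}

def review_template(text, digest_auth=False, intranet=True):
    """Return findings where the template departs from the Table 9.6 guidance."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)  # option names are lower-cased by the parser
    sysacc = dict(cp["System Access"]) if cp.has_section("System Access") else {}
    regs = dict(cp["Registry Values"]) if cp.has_section("Registry Values") else {}
    findings = []
    # Reversible encryption: enable only when digest authentication is in use.
    if sysacc.get("cleartextpassword", "0").strip() == "1" and not digest_auth:
        findings.append("reversible password encryption enabled without digest authentication")
    # Account renames: flag a missing entry or one that keeps the default name.
    for key, default in (("newadministratorname", "administrator"), ("newguestname", "guest")):
        name = sysacc.get(key, "").strip().strip('"').lower()
        if name in ("", default):
            findings.append(f"{key}: account still uses its default name")
    # Secure channel settings: registry values are stored as "<type>,<data>".
    if intranet:
        for value, label in CHANNEL.items():
            data = regs.get(NETLOGON + value, "").split(",")[-1].strip()
            if data != "1":
                findings.append(f"not enabled: {label}")
    return findings

if __name__ == "__main__":
    for finding in review_template(SAMPLE_INF):
        print("REVIEW:", finding)
```

Each finding marks a place where the template still needs editing to match your policy; the audit in Security Configuration and Analysis then compares the server itself against the finished template.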
You should also keep abreast of security issues as they arise by regularly checking http://www.microsoft.com/security/default.asp.