Not only can your application be vulnerable to attack — the infrastructure around it, if badly configured, can also provide places for a hacker to probe and exploit. Over the years, Internet Information Server (IIS) and the Windows operating system have improved security immensely, but configuration is extremely important. This chapter provides an overview of some of the security configuration settings for IIS7. If your applications are hosted by large companies, or by a hosting provider, it is unlikely that you will have to configure Windows or IIS yourself. However, every developer should at least be aware of the security facilities provided by the infrastructure.
In this chapter, you will learn about the following:
How to install and configure IIS7 securely
How to configure application pools
How to set a trust level for ASP.NET applications
How to query IIS logs with Log Parser
How to filter potentially harmful requests
How to request a Secure Sockets Layer (SSL) certificate
How to use Windows to set up a development certificate authority (CA)
If you are configuring your own infrastructure, then you should document every step you make during configuration and schedule regular backups. Remember, however, that if your Web site is attacked successfully, you may not notice immediately, and so you could be backing up a compromised site. Careful documentation of the initial configuration and any subsequent changes will help you in the event ...
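The following PowerShell script is an added example, not code from the book, that puts the advice above into practice on an IIS7 machine: it takes a named backup of the IIS configuration with appcmd.exe, records a SHA-256 hash of each file in the inetsrv\config directory in a baseline log, and then compares the current hashes against the first recorded entry so that a backup of an unexpectedly changed configuration is flagged rather than silently treated as known-good. It assumes appcmd.exe in its default location, PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, and a baseline file path (C:\IISBaseline\baseline.csv) that is a hypothetical choice you would replace with your own.

```powershell
# Added example (not from the book): snapshot IIS7 configuration and record a
# baseline so later changes can be compared against the documented initial state.
# Assumes IIS 7 with appcmd.exe in the default location, PowerShell 4.0+ and an
# elevated prompt. The baseline path below is a hypothetical placeholder.

$appcmd     = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$configDir  = Join-Path $env:windir 'System32\inetsrv\config'
$baseline   = 'C:\IISBaseline\baseline.csv'   # hypothetical path for your change log
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupName = "config-$stamp"

# 1. Ask IIS to create a named backup of its configuration files.
& $appcmd add backup $backupName
if ($LASTEXITCODE -ne 0) { throw "appcmd backup failed with exit code $LASTEXITCODE" }

# 2. Hash every configuration file and tie the hash to the backup name and date,
#    so the written change log and the on-disk state can be reconciled later.
$files   = Get-ChildItem -Path $configDir -Filter '*.config' -File
$records = foreach ($f in $files) {
    $h = Get-FileHash -Path $f.FullName -Algorithm SHA256
    [pscustomobject]@{
        Timestamp = $stamp
        Backup    = $backupName
        File      = $f.Name
        SHA256    = $h.Hash
    }
}

# 3. Append the records to the baseline log; create it on the first run.
$dir = Split-Path -Path $baseline -Parent
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
if (Test-Path $baseline) {
    $records | Export-Csv -Path $baseline -NoTypeInformation -Append
} else {
    $records | Export-Csv -Path $baseline -NoTypeInformation
}

# 4. Compare each file with the earliest recorded hash and report any drift.
#    A warning here means the file differs from the initial documented state;
#    check it against your change documentation before trusting this backup.
$history = Import-Csv -Path $baseline
foreach ($r in $records) {
    $first = $history |
        Where-Object { $_.File -eq $r.File } |
        Sort-Object Timestamp |
        Select-Object -First 1
    if ($first.SHA256 -ne $r.SHA256) {
        Write-Warning "$($r.File) differs from the initial baseline recorded at $($first.Timestamp)"
    } else {
        Write-Output "$($r.File): unchanged since initial baseline"
    }
}
```

Run the script once immediately after the initial configuration to establish the baseline, then on the same schedule as your backups. Every legitimate change you make will also raise a warning, which is the point: each warning should correspond to an entry in your configuration documentation, and a warning with no matching entry is the signal that the configuration changed without you knowing.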