Chapter 14. Securing Internet Information Server (IIS)

Not only can your application be vulnerable to attack — the infrastructure around it, if badly configured, also can provide places for a hacker to probe and exploit. Over the years, Internet Information Server (IIS) and the Windows operating system have improved security immensely, but configuration is extremely important. This chapter provides an overview of some of the security configuration settings for IIS7. If your applications are hosted by large companies, or by a hosting provider, it is unlikely that you will have to configure Windows or IIS. However, every developer should at least be aware of the security facilities provided by the infrastructure.

In this chapter, you will learn about the following:

  • How to install and configure IIS7 securely

  • How to configure application pools

  • How to set a trust level for ASP.NET applications

  • How to query IIS logs with Log Parser

  • How to filter potentially harmful requests

  • How to request a Secure Sockets Layer (SSL) certificate

  • How to use Windows to set up a development certificate authority (CA)

If you are configuring your own infrastructure, then you should document every step you take during configuration and schedule regular backups. Remember, however, that if your Web site is attacked successfully, you may not notice immediately, and so you could be backing up a compromised site. Careful documentation of the initial configuration and any subsequent changes will help you in the event ...