"We have just installed Application X onto IIS and would like to know what steps we need to take to make IIS secure." This is one of the most common questions faced in the security arena, and this hasn't changed from when IIS ran on NT to the present day. The question, however, presupposes that there is some set of discrete steps that can be undertaken to secure IIS, and that there is some finite end point that can be described as "secure."
Certainly there are a lot of products and organizations that claim to make your server secure or secure your application or secure your organization. As a security implementer (or even just someone with a dilettante interest), to what extent should you place credence in such claims?
This introductory chapter on security covers the following topics:
The basic principles of network and computer security.
New or improved technologies in Windows Server 2008 that can enhance your overall network security.
Configuring IIS 7.0 to enhance the security of your web server.
Additional items (such as application layer security) that you will need to consider when evaluating overall environmental security.
Beyond this chapter, the next two chapters delve into more specific security areas. Chapter 14 deals with Authentication and Authorization, and Chapter 15 deals with SSL and TLS. These chapters should be read together to get a good understanding of the security technologies and infrastructure that are most important when managing ...