Securing Your IIS 8.0 Server

After securing the environment, you can now look to secure your IIS 8.0 server itself. There are several configuration options in IIS 8.0 that can be used to restrict access or deny certain types of requests without any knowledge of who the end user is. These configuration options are the focus of this security chapter.

Chapter 14, “Authentication and Authorization,” examines how to provide protected access to resources based on who the end user is. This covers authentication technologies (such as Basic, Digest, and Kerberos authentication) as well as authorization configuration (how to configure access to resources to permit only certain users access), and also information on the various identities that are used by IIS 8.0 internally to provide access to functionality.

Note

A security best practice is to install only those components that are required for the functionality you need to provide end users. Beginning with Windows Server 2003, IIS 6.0 has shipped in a locked-down state with only a minimal set of functionalities available in a default configuration. By not installing unnecessary functionality, your server cannot be compromised by possible vulnerabilities in components that you aren't using (or didn't even know were installed). This lock-down mentality should extend to administrator configuration as well. Only install those components that are required to deliver the services that end users need. This reduces the surface area that attackers ...

Get Professional Microsoft IIS 8 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Professional Microsoft IIS 8 by Kenneth Schaefer, Jeff Cochran, Scott Forsyth, Dennis Glendenning, Benjamin Perkins

Securing Your IIS 8.0 Server

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly