#1
Andrew Ely
Simple IIS security on webalizer output
Having never password protected an IIS page or site before, this is what I decided to do.

*I am sure there are more secure and more complex ways of doing this; I opted to do it this way for simplicity and thus easier maintenance later on. As much as we don't want everyone in the world looking at this output and possibly even gleaning tidbits about network internals from it, it does not represent a huge glaring security concern. (If you are THAT concerned, use ignore statements to exclude hits from developers and testers within your network so those addresses aren't displayed.)

- Create a single user in either the local users MMC page or your Active Directory Users and Computers screen (depending on whether or not you work on a domain).
- Remove this user from the "Users" group; this way it has no access to the local filesystem other than where you explicitly say so.
- Make absolutely sure that the account you created does not have the right to remotely connect through RDP. Creating a group for this account and others like it, then explicitly denying access to other things that may be deployed on the server, is a good idea.
- Disable permission inheritance on the directory containing the webalizer output so you can remove unnecessary permissions and change the ones that need to be. Give the web user you created read permissions on the directory, nothing else. Just make sure when you are done that whatever account is used to run your webalizer process still has write permission on this directory.
- In the IIS configuration screen, right click > Properties for the site or directory. Go to the Directory Security tab and click Edit next to Authentication control. Here, uncheck Anonymous access and check the box (or click the radio button, depending on your OS) for Integrated security.
- You do not have to worry about well-behaved search engines indexing SSW output anyway, because this line <meta name="robots" content="noindex, nofollow"> is included in the main page, which will deter them. Still, it is a good idea to disable directory browsing if it is enabled (it's somewhere in the Properties dialogue for your site).

Have questions, comments or glaring problems to point out? Please respond.
Hope this helps somebody,
Andy
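The same steps done from the command line, as an added example that is not part of Andy's post or of Stone Steps Webalizer. It targets IIS 7 or later with the WebAdministration module (the post describes the IIS 5/6 Properties dialog, where the equivalent settings live under Directory Security) and assumes the Windows Authentication role feature is installed. The account name, group name, output path, site name and the account that runs webalizer are all assumptions; adjust them for your server. The "deny RDP" step is done by adding a deny-logon user right for the group through secedit, which is what the Local Security Policy console edits under the hood.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the IIS server.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$User  = 'webalizer_ro'                    # read-only viewer account (assumed name)
$Group = 'WebReportReaders'                # group collecting such accounts (assumed name)
$RunAs = 'NT SERVICE\webalizer'            # account that writes the reports (assumed; check your scheduled task)
$Dir   = 'C:\inetpub\wwwroot\webalizer'    # webalizer output directory (assumed path)
$Site  = 'Default Web Site'
$App   = "$Site/webalizer"                 # IIS location of the report directory

# 1. Create the viewer account, take it out of "Users", and put it in its own group.
$pw = Read-Host -AsSecureString "Password for $User"
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}
Remove-LocalGroupMember -Group 'Users' -Member $User -ErrorAction SilentlyContinue
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) { New-LocalGroup -Name $Group | Out-Null }
Add-LocalGroupMember -Group $Group -Member $User -ErrorAction SilentlyContinue

# 2. Deny the group RDP and console logon (user rights assignment via secedit).
$cfg = Join-Path $env:TEMP 'rights.inf'
$db  = Join-Path $env:TEMP 'rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid  = (Get-LocalGroup -Name $Group).SID.Value
$text = Get-Content $cfg -Raw
foreach ($right in 'SeDenyRemoteInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    if ($text -match "(?m)^$right\s*=\s*(.*)$") {
        # Right already assigned to someone: append our group's SID if it is not there yet.
        if ($Matches[1] -notmatch [regex]::Escape("*$sid")) {
            $text = $text -replace "(?m)^$right\s*=\s*(.*)$", "$right = `$1,*$sid"
        }
    } else {
        # Right not assigned at all: add a line for it under [Privilege Rights].
        $text = $text -replace '\[Privilege Rights\]', "[Privilege Rights]`r`n$right = *$sid"
    }
}
Set-Content -Path $cfg -Value $text -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 3. NTFS: stop inheriting, then grant only what is needed. The reader group gets read/execute,
#    the account that produces the reports keeps modify, admins and SYSTEM keep full control.
icacls $Dir /inheritance:r | Out-Null
icacls $Dir /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" `
                    "$($Group):(OI)(CI)RX" "$($RunAs):(OI)(CI)M" | Out-Null

# 4. IIS: integrated (Windows) authentication only for this directory, and no directory listing.
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $App -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $App -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $App -Filter '/system.webServer/directoryBrowse' -Name enabled -Value $false

# 5. Check the result: the effective ACL and the three IIS switches for this location.
icacls $Dir
foreach ($f in "$auth/anonymousAuthentication", "$auth/windowsAuthentication", '/system.webServer/directoryBrowse') {
    "$f enabled = " + (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $App -Filter $f -Name enabled).Value
}
```

On a domain, replace the Local* cmdlets with the corresponding ActiveDirectory module cmdlets and use a domain group in the icacls and secedit steps; the IIS and NTFS parts are unchanged. After running it, open the report URL from another machine: you should get a credential prompt, a request for a path outside the report directory should not be served by that account, and a request for the bare directory should return 403 rather than a listing.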
#2
Stone Steps
I've been working with IIS for many years and I don't have much to add :) This is very good and thorough advice, Andy. Thank you.
Andre