
Q311184: HOW TO: Perform Security Planning for IIS 5.0

Article: Q311184
Product(s): Internet Information Server
Version(s): 5.0
Operating System(s): 
Keyword(s): kbAudITPro kbHOWTOmaster
Last Modified: 19-APR-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Services version 5.0 
-------------------------------------------------------------------------------


IN THIS TASK
------------

- SUMMARY

   - Assessing Security Threats
   - Security Policies

- REFERENCES

SUMMARY
=======

This article describes how to assess security threats and suggests how to
implement security policies. A member of the Administrators group who is familiar
with your existing network security should make recommendations about Internet
Information Services (IIS) security policies.

Assessing Security Threats
--------------------------

To plan the security of your Web site effectively, you must:

- Keep pace with changes in business that might require new security measures.
  For example, e-commerce requires encryption of private information that is
  sent over the Internet.

- Identify and assess threats to the security of your online assets. For
  example, if you open your corporate intranet to access by employees from
  their homes, their user IDs and passwords are assets that become vulnerable
  to the threat of exposure on the Internet.

- Prioritize threats according to potential exposure and recovery costs. For
  example, if customers can purchase services from your Web site, determine
  which assets would be exposed and what the cost would be to secure them.

In the emerging online business environment, accurate threat assessment is vital
to achieving cost-effective security for assets that are shared over the Web
within your organization, as well as among your business partners and
customers.

Security Policies
-----------------

Design your Web site security policies to achieve realistic goals at a reasonable
cost. Although Web sites differ from one another, they share some fundamental
goals involving the strength of their security, its cost, and the means of
achieving a secure site. To meet these goals:

- Provide strong security that is consistent with access requirements.

- Certify that all personnel who administer security are fully competent to
  enforce the security policy consistently and accurately. Make sure that all
  users accept their responsibility to comply with this policy.

- Control security implementation costs so that they remain consistent with the
  need for strong security. Security must scale up efficiently as sites expand.

- Adopt technologies, standards, and practices that are adaptable to changing
  conditions and new developments.

- Choose technologies that allow you to fully integrate security monitoring and
  management into network and user account administration. A single interface
  for security and administration enables you to have efficient and timely
  security monitoring.

- Adopt Internet community standards for communication between your Web site
  and Internet destinations, including the security of communication. The
  adoption of Internet standards yields low-cost startup and good scalability
  because the standards are widely supported by your customers and business
  partners.

REFERENCES
==========

For information about the IIS Lockdown tool and how to download it, visit the
following Microsoft Web site:

  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp

For information about IIS, visit the following Microsoft Web sites:

  http://support.microsoft.com/directory/content.asp?ID=FH;EN-US;iis50

  http://www.microsoft.com/windows2000/en/server/iis/

For information about security, visit the following Microsoft Web site:

  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

Additional query words:

======================================================================
Keywords          : kbAudITPro kbHOWTOmaster 
Technology        : kbiisSearch kbiis500
Version           : 5.0
Issue type        : kbhowto

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.