Syteview™ - Web Server Configuration
   
   
Syteview makes use of Active Server Pages (ASPs) running on a Microsoft Internet Information Server (IIS Server) to accept requests for data from your end users’ web browsers.  The IIS Server passes these data requests off to your Microsoft SQL Server which looks up and then returns the raw data to the IIS Server.  The IIS Server takes this raw data and formats it according to the layout of the original Active Server Page and then returns this formatted data to the originating web browser.

The IIS Server’s integral part in this process, and the fact that it is the part of your system exposed to the internet, make it absolutely essential that the IIS Server be properly configured to prevent unauthorized access.   This page walks you through the process of configuring your IIS Server.  We don’t claim that this process is the only way of configuring a secure web server, or that it will result in a web server that is sufficiently secure for your environment.  If you are not familiar with web servers and web server security procedures then we highly recommend that you get professional help in this matter.

Note: No matter the level of your skills, it is always a good idea to have your security procedures reviewed by another security professional.

Start the configuration process by removing the unnecessary portions of your IIS Server.  This is most easily done by removing the Default Web Site on your IIS Server.  From the Control Panel select Administrative Tools and then Internet Services Manager.  When the Internet Services Manager opens, click on your server then highlight the Default Web Site in the right-hand pane and press your Delete key.



If for some reason you require the Default Web Site on your IIS Server, at least make sure to delete the following Virtual Directories from the Default Web Site:

  • IISAdmPwd
  • IISHelp
  • IISSamples
  • MSADC
  • Scripts

After deleting the Default Web Site with the Internet Services Manager, delete the following directories:

  • \inetpub\iissamples and all subdirectories.
  • \Program Files\Common Files\System\msadc\Samples
  • \inetpub\AdminScripts
  • %systemroot%\System32\Inetsrv\IISadmpwd

After deleting the Default Web Site and the directories it uses, your next step will be to create the Syteview web site.  From the Internet Services Manager right-click on your Server and select New->Web Site.   This will bring up the Web Site Creation Wizard.



Click the Next button to continue.  This will open the Web Site Description page of the wizard.

Enter a description for the Syteview web site (‘Syteview’, perhaps).



Click the Next button to continue.  This will open the IP Address and Port Settings page.



Enter an IP address for the web site to use.  This IP address should not already be in use by another web site.   Change the TCP port that this web site will use only if you have an actual need to do so.  Click the Next button to continue.  This will open the Web Site Home Directory page.



Enter the directory where you installed the Syteview Web Server Components using the SyteSetup program.   Uncheck the Allow anonymous access to this Web site checkbox.  Click the Next button to continue.   This will open the Web Site Access Permissions page.



Your users will only need to Read and Run the Syteview web pages, so checkmark those checkboxes and clear the others.  Then click the Next button to continue.  This will bring up the final Web Site Creation wizard page telling you that you have successfully created the web site.



Now that you have created the Syteview web site your next step is to configure it.

In the Internet Services Manager right-click on the web site you just created and select Properties.   This will open the Syteview Properties dialog box.



Change to the Web Site tab and verify that you have selected the proper web site and that it is using the correct IP address and TCP port number, and then change to the Documents tab.



On the Documents tab checkmark the Enable Default Document checkbox and then remove both the Default.htm and the Default.asp documents.  Next click the Add button and add the frameset.asp document.



Click the OK button to return to the Documents tab of the web site's Properties dialog box.



The only default document specified on this page should now be frameset.asp.

The next step is to change to the Home Directory tab.



On the Home Directory tab make sure that the radio button labeled ‘A directory located on this computer’ is selected and that the Local Path points to the directory where you installed the Syteview Web Server components with the SyteSetup program.

Next, checkmark the Read checkbox and the Log Visits checkbox.  Clear the Script Source Access checkbox, the Write checkbox, the Directory Browsing checkbox and the Index This Resource checkbox.

Next, change the Execute Permissions combo-box to Scripts Only and the Application Protection combo-box to Medium (Pooled).

Finally click the Configuration button to bring up the Application Configuration dialog box.



On the Application Configuration dialog box highlight each of the Application Mappings one at a time, except for the .asp mapping, and click the Remove button to remove each mapping.



Once you have removed all of the Application Mappings except for the .asp mapping change to the App Options tab and make sure that the Enable Parent Paths checkbox is unchecked.



After clearing the Enable Parent Paths checkbox, click the OK button to close the Application Configuration dialog box and return to the Home Directory tab of the web site's Properties dialog box.  When the web site's Properties dialog box reappears, change to the Directory Security tab.



On the Directory Security tab click the Edit button to bring up the Authentication Methods dialog box.



On the Authentication Methods dialog box MAKE SURE the Anonymous Access checkbox and the Basic Authentication checkbox are unchecked and the Integrated Windows Authentication checkbox is checked, and then click the OK button to close this dialog box and return to the Directory Security tab on the web site's Properties dialog box.

You are now finished using the Internet Services Manager to configure your Syteview web site.  Click the Apply button and then the OK button to apply the changes you have made and then close the Syteview Properties dialog box.
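To confirm that the Internet Services Manager settings above actually ended up in the metabase, here is an added PowerShell audit script; it is not part of the Syteview documentation.  It reads the site through the ADSI IIS:// provider and compares each setting with the value this page tells you to choose.  It assumes the Syteview site’s metabase ID is 2 (the Default Web Site is 1) and that the IIS ADSI provider is available on the server.

```powershell
# Added audit script, not part of the Syteview documentation. Reads the IIS
# metabase through the ADSI IIS:// provider and compares the web site's settings
# with those this page tells you to set. Assumed: the Syteview site's metabase
# ID is 2 (the Default Web Site is 1) and the IIS ADSI provider is available.
param([int]$SiteId = 2)

$site = [ADSI]"IIS://localhost/W3SVC/$SiteId"
$root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$problems = @()

function Expect([string]$Name, $Actual, $Expected) {
    # Compare as strings so booleans, integers and metabase strings all work.
    if ("$Actual" -ne "$Expected") {
        $script:problems += "$Name is '$Actual', expected '$Expected'"
    }
}

# DirectoryEntry.Path is the ADSI path, so read the metabase 'Path' explicitly.
"Site '$($site.ServerComment)' bound to $($site.ServerBindings), home directory $($root.Properties['Path'].Value)"

# Home Directory tab: Read and Log Visits on; Script Source Access, Write,
# Directory Browsing and Index This Resource off; Execute = Scripts Only.
Expect 'AccessRead'        $root.AccessRead        $true
Expect 'DontLog'           $root.DontLog           $false
Expect 'AccessSource'      $root.AccessSource      $false
Expect 'AccessWrite'       $root.AccessWrite       $false
Expect 'EnableDirBrowsing' $root.EnableDirBrowsing $false
Expect 'ContentIndexed'    $root.ContentIndexed    $false
Expect 'AccessScript'      $root.AccessScript      $true
Expect 'AccessExecute'     $root.AccessExecute     $false
Expect 'AppIsolated (2 = Medium/Pooled)' $root.AppIsolated 2

# Documents tab: frameset.asp must be the only default document.
Expect 'EnableDefaultDoc' $root.EnableDefaultDoc $true
Expect 'DefaultDoc'       $root.DefaultDoc       'frameset.asp'

# Application Configuration: only the .asp mapping, Enable Parent Paths off.
$extra = @($root.ScriptMaps | Where-Object { $_ -notlike '.asp,*' })
if ($extra.Count -gt 0) { $problems += "extra script mappings: $($extra -join '; ')" }
Expect 'AspEnableParentPaths' $root.AspEnableParentPaths $false

# Directory Security tab: Integrated Windows Authentication only.
Expect 'AuthAnonymous' $root.AuthAnonymous $false
Expect 'AuthBasic'     $root.AuthBasic     $false
Expect 'AuthNTLM'      $root.AuthNTLM      $true

if ($problems.Count -eq 0) { 'All checked settings match the documented configuration.' }
else { $problems | ForEach-Object { "MISMATCH: $_" } }
```

Run it again after every change to the site, and after applying service packs, since some updates re-create script mappings.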

Your next step should be to apply all available service packs and hotfixes to your web server.  Visit the Windows Update web site http://windowsupdate.microsoft.com to verify that your system has all of the latest patches and fixes applied.

Next, you should disable all unnecessary services running on your server and then move (or remove) potentially dangerous programs (e.g. Cmd.exe) from your server and use NTFS file permissions to restrict access to these programs.  If your IIS Server is part of an Active Directory Domain, consider applying the Deny Access permission to these programs for all the Groups that will be accessing your server via the internet.

Next, apply at least these file permission restrictions to the following directories and files on your web server:

Note: In this example, the web site files have been installed in the \Syteview directory on the I: drive, and the DataControl has been installed in the \Data_Controls directory on the I: drive.

File/Pathname                          Users/Group               Permissions
C:\                                    [Domain]\Domain Admins    Full Control
C:\                                    [Local]\System            Full Control
C:\                                    [Local]\Administrators    Full Control
C:\Program Files\Common Files\System   [Domain]\Domain Users     Read
C:\WINNT\System32\Inetsrv              [Domain]\Domain Users     Read
C:\WINNT\System32\*.* (files only)     [Domain]\Domain Users     Read
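To check that no ordinary user or group has more than Read-style rights on these locations, here is an added PowerShell check; it is not part of the Syteview documentation.  The C: paths come from the table above; the I:\Syteview and I:\Data_Controls paths follow the note’s example installation and are assumptions to adjust for your server.

```powershell
# Added NTFS permission check, not part of the Syteview documentation.
# Reports every Allow entry that grants an identity other than SYSTEM,
# Administrators or Domain Admins more than Read & Execute on the listed paths.
# The I: paths are assumed from the note's example installation; adjust them.
$paths = @(
    'C:\Program Files\Common Files\System',
    'C:\WINNT\System32\Inetsrv',
    'I:\Syteview',
    'I:\Data_Controls'
)
$trusted  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Baseline for "Read": Read & Execute plus Synchronize (always present on Allow ACEs).
$readOnly = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) { "SKIP  $path (not found)"; continue }
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($trusted -contains $who -or $who -like '*\Domain Admins') { continue }
        # Any right bit outside the read-only baseline is excess.
        $excess = [int]$ace.FileSystemRights -band (-bnot [int]$readOnly)
        if ($ace.AccessControlType -eq 'Allow' -and $excess -ne 0) {
            "WARN  $path : $who has $($ace.FileSystemRights)"
        } else {
            "OK    $path : $who ($($ace.AccessControlType)) $($ace.FileSystemRights)"
        }
    }
}
```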


Finally, always protect your IIS Server with a properly configured firewall before connecting it to the internet or to your intranet.  Never place an unsecured IIS Server on the internet for even a moment.

Note: Some security professionals recommend a layered approach to protecting your IIS Server and your network by placing a firewall between your IIS Server and the internet and placing another firewall between your IIS Server and your network (including the SQL Server that your IIS Server will be communicating with).

Note: Follow this link for a good article on securing your Internet Information Server: Protecting your IIS Server and Web Application



Once again, professional help is highly recommended if you are unfamiliar with IIS security.