Contents Overview 1 Identifying Potential Risks from the Internet 2 Implementing IIS as an Internet Web Server 9 Implementing IIS as an Intranet Web Server 16 Implementing IIS as an Extranet Web Server 24 Review 30 Module 9: Implementing IIS 5.0 Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2001 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, MS-DOS, Outlook, PowerPoint, SQL Server, Visual Basic, Visual InterDev, Visual SourceSafe, Visual Studio, Windows, Win32, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. Module 9: Implementing IIS 5.0 iii Instructor Notes This module provides students with the knowledge and skills that are necessary to implement Microsoft ® Internet Information Services (IIS) 5.0 in different scenarios that are based upon the specific role of the Web server. After completing this module, students will be able to:  Identify potential risks from the Internet.  Implement IIS as an Internet Web server.  Implement IIS as an intranet Web server.  Implement IIS as an extranet Web server. Materials and Preparation This section provides the materials and preparation tasks that you need to teach this module. Required Materials To teach this module, you need the Microsoft PowerPoint ® file 2295A_09.ppt. Preparation Tasks To prepare for this module, you should read all of the materials for this module. Other Activities This section provides procedures for implementing interactive activities to present or review information, such as games or role playing exercises. Class Discussions  To prepare for the activities 1. Review the scenarios. 2. Review the discussion questions and answers. 3. Develop a possible list of alternative answers and their advantages and disadvantages. Presentation: 60 Minutes Lab: 00 Minutes iv Module 9: Implementing IIS 5.0 Module Strategy Use the following strategy to present this module:  Identifying Potential Risks from the Internet This section describes the risks that may be introduced to an internal network by Internet users. Describe the risks from common attacks. Then, describe the threats that are introduced by denial-of-service (DoS) attacks, and explain that some DoS attacks can be prevented by installing the latest Microsoft Windows ® 2000 hotfixes and service packs to update vulnerable files. Finally, describe how port scanning can pose a threat to an internal network by attempting to contact every port number and expose services with known weaknesses. Demonstrate that the nbtstat command reveals all Network Basic Input/Output System (NetBIOS) names registered by the target Internet Protocol (IP) address, and explain how to minimize the risk of exposure from port scanning.  Implementing IIS as an Internet Web Server This topic describes the considerations that are necessary for implementing IIS as an Internet Web server. Describe the considerations for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing Microsoft FrontPage ® on an Internet Web server. When you have finished this topic, begin the class discussion for implementing IIS as an Internet server. Read the scenario to the students, and then divide the class into groups and assign each group a question. Give the students time to consider their answers, and then lead a discussion based on their responses.  Implementing IIS as an Intranet Web Server This topic describes the considerations that are necessary for implementing IIS as an intranet Web server. Describe the considerations for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing FrontPage on an intranet Web server. When you have finished this topic, begin the class discussion for implementing IIS as an intranet Web server. Read the scenario to the students, and then divide the class into groups and assign each group a question. Give the students time to consider their answers, and then lead a discussion based on their responses.  Implementing IIS as an Extranet Web Server This topic describes how to use an extranet to extend the network to trusted partners. Describe the considerations for configuring and administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling Simple Mail Transfer Protocol (SMTP), and implementing FrontPage on an extranet Web server. When you have finished this topic, begin the class discussion for implementing IIS as an extranet server. Read the scenario to the students, and then divide the class into groups and assign each group a question. Give the students time to consider their answers, and then lead a discussion based on their responses. Module 9: Implementing IIS 5.0 v Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization. Module 9: Implementing IIS 5.0 1 Overview  Identifying Potential Risks from the Internet  Implementing IIS as an Internet Web Server  Implementing IIS as an Intranet Web Server  Implementing IIS as an Extranet Web Server ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** When you place a Web server on a network, there are many considerations that determine how you evaluate network security, authentication, and configuration of Microsoft ® Internet Information Services (IIS) 5.0. In addition, there are potential impacts on the network architecture. For example, if your Web server is connected to both the Internet and your local network, you must take special precautions to prevent Internet users from accessing your network. These precautions often involve the use of firewalls or other devices to prevent unauthorized access to your network. In an intranet environment, your Web server acts as a central repository for corporate data. Team collaboration tools are often used in an intranet to store team project information. In this way, team members, other departments, and management can all gain access to project information on the intranet. You may also want to make a Web server available to business partners, associates, or subsidiaries without making the Web server available to the general public. To do this, you can create an extranet that enables only trusted business partners to gain access to your network over the Internet. Each of these situations requires different considerations for configuring IIS, including administering Web sites, configuring applications, providing security, monitoring and optimizing performance, enabling SMTP, and implementing Microsoft FrontPage ® . After completing this module, you will be able to:  Identify potential risks from the Internet.  Implement IIS as an Internet Web server.  Implement IIS as an intranet Web server.  Implement IIS as an extranet Web server. Topic Objective To provide an overview of the module topics and objectives. Lead-in In this module, you will learn how to implement IIS as an Internet, intranet, and extranet Web server. 2 Module 9: Implementing IIS 5.0    Identifying Potential Risks from the Internet  Common Attacks  Denial-of-Service Attacks  Port Scanning  Protecting IIS and Network Resources ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** When your Web server is accessible to both your local network and to the Internet, you expose your private network to the Internet and grant network access to a potentially unlimited number of users. An attacker can use any of several techniques to gain access to confidential information or to affect the functionality of your network. Therefore, you must take special precautions to protect your private corporate network from attackers. The first step in protecting your private network from public networks is to identify risks that may be introduced by public network users. You must be able to identify the following risks:  Risks to network security from common attacks.  Threats introduced by denial-of-service (DoS) attacks.  Threats introduced by port scanning. Topic Objective To analyze the common threats that are introduced when your private network is connected to a public network. Lead-in The first step in protecting your private network from public networks is to identify risks that may be introduced by public network users. Module 9: Implementing IIS 5.0 3 Common Attacks  Social Engineering  Exploitation of Default Security Configurations  IP Spoofing  Exploitation of Excess Services  Exploitation of System Back Doors  Session Takeover ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Common attacks include any attempt to circumvent the security of a network by exploiting known weaknesses. Examples of common attacks include:  Social engineering. The attacker acquires access privileges by using simple deception or impersonation. For example, the attacker telephones into an organization and uses false names and references to impersonate a legitimate network user.  Exploitation of default security configurations. The attacker accesses a network by exploiting default accounts, passwords, or security configurations that were not updated.  Internet Protocol (IP) spoofing. The attacker programmatically modifies the source address of packets so that it appears as if the packets originated from a trusted network or trusted computer.  Exploitation of excess services. The attacker exploits poorly monitored services. Uninstall or disable any service that does not need to be deployed on a specific server. Most of the risks that are associated with Microsoft Windows ® 2000 services and IIS are identified through Microsoft security bulletins, which are available at http://www.microsoft.com/technet/security  Exploitation of system back doors. The attacker exploits back door accounts that were configured to allow administrative access to the network in the event that the original administrative account is corrupted or compromised. Audit all administrative group membership periodically to ensure that unnecessary back door accounts are removed.  Session takeover. The attacker can exploit buffers, which are the spaces that programmers allocate for variables in their programming. The attacker overwrites an application’s buffer, resulting in an overflow of code. When the overflow occurs, it may be possible for the attacker to execute administrative functions at the security level of the application. Topic Objective To describe the risks to network security from common attacks. Lead-in There are several ways in which an attacker can gain unauthorized access to a network. Delivery Tip Emphasize that leaving the Administrator account with the name “Administrator” is a common example of a poor security configuration. Explain that the exploitation of excess services can include the installation of the FTP service. Because FTP sends passwords in unencrypted (clear text) form, the passwords may be compromised. Important 4 Module 9: Implementing IIS 5.0 Denial-of-Service Attacks Disk Space Err or Bandwidth Err or Buffers Err or CPU Cycles Usage Err or Denial-of-Service Attacks Affect: Denial Denial - - of of - - Service Service Attacks Affect: Attacks Affect: ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** A denial-of-service (DoS) attack is the intentional overwhelming of a network with unnecessary traffic, which prevents a service or resource from performing as expected. DoS attacks are not made to steal data or access resources, but rather to disrupt network traffic. Typically, these attacks are based on known weaknesses in the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. By preventing services from running, a DoS attack exploits an Internet host by overwhelming at least one of the following:  Disk space The attacker consumes disk space by sending large quantities of data. For example, if a File Transfer Protocol (FTP) server is configured to allow uploads of data, the attacker could upload large volumes of data in an attempt to consume all free disk space.  Bandwidth The attacker consumes the available bandwidth on the network by sending large quantities of data. For example, the attacker could send repeated broadcast messages that diminish or eliminate the available bandwidth. Bandwidth is also subject to distributed denial-of-service attacks (DDoS), in which multiple computers (known as drones) attack the same target, resulting in overuse of network bandwidth. Topic Objective To analyze the common threats introduced by denial- of-service attacks. Lead-in Denial-of-service attacks are designed to overwhelm a network with unnecessary traffic. [...]... 16 Module 9: Implementing IIS 5.0 Implementing IIS as an Intranet Web Server Topic Objective To outline the topics that are relevant to implementing IIS as an intranet Web server Lead-in Implementing IIS as an intranet Web server is in some ways similar to implementing IIS as an Internet Web server However, because an intranet is not exposed... 24 Module 9: Implementing IIS 5.0 Implementing IIS as an Extranet Web Server Topic Objective To outline the topics that are relevant to implementing IIS as an extranet Web server Lead-in You can create an extranet to provide an extension of your organization to your business partners Configuring IIS as an Extranet Web Server Discussion: Implementing IIS as an Extranet Web Server... Explorer 4.0 or 5, or Office 2000 installed on their computer Module 9: Implementing IIS 5.0 21 Discussion: Implementing IIS as an Intranet Web Server Topic Objective To evaluate the IIS and network configuration issues involved when an IIS server is configured as an intranet Web server Intranet Lead-in To create a strategy for implementing IIS as an intranet Web server, you must address authentication,... information about implementing network security, see Course 2150A, Designing a Secure Microsoft Windows 2000 Network Module 9: Implementing IIS 5.0 9 Implementing IIS as an Internet Web Server Topic Objective To outline the topics that are relevant to implementing IIS as an Internet Web server Lead-in Configuring an Internet Web server requires careful planning and specific strategies Configuring IIS as an... http://officeupdate.microsoft.com/frontpage/wpp/serk Module 9: Implementing IIS 5.0 13 Discussion: Implementing IIS as an Internet Web Server Topic Objective To evaluate the IIS and network configuration issues involved when an IIS server is accessible to both the Internet and the local network Corporate Office Web Server Marketing Reports Lead-in To create a strategy for having an IIS server accessible to both the Internet... strategies for implementing IIS as an Internet, an intranet, and an extranet Web server Identifying Potential Risks from the Internet Implementing IIS as an Internet Web Server Implementing IIS as an Intranet Web Server Implementing IIS as an Extranet Web Server *****************************ILLEGAL FOR NON-TRAINER USE****************************** Delivery Tip Summarize the key concepts taught in the module. .. security, performance, e-mail authentication, and Web publishing 10 Module 9: Implementing IIS 5.0 Configuring IIS as an Internet Web Server Topic Objective To describe the considerations that are necessary for configuring IIS as an Internet Web server Lead-in There are several considerations that you must make when configuring IIS as an Internet Web server Consider How You Will: Consider How You... develop a strategy for securing network traffic, such as implementing a virtual private network (VPN) You must also develop a strategy for rejecting unwanted traffic from the Internet Module 9: Implementing IIS 5.0 25 Configuring IIS as an Extranet Web Server Topic Objective To describe the considerations that are necessary for configuring IIS as an extranet Web server Lead-in Because security concerns... access by IP address, if possible Implementing FrontPage Typically, an extranet Web server delivers content to trusted organizations While you can use FrontPage to design and publish content for your extranet, it is not likely that your business partners will require access to your Web site by using FrontPage Module 9: Implementing IIS 5.0 27 Discussion: Implementing IIS as an Extranet Web Server Topic... have on IIS server resources and your internal network Determine whether access must be restricted to certain times of the day or days of the week 30 Module 9: Implementing IIS 5.0 Review Topic Objective To reinforce module objectives by reviewing key points Lead-in In this module, . about implementing network security, see Course 2 1 50 A, Designing a Secure Microsoft Windows 200 0 Network. Note Note Module 9: Implementing IIS 5. 0 9 . Presentation: 60 Minutes Lab: 00 Minutes iv Module 9: Implementing IIS 5. 0 Module Strategy Use the following strategy to present this module:  Identifying