
Configure IIS Web server permissions to protect customer data


Michael Cobb
02.13.2007


As your customers' businesses grow, their networks grow too. If you are responsible for maintaining the security of their data, it's wise to regularly check and update user access controls to ensure that confidential corporate data within folders, files and Web documents remains under lock and key. Luckily, it's easy to create rules in Internet Information Services (IIS) to specify or restrict what information can be accessed. Let's look at how to configure IIS Web server permissions to provide proper and secure access controls that not only satisfy your customers' end users, but also ensure better data security.

IIS Web server permissions control access to virtual directories on the Web and apply to all users. To control access to specific data, start by configuring the IIS directory security features:

It is important to note that, because you're dealing with IIS Web server permissions, the new settings will apply to all users regardless of their specific NT File System (NTFS) access rights.

That brings us to the next step, which is to configure the NTFS permissions for Web documents. NTFS permissions control access to the physical directories on the server and apply to specific user groups. You can use them to define which users can access what content and how they can use it by creating a discretionary access control list (DACL) for each file or directory.

To create a DACL, select a particular Windows user account or group, and specify the access permission for it.
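As an added example (not from the original article), the DACL described above can be built from PowerShell and then checked for entries that are broader than intended. The path `D:\WebContent\Accounts` and the group `CONTOSO\AccountsReaders` are hypothetical, and the example assumes the site uses Windows authentication and that the script runs in an elevated session on the Web server.

```powershell
# Added example: paths and account names below are hypothetical placeholders.
$ContentPath = 'D:\WebContent\Accounts'    # physical directory behind the virtual directory
$ReaderGroup = 'CONTOSO\AccountsReaders'   # Windows group allowed to read the content

function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # Inherit to subfolders and files so the whole content tree gets the same DACL
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', 'Allow')
}

function Set-WebContentDacl {
    param([string]$Path, [string]$Readers)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)         # clear existing explicit ACEs
    }
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule $Readers 'ReadAndExecute'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Find-BroadWriteAccess {
    param([string]$Path)
    # Well-known groups that should not be able to change Web content
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -band $mask) -ne 0) {
                [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Set-WebContentDacl -Path $ContentPath -Readers $ReaderGroup
$findings = @(Find-BroadWriteAccess -Path $ContentPath)
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No broad write ACEs found.' }
```

Files or subfolders that carry their own explicit entries keep them after the parent DACL is replaced, which is why the check walks the whole tree rather than only the top-level directory.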




To change NTFS permissions for a directory or file:

This will help you to better control access to Web content, because IIS will first check that a user has the necessary Web permissions to access the requested resource before checking that they also have the necessary NTFS permissions. If a user does not have the Web permissions, they will receive a "403 Access Forbidden" message. If they have incorrect NTFS permissions, they will receive a "401 Access Denied" message.

If any of your customers are running Web sites that provide access to particularly sensitive data, such as their own customers' personal information, suggest that they install a Web server certificate to enable their Web server's Secure Sockets Layer (SSL) features. This forces users to establish an encrypted link in order to connect to particular directories or files. As a final measure, you can also map client certificates to Windows user accounts on their Web server. This approach, while providing strong authentication and access control, is more complex for you to administer, but is worthwhile if any sites that you manage need to confirm the identity of users before granting access to restricted content.

About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications including SearchSecurity.com.


All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy