Setting up web server security in IIS 7.0

Internet Information Services (IIS) 7.0 is not installed by default when you install Windows; you must choose to install it. Leaving a web server off a computer that does not need one is itself a security measure, because a service that is not present cannot be attacked by web-based malware or intruders.

Even after you install IIS, the default installation is minimal. A fresh IIS 7.0 web server serves only static content, such as HTML files and image files (for example, bitmaps), and cannot run scripts or applications until you add those role services. To protect the web server further, use one or more of the following security measures; in practice several are combined, for example an authentication method together with URL authorization and request filtering:

Basic authentication

Basic authentication determines who can access resources on a web server by requiring users to provide a valid user name and password before content is returned. The browser sends the credentials in a Base64-encoded header, which is encoding, not encryption: anyone who can read the traffic can recover the password. Use Basic authentication only over SSL (HTTPS), or within a network you trust. For more information about Basic authentication, go to Configuring Authentication in IIS 7.0 on the Microsoft TechNet website.

Digest authentication

Digest authentication uses a Windows domain controller to authenticate users who request access to content on your web server, so the server must be joined to an Active Directory domain and the user accounts must be domain accounts. The browser sends a hash of the password rather than the password itself, which makes Digest authentication an improvement over Basic authentication when SSL is not available, and because it is a standard HTTP challenge-response scheme it works through firewalls and proxy servers that Windows authentication often cannot traverse. For more information about Digest authentication, go to Configuring Authentication in IIS 7.0 on the Microsoft TechNet website.

Windows authentication

Windows authentication (Kerberos or NTLM) authenticates domain users without sending the password over the network, and on domain-joined clients it can sign the user in without a prompt. It generally does not work through HTTP proxy servers or across firewalls, so it is best suited for an intranet environment. For more information about Windows authentication, go to Configuring Authentication in IIS 7.0 on the Microsoft TechNet website.
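Here, as an added example that is not part of the original article, is what the three methods above look like once they are configured for a site. IIS Manager writes per-site authentication settings into a location element in %windir%\System32\inetsrv\config\applicationHost.config (these sections are locked against web.config overrides by default, so they cannot be set from a site's own web.config without unlocking them first). The site name Default Web Site and the realm name are assumed placeholders.

```xml
<!-- Added example, not from the original article. IIS Manager writes these per-site
     settings into %windir%\System32\inetsrv\config\applicationHost.config.
     The site name and the realm name are assumed placeholders. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <!-- Force HTTPS for the whole site. Basic authentication is only acceptable when the
           Base64-encoded credentials travel inside an SSL session. Plain http:// requests
           are answered with 403.4 (SSL required). -->
      <access sslFlags="Ssl" />
      <authentication>
        <!-- Turn off anonymous access. IIS installs with it enabled, which means every
             file under the site is readable without a logon. -->
        <anonymousAuthentication enabled="false" />
        <!-- Intranet clients: Windows authentication, Kerberos (Negotiate) offered first,
             NTLM as the fallback for clients that cannot obtain a Kerberos ticket. -->
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <!-- Clients that cannot use Windows authentication (for example through a proxy)
             fall back to Basic, which is safe here only because sslFlags above forces SSL. -->
        <basicAuthentication enabled="true" realm="intranet.example" />
        <!-- Digest is disabled here; enable it instead of Basic when every user has a
             domain account and SSL cannot be required on the proxied path. -->
        <digestAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

A quick check after making the change: a request from a client that sends no credentials should get HTTP 401 with WWW-Authenticate headers for Negotiate, NTLM and Basic rather than a 200, and a request over plain http:// should get 403.4 rather than a logon prompt.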

Client certificate mapping authentication

Client certificate mapping authentication (also called Active Directory client certificate mapping) lets you map a user account in a Windows domain to a specific client certificate, so that a client presenting that certificate over SSL is logged on as that user. The mappings are stored on the user accounts in Active Directory, and the site must require SSL so that the client certificate is requested at all. For more information about mapping certificates, go to IIS 7.0: Configure Client Certificate Mapping Authentication on the Microsoft TechNet website.

IIS client certificate mapping authentication

IIS client certificate mapping authentication performs the same function without requiring Active Directory, using mappings stored in the IIS configuration: a one-to-one mapping ties one certificate to one Windows account, and a many-to-one mapping logs on every client whose certificate fields (for example the issuer name or the subject's organization) satisfy a set of rules as a single account. For more information about mapping certificates, go to IIS 7.0: Configure Client Certificate Mapping Authentication on the Microsoft TechNet website.
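As an added example, not taken from the original article, the following location element shows a many-to-one IIS client certificate mapping as it is stored in applicationHost.config: SSL is required, a client certificate is demanded, and any certificate issued by the organization's CA to one of its own subjects is logged on as a single low-privilege account. The site name, CA name, organization name and account name are assumed placeholders.

```xml
<!-- Added example, not from the original article. Per-site settings as stored in
     applicationHost.config; the site name, CA name, organization and account are
     assumed placeholders. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <!-- Require SSL, ask the client for a certificate during the handshake, and refuse
           the connection if none is presented. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <!-- Many-to-one: every certificate that satisfies all rules of a mapping is
             treated as the same Windows account. -->
        <iisClientCertificateMappingAuthentication enabled="true"
            manyToOneCertificateMappingsEnabled="true"
            oneToOneCertificateMappingsEnabled="false">
          <manyToOneMappings>
            <!-- userName is the account the request runs as; give it only the file
                 permissions the site needs. Set its password in IIS Manager so that it
                 is stored encrypted rather than typing it into this file. -->
            <add name="Employee certificates" enabled="true" permissionMode="Allow"
                 userName="CORP\cert-employees">
              <rules>
                <!-- Both rules must match: the certificate was issued by our CA ... -->
                <add certificateField="Issuer" certificateSubField="CN"
                     matchCriteria="Contoso Issuing CA" compareCaseSensitive="false" />
                <!-- ... and the subject's organization is ours. -->
                <add certificateField="Subject" certificateSubField="O"
                     matchCriteria="Contoso" compareCaseSensitive="false" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

The rules are plain string comparisons on fields of a certificate that the SSL handshake has already validated against the computer's trusted root store, so the matching is only as strong as that store: keep the trusted roots on a web server limited to the CAs you actually expect client certificates from. A Deny mapping (permissionMode="Deny") with the same rule syntax can be used to lock out a particular issuer or subject.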

URL authorization

URL authorization allows you to create rules that allow or deny access to the URLs that make up a web application, based on the authenticated user name, the user's roles (Windows groups when Windows, Basic or Digest authentication supplies the identity), and the HTTP verbs used. It runs after authentication, so it needs one of the authentication methods above to establish who the user is. For more information about URL authorization, go to Configuring URL Authorization Rules in IIS 7.0 on the Microsoft TechNet website.
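The following web.config is an added example, not code from the original article, showing a rule set that denies by default and then grants access to specific groups, with a stricter rule for one folder. The group and account names are assumed placeholders, and the URL Authorization role service must be installed for the authorization section to take effect.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original article: web.config in the application root.
     Group and account names are assumed placeholders. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Every site inherits the server-level default rule that allows users="*"
             (everyone). Clear the inherited rules first, otherwise the rules below
             merely add to "everyone" and deny nothing. -->
        <clear />
        <!-- Members of the application's group may use the whole application. -->
        <add accessType="Allow" roles="CORP\App-Users" />
        <!-- A monitoring account may only read. -->
        <add accessType="Allow" users="CORP\svc-monitor" verbs="GET,HEAD" />
        <!-- "?" means the anonymous user ("*" means everyone). This only matters if
             anonymous authentication is still enabled on the site; in IIS URL
             authorization a matching Deny rule wins over Allow rules regardless of
             its position in the list. -->
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
  <!-- Tighter rule for one folder: only administrators reach /admin. -->
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <!-- Start again from nothing so the parent's App-Users rule does not apply here. -->
          <clear />
          <add accessType="Allow" roles="CORP\App-Admins" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A request from an authenticated user who matches no Allow rule is answered with 401.2 (logon failed due to server configuration) rather than a redirect or an error page; checking that a test account outside CORP\App-Users gets that response is the simplest way to confirm the inherited allow-everyone rule really was cleared.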

Request filtering

When you want to restrict the types of HTTP requests your server will process, you can configure request filtering in IIS 7.0 to examine specific criteria of each incoming request (for example the file extension, the HTTP verb, the length of the URL or query string, or particular path segments) and reject requests that do not meet them before any handler or application sees them. Request filtering is the built-in successor to the UrlScan tool used with earlier IIS versions. For more information about request filtering, go to Filter HTTP Requests in IIS 7.0 on the Microsoft TechNet website.
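As an added example that is not part of the original article, here is a request filtering section for the static-content-only server described at the top of this page: it allows just the file extensions and verbs such a site needs, caps request sizes, hides folders that should never be served, and rejects path-traversal sequences. The extension list, limits and folder names are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original article: web.config for a static-content site.
     The extension list, size limits and folder names are assumed for illustration. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject URLs that are escaped twice (a common way to smuggle "../" past a
           first decoding pass) and URLs containing non-ASCII characters. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- Size limits: 1 MB body, 4 KB URL, 2 KB query string. A static site
             receives no uploads, so a large body is never legitimate. -->
        <requestLimits maxAllowedContentLength="1048576" maxUrl="4096" maxQueryString="2048" />
        <!-- Serve only listed extensions; anything else (for example .config, .bak,
             .asp left in the web root) is refused with 404.7. -->
        <fileExtensions allowUnlisted="false">
          <!-- "." allows extensionless URLs, such as directory requests that the
               default document module resolves to index.htm. -->
          <add fileExtension="." allowed="true" />
          <add fileExtension=".htm" allowed="true" />
          <add fileExtension=".html" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".png" allowed="true" />
          <add fileExtension=".jpg" allowed="true" />
          <add fileExtension=".gif" allowed="true" />
          <add fileExtension=".bmp" allowed="true" />
        </fileExtensions>
        <!-- Static content is only ever read. Other verbs are refused with 404.6. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>
        <!-- Path segments that must never be served, even if someone copies a source
             tree under the web root (404.8). -->
        <hiddenSegments>
          <add segment="bin" />
          <add segment=".git" />
          <add segment="backup" />
        </hiddenSegments>
        <!-- Parent-path sequences anywhere in the URL are refused with 404.5. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering answers a blocked request with a generic 404, so the client learns nothing about why it was refused; the reason is recorded in the sc-substatus field of the site's log file (404.5 URL sequence, 404.6 verb, 404.7 file extension, 404.8 hidden segment, 404.11 double escaping, 404.12 high-bit characters, 404.13 content length, 404.14 URL length, 404.15 query string length). Filter the log on those substatus values when tuning the rules, so that legitimate requests blocked by an over-tight list show up.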

Internet Protocol security

Internet Protocol security (IPsec) authenticates, and can encrypt, the IP traffic that travels between two computers, thereby helping to protect it from modification and eavesdropping. Unlike the measures above it is a Windows networking feature rather than an IIS setting, and it is typically used to control which computers may connect to the web server at all, for example to limit remote administration or back-end database traffic to known hosts while SSL protects the traffic from ordinary web clients. For more information about IPsec, go to IPsec Concepts on the Microsoft TechNet website.