DOCUMENT:Q311184  19-APR-2002  [iis]
TITLE    :HOW TO: Perform Security Planning for IIS 5.0
PRODUCT  :Internet Information Server
PROD/VER::5.0
OPER/SYS:
KEYWORDS:kbAudITPro kbHOWTOmaster

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Services version 5.0
-------------------------------------------------------------------------------

IN THIS TASK
------------

 - SUMMARY
 - Assessing Security Threats
 - Security Policies
 - REFERENCES

SUMMARY
=======

This article describes how to assess security threats and suggests how to
implement security policies. A member of the Administrators group who is
familiar with your existing network security should make recommendations
about Internet Information Services (IIS) security policies.

Assessing Security Threats
--------------------------

To plan the security of your Web site effectively, you must:

 - Keep pace with changes in business that might require new security
   measures. For example, e-commerce requires encryption of private
   information that is sent over the Internet.

 - Identify and assess threats to the security of your online assets. For
   example, if you open your corporate intranet to access by employees from
   their homes, their user IDs and passwords are assets that become
   vulnerable to the threat of exposure on the Internet.

 - Prioritize threats according to potential exposure and recovery costs.
   For example, if customers can purchase services from your Web site,
   determine which assets would be exposed and what the cost would be to
   secure them.

In the emerging online business environment, accurate threat assessment is
vital to achieving cost-effective security for assets that are shared over
the Web within your organization, as well as among your business partners
and customers.
Security Policies
-----------------

Design your Web site security policies to achieve realistic goals at a
reasonable cost. Although Web sites differ from one another, they share some
fundamental goals involving the strength of their security, its cost, and the
means of achieving a secure site. To meet these goals:

 - Provide strong security that is consistent with access requirements.

 - Certify that all personnel who administer security are fully competent to
   enforce the security policy consistently and accurately. Make sure that
   all users accept their responsibility to comply with this policy.

 - Control security implementation costs so that they are consistent with
   the need for strong security. Security must scale up efficiently as sites
   expand.

 - Adopt technologies, standards, and practices that are adaptable to
   changing conditions and new developments.

 - Choose technologies that allow you to fully integrate security monitoring
   and management into network and user account administration. A single
   interface for security and administration enables efficient and timely
   security monitoring.

 - Adopt Internet community standards for communication between your Web
   site and Internet destinations, including the security of communication.
   The adoption of Internet standards yields low-cost startup and good
   scalability because the standards are widely supported by your customers
   and business partners.
REFERENCES
==========

For information about the IIS Lockdown tool and how to download it, visit
the following Microsoft Web site:

   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp

For information about IIS, visit the following Microsoft Web sites:

   http://support.microsoft.com/directory/content.asp?ID=FH;EN-US;iis50
   http://www.microsoft.com/windows2000/en/server/iis/

For information about security, visit the following Microsoft Web site:

   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

Additional query words:

======================================================================
Keywords    : kbAudITPro kbHOWTOmaster
Technology  : kbiisSearch kbiis500
Version     : :5.0
Issue type  : kbhowto
=============================================================================
Copyright Microsoft Corporation 2002.