How to secure IIS in a UNIX-to-Windows migration

1. Please add the following sentence to this article. You can assign strong NTFS permissions for your resources. The NTFS file system is more secure than the FAT or FAT32 file system. You can also assign the most restrictive Web permissions possible. For example, if the Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts Only permissions instead of Scripts and Executables permissions. Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It could allow a user to upload potentially harmful executable files to the server and run them. 2) Add keyword kbSCRAPKeep. 3) For more info, please take a look at the Security Content Bug 33180. This article is one in a series of articles that provides detailed information about performing a UNIX-to-Windows migration. This article describes the basic procedure to migrate the security settings for your Web site from Apache and UNIX to Internet Information Services (IIS) and Windows.

The articles in this series include the following:

Turn off Directory Browsing

If you use the Directory Browsing functionality, clients can view the folder contents instead of being served a default page or error page. Directory Browsing can be a potential security risk because it allows clients to see all of the pages in a specific folder, even if the pages do not form part of the Web site. If you use Apache, you use the Options directive to configure the Directory Browsing functionality. If you use IIS, this functionality is part of the folder specification. For more information about how to turn off Directory Browsing, click the following article number to view the article in the Microsoft Knowledge Base:

Configure authentication

Authentication is the process of requiring and identifying an individual user before they are granted access to an area of a Web site. Apache handles authentication through a number of different mechanisms, from local files to external databases. IIS handles its authentication by providing a conduit to the Windows 2000 directory service.

When you migrate data to IIS, you must migrate both the settings and the users to Windows 2000 Active Directory to configure authentication for these sites. For more information about how to configure authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

Restrict sites by user

If you use Apache and you want to restrict an individual user's access to a site or folder, you must implement an authentication system. You can use either a Directory directive or the .Htaccess file to limit the access of a specific group or of a list of users. If you use IIS, the authentication is built in to the program and you can limit access by using the same controls that are used to define security for a Windows folder. For more information about how to restrice access to a site or a folder on a user-by-user basis, click the following article number to view the article in the Microsoft Knowledge Base:

Restrict site access by IP address or domain name

If you are using Apache, you can use the Allow directive and the Deny directive to limit access to a folder or a Web site based on the Internet Protocol (IP) address or domain. Typically, you use these directives to limit a Web site, for example, an intranet, for use for your own company users only. IIS provides a similar system for limiting access. For more information about how to limit Web site or folder access by a specific IP address or domain name, click the following article number to view the article in the Microsoft Knowledge Base:

Migrate user and group information

Because IIS uses Active Directory for holding authentication information, you must migrate the user and group information from the different sources that are used in your Apache installation to IIS and Active Directory. You can use a variety of utilities to help migrate the user and group information. For example, you can use the adduser command to add users easily and to use Windows Services for UNIX. For more information about how to migrate user and group information, click the following article number to view the article in the Microsoft Knowledge Base:

Set IIS permissions for specific objects

Apache uses the underlying UNIX file permissions and the settings in the .Htaccess file to limit access to specific elements. If you use IIS, you can set permissions for different objects in a Web site independently on their underlying file permissions. For more information about how to set IIS permissions for specific objects, click the following article number to view the article in the Microsoft Knowledge Base:

Set folder security for shared folders

If you are sharing your Web site as a folder so that it can be updated by other users who modify the source files, you must set security permissions for the files in the folder. For more information about how to set folder security for shared folders, click the following article number to view the article in the Microsoft Knowledge Base:

Migrate .Htaccess data in a UNIX-to-Windows migration

Although IIS does not support the Apache .Htaccess file, you can emulate this file's effects on individual folders in IIS and provide some user-customizable options for managing this folder without compromising the security of your computer. For more information about how to migrate .Htaccess data to IIS, click the following article number to view the article in the Microsoft Knowledge Base:

Use the IIS Permissions Wizard

You can use the IIS Permissions Wizard to simplify and automate the process of setting permissions across a range of folders and objects. If you use this tool, you simulate the effects of the inherited security and authentication settings and users can easily copy around .Htaccess files to set parameters for a folder. For more information about how to use the IIS Permissions Wizard, click the following article number to view the article in the Microsoft Knowledge Base:

Use the IIS Lockdown Tool

You can use the IIS Lockdown Tool to set the levels of security that you want to use to secure a full Web site and the associated files. You can also use this tool to quickly reproduce the settings on an Apache Web site without manually setting these values. For more information about how to use the IIS Lockdown Tool, click the following article number to view the article in the Microsoft Knowledge Base:

Install an SSL certificate for a UNIX-to-Windows migration

To secure communications, you must install a Secure Sockets Layer (SSL) certificate in a site and transfer existing certificates from an Apache installation to IIS during a migration process. You can install a certificate directly in IIS without performing any additional migration steps. For more information about how to install an SSL certificate, click the following article number to view the article in the Microsoft Knowledge Base:

Set up HTTPS services

For more information about how to set up secure HTTPS service, click the following article number to view the article in the Microsoft Knowledge Base:

You can assign strong NTFS permissions for your resources. The NTFS file system is more secure than the FAT or FAT32 file system. You can also assign the most restrictive Web permissions possible. For example, if the Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts Only permissions instead of Scripts and Executables permissions. Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It could allow a user to upload potentially harmful executable files to the server and run them.

For more information about how to migrate from UNIX to Windows, visit the following Microsoft Web site: