IIS7 Setup and Security

Posted by Stephan Kristyn on March 30th, 2010 / 4 Comments

If you want to host a website on your intranet and have no DNS server, you can still use Microsoft's web server IIS by relying on Windows' NetBIOS name resolution. After configuring IIS correctly (in my case running on Windows 7) you will be able to reach your website from a Mac or Linux client.

Install IIS7

1.) Install IIS7 on your Windows 7 machine from Control Panel -> Programs -> Turn Windows features on or off, and tick Internet Information Services.

2.) Setting up your website should be fairly easy. Just delete the default one and add a new one pointing to the local folder containing something like an index.html file.

3.) Authentication: Enable anonymous authentication to get IIS7 running. You can add more secure methods later (see below).

4.) NTFS ACL: Grant the built-in group IIS_IUSRS Read & execute permission on the folder containing your website, and the same to IUSR, the account IIS7 impersonates for anonymous requests. Read is all a static site needs; do not grant Write or Modify on web content. You can do this from IIS Manager (Edit Permissions) or from the folder's Security tab in Windows Explorer.

5.) Open Windows Firewall -> Allow a program or feature through Windows Firewall and tick World Wide Web Services (HTTP), which opens TCP port 80 for IIS. Allow it for the Home/Work (private) profile only; there is no reason to expose an intranet site on Public networks.

Now you can type your machine's hostname into the browser on the client, e.g. http://myIISMachine, and it will display your web page.

Name Resolution

Let's say myIISMachine is the hostname of your Windows PC running IIS. Without DNS, the client resolves that name with a NetBIOS name query: a UDP broadcast to port 137 on the local subnet (or a unicast query to a WINS server, if one is configured). Your router takes no part in this; broadcasts are not forwarded, so client and IIS machine must sit on the same subnet. The Windows machine that owns the name answers the query directly with its IP address. The host name of a Windows computer is normally identical to its NetBIOS name (at most 15 characters). A Primary DNS Suffix may be appended, but in a basic LAN without DNS no suffix is configured, so your FQDN (Fully Qualified Domain Name) is simply myIISMachine instead of myIISMachine.myHomeDomain.com. Mac OS X likewise has a NetBIOS name for the Mac (the computer name by default) and WINS settings under System Preferences -> Network -> Advanced -> WINS.

Besides, if you don't use DNS, Windows Vista and 7 try LLMNR (Link-Local Multicast Name Resolution, which runs over both IPv4 and IPv6) before falling back to NetBIOS. That only affects queries sent by a Windows client; in our scenario the Mac OS X or Linux client sends the query, and those do not speak LLMNR, so a NetBIOS query over IPv4 is what will reach the IIS machine. Keep in mind that neither NetBIOS nor LLMNR authenticates the answer: any host on the subnet can reply to a broadcast or multicast query for any name, so on an untrusted LAN the name you type into the browser may resolve to somebody else's machine. That is one more reason to add TLS, as described below.
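To make the mechanism concrete, here is an added example (not part of the original post) that builds a NetBIOS name query for a hypothetical machine MYIISMACHINE exactly as a client broadcasts it to UDP port 137, and parses the positive name query response the Windows host sends back. All names and IP addresses in it are constructed. It also builds a second reply for the same query from a different address to show that nothing in the protocol lets the client tell the real owner's answer from anybody else's.

```python
import os
import socket
import struct

NBNS_PORT = 137
NB_RR_TYPE = 0x0020               # NetBIOS general name service record
FLAGS_QUERY_BROADCAST = 0x0110    # opcode QUERY, RD set, B (broadcast) set
FLAGS_POSITIVE_RESPONSE = 0x8500  # R set, AA set, RD set, RCODE 0


def encode_name(name, suffix=0x00):
    """RFC 1001/1002 first-level encoding: upper-case, space-pad to 15 bytes,
    append a one-byte service suffix (0x00 workstation, 0x20 file server) and
    write every byte as two letters, 'A' + high nibble and 'A' + low nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded):
    """Inverse of encode_name(); returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(name, txid=None):
    """Name query request as a client broadcasts it: 12-byte header, then one
    question (length byte 0x20, 32-letter name, 0x00, type NB, class IN)."""
    txid = os.urandom(2) if txid is None else txid
    header = txid + struct.pack(">HHHHH", FLAGS_QUERY_BROADCAST, 1, 0, 0, 0)
    qname = b"\x20" + encode_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", NB_RR_TYPE, 1)


def build_response(txid, name, ip, ttl=300000):
    """Positive name query response: one answer record whose RDATA is NB_FLAGS
    (0x0000 = B-node, unique name) followed by the IPv4 address. Any host on
    the subnet can send this; the client has no way to tell who did."""
    header = txid + struct.pack(">HHHHH", FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_name(name).encode("ascii") + b"\x00"
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)
    return header + rr_name + struct.pack(">HHIH", NB_RR_TYPE, 1, ttl, len(rdata)) + rdata


def parse_response(data):
    """Return {'txid', 'name', 'suffix', 'ttl', 'addresses'} for a positive
    name query response, or None if the packet is not one."""
    if len(data) < 12:
        return None
    flags, qdcount, ancount, _, _ = struct.unpack(">HHHHH", data[2:12])
    if not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return None
    off = 12 + qdcount * 38          # responses normally echo no question
    encoded = data[off + 1:off + 33].decode("ascii")
    off += 34
    rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NB_RR_TYPE:
        return None
    addresses = [socket.inet_ntoa(data[off + i + 2:off + i + 6]) for i in range(0, rdlen, 6)]
    name, suffix = decode_name(encoded)
    return {"txid": data[:2], "name": name, "suffix": suffix, "ttl": ttl, "addresses": addresses}


def resolve(name, broadcast="255.255.255.255", timeout=2.0):
    """Really broadcast the query on the LAN and return (peer_ip, answer) for the
    first matching reply. Not called below, so the example stays offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    query = build_query(name)
    try:
        sock.sendto(query, (broadcast, NBNS_PORT))
        data, peer = sock.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        sock.close()
    answer = parse_response(data)
    return None if answer is None or answer["txid"] != query[:2] else (peer[0], answer)


if __name__ == "__main__":
    query = build_query("MYIISMACHINE", txid=b"\x12\x34")
    print("query  :", query.hex())
    # The real IIS host answers with its address (constructed) ...
    good = parse_response(build_response(b"\x12\x34", "MYIISMACHINE", "192.168.1.10"))
    # ... and so can any other host on the subnet; both replies parse identically.
    rogue = parse_response(build_response(b"\x12\x34", "MYIISMACHINE", "192.168.1.66"))
    print("answers:", good["addresses"], rogue["addresses"])
```

The only thing the client matches on is the 16-bit transaction id, which is visible to everyone on the subnet who saw the broadcast, so a WINS server or DNS does not change the trust picture either; only TLS with a certificate the client verifies does.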

Setting up Security

To add security to your IIS configuration, you first need to know the upsides and downsides of your options. IIS7 offers Anonymous, Basic, Digest, Windows Authentication (Negotiate, i.e. Kerberos or NTLM), Forms authentication and client certificates, and each of them can be combined with SSL/TLS. Basic sends the password Base64-encoded in every request, which is as good as cleartext, so never enable it without TLS.

Digest

You can use Digest authentication with any HTTP 1.1 browser. The browser first sends a request without credentials and the server answers 401 Unauthorized with a WWW-Authenticate: Digest header that carries the realm and a nonce, a unique value generated for this challenge only. The browser then asks you for username and password, computes MD5(username:realm:password) and MD5(method:URI), hashes those two values together with the server nonce, a client nonce and a request counter into the final MD5 response, and sends only that response back. The server, which holds the password (or the first hash), computes the same value and compares; if they match, access is granted. So in essence the password itself never crosses the wire. However, Digest is vulnerable to man-in-the-middle attacks, since the client has no way of knowing that the server is who it claims to be: an attacker who can intercept the connection can relay challenge and response, replay a response while the nonce is still valid, or simply replace the Digest challenge with a Basic one and receive the password in cleartext. The captured response is also a plain MD5 computation that an eavesdropper can brute-force offline, so weak passwords do not survive it. One IIS7 caveat: Digest authentication validates the credentials against Active Directory, so the server must be a domain member; it is not an option in a plain workgroup. Digest is a platform-independent standard, defined in RFC 2617 (1999) by authors from Netscape, Microsoft, VeriSign and others.
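The exchange described above, as an added example that is not part of the original post: it computes the client's Digest response, verifies it on the server side the way a web server would, and then shows what an eavesdropper can do with a captured exchange. The challenge, credentials and response values are the sample from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"); the wordlist for the offline guess is constructed.

```python
import hashlib
import hmac
import re
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_params(header):
    """Split 'Digest k="v", k2=v2, ...' (WWW-Authenticate or Authorization) into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', params)}


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(user, password, challenge, method, uri, nc="00000001", cnonce=None):
    """What the browser sends after the 401: the response hash, never the password."""
    c = parse_params(challenge)
    cnonce = cnonce or secrets.token_hex(4)
    response = digest_response(user, password, c["realm"], method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


class DigestServer:
    """Server side: stores HA1 per user (as an htdigest file does) plus the nonces it issued."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}
        self.nonces = set()

    def add_user(self, user, password):
        self.ha1[user] = md5_hex(f"{user}:{self.realm}:{password}")

    def challenge(self, nonce=None):
        """Build the WWW-Authenticate header for a 401; remembers the nonce so it can be checked."""
        nonce = nonce or secrets.token_hex(16)
        self.nonces.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method, authorization):
        p = parse_params(authorization)
        ha1 = self.ha1.get(p.get("username"))
        if ha1 is None or p.get("realm") != self.realm or p.get("nonce") not in self.nonces:
            return False
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        return hmac.compare_digest(expected, p.get("response", ""))


def offline_guess(method, authorization, wordlist):
    """Eavesdropper: everything except the password is in the captured header,
    so each candidate costs three MD5s and no interaction with the server."""
    p = parse_params(authorization)
    for candidate in wordlist:
        if digest_response(p["username"], candidate, p["realm"], method, p["uri"],
                           p["nonce"], p["nc"], p["cnonce"], p["qop"]) == p["response"]:
            return candidate
    return None


# Sample exchange from RFC 2617 section 3.5
RFC_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
RFC_AUTHORIZATION = ('Digest username="Mufasa", realm="testrealm@host.com", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                     'qop=auth, nc=00000001, cnonce="0a4f113b", '
                     'response="6629fae49393a05397450978507c4ef1", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    server = DigestServer("testrealm@host.com")
    server.add_user("Mufasa", "Circle Of Life")
    server.challenge(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")  # pretend we issued the RFC nonce
    print("server accepts RFC response:", server.verify("GET", RFC_AUTHORIZATION))
    print("same header replayed as POST:", server.verify("POST", RFC_AUTHORIZATION))
    auth = client_authorization("Mufasa", "Circle Of Life", server.challenge(), "GET", "/dir/index.html")
    print("fresh round trip:", server.verify("GET", auth))
    # What the eavesdropper does with the captured Authorization header (constructed wordlist).
    print("offline guess:", offline_guess("GET", RFC_AUTHORIZATION, ["hakuna matata", "password", "Circle Of Life"]))
```

Note what the server never sees: the password. It also never learns whether the request it verified came over the path the client intended, which is the man-in-the-middle gap the text describes; and because the method and URI are bound into HA2, the same header replayed as a POST fails, while a replay of the identical GET within the nonce lifetime succeeds unless the server also tracks the nc counter.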

Negotiate

Negotiate automatically chooses Kerberos if client and server are in a domain and the client can reach a domain controller, and falls back to NTLM otherwise; both are what IIS calls Windows Authentication. Kerberos needs DNS, an Active Directory domain (or another Kerberos realm) with a Key Distribution Center and a service principal name registered for the web server, so chances are your operating system will use NTLM if you are at home in a private workgroup with no real network infrastructure. In a workgroup NTLM only works if a local account with the same username and password exists on the IIS machine, and NTLM over HTTP has weaknesses of its own: an attacker in the middle can relay the challenge/response to another service, and a captured response can be cracked offline, so it too belongs behind TLS.

Forms

Forms authentication shows the user an HTML login page and posts username and password to the server, where your application checks them. Like Basic authentication, this sends the credentials over the network in cleartext unless the connection is protected, and afterwards the session rides on a cookie that can be stolen just as easily. So use SSL/TLS together with Forms authentication: require HTTPS for the login page and for every page that accepts the authentication cookie, and mark the cookie Secure so the browser never sends it over plain HTTP (the forms element in web.config has a requireSSL attribute for exactly this).

SSL/TLS

SSL/TLS establishes an encrypted tunnel so that the data cannot be read or altered by third parties, even inside the local area network. For that you need a certificate for the server: either one you issue yourself (IIS Manager can create a self-signed certificate) or one from a Certificate Authority (CA) the clients trust. The certificate authenticates the server to the client; if you also want the server to identify the client, enable client certificates as well. TLS only prevents man-in-the-middle attacks if the browser actually verifies the certificate, so the name in the certificate must match the name you type into the browser (myIISMachine), and the issuing CA, or the self-signed certificate itself, must be imported into the trust store of every Mac and Linux client. Teaching users to click through certificate warnings defeats the whole point.

In my opinion, SSL/TLS and Kerberos are the most secure solutions. They also share a big fanbase in the open standard world.


Comments

  1. Comment by Name on Mar 31st, 2010 at 3 pm

    Why would you run any kind of network without DNS? Sorry, I just don't see the point.

  2. Comment by nottinhill on Mar 31st, 2010 at 3 pm

    Thanks for your question. The point is affordability. Because not everybody can afford having a 24/7 DNS server running, e.g. private users at home with a typical non-professional broadband router / 2-3 client setup. I even know lots of startup firms without any DNS servers. It's also a question of knowledge.

  3. Comment by Avigit Saha on Aug 25th, 2010 at 9 pm

    I'm trying to set up a domain name and an email address under that domain. I want to use a private IP (for a local area network, no internet) so that I can send mail using Outlook Express from a client on this network. I set up IIS 7 on Windows 7 Professional with SMTP email but can't configure it without a domain. Can you help me? Thanks in advance.

  4. Comment by Stephan Kristyn on Sep 21st, 2010 at 8 am

    You are trying to set up a domain name and email under some domain? And then you want IIS without a domain? Try to focus on one goal at a time. First of all, IIS is a web server. For e-mail you need Exchange. Try a test edition or buy an old one off eBay if you are on a budget. You can always use third-party mail servers like e.g. hMailServer. Also try Microsoft TechNet, it helped me many times.


meshfields

Stephan Kristyn Mondstr. 1b 81543 München

Licensed CC BY-SA