1. Windows Server 2012 Security
Windows Server 2012 security begins during the
planning and design phases, so that every conceivable security aspect is
addressed before the server is built. This entails physical security,
logical security (Windows Server 2012 itself, the applications it hosts,
and so on), and communications security.
When you’re securing a Windows Server 2012
system with the Web Server (IIS) role, it’s important to keep the
server updated and apply the latest service pack and security patches.
Keeping up-to-date with service packs and patches ensures that known
vulnerabilities in Windows Server 2012 and IIS have been closed; an
unpatched web server is exposed to attacks that are already public.
Application security on a Windows Server
2012 system with the Web Server (IIS) role should be carefully
reviewed, especially if the application is custom-built. If the
application is developed by a vendor, make sure that it is certified to
run on Windows Server 2012 and that all vendor recommendations for
configuration and security have been reviewed, vetted and, where
appropriate, implemented.
2. IIS Authentication
Authentication is the process of verifying
that users are who they say they are. IIS supports a number of
authentication methods, including the following:
• Anonymous authentication—Users can connect to the website without providing credentials; their requests run under the configured anonymous user account (IUSR by default). If anonymous authentication is enabled alongside other methods, IIS serves content anonymously unless the anonymous account is denied access by the content’s NTFS permissions.
• Active Directory client certificate authentication—The client presents an SSL client certificate, which IIS maps to an Active Directory user account. This method requires an HTTPS binding and an Active Directory domain.
• ASP.NET impersonation—The ASP.NET application executes under the identity of the authenticated user (or another configured account) instead of the application pool identity.
• Windows authentication—This
authentication method integrates with Active Directory and uses Kerberos
or NTLM. Neither the password nor the raw password hash is sent across
the wire: NTLM sends a response computed from the password hash and a
server-supplied challenge, and Kerberos sends tickets issued by the
domain controller. It is best suited to intranet sites, because NTLM in
particular does not work through some HTTP proxies.
• Digest authentication—Similar
in spirit to Windows authentication, the password itself is never
transmitted; the browser sends an MD5 digest computed from the username,
password, realm and a server-supplied nonce. In IIS, Digest
authentication requires the web server to be a member of a Windows
domain, and a Windows Server domain controller validates the digest.
• Basic authentication—Basic
authentication sends the username and password over the wire
Base64-encoded but not encrypted, so they are effectively in clear text.
By itself this method offers little protection against unauthorized
access, and it should only be used in conjunction with SSL-based
protection of the site or page.
• Forms authentication—Users
are redirected to a logon page where they enter their credentials.
After they have been authenticated, an authentication ticket (normally
carried in a cookie) is issued and they are redirected back to the page
they originally requested. Because the credentials and the ticket travel
in HTTP requests, the logon page and the protected pages should be served
over SSL.
These authentication methods can be enabled or disabled on the Authentication feature page, as illustrated in Figure 1. You can open this page by selecting the Authentication feature under the IIS section at the server, site, or virtual directory level.
Figure 1. Authentication feature page.
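The same enable/disable choices can be made and audited from PowerShell, which is also the only way to see at a glance which combinations of methods a site actually has on. The script below is an added example; it is not part of the original text or of Microsoft’s documentation. It assumes an elevated session on the IIS server itself, the WebAdministration module that ships with the Web Server (IIS) role, a site named Default Web Site and an existing HTTPS binding for that site (all of these are assumptions). The function names Get-SiteAuthentication, Test-SiteRequiresSsl and Test-SiteAuthentication are defined here for illustration and are not built-in cmdlets.

```powershell
# Added example (not from the original text): audit and harden the
# authentication methods of an IIS site from PowerShell instead of the
# Authentication feature page in IIS Manager.
# Assumptions: an elevated session on the IIS server, the WebAdministration
# module that ships with the Web Server (IIS) role, a site named
# 'Default Web Site' and an existing HTTPS binding for it.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                     # assumed site name
# The authentication sections are locked at the server level by default,
# so they have to be written to applicationHost.config as a <location>
# entry for the site; writing them to the site's web.config is rejected.
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$AuthBase = 'system.webServer/security/authentication'
$Methods  = 'anonymousAuthentication', 'basicAuthentication',
            'digestAuthentication', 'windowsAuthentication',
            'clientCertificateMappingAuthentication'

function Get-SiteAuthentication {
    # One object per IIS authentication method with its enabled state.
    param([string]$Site)
    foreach ($Method in $Methods) {
        $Section = Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter "$AuthBase/$Method"
        [pscustomobject]@{ Site = $Site; Method = $Method; Enabled = [bool]$Section.enabled }
    }
}

function Test-SiteRequiresSsl {
    # True when the site's sslFlags include 'Ssl', i.e. HTTPS is required.
    param([string]$Site)
    $Flags = (Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter 'system.webServer/security/access').sslFlags
    ("$Flags" -split ',\s*') -contains 'Ssl'
}

function Test-SiteAuthentication {
    # Emits one finding string per combination a security reviewer would object to.
    param([string]$Site)
    $Enabled = @{}
    Get-SiteAuthentication -Site $Site | ForEach-Object { $Enabled[$_.Method] = $_.Enabled }
    $Tls = Test-SiteRequiresSsl -Site $Site

    if ($Enabled['basicAuthentication'] -and -not $Tls) {
        "FINDING: Basic authentication is on but SSL is not required; the Base64-encoded username and password are readable on the wire."
    }
    if ($Enabled['clientCertificateMappingAuthentication'] -and -not $Tls) {
        "FINDING: Client certificate mapping is on but SSL is not required; client certificates are only presented over HTTPS."
    }
    $Authenticated = $Methods | Where-Object { $_ -ne 'anonymousAuthentication' -and $Enabled[$_] }
    if ($Enabled['anonymousAuthentication'] -and $Authenticated) {
        "FINDING: Anonymous access is on alongside $($Authenticated -join ', '); content is served anonymously unless the NTFS ACL denies the anonymous user (IUSR by default)."
    }
    if (-not $Enabled['anonymousAuthentication'] -and -not $Authenticated) {
        "FINDING: No authentication method is enabled; every request will be answered with HTTP 401."
    }
}

# --- Before: a freshly created site has anonymous on and everything else off ---
Get-SiteAuthentication -Site $SiteName | Format-Table -AutoSize
Test-SiteAuthentication -Site $SiteName

# --- Harden: Windows authentication (Kerberos/NTLM) only, over HTTPS ---
$Target = @{ PSPath = $AppHost; Location = $SiteName }
Set-WebConfigurationProperty @Target -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @Target -Filter "$AuthBase/basicAuthentication"     -Name enabled -Value $false
Set-WebConfigurationProperty @Target -Filter "$AuthBase/digestAuthentication"    -Name enabled -Value $false
Set-WebConfigurationProperty @Target -Filter "$AuthBase/windowsAuthentication"   -Name enabled -Value $true
# Require HTTPS so that the NTLM/Kerberos exchange and the authenticated
# session are not exposed to the network; needs the HTTPS binding assumed above.
Set-WebConfigurationProperty @Target -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# --- After: no output from the check means no finding ---
Get-SiteAuthentication -Site $SiteName | Format-Table -AutoSize
Test-SiteAuthentication -Site $SiteName
```

The changes take effect without restarting IIS. Running only the first half (the two Get/Test calls) is a harmless read-only audit that can be pointed at every site on the server; the Set-WebConfigurationProperty calls are the part to review against the application’s own requirements, since a site whose users are outside the domain will prompt for credentials or fail once anonymous access is turned off.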