IIS 6: The Complete Reference
Security policies are a method of enforcing security standards on a machine. Using security templates you can enforce predefined sets of policies. You can also use security policies to enforce a certain registry key setting. If you are a member of an Active Directory domain, you can use a Group Policy Object (GPO), and all the servers in the domain will inherit those settings; otherwise, you can use a local security policy.
Creating a Local Security Policy
To modify the local security policy, choose Start | Administrative Tools | Local Security Policy. In the Local Security Settings window shown in Figure 6-3, you can directly edit your security policies.
Five main categories of policies appear in the local security policy:
- Account Policies: Configure the password and account lockout policies.
- Local Policies: Configure Audit Policy, User Rights Assignment, and Security Options:
  - Audit Policy: Sets up auditing for the server. You can audit success and/or failure events for the following items:
    - Account Logon
    - Account Management
    - Directory Service Access
    - Logon Events
    - Object Access
    - Policy Change
    - Privilege Use
    - Process Tracking
    - System Events
  - User Rights Assignment: Specify granular user rights for specific user accounts or groups (otherwise known as security objects). To add a security object to a policy, in the Local Security Settings window, right-click the policy name and choose Properties. Then click the Add User Or Group button, browse to the specific security object, highlight it, and click Add. To remove a security object from the policy, select the object and click Remove.
  - Security Options: Specify security options for the server. While these options do not deal specifically with IIS, they can make the server more secure overall.
- Public Key Policies: Handle options for the Encrypting File System (EFS), which allows for encryption at the file level. If you have EFS enabled, you can set recovery agent information here.
- Software Restriction Policies: Control which software can run on a machine and which user accounts are allowed to run that software.
- IP Security Policies: Allow you to configure whether the server uses IPSEC for encrypting communication on the network. There are three settings:
  - Client (respond only): Uses IPSEC if the other machine requests it.
  - Server (request security): Attempts to negotiate IPSEC with the machine it is communicating with. If that fails, it communicates without encryption.
  - Secure Server (require security): Forces IPSEC communication. If the other machine does not use IPSEC, the communication fails.
Using the Local Security Policies
Once you have a security policy defined, you can export it from one machine and import it to another. This allows you to create a single template and apply it to any number of servers.
Importing a Local Security Policy
You can use template files to configure the local security policy by importing an .inf file that contains the settings. This allows you to configure multiple machines without having to check every setting manually on each one. Several sample security templates come with WS03 in the %systemroot%\security\templates directory. You can use these templates or create your own. To import a template file, click Security Settings and choose Action | Import Policy in the menu bar. Then browse to the template file and click Open. The imported settings overwrite whatever settings are currently configured.
Exporting a Local Security Policy
After you have configured a system to your specifications, you can export the security template to an .inf file for use on other systems. To export the security policy, click on Security Settings and choose Action | Export Policy in the menu bar. Then browse to the directory into which you wish to save the policy, type a filename, and click Save.
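Before a template exported this way is imported onto other servers, it is worth checking the .inf against a baseline. The following Python script is an added example, not code from the book: the sample template and the baseline thresholds (minimum password length 8, complexity on, lockout enabled, failure auditing on, RestrictAnonymous set) are constructed for illustration and are not the book's recommendations.

```python
import configparser

# Constructed sample in the style of a Windows Server 2003 security template
# (.inf); real exports are Unicode text, read them with open(p, encoding="utf-16").
SAMPLE_TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 0
AuditPolicyChange = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

RESTRICT_ANON = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"
AUDIT_FAILURE = 2  # audit values are a bitmask: 1 = success, 2 = failure, 3 = both

def parse_template(text):
    """Parse the INI-style template; keep key case since registry paths are keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def account_value(cp, key):
    """Integer value from [System Access]; 0 if the template leaves it unset."""
    return int(cp.get("System Access", key, fallback="0"))

def check_template(text):
    """Return (setting, problem) pairs where the template falls below the
    assumed baseline coded here; an empty list means it passes."""
    cp = parse_template(text)
    findings = []
    if account_value(cp, "MinimumPasswordLength") < 8:
        findings.append(("MinimumPasswordLength", "shorter than 8 characters"))
    if account_value(cp, "PasswordComplexity") != 1:
        findings.append(("PasswordComplexity", "complexity not enforced"))
    if account_value(cp, "LockoutBadCount") == 0:  # 0 = never lock out
        findings.append(("LockoutBadCount", "account lockout disabled"))
    for key in ("AuditLogonEvents", "AuditAccountLogon", "AuditPolicyChange"):
        if int(cp.get("Event Audit", key, fallback="0")) & AUDIT_FAILURE == 0:
            findings.append((key, "failure events not audited"))
    _, data = cp.get("Registry Values", RESTRICT_ANON, fallback="4,0").split(",", 1)
    if data.strip() == "0":
        findings.append(("RestrictAnonymous", "anonymous enumeration allowed"))
    return findings
```

Run against the sample it reports five gaps; run against an export from a hardened server it should return an empty list.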
Refreshing the Security Policy
When you change a setting in the security policy, it is not immediately refreshed. Instead, the policy is refreshed on bootup and every 90 minutes for non-domain controllers. Domain controllers are refreshed every 5 minutes. If you want a change to take effect immediately, open a command prompt and type gpupdate.exe. In WS03, that’s all you need to do to refresh the security policy.
Domain Security Policies
The templates for a domain security policy are the same as for the local security policy. The difference is that domain security policies are applied to all servers in the domain instead of just the local server on which they are configured. Domain security policies are configured in the Domain Security Policy Microsoft Management Console (MMC) snap-in, which is located in the Start Menu under Administrative Tools on your domain controllers.