Hites

jghjghjg

l;kl;

[pic]

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

White Paper

Published: June 2004

For the latest information, please see http://www.microsoft.com/isaserver/

Contents

Introduction 1

Advanced HTTP Filtering 2

Delegation of Basic Authentication 3

Outlook Web Access Forms-based Authentication 4

RADIUS Authentication of Incoming Web Site Connections 5

SecurID Authentication of Incoming Web Site Connections 6

SSL-to-SSL Bridging 7

Flexible Web Site Redirection 8

Secure Web Server Publishing Wizards 9

Protection of Internal Server Names with Link Translation 10

Use of Custom Firewall Groups to Control Web Site Access 11

Conclusion 12

Introduction

Attacks against Web servers are the most common form of attack against corporate resources. Web sites exposed to Internet users must be secured to the greatest extent possible in order to successfully fend off repeated attacks from Internet intruders.

The first step in protecting publicly available Web servers is to harden the underlying operating system and the Web server components as much as possible, while leaving the Web applications’ functionality intact. The next step is to place an application-layer-aware firewall in front of the Web server. Such a firewall inspects incoming and outgoing Web communications moving through the firewall, assesses their safety and validity, and then allows or denies communications based on this assessment.

While security is a primary concern when allowing Internet users access to corporate Web resources, security without accessibility is of marginal value. A firewall must be able to provide a high level of security while at the same time giving the firewall administrator a high level of control over how Internet users access corporate Web resources.

Microsoft® Internet Security and Acceleration (ISA) Server 2004 is an...