I'm developing a website that runs on IIS 7 and can connect to SQL Server via PHP. The problem is I think it's not safe, because everyone who knows my public IP address can freely access my site (the site is not for the public, but I need it to be accessible to some people). How can I add security to this website of mine?
I have searched for some type of security like authentication in IIS, but I don't know what should be used. Can I just add an ID and password, like when we open the page to configure a router (192.168.0.1)?
You can easily disable anonymous authentication and enable basic authentication in IIS 7 using IIS manager.
Here is a Technet link and an SO post with details:
Is it a standalone server or do you run the IIS server on a desktop?
If you're the only one who should access your site, you could also use Integrated Windows Authentication (IWA). IWA is a feature of the IIS server, so if you want to use it you should enable it first.
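The change described in the first answer (anonymous off, Basic on), scripted instead of clicked through IIS Manager. This is an added example, not part of the original posts. It assumes IIS 7 or later with the WebAdministration module, the Basic Authentication role service installed, an https binding already on the site, and a hypothetical site name `Intranet`.

```powershell
# Added example. 'Intranet' is a hypothetical site name; run from an elevated prompt.
Import-Module WebAdministration

$site    = 'Intranet'                     # hypothetical site name
$apphost = 'MACHINE/WEBROOT/APPHOST'      # applicationHost.config
$auth    = 'system.webServer/security/authentication'

# The authentication sections are locked at server level by default, so the
# settings go into applicationHost.config under a <location> for the site
# (-Location) rather than into the site's web.config.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/basicAuthentication" -Name enabled -Value $true

# Basic authentication sends the password base64-encoded, not encrypted, so
# refuse any request that does not arrive over SSL/TLS.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Read one attribute back. Depending on the attribute type the cmdlet returns
# either the bare value or an object carrying it in .Value; handle both.
function Get-SiteSetting([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $apphost -Location $site `
        -Filter $Filter -Name $Name
    if ($v -is [string] -or $v -is [bool]) { $v } else { $v.Value }
}

$anonymous = Get-SiteSetting "$auth/anonymousAuthentication" 'enabled'
$basic     = Get-SiteSetting "$auth/basicAuthentication" 'enabled'
$sslFlags  = [string](Get-SiteSetting 'system.webServer/security/access' 'sslFlags')

# Stop if the site is still open to anonymous users or to plain HTTP.
if ($anonymous -or -not $basic -or $sslFlags -notmatch '\bSsl\b') {
    throw "Site '$site' still allows anonymous or plain-HTTP access."
}
"Site '$site': anonymous=$anonymous basic=$basic sslFlags=$sslFlags"
```

Basic authentication validates against Windows accounts, so each person who needs access requires a local or domain account on the server.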
I am currently running:
Windows Server 2016
SQL Server 2016
IIS
Cognos Analytics 11.1.7
SSO
SSL
MS Active Directory
This is a single-server install, so the content manager, dispatcher, and gateway are all on one Windows machine. On the ibmcognos application in IIS, Windows Authentication is enabled and Anonymous Authentication is disabled. In Cognos Configuration, "Allow anonymous access?" is set to False.
I want to make my Cognos offering available on the Internet. So I'm thinking I need "Allow anonymous access?" set to True and Anonymous Authentication is enabled. But I'm sure it's more complicated than that.
Here's what I'm thinking:
Add a Windows Server with IIS to my environment.
Install Cognos gateway on the new server.
Configure IIS for Cognos and allow anonymous authentication.
Configure Cognos (gateway) to point to my existing system.
Change "Allow anonymous access?" (on my existing system) to True.
For testing, can this all live on one server?
Install Cognos gateway into a separate folder.
Add a web site to the IIS web server.
Configure the new web site to use the new gateway and anonymous authentication.
Is that it? Is it that simple?
I know I'll need to adjust folder permissions in Team Content as appropriate to accommodate Everyone and still provide security.
I know there are risks concerning potential workloads on the Cognos server when I allow the entire planet access to it.
This turned out to be simpler. No additional install is needed. All that is needed is to change "Allow anonymous access?" to True on my initial configuration and allow Anonymous Authentication in IIS. Then all users get access to the objects that Everyone can see. To get access to internal-only content, they must click on the Personal menu and select Sign in. Not tested, but anyone not already authenticated in the Active Directory domain should get challenged for credentials.
I'm running IIS 7.0 on a Windows 2008 R1 Server and want to set up IIS Manager Users. Due to some fact, every last try to access the site is rejected (HTTP Unauthorized).
The following additional IIS components are installed:
Security\Basic Authentication
Security\URL Authorisation
Management Tools\IIS Management Console
Management Tools\Management Service
Then I configured the Management Service to use Windows or IIS-Manager-User Credentials.
I also added some IIS-Manager-Users and activated them on my Website.
On the Authentication Settings Pane, I disabled anonymous access and enabled basic authentication.
As a result, when browsing the website, a password is now required. The thing is, I can access the page with Windows Credentials, but not with the IIS Manager User Credentials. In this case the result is always HTTP 401 - Unauthorized.
What am I missing?
IIS Manager Users are meant for administration of IIS (aka management of the sites/apps) and not for accessing the server at runtime (normal browsing of content).
Having said that, you can make that work if your scenario is to use the same users for potentially administration (like using WMSVC) and runtime, and I wrote a blog about it in 2008 on how to set it up:
http://blogs.msdn.com/b/carlosag/archive/2008/09/26/using-iis-manager-users-in-your-application.aspx
I configured the Default website in IIS for SSL by creating a CSR using the IIS itself, submitted it to a CA, and assigned the issued certificate as the server certificate. That's all that is required in this world to set up server SSL. But when I open the https URL it says "Internet Explorer cannot display the webpage". Which pillar should I bang my head against to get it working? The only help from Microsoft I could find is that useless article http://support.microsoft.com/?id=290391 that presupposes you are configuring a non-default website for SSL and goes on and on about port conflict. I'm using default website for https.
I'm using Windows XP, IIS 5.1 and Microsoft Management Console 3.0.
Please help or courier me a shotgun for shooting myself.
Edit: After I configured IIS for SSL, the Apache Tomcat server which had been configured on port 8080 has suddenly stopped working. The 8080 urls just timeout. What is the connection?
Edit: Because I can't live without Tomcat on my machine, I used another machine to set up IIS SSL after stopping Tomcat there. I face the same problem there, "Internet Explorer cannot display the webpage". Please help before I shoot myself.
Don't shoot!
XP has given me fits with SSL... have you tried setting the application pool to high/isolated setting up the website with an identity under COM?
That seemed to solve some issues for me.
Also - did you make sure to set it up in the correct stores? Is this an application that is running under your account or a service account? If it is a service account you may need to do a RUN AS on the certificate management console and add under that user's personal store as well as under the appropriate store for the machine/computer.
Good luck.
Webdeploy is very convenient from Visual Studio 2010. Today I am using it to publish my project via a remote deploy agent (http://x.x.x.x/MsDeployAgentService) to a production web server facing Internet.
Although administrator password is required, is it a good practice to leave http://x.x.x.x/MsDeployAgentService accessible to everyone or should I care more about the security of this subpath so that it cannot be accessed from Internet?
If I need to allow deployment only from certain internal URLs, how do I secure the deployment agent service?
It seems pretty secure as a few shared hosts are using it for their clients.
Security note
Set it up so that you are using IIS managers and not Windows Logins.
There is an implicit restriction on what IIS managers can do, rather than Windows, and passing out Windows logins means access via RDP to the server (usually).
After deploying my web site to the IIS server, when I browse my web site kept under Default Web Site, it displays the error message "You are not authorized to view this page". Please solve this issue.
Sounds like you don't have the default document set correctly. You may need to add Default.aspx to the list.
Other things to look at:
That you're targeting .Net Framework 2.0
That the permissions on the actual files on the server are adequate for the identity the website is running as
That you have enabled anonymous access if you don't want Windows authentication