Windows NT Server 4.0 Notes


Module 13: Internetworking and Intranetworking

Security Considerations

It is possible to integrate a corporate intranet with the Internet; both can be supported by the same network system. The following security implications should be considered before attempting to integrate an intranet with the Internet.

  • Maintain data that is downloaded to an intranet site separately from information distributed over the Internet.
  • Usually, intranet sites are casual and informal, while Internet sites generally reflect the public image for the organization.
  • It may not be advisable to grant full intranet access to Internet users.

IIS and PWS Overview

  • Internet Information Server (IIS) and Peer Web Services (PWS) make it possible to publish information or services (Web pages, interactive applications) and to post and track databases on the Web.
  • They support the Internet Server Application Programming Interface (ISAPI). This is used to create interfaces that can be used for client/server applications.

IIS and PWS are network file and application servers that use:

  1. HTTP is used to create and navigate Web hypertext documents and applications.
  2. The Gopher service is a hierarchical system used to create links to other computers or services, to put these links into custom menus, and to annotate files and directories.
  3. FTP is used to transfer files between two computers on a TCP/IP network.

| IIS | PWS |
|---|---|
| Any computer running Windows NT Server | Any computer running Windows NT Workstation |
| Supports heavy usage | Used for a small-scale Web server or an individual |

Both can use Performance Monitor and Event Viewer.

Key features that IIS and PWS provide for a computer running Windows NT:

| Feature | Use this feature to |
|---|---|
| File publication | Publish existing files from Windows NT |
| Network management | Monitor and record network activity and provide clients with access to valuable network resources such as HTML pages, shared files and printers |
| Security | Provide clients with secure access to Internet and intranet resources |
| Support for common Internet standards | Enable development of Web applications using languages such as CGI (Common Gateway Interface) and PERL (Practical Extraction and Report Language) |
| Microsoft Internet Explorer | Give Windows 3.11, Windows for Workgroups, Windows NT, Windows 95 and Macintosh easy access to the Web |
| Scalability | Enable Internet access to multiple platforms running on standard hardware packages, including single and multiprocessor servers |
| Support for Microsoft BackOffice applications | Provide businesses with the ability to deliver commercial solutions on the Web (SQL Server and SNA Server) |

IIS Installation Requirements:
  • Windows NT Server computer with TCP/IP
  • CD-ROM drive or LAN connection to server sharing installation files
  • Adequate disk space for published information content. Using NTFS file and directory permissions to secure all of the disks used with IIS is recommended.
  • Previous versions of FTP, Gopher or other Web services should be disabled.

Changes can be made to a current installation of IIS through the Internet Information Server Setup icon located in the Microsoft Internet Server (Common) folder.

IIS can be installed when Windows NT Server is installed, or later using the Network program or the Install Internet Information Server icon located on the desktop.

PWS Installation Requirements:
  • Windows NT Workstation 4.0 and TCP/IP
  • The rest of the requirements are the same as for IIS. Install PWS through the Network applet in Control Panel.


Changes can be made to a current installation of PWS through the Peer Web Services Setup icon located in the Microsoft Peer Web Services Internet Server (Common) folder.

Configuring IIS and PWS

Use Microsoft Internet Service Manager (ISM) to:

  • Enhance configuration and performance for both IIS and PWS; ISM is located in both Common folders.
  • Provide a mechanism to configure and monitor the Internet services running on any computer running Windows NT in the network.

Internet Service Manager List Box

    ISM enables management of multiple servers from one computer. The ISM default view, Report, lists the computers on the network and their installed services. Report view also provides the following tasks:

    1. Connect to servers and view server properties.
    2. Start, stop, or pause a service.
    3. Select which services should be displayed.
    4. Configure server properties.

Properties

    In ISM, double-click a computer or service to display its properties. These components can be configured here:

  • User connections, and user logon and authentication requirements
  • The home directory for each service
  • Server activity tracking through the Logging tab
  • Secured access by IP address and bandwidth for each service

Configuring Services

ISM can be used to configure the following services:

  • WWW service: set and show a default document when users don’t specify a particular file.
  • Gopher service
  • FTP service
    • Add an annotation file to each directory to help describe the files in that directory.
    • To let FTP clients view files on Windows NT NTFS partitions in the same format as a traditional UNIX FTP server, select UNIX on the Directory Listing Style tab. (check this out)

Securing Internet and Intranet sites

Allow Anonymous Access with the Internet Guest Account.
  • On many Internet servers, access is anonymous; a user name and password are not required.
  • A Guest account, IUSR_computername, is created during IIS or PWS installation. This account is used when allowing anonymous connections.

Note: The Internet Guest account is added to the Guest group. Changes to the Guest group user rights and resource permissions also apply to the Internet Guest account.

Require a User Name and Password on WWW and FTP resources

There are two types of authentication available when requiring a user name and password:

  1. Basic Authentication does not encrypt transmissions between client and server. Intruders could discover valid user names and passwords.

  2. Windows NT Challenge/Response authentication, supported by Microsoft Internet Explorer version 2.0 or later, protects the password, thereby providing a secure logon over the network. The user account obtained from the client is the one with which the user logged on at the client.

Note: The FTP server supports only Basic authentication, so an FTP site is more secure if only anonymous connections are allowed.
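
Added example (not part of the original notes): how the two schemes differ on the wire. The Python below classifies constructed HTTP requests by their Authorization header and shows that a Basic token decodes to the user name and password with no key, while an NTLM (Windows NT Challenge/Response) token does not carry the password. The requests, paths and credentials are made up for illustration.

```python
import base64
import binascii

# Constructed requests (not real traffic); paths and credentials are made up.
SAMPLE_REQUESTS = [
    "GET /reports/q1.htm HTTP/1.0\r\nAuthorization: Basic "
    + base64.b64encode(b"jsmith:Spring99").decode() + "\r\n\r\n",
    # Truncated, constructed NTLM negotiate token (Challenge/Response).
    "GET /reports/q1.htm HTTP/1.0\r\nAuthorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n",
    "GET /default.htm HTTP/1.0\r\n\r\n",  # anonymous request
]


def classify_request(raw):
    """Return (scheme, exposure) for one raw HTTP request.

    exposure is a dict only when credentials are recoverable by decoding.
    The password itself is never returned, only its length.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return scheme.lower(), None  # e.g. "ntlm": no password on the wire
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return "basic-malformed", None
        user, sep, password = decoded.partition(":")
        if not sep:
            return "basic-malformed", None
        return "basic", {"user": user, "password_length": len(password)}
    return "anonymous", None


def exposed_accounts(requests):
    """User names whose passwords crossed the network in recoverable form."""
    found = set()
    for raw in requests:
        scheme, exposure = classify_request(raw)
        if scheme == "basic":
            found.add(exposure["user"])
    return sorted(found)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify_request(req))
    print("accounts to reset:", exposed_accounts(SAMPLE_REQUESTS))
```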

Guidelines for Securing an Internet or Intranet Site:

  • Don’t allow blank passwords.
  • Require minimum password length.
  • Require frequent password change.
  • Require a different password each time a password must be changed.
  • Lock out accounts after failed logon attempts.
  • Require administrator to unlock locked accounts.
  • Require users with restricted hours to be automatically disconnected.
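
Added example (not part of the original notes): a check of the guidelines above against the account policy a server reports. The Python parses text in the layout printed by the Windows `net accounts` command and lists which guidelines the policy misses; the sample output is constructed, and the thresholds MIN_LENGTH and MAX_AGE_DAYS are assumptions, since the notes give no numbers. The administrator-unlock guideline is not checked.

```python
# Constructed sample in the layout `net accounts` prints; values are made up.
SAMPLE_WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

MIN_LENGTH = 8     # assumption: the notes say only "require minimum length"
MAX_AGE_DAYS = 90  # assumption: the notes say only "frequent" change


def parse_net_accounts(text):
    """Map each 'label: value' line to {lowercased label: value}."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(":")
        if sep and value.strip():
            settings[key.strip().rstrip("?").lower()] = value.strip()
    return settings


def as_int(value):
    # "Never", "None", "Unlimited" and missing settings all become None.
    return int(value) if value.isdigit() else None


def audit(settings):
    """Return the guidelines the reported policy does not meet."""
    findings = []
    length = as_int(settings.get("minimum password length", "")) or 0
    if length == 0:
        findings.append("blank passwords allowed")
    if length < MIN_LENGTH:
        findings.append("minimum password length below %d" % MIN_LENGTH)
    age = as_int(settings.get("maximum password age (days)", ""))
    if age is None or age > MAX_AGE_DAYS:
        findings.append("no password change at least every %d days" % MAX_AGE_DAYS)
    if as_int(settings.get("length of password history maintained", "")) in (None, 0):
        findings.append("password reuse allowed (no history)")
    if as_int(settings.get("lockout threshold", "")) in (None, 0):
        findings.append("no lockout after failed logon attempts")
    if as_int(settings.get("force user logoff how long after time expires", "")) is None:
        findings.append("users not disconnected when logon hours expire")
    return findings
```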

 


Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada