Security explanation for IIS server service account

Source: Internet
Author: User

In previous articles, we described the base set of ports that a server must open to perform the functions of a specific role. If the server uses static IP addresses, those ports are sufficient. To provide more functionality, you may need to open additional ports. Opening more ports makes the IIS servers in your environment easier to manage, but it can significantly reduce server security.

Because there is a large amount of interaction between domain members and domain controllers, in particular RPC and authentication traffic, you should allow all traffic between the IIS server and every domain controller. This traffic could be restricted further, but in most environments that requires creating additional filters to protect the server effectively.

This makes IPSec policies difficult to implement and manage. A similar rule has to be created for every domain controller that will interact with the IIS server, and to improve the reliability and availability of the IIS server you need to add rules for all domain controllers in the environment.

If Microsoft Operations Manager (MOM) is running in the environment, all network traffic is allowed between the IIS server that enforces the IPSec filters and the MOM server. This is required because of the large amount of interaction between the MOM server and the OnePoint client, the agent application that reports to the MOM console.

Other management software may have similar requirements. If you need a higher level of security, you can configure the filter action for the OnePoint client to negotiate IPSec with the MOM server.

This IPSec policy effectively blocks traffic on all high ports, so it does not allow Remote Procedure Call (RPC) traffic. This can make IIS servers difficult to manage. Because so many ports have been closed, Terminal Services can be enabled so that administrators can still perform remote management.
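The following is an added example, not part of the original article, showing how the filtering described above (block by default, permit web traffic, permit all traffic to each domain controller and to the MOM server, permit Terminal Services) can be expressed as a Windows IPSec policy with `netsh ipsec static`. The addresses 192.0.2.10/11 (domain controllers) and 192.0.2.20 (MOM server) are constructed placeholders; the commands run unchanged from cmd or PowerShell in an elevated prompt on the IIS server.

```powershell
# Added example: IIS role IPSec policy built with netsh ipsec static.
# Constructed placeholder addresses: 192.0.2.10 / 192.0.2.11 = domain controllers,
# 192.0.2.20 = MOM server. Replace them with your own before assigning the policy.

netsh ipsec static add policy name=IIS-Server-Policy

# Filter actions: plain permit and plain block.
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block  action=block

# 1) Default: block everything addressed to this host (mirrored covers replies).
#    Windows IPSec applies the most specific matching filter, so the narrower
#    permit filters below take precedence over this catch-all.
netsh ipsec static add filterlist name=All-Traffic
netsh ipsec static add filter filterlist=All-Traffic srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name=Block-All policy=IIS-Server-Policy filterlist=All-Traffic filteraction=Block

# 2) The web traffic the role exists to serve.
netsh ipsec static add filterlist name=Web
netsh ipsec static add filter filterlist=Web srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filter filterlist=Web srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes
netsh ipsec static add rule name=Permit-Web policy=IIS-Server-Policy filterlist=Web filteraction=Permit

# 3) All traffic (RPC and authentication) to every domain controller.
#    One filter per DC: this is the per-DC rule growth the article warns about.
netsh ipsec static add filterlist name=Domain-Controllers
netsh ipsec static add filter filterlist=Domain-Controllers srcaddr=me dstaddr=192.0.2.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist=Domain-Controllers srcaddr=me dstaddr=192.0.2.11 protocol=any mirrored=yes
netsh ipsec static add rule name=Permit-DCs policy=IIS-Server-Policy filterlist=Domain-Controllers filteraction=Permit

# 4) All traffic to the MOM server (OnePoint client <-> MOM console).
#    For the higher-security variant, use a filteraction with action=negotiate here.
netsh ipsec static add filterlist name=MOM
netsh ipsec static add filter filterlist=MOM srcaddr=me dstaddr=192.0.2.20 protocol=any mirrored=yes
netsh ipsec static add rule name=Permit-MOM policy=IIS-Server-Policy filterlist=MOM filteraction=Permit

# 5) Terminal Services for remote administration, since the high ports RPC needs are blocked.
netsh ipsec static add filterlist name=Terminal-Services
netsh ipsec static add filter filterlist=Terminal-Services srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add rule name=Permit-RDP policy=IIS-Server-Policy filterlist=Terminal-Services filteraction=Permit

# Activate the policy and review what is now in force.
netsh ipsec static set policy name=IIS-Server-Policy assign=yes
netsh ipsec static show policy name=IIS-Server-Policy
```

Assign the policy from a console session or with Terminal Services already permitted, since the Block-All rule takes effect as soon as the policy is assigned.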
