Unless absolutely required, do not run the IIS Server service in the security context of a domain account. If the physical security of the IIS server is compromised, the domain account password can easily be obtained by dumping the Local Security Authority (LSA) secrets.
Use IPSec filters to block ports
Internet Protocol Security (IPSec) filters provide an effective way to enforce the security level required for a server. We recommend this option in a high-security environment to further reduce the exposure of the IIS servers.
For more information about using IPSec filters, see the additional member server hardening procedures in this module.
The following table lists all the IPSec filters that can be created on an IIS server in the high-security environment defined in this guide.
IIS server IPSec network traffic map

| Service | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirror |
|---|---|---|---|---|---|---|---|
| OnePoint Client (MOM agent) | Any | Any | Any | ME | MOM server | Allow | Yes |
| Terminal Services | TCP | Any | 3389 | Any | ME | Allow | Yes |
| Domain Member | Any | Any | Any | ME | Domain controller | Allow | Yes |
| Domain Member | Any | Any | Any | ME | Domain controller | Allow | Yes |
| HTTP Server | TCP | Any | 80 | Any | ME | Allow | Yes |
| HTTPS Server | TCP | Any | 443 | Any | ME | Allow | Yes |
| All inbound traffic | Any | Any | Any | Any | ME | Block | Yes |
All the rules listed in the IIS server IPSec network traffic map should be mirrored. This ensures that any network traffic coming into the server can also be returned to the source server.
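As an added example, not one of the guide's own scripts, the following Windows Server 2003 batch file creates the filters from the traffic map above with `netsh ipsec static`; the MOM server and domain controller addresses are assumed placeholders, and the second Domain Member row is taken to be a second domain controller.

```batch
@echo off
rem Added example (not from the guide): builds the IIS server IPSec policy
rem from the traffic map above using "netsh ipsec static" on Windows Server 2003.
rem Assumed placeholders: replace the MOM server and domain controller
rem addresses below with your own before running.
set MOM=10.0.0.10
set DC1=10.0.0.1
set DC2=10.0.0.2
set POLICY=IIS Server IPSec Policy

rem Filter actions: one permit, one block.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem Filter lists. srcport=0 / dstport=0 mean "any port"; mirrored=yes
rem generates the matching return-direction filter for every entry.
netsh ipsec static add filterlist name="OnePoint Client"
netsh ipsec static add filter filterlist="OnePoint Client" srcaddr=me dstaddr=%MOM% protocol=any srcport=0 dstport=0 mirrored=yes
netsh ipsec static add filterlist name="Terminal Services"
netsh ipsec static add filter filterlist="Terminal Services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filterlist name="Domain Member"
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=%DC1% protocol=any srcport=0 dstport=0 mirrored=yes
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=%DC2% protocol=any srcport=0 dstport=0 mirrored=yes
netsh ipsec static add filterlist name="HTTP Server"
netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filterlist name="HTTPS Server"
netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes
netsh ipsec static add filterlist name="All Inbound Traffic"
netsh ipsec static add filter filterlist="All Inbound Traffic" srcaddr=any dstaddr=me protocol=any srcport=0 dstport=0 mirrored=yes

rem Policy and rules. IPSec applies the most specific matching filter, so the
rem permit rules take precedence over the catch-all block regardless of order.
netsh ipsec static add policy name="%POLICY%" description="IIS server packet filters"
netsh ipsec static add rule name="OnePoint Client" policy="%POLICY%" filterlist="OnePoint Client" filteraction="Permit"
netsh ipsec static add rule name="Terminal Services" policy="%POLICY%" filterlist="Terminal Services" filteraction="Permit"
netsh ipsec static add rule name="Domain Member" policy="%POLICY%" filterlist="Domain Member" filteraction="Permit"
netsh ipsec static add rule name="HTTP Server" policy="%POLICY%" filterlist="HTTP Server" filteraction="Permit"
netsh ipsec static add rule name="HTTPS Server" policy="%POLICY%" filterlist="HTTPS Server" filteraction="Permit"
netsh ipsec static add rule name="All Inbound Traffic" policy="%POLICY%" filterlist="All Inbound Traffic" filteraction="Block"

rem Review the policy before assigning it: once assigned, any traffic not
rem permitted above is dropped, including remote administration if the
rem Terminal Services rule were missing.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

Run the script from a console session on the server itself so that a mistake in the permit rules cannot lock you out of remote administration.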