Configure IIS Server security

Hello,

I am new at setting up IIS Web Servers . I need to make sure that a new Web
Server running on Windows 2003 SP1 server with IIS 6 is set up securely.
Here are the steps I've already taken:

1) Created two NTFS partitions - one for the system and another for data
2) Installed URLScan - not sure about the best way to configure it
3) Ran the 2003 SP1 Security Configuration Wizard
4) Renamed the admin account
5) Installed virus and spyware scanners
6) Ran the Microsoft Baseline Security Analyzer
7) Plan to use a Verisign certificate to secure the web site
8) Installed two NIC cards -- one to DMZ side of firewall and other to our
network to access a database required for the IIS server.
9) Redirected incoming SSL traffic to the IIS Server on the DMZ interface.

I would appreciate any other ideas on how best to secure an IIS server.

One other thing I'm concerned about is the fact that this server has two NIC
cards -- one connects to our firewall DMZ and the other connects to the local
network. Would it be easy for a hacker to get to our local network if he/she
accesses the server from the other card connected to the DMZ? In other words
could they connect to one interface and come out the other interface into our
network. What would be the best way to prevent this from happening?

Thanks in advance for you suggestions. I appreciate your help.

EddieF

I don't think step 8 is very smart if you want really secure setup.

If somehow I get access to the server (e.g. bug in the application running
on your server) I get free access to your LAN. The correct setup would be
one NIC (or even two NICs) but none of them directly connected to LAN. NIC
should only connect to DMZ and if it needs access to DB it should go through
firewall (and if possible use application layer filters on the
firewall...)...

--
Mike
Microsoft MVP - Windows Security

"EddieF" <EddieF@discussions.microsoft.com> wrote in message
news:BA1FBF1E-15DC-4026-941E-F6E722F206E9@microsoft.com...
> Hello,
>
> I am new at setting up IIS Web Servers . I need to make sure that a new
> Web
> Server running on Windows 2003 SP1 server with IIS 6 is set up securely.
> Here are the steps I've already taken:
>
> 1) Created two NTFS partitions - one for the system and another for data
> 2) Installed URLScan - not sure about the best way to configure it
> 3) Ran the 2003 SP1 Security Configuration Wizard
> 4) Renamed the admin account
> 5) Installed virus and spyware scanners
> 6) Ran the Microsoft Baseline Security Analyzer
> 7) Plan to use a Verisign certificate to secure the web site
> 8) Installed two NIC cards -- one to DMZ side of firewall and other to our
> network to access a database required for the IIS server.
> 9) Redirected incoming SSL traffic to the IIS Server on the DMZ interface.
>
> I would appreciate any other ideas on how best to secure an IIS server.
>
> One other thing I'm concerned about is the fact that this server has two
> NIC
> cards -- one connects to our firewall DMZ and the other connects to the
> local
> network. Would it be easy for a hacker to get to our local network if
> he/she
> accesses the server from the other card connected to the DMZ? In other
> words
> could they connect to one interface and come out the other interface into
> our
> network. What would be the best way to prevent this from happening?
>
> Thanks in advance for you suggestions. I appreciate your help.
>
> EddieF
>
>