In Part 1 we walked through the installation and configuration of Deployment Webservices. In this part we will focus on securing the Webservice.
There are five (5) main areas that I focus on to lock down the Webservice, and I’ll include two (2) optional areas for consideration:
- Use Request Filtering, which is basically what the old URL Scan morphed into from IIS 7 (Windows 2008) and above. Request Filtering gives a tighter level of control over the settings and where they are applied than URL Scan ever did.
- Authentication – Disable anonymous authentication. That should be a no-brainer!
- Authorization Rules – Only allow specific users access.
- Changing the authenticatedUserOverride serverRuntime setting to UseWorkerProcessUser. IIS 7.5 (Windows 2008 R2) and above allows us to configure IIS so that the worker process identity is used for accessing resources, such as the file system, whilst the authenticated user is only used for authorization purposes. This means that you only need to set NTFS permissions for the worker process identity.
- Setting NTFS Permissions on the DeploymentWebservice folder for the worker process identity.
- Optionally, you can also exclude some of the higher risk AD Functions.
- Optionally, you can also SSL enable the site with a certificate.