Walkthrough: Creating a Security Zone Part 2
This walkthrough builds on Walkthrough: Creating a Security Zone Part 1. In this walkthrough, you will learn how to complete the following tasks:
Set policy for applications hosted on the HardenedIIS Web server.
Import settings from an existing, configured IIS server onto HardenedIIS.
Evaluate the deployment of a Web service onto HardenedIIS.
To set policy for applications hosted on a Web server
Click the HardenedIIS Web server to view the Settings and Constraints Editor.
Select the ASP.NET Security check box under Application Constraints.
Select the ASP.NET Security heading adjacent to the check box.
The ASP.NET Security constraint dialog appears in the right pane of the Settings and Constraints Editor.
Under Allowed security modes, select Forms.
Make sure it is the only value selected.
Select Requires impersonation.
Note
Depending on the sizing of the Settings and Constraints Editor, you might need to use the scroll bars in the right pane of the editor to view this option.
In the left pane of the Settings and Constraints Editor, select the ASP.NET Session State check box.
Select the ASP.NET Session State heading adjacent to the check box.
Under Session state mode in the right pane of the editor, make sure SQLServer is the only value selected.
These two constraints require that any Web application hosted on this server use Forms authentication with impersonation and use SQL Server session state to store session information. These two constraint dialog boxes are examples of predefined constraints. The constraints you created earlier for script maps and secure bindings are examples of user-defined constraints. For more information about the types of constraints available and how to author them, see Constraining Application and Application Hosting Relationships and Common Application, System and Logical Server Configuration Tasks.
The next step is to import settings onto HardenedIIS from an existing IIS Web server. This step is optional. If you do not have an IIS Web server available to you, skip to the next procedure.
To import settings from an existing IIS Web server
Right-click HardenedIIS, and choose Import Settings.
The Import IIS Settings Wizard appears. Import settings from the Web server of your choice using the procedure specified in How to: Import Settings from an IIS Server. If the settings import fails, an error appears indicating why. For more information, see Troubleshooting IIS and ASP.NET Settings Import.
Using the IIS Import Wizard, you can import global settings, all Web sites, or application pools if you are importing from Windows Server 2003; application pools are not supported on Windows XP or in IIS before version 6.0.
After you have imported the settings, view them in the Settings and Constraints Editor by selecting HardenedIIS and then browsing the Logical Server Settings node. To find settings more easily, use the Search feature. For more information, see How to: Search for Settings.
The next step is to build a Web service and evaluate its deployment into this zone.
To build a Web service
In Solution Explorer, right-click the solution node, click Add and then click New Distributed System Diagram.
The Add New Item - Solution Items dialog box appears.
Under Templates, click Application Diagram and then click Add.
The new application diagram opens in Application Designer.
From the Toolbox, drag an ASP.NETWebService to the diagram and name it MyWebService.
Note
The Web Service Details window appears when you create the application diagram. For more information about how to use this window to view and author Web service operations, see Defining Operations for ASP.NET Web Services.
Right-click MyWebService, and choose Define Deployment.
The Define Deployment dialog box appears, with the existing logical datacenter diagram selected.
Click OK.
The deployment diagram opens in Deployment Designer. The deployment diagram is an exact replica of the referenced logical datacenter diagram and is used to evaluate the deployment of applications into the datacenter.
From the System View window, drag MyWebService onto HardenedIIS.
This action indicates that MyWebService should be deployed on the HardenedIIS Web server in the datacenter. Using the deployment diagram, you evaluate the success of this deployment based on what you know about the type and configuration of logical servers and zones in the datacenter, as well as the type and configuration of applications you propose hosting there.
Right-click the deployment diagram and choose Validate Diagram.
The following validation warnings appear in the Error List window:
"The constraint parameter 'Allowed Security Modes' requires that the setting 'Mode' be set to 'Forms', but it is currently set to 'Windows'."
"The constraint parameter 'Requires Impersonation' requires that the setting 'Impersonate' be set to 'True', but it is currently set to 'False'."
"The constraint parameter 'Session State Mode' requires that the setting 'Mode' be set to 'SQLServer', but it is currently set to 'InProc'."
"Setting must have at least one of the following values set: '{IPAddress="", Port="443"}'. Current value is '<null>'."
"Setting cannot have any of the following values set: '{FileExtension=".asmx", ScriptProcessor="%WINDIR%\Microsoft.NET\Framework\v2.0.40420\aspnet_isapi.dll"…."
These warnings occur because the settings requirements specified for applications hosted on HardenedIIS or in the PerimeterNetwork zone conflict with the actual settings of MyWebService, the hosted application. You set the first three requirements when you set the ASP.NET Security and ASP.NET Session State constraints on HardenedIIS using the Settings and Constraints Editor; the last two come from the secure bindings and script maps constraints you created earlier.
The next step is to fix these warnings.
To fix validation warnings
Right-click the first warning in the Error List window, point to Go To, and then choose Mode Setting on MyWebService (Application Diagram).
This action selects the Mode setting on MyWebService in the Settings and Constraints Editor.
Change the setting from "Windows" to "Forms".
Right-click the DefaultSystem1.dd file in Solution Explorer, and choose Open to display the deployment diagram.
Fix the second and third warnings using the same approach.
The fourth warning indicates that a communication constraint in the datacenter requires traffic to use the secure binding on port 443. As the author of the logical datacenter diagram, you know why this constraint exists. As a consumer of the logical datacenter diagram, you would determine why this warning occurs using the same process used to resolve the other warnings.
The last warning results from the script maps constraint on .asmx files. This constraint prevents Web services from being hosted within the PerimeterNetwork zone regardless of whether Web servers within the zone allow Web services to be hosted.
Re-validate the deployment diagram.
Fix any remaining warnings.
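The three ASP.NET constraints that Validate Diagram reported above map directly onto elements of the application's web.config. The following added example (not part of this walkthrough or of Visual Studio) applies the same checks to a web.config and reproduces the Deployment Designer's warning text, so you can see the weak settings beside the fixed ones; the sample configurations are constructed, and the binding and script map constraints are IIS metabase settings that it does not cover.

```python
"""Check an ASP.NET web.config against the three ASP.NET constraints set on HardenedIIS."""
import xml.etree.ElementTree as ET

# (constraint parameter, element under <system.web>, attribute, required value,
#  ASP.NET default that applies when the element or attribute is absent)
CONSTRAINTS = [
    ("Allowed Security Modes", "authentication", "mode", "Forms", "Windows"),
    ("Requires Impersonation", "identity", "impersonate", "True", "False"),
    ("Session State Mode", "sessionState", "mode", "SQLServer", "InProc"),
]


def check_web_config(xml_text):
    """Return one warning string per violated constraint (empty list if compliant)."""
    root = ET.fromstring(xml_text)            # the <configuration> element
    system_web = root.find("system.web")
    warnings = []
    for param, element, attr, required, default in CONSTRAINTS:
        node = system_web.find(element) if system_web is not None else None
        current = node.get(attr, default) if node is not None else default
        if current.lower() != required.lower():   # ASP.NET compares these case-insensitively
            warnings.append(
                f"The constraint parameter '{param}' requires that the setting "
                f"'{attr.capitalize()}' be set to '{required}', but it is currently "
                f"set to '{current}'.")
    return warnings


# Constructed sample: MyWebService's settings before the fixes in this walkthrough.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="false" />
    <sessionState mode="InProc" />
  </system.web>
</configuration>"""

# Constructed sample: the same application after the three settings are changed.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <identity impersonate="true" />
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=SESSIONDB;Integrated Security=SSPI" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_web_config(cfg) or ["no warnings"])
```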