HOW TO: Secure IIS in a UNIX-to-Windows Migration (324216)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Small Business Server 2000
  • Microsoft Internet Information Services 5.0

This article was previously published under Q324216

SUMMARY

This article is one in a series of articles that provides detailed information about performing a UNIX-to-Windows migration. This article describes the basic procedure to migrate the security settings for your Web site from Apache and UNIX to Internet Information Services (IIS) and Windows.

The articles in this series include the following:

324215 HOW TO: Prepare for a UNIX-to-Windows Migration

323970 HOW TO: Prepare the Target Server for a UNIX-to-Windows Migration

324213 HOW TO: Migrate Apache Settings and Configure IIS in a UNIX-to-Windows Migration

324538 HOW TO: Migrate Web Site Data in a UNIX-to-Windows Migration

324216 HOW TO: Secure IIS in a UNIX-to-Windows Migration

324539 HOW TO: Perform Maintenance and Ancillary Tasks after a UNIX-to-Windows Migration

324217 HOW TO: Test and Performance Tune After a UNIX-to-Windows Migration


Turn Off Directory Browsing

When Directory Browsing is turned on, clients can view a folder's contents instead of being served a default page or an error page. Directory Browsing is a potential security risk because it allows clients to see all of the pages in a specific folder, even if the pages do not form part of the Web site. If you use Apache, you use the Options directive to configure the Directory Browsing functionality. If you use IIS, this functionality is part of the folder specification.

For additional information about how to turn off Directory Browsing, click the article number below to view the article in the Microsoft Knowledge Base:

313075 HOW TO: Configure Web Server Permissions for Web Content in IIS


Configure Authentication

Authentication is the process of requiring and identifying an individual user before they are granted access to an area of a Web site. Apache handles authentication through a number of different mechanisms, from local files to external databases. IIS handles its authentication by providing a conduit to the Windows 2000 directory service.

When you migrate data to IIS, you must migrate both the settings and the users to Windows 2000 Active Directory to configure authentication for these sites.

For additional information about how to configure authentication, click the article numbers below to view the articles in the Microsoft Knowledge Base:

301457 HOW TO: View or Change Authentication Methods in IIS

310344 HOW TO: Configure IIS 5.0 Web Site Authentication in Windows 2000


Restrict Sites by User

If you use Apache and you want to restrict an individual user's access to a site or folder, you must implement an authentication system. You can use either a Directory directive or the .htaccess file to limit access to a specific group or to a list of users. If you use IIS, the authentication is built into the program and you can limit access by using the same controls that are used to define security for a Windows folder.

For additional information about how to restrict access to a site or folder on a user-by-user basis, click the article number below to view the article in the Microsoft Knowledge Base:

300985 HOW TO: Configure User and Group Access on an Intranet in Windows NT 4.0 or Windows 2000


Restrict Site Access by IP Address or Domain Name

If you are using Apache, you can use the Allow directive and the Deny directive to limit access to a folder or a Web site based on the Internet Protocol (IP) address or domain. Typically, you use these directives to restrict a Web site, for example an intranet, to your own company's users. IIS provides a similar system for limiting access.

For additional information about how to limit Web site or folder access by a specific IP address or domain name, click the article number below to view the article in the Microsoft Knowledge Base:

324066 HOW TO: Restrict Site Access by IP Address or Domain Name


Migrate User and Group Information

Because IIS uses Active Directory to hold authentication information, you must migrate the user and group information from the different sources that are used in your Apache installation to IIS and Active Directory. You can use a variety of utilities to help migrate the user and group information. For example, you can use the adduser command to add users easily, and you can use Windows Services for UNIX.

For additional information about how to migrate user and group information, click the article number below to view the article in the Microsoft Knowledge Base:

324222 HOW TO: Migrate User and Group Information
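
Before you work through the sections above (directory browsing, authentication, per-user restrictions, IP or domain restrictions, and user migration), it helps to list which of these Apache settings each folder actually uses. The following Python sketch is an added example, not part of the original article or any Microsoft tool; the sample configuration, function names, and section mapping are constructed for illustration.

```python
import re

# Constructed httpd.conf fragment for illustration (not from the article).
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/intranet">
    Options -Indexes
    AuthType Basic
    AuthUserFile /etc/httpd/passwd
    Require user alice bob
    Order deny,allow
    Deny from all
    Allow from 192.168.1
</Directory>
"""

# Apache directive -> section of this article covering the IIS equivalent.
IIS_TASK = {
    "options": "Turn Off Directory Browsing",
    "authtype": "Configure Authentication",
    "authuserfile": "Migrate User and Group Information",
    "require": "Restrict Sites by User",
    "allow": "Restrict Site Access by IP Address or Domain Name",
    "deny": "Restrict Site Access by IP Address or Domain Name",
}
TOP = "(server-wide or .htaccess)"

def inventory(conf_text):
    """Return (scope, directive, arguments, article section) tuples."""
    findings, scope = [], TOP
    for line in map(str.strip, conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            scope = opened.group(1)
        elif re.match(r"</Directory\s*>", line, re.I):
            scope = TOP
        elif line and not line.startswith("#"):
            name, args = (line.split(None, 1) + [""])[:2]
            if name.lower() in IIS_TASK:
                findings.append((scope, name, args.strip(), IIS_TASK[name.lower()]))
    return findings

def browsing_enabled(findings):
    """Scopes where Options enables listings (All implies Indexes)."""
    return [scope for scope, name, args, _ in findings
            if name.lower() == "options"
            and re.search(r"(?<!-)\b(Indexes|All)\b", args, re.I)]
```

Run `inventory()` over httpd.conf and over each .htaccess file; every tuple names the section of this article that covers the matching IIS setting, and `browsing_enabled()` lists the folders where directory listings are currently on.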


Set IIS Permissions for Specific Objects

Apache uses the underlying UNIX file permissions and the settings in the .htaccess file to limit access to specific elements. If you use IIS, you can set permissions for different objects in a Web site independently of their underlying file permissions.

For additional information about how to set IIS permissions for specific objects, click the article number below to view the article in the Microsoft Knowledge Base:

324068 HOW TO: Set IIS Permissions for Specific Objects


Set Folder Security for Shared Folders

If you are sharing your Web site as a folder so that it can be updated by other users who modify the source files, you must set security permissions for the files in the folder.

For additional information about how to set folder security for shared folders, click the article number below to view the article in the Microsoft Knowledge Base:

324067 HOW TO: Set Folder Security for Shared Folders


Migrate .htaccess Data in a UNIX-to-Windows Migration

Although IIS does not support the Apache .htaccess file, you can emulate this file's effects on individual folders in IIS and provide some user-customizable options for managing these folders without compromising the security of your computer.

For additional information about how to migrate .Htaccess data to IIS, click the article number below to view the article in the Microsoft Knowledge Base:

324064 HOW TO: Migrate .HTACCESS Data in a UNIX-to-Windows Migration


Use the IIS Permissions Wizard

You can use the IIS Permissions Wizard to simplify and automate the process of setting permissions across a range of folders and objects. If you use this tool, you simulate the effects of the inherited security and authentication settings that Apache users get by copying .htaccess files around to set parameters for a folder.

For additional information about how to use the IIS Permissions Wizard, click the article number below to view the article in the Microsoft Knowledge Base:

324070 HOW TO: Use the IIS Permissions Wizard


Use the IIS Lockdown Tool

You can use the IIS Lockdown Tool to set the levels of security that you want to use to secure a full Web site and the associated files. You can also use this tool to quickly reproduce the settings on an Apache Web site without manually setting these values.

For additional information about how to use the IIS Lockdown Tool, click the article number below to view the article in the Microsoft Knowledge Base:

310725 HOW TO: Run the IIS Lockdown Wizard Unattended in IIS


Install an SSL Certificate for a UNIX-to-Windows Migration

To secure communications, you must install a Secure Sockets Layer (SSL) certificate in a site and transfer existing certificates from an Apache installation to IIS during a migration process. You can install a certificate directly in IIS without performing any additional migration steps.

For additional information about how to install an SSL certificate, click the article number below to view the article in the Microsoft Knowledge Base:

310178 HOW TO: Install Imported Certificates on a Web Server in Windows 2000


Set Up HTTPS Services

For additional information about how to set up a secure HTTP service, click the article number below to view the article in the Microsoft Knowledge Base:

324069 HOW TO: Set Up an HTTPS Service in IIS


REFERENCES

For more information about how to migrate from UNIX to Windows, visit the following Microsoft Web site:

Modification Type: Minor
Last Reviewed: 7/15/2004
Keywords:kbhowto kbHOWTOmaster KB324216 kbAudITPro