Installing required software

Configuring Internet Information Services to avoid the detection of hidden directories

Web-based applications will sometimes inadvertently expose a site's directory structure. Although the exposed directories do not list their contents, the exposed directory information is detrimental to the site's overall security. By knowing a directory's name, a potential hacker can guess its content and possible file names that reside within. Sensitive content can pose a severe security threat when directory names are exposed.

To avoid this potential security risk, you can issue 404 - Not Found response status codes instead of 403 - Forbidden response status codes. This change will obfuscate the presence of directories on the site, and will prevent the site structure from being exposed.

You must be a member of the Administrators group on the local computer to perform the following procedure, or you must be delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Windows Run as command to run the Internet Information Services Manager as an administrator.

- Open a Windows Command Prompt and enter the following:

    runas /user: "mmc %systemroot%\system32\inetsrv\iis.msc"

  Where is the account name for someone with administrative authority to the workstation.

- In Internet Information Services Manager, expand the local computer, expand Web Sites, right-click Default Web Site, and then select Properties.

- Click the Custom Errors tab.

- In the Error Messages for HTTP Errors list, select the HTTP error 403;14, and click Edit Properties.

- Select URL from the Message Type list box.

- Enter the following in the URL field:

    /spssmr/shared/404-custom.asp

- Click OK, and then click OK again.

- Exit the Internet Information Services Manager.

- Launch the Windows Registry Editor (type regedit in a Windows Command Prompt).

- Navigate to the following location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

  Create a new DWORD value named IgnoreAppPoolForCustomErrors and give it a value of 1.

- Open a Windows Command Prompt and enter iisreset.

Installing Microsoft SQL Server

You must have SQL Server installed on at least one machine.

- To install SQL Server, follow the instructions that come with the application.
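A post-change check for the Internet Information Services procedure above (the 403;14 custom error, the IgnoreAppPoolForCustomErrors value and iisreset), as an added PowerShell example that is not part of the original guide. The base URL and the test directory are assumptions to replace with your own values; the check also relies on the guide's statement that the custom error page answers with a 404 status.

```powershell
# Added check, not from the guide. Run it on the IIS server after iisreset.
# Assumed: $BaseUrl, and $KnownDir naming a directory that exists on the site,
# has no default document and has directory browsing disabled.
param(
    [string]$BaseUrl  = 'http://localhost',
    [string]$KnownDir = '/REPLACE-WITH-EXISTING-DIRECTORY/'
)

function Get-StatusCode([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx arrive as a WebException that still carries the response
        $resp = $_.Exception.GetBaseException().Response
        if (-not $resp) { throw }
    }
    try { [int]$resp.StatusCode } finally { $resp.Close() }
}

# 1. Registry value created in the procedure
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$name  = 'IgnoreAppPoolForCustomErrors'
$prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$regOk = ($null -ne $prop) -and ($prop.$name -eq 1)

# 2. An existing directory must answer like a path that does not exist
$root        = $BaseUrl.TrimEnd('/')
$randomPath  = '/' + [guid]::NewGuid().ToString('N') + '/'
$codeKnown   = Get-StatusCode ($root + $KnownDir)
$codeMissing = Get-StatusCode ($root + $randomPath)

"Registry $name = 1        : $regOk"
"Existing directory status : $codeKnown"
"Nonexistent path status   : $codeMissing"

if ($codeKnown -eq 403) {
    Write-Warning '403 returned: the directory is still distinguishable from a missing path.'
} elseif ($codeKnown -eq 404 -and $codeMissing -eq 404 -and $regOk) {
    'OK: existing and nonexistent paths both return 404.'
} else {
    Write-Warning 'Unexpected result: recheck the 403;14 custom error and the registry value.'
}
```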