The specifics of how Internet Information Services (IIS) Manager is used to configure Web security differ depending on the operating system version and on the version of IIS installed. This discussion therefore concentrates on which configurations may be used and which pitfalls to avoid, rather than on the mechanics of setting them.
Two examples of how to modify IIS security settings are given here:
- With Windows Server 2003 and IIS version 6.0, navigate from the Start button to Programs > Administrative Tools and start Internet Information Services (IIS) Manager. Expand the Web Sites node in the left-hand pane to find the PR-Tracker application, then right-click on it and select Properties. The Directory Security tab of the Properties dialog provides access to the settings of interest.
- With Windows Server 2008 and IIS version 7.0, start Internet Information Services (IIS) Manager and similarly expand the Sites node to find the PR-Tracker application. In this case, double-click on the Authentication icon in the middle pane and select the sub-feature that you want to modify. You may need to work with other icons as well - for example, if you want to use IP address and domain restrictions, as described below.
Using SSL/HTTPS with a login name and password is the most secure option. Microsoft Help and Support describes how to set up SSL/HTTPS on IIS - or use a Web search to find the most current information. In the PR-Tracker Connect Dialog, uncheck Connect without using login name and password, and enable Basic Authentication in IIS. Also make sure that anonymous access and all other available authentication methods are disabled in IIS. This approach requires that each PR-Tracker user also be set up as a Windows user on the server.
Another secure option (though less so than using SSL/HTTPS as described above) is to set up IIS to allow anonymous access, with all types of authenticated access disabled, and to set up PR-Tracker to check the user's domain and login name. Select Setup | Manage Users from the PR-Tracker menu and enter one or more Windows Login(s) for each user. Also click the Set Security Mode button and select the Verify ... option. For more detailed information, please see the PR-Tracker Help topic Managing Users. This approach does not require that each PR-Tracker user be set up as a Windows user on the server.
Regardless of which of the above approaches you choose, you may increase security by permitting access only from a selected IP address or addresses. The drawback of using this feature of IIS is that it may prove too restrictive in some situations and/or may require a higher level of maintenance, so please think about the potential consequences before implementing IP address restrictions.
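The following check is an added example, not part of PR-Tracker or of the original page. It audits an IIS 7.0 `applicationHost.config` `<location>` block against the SSL/HTTPS with Basic Authentication approach and the IP restriction described above; the site path `Default Web Site/PRTracker` and the sample configuration are constructed, and a setting missing from the block is assumed to be inherited from the server level and is reported rather than trusted.

```python
import xml.etree.ElementTree as ET

# Constructed sample for a hypothetical "Default Web Site/PRTracker" application.
SAMPLE = """<configuration>
  <location path="Default Web Site/PRTracker">
    <system.webServer><security>
      <access sslFlags="Ssl" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="192.0.2.10" allowed="true" />
      </ipSecurity>
    </security></system.webServer>
  </location>
</configuration>"""

SEC = "system.webServer/security/"

def audit_basic_over_ssl(config_xml, site_path):
    """Return a list of findings; an empty list means the block matches the approach."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site_path), None)
    if loc is None:
        return ["no <location> block for " + site_path]

    def enabled(name):  # True/False, or None when the value is inherited
        node = loc.find(SEC + "authentication/" + name)
        val = None if node is None else node.get("enabled")
        return None if val is None else val.lower() == "true"

    findings = []
    access = loc.find(SEC + "access")
    flags = [] if access is None else [f.strip() for f in access.get("sslFlags", "").split(",")]
    if "Ssl" not in flags:  # Basic credentials are only base64-encoded, so SSL must be required
        findings.append("SSL is not required")
    if enabled("basicAuthentication") is not True:
        findings.append("basicAuthentication is not enabled")
    for other in ("anonymousAuthentication", "windowsAuthentication", "digestAuthentication"):
        if enabled(other) is not False:
            findings.append(other + " is not explicitly disabled")
    ips = loc.find(SEC + "ipSecurity")
    if ips is not None and ips.get("allowUnlisted", "true").lower() == "true":
        findings.append("ipSecurity is present but unlisted addresses are still allowed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_basic_over_ssl(SAMPLE, "Default Web Site/PRTracker")) or "OK")
```
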