Security is always a consideration; it is critical to make careful security considerations when you implement and maintain your Web sites, infrastructure, and applications. Internet Information Services 7 (IIS 7) and above offers many ways to configure security, including dynamic IP restrictions, application pool identities, and Secure Sockets Layer (SSL). IIS also provides a comprehensive set of authentication and authorization features that can be used to create the desired access control scheme for PHP applications without writing any custom code. You can use features such as Forms Authentication, Role Manager, and URL Authorization to quickly deploy access control solutions that are easily manageable through IIS Manager and other tools.
The following articles provide guidance:
- Secure Your Infrastructure and Applications. This article provides an overview of techniques to secure PHP on IIS.
- Secure Content in IIS Through File System ACLs. This article, provides guidance for using access control lists (ACLs) to secure content.
- Secure Content in IIS Through Impersonation. This article describes how to use impersonation to help secure content.
- Set ACLs Through the Manifest.xml File. While hosters typically use the command line to set ACLs, it is also possible to use the Manifest.xml file.
- Secure Your SQL Server Database. If you use Microsoft® SQL Server® as your database, you must create and implement an effective security plan. This article touches on a few areas of particular interest to Web hosters.
- Ensure Security Isolation for Web Sites. The recommendation for isolating PHP Web sites in a shared hosting environment is consistent with all general security isolation recommendations for IIS. Isolating Web sites is particularly important in a shared hosting environment.
- Use Request Filtering. Request filtering is designed and optimized for security scenarios.
- Secure PHP with Configuration Settings. You can configure PHP settings to tighten the security of a PHP installation; this article recommends settings you can use.
- Enable PHP Applications to Make Application-Level Access Control Decisions. You can expose key access control information to a PHP application to facilitate application-level access control.