Walkthrough: Creating a Security Zone Part 1
This walkthrough builds on Walkthrough: Creating Logical Datacenter Diagrams.
In this walkthrough, you will learn how to use user-defined constraints and zone endpoint constraints to place very specific requirements on the logical servers hosted within a zone. You will also learn how to create a reusable prototype of the zone that you can store on the Toolbox. The first step is to constrain the type of communication allowed into the zone. For this walkthrough, you will work with the PerimeterNetwork security zone you created in Walkthrough: Creating Logical Datacenter Diagrams.
To allow inbound zone traffic only over HTTPS on port 443
Right-click the Internet inbound zone endpoint, and click Settings and Constraints to view the Settings and Constraints editor.
Under Zone Communication Constraints, clear the DatabaseServerEndpoint and GenericServerEndpoint check boxes.
This prevents database or generic servers from being connected to the inbound zone endpoint.
Select the User Defined check box under WebSiteEndpoint.
Expand User Defined and select the WebSite check box under User Defined.
This allows you to write constraints on Web sites that communicate with (connect to) the inbound zone endpoint.
Click the Web Site heading in the left pane of the editor. In the right pane, expand the Authentication tree and select the SecureBindings check box.
Under Operator, select Contains One.
Click the Value field and then click the ellipsis (…).
The ComplexSetting Collection Editor appears.
Click Add.
Under Port, enter 443.
Leave the IPAddress field blank.
Click OK.
You have now required that every Web site connected to the inbound zone endpoint have a secure (SSL) binding on port 443, the standard HTTPS port. Like all designer constraints, this is checked when a deployment is validated; it records and enforces the requirement in the model rather than configuring the server or the firewall. The next step is to restrict what types of logical servers the zone is allowed to contain.
To restrict what the zone can contain
Select the zone shape and view the Settings and Constraints editor.
Under Zone Containment Constraints, clear the GenericServer, WindowsClient, and Zone check boxes.
By doing this, you are constraining the zone so that it cannot contain generic servers (servers that can host any kind of application), Windows clients (logical servers that host Windows client applications), or other zones. If you try to drop any of these items into the zone from the Toolbox or from elsewhere on the logical datacenter diagram, the designer will not allow it.
The next step is to add a database server to the zone.
To add a database server to the zone
Drag a DatabaseServer to the diagram from the Toolbox and place it inside the PerimeterNetwork zone.
Name the server SessionStore.
This server will be used to store SQL Session State information from the HardenedIIS Web server.
Select the provider endpoint on SessionStore, hold down ALT, and drag from the endpoint to HardenedIIS to connect them.
The next step is to write a zone constraint that prevents Web servers from hosting Web services.
To constrain Web servers from hosting Web services
Click the zone.
Under Zone Containment Constraints, expand IISWebServer, select the User Defined check box, select the InternetInformationServices check box, and finally select the WebSites check box.
Click the WebSites node in the left pane and expand the Content node in the right pane of the Settings and Constraints Editor.
Select ScriptMaps.
Note
If you have WebSite selected instead of WebSites in the left pane of the editor, the ScriptMaps section will not show under Content.
Under Operator, choose Contains None from the list box.
Click the Value field and then click the ellipsis (…).
The ComplexSetting Collection Editor appears.
Click Add.
Under FileExtension, type .asmx.
Under IncludedVerbs, type GET,HEAD,POST,DEBUG.
Note
Enter this string exactly as it appears. If you add spaces, or change the order of the verbs, this constraint will not work.
Set Script equal to True.
Under ScriptProcessor, enter the path to aspnet_isapi.dll, for example %WINDIR%\Microsoft.NET\Framework\v2.0.40420\aspnet_isapi.dll. Use the path of the ASP.NET version that is actually installed on the target servers, because the constraint matches the script map entry as a whole.
Click OK.
This constraint prevents ASP.NET Web services (.asmx) from being hosted on the Web servers inside the perimeter network. It does this by rejecting any Web site whose script maps contain the entry that routes .asmx requests to the ASP.NET ISAPI extension. Because this constraint is authored on the zone itself, every Web server placed inside the zone is evaluated against it, as are the applications hosted on that Web server. Because the comparison is exact, a script map with a different verb list, Script setting, or processor path (for example, a different .NET Framework version) is not caught by this entry; add a further entry to the collection for each variant you need to block.
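The following is an added example, not part of the Visual Studio walkthrough or of the designer's own code. It models the two constraints authored above, using the operator semantics the Settings and Constraints editor exposes: Contains One is satisfied when at least one element of the collection matches every field you specified (a blank field such as IPAddress acts as a wildcard), and Contains None is satisfied when no element matches all of them. The sample site settings are constructed data; the string layouts assumed for them (SecureBindings as "ip:port:host", ScriptMaps as "extension,processor,flags,verbs" with flag bit 1 taken as the Script switch) are assumptions of this example, and the fourth site shows the failure mode the Note warns about: verbs written with spaces do not match, so the Web service slips past the constraint.

```python
"""Evaluate the PerimeterNetwork constraints against sample Web site settings.

Added example; assumes the string layouts described in the lead-in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecureBinding:
    ip_address: str
    port: int


@dataclass(frozen=True)
class ScriptMap:
    file_extension: str
    script_processor: str
    script: bool
    included_verbs: str  # compared as one exact string, like the designer's field


def parse_secure_bindings(raw: List[str]) -> List[SecureBinding]:
    """Assumed layout "ip:port:host"; the host name is not part of the constraint."""
    result = []
    for entry in raw:
        ip, port, _host = entry.split(":", 2)
        result.append(SecureBinding(ip_address=ip, port=int(port)))
    return result


def parse_script_maps(raw: List[str]) -> List[ScriptMap]:
    """Assumed layout "ext,processor,flags,verbs"; the verb list keeps its commas."""
    result = []
    for entry in raw:
        ext, processor, flags, verbs = entry.split(",", 3)
        result.append(ScriptMap(ext, processor, bool(int(flags) & 1), verbs))
    return result


Constraint = Dict[str, Optional[object]]


def matches(element, constraint: Constraint) -> bool:
    """Field-by-field exact comparison; fields left blank (None) are wildcards."""
    return all(getattr(element, name) == value
               for name, value in constraint.items() if value is not None)


def contains_one(collection, constraint: Constraint) -> bool:
    return any(matches(element, constraint) for element in collection)


def contains_none(collection, constraint: Constraint) -> bool:
    return not contains_one(collection, constraint)


ASPNET = r"%WINDIR%\Microsoft.NET\Framework\v2.0.40420\aspnet_isapi.dll"

# The two constraints from the walkthrough, as the editor records them.
HTTPS_ONLY: Constraint = {"ip_address": None, "port": 443}
NO_ASMX_SERVICE: Constraint = {
    "file_extension": ".asmx",
    "included_verbs": "GET,HEAD,POST,DEBUG",
    "script": True,
    "script_processor": ASPNET,
}


def evaluate_site(secure_bindings: List[str], script_maps: List[str]) -> Dict[str, bool]:
    """Return True per constraint when the site is allowed in the zone."""
    return {
        "inbound_https_443": contains_one(parse_secure_bindings(secure_bindings), HTTPS_ONLY),
        "no_asmx_web_service": contains_none(parse_script_maps(script_maps), NO_ASMX_SERVICE),
    }


# Constructed sample sites (not real server exports).
SITE_OK = ([":443:"], [f".aspx,{ASPNET},1,GET,HEAD,POST,DEBUG"])
SITE_WEB_SERVICE = ([":443:"], [f".aspx,{ASPNET},1,GET,HEAD,POST,DEBUG",
                                f".asmx,{ASPNET},1,GET,HEAD,POST,DEBUG"])
SITE_HTTP_ONLY = ([], [f".aspx,{ASPNET},1,GET,HEAD,POST,DEBUG"])
# Same .asmx mapping, but verbs written with spaces: exact match fails, constraint passes.
SITE_SPACED_VERBS = ([":443:"], [f".asmx,{ASPNET},1,GET, HEAD, POST, DEBUG"])

if __name__ == "__main__":
    for name, (bindings, maps) in {"ok": SITE_OK, "web_service": SITE_WEB_SERVICE,
                                   "http_only": SITE_HTTP_ONLY,
                                   "spaced_verbs": SITE_SPACED_VERBS}.items():
        print(name, evaluate_site(bindings, maps))
```

The last site is the one to keep in mind: the designer will report it as compliant, so when you author the Contains None entry, copy the verb string from the script map exactly as the target servers record it.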
The final step is to create a reusable version of this zone that is accessible from the Toolbox and that can be shared with others in your organization.
To create a reusable prototype of the PerimeterNetwork zone
Click the zone.
From the Diagram menu, choose Add to Toolbox.
The Add to Toolbox dialog box appears.
Under Name, type PerimeterNetwork and click OK.
The Save File dialog box appears. The file is saved as an .lddprototype file, meaning that it is a prototype that you can use in Logical Datacenter Designer.
Click Save.
Open the Toolbox and drag PerimeterNetwork onto the diagram.
By creating this prototype, you have created a customized version of the PerimeterNetwork zone that you can reuse in any logical datacenter diagram you create or edit. The prototype appears on the Toolbox whenever you create a new Distributed System solution, because it belongs to the designers themselves and not to the solution that was open when you created it.
Other Distributed System Designer users can share this prototype by placing a copy of the .lddprototype file in the default prototype folder, which is typically located at %ProgramFiles%\Microsoft Visual Studio <versionNumber>\Common7\Tools\DesignerPrototypes\Prototypes. For more information about creating reusable prototypes in Logical Datacenter Designer, see How to: Create Custom Prototypes from Configured Zones and Logical Servers. For more information about redistributing these prototypes to other users, see How to: Import or Install New Custom Prototypes.
Next Steps
In the second part of this walkthrough, you will learn how to do the following:
Set policy for applications hosted on HardenedIIS.
Import settings from an existing, configured IIS server onto HardenedIIS.
Evaluate the deployment of a Web service onto HardenedIIS.
See Also
Tasks
Walkthrough: Creating a Security Zone Part 2