Resources for securing Internet Information Services
This article was previously published under Q282060.

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY
When you use Internet Information Services to host Web sites, it is important to protect the server from unknown, and potentially malicious, users. This article provides references to use in this vital task.
MORE INFORMATION
The most comprehensive information on securing Web applications is available in:

Designing Secure Web-Based Applications for Microsoft Windows 2000
ISBN: 0-735-60995-0
Authors: Michael Howard, Richard Waymire, Marc Levy
Publisher: Microsoft Press, July 2000

The following references are available online from the Microsoft TechNet Web site:

As a best practice, Microsoft recommends installing the latest service pack and security updates for IIS, as well as for any other components running on the Web server. Although many customers use the online Security Bulletin Search as a reference for which hotfixes to apply for a given product and service pack, the information provided by that tool does not take cumulative rollups into account (it shows all updates released after the specified service pack). For that reason, we recommend that customers who deploy IIS use the Microsoft Baseline Security Analyzer (MBSA) to identify security risks. For more information about the MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 (http://support.microsoft.com/kb/320454/) Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available
Once the latest service pack and all of the latest product updates (hotfixes) have been applied, system-level security should be applied to the Web server. To make securing IIS more convenient, Microsoft has produced the IIS Lockdown Wizard, available at the following location:
325864 (http://support.microsoft.com/kb/325864/) How to install and use the IIS Lockdown Wizard

The IIS Lockdown Wizard provides a "wizard" interface to configure many security recommendations. Both the IIS Lockdown Wizard and UrlScan, an ISAPI filter that can be used to block malicious Web requests, are part of the Microsoft Security Toolkit, which can be obtained from the following location: http://www.microsoft.com/technet/security/tools/default.mspx

For more information about UrlScan, click the following article number to view the article in the Microsoft Knowledge Base:
307608 (http://support.microsoft.com/kb/307608/) Using URLScan on IIS
Microsoft is committed to providing applications that can be used to keep our customers' information secure, and maintains an Internet site dedicated to security-related topics for Microsoft products. The Microsoft Security Web site is available at: http://www.microsoft.com/security/

In addition to visiting the Microsoft Security Web site on a regular basis, Microsoft recommends that customers stay up to date with the latest Security Bulletins by subscribing to the Microsoft Security Notification Service at the following Web site: http://www.microsoft.com/technet/security/bulletin/notify.mspx

Microsoft provides free online services for determining when updates are required, such as the Critical Update Notification, which is available from the Windows Update Web site. To visit the Windows Update Web site, visit the following Microsoft Web site: http://windowsupdate.microsoft.com

You can also use the Microsoft Baseline Security Analyzer to determine vulnerabilities on the system that is running the utility. To obtain the Microsoft Baseline Security Analyzer, visit the following Microsoft Web site: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

REFERENCES
When securing Web servers, it is possible to set permissions too restrictively, which can prevent content from being served properly. The following Microsoft Knowledge Base article describes the minimal permissions necessary for Internet Information Services to serve content properly:
187506 (http://support.microsoft.com/kb/187506/) Required NTFS permissions and user rights for IIS 4.0

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
271071 (http://support.microsoft.com/kb/271071/) How to set required NTFS permissions and user rights for an IIS 5.0 Web server