The IIS Best Practices Analyzer may return 2 security errors on a working, default install of Windows Small Business Server 2011 Standard

Applies to: Windows Small Business Server 2011 Standard


This article describes the errors received on an IIS Best Practices Analyzer scan on a default install of Windows Small Business Server 2011 Standard.

More Information


On Windows SBS 2011 Standard, open Server Manager and select the Web Server (IIS) node. In the right pane, find the Best Practices Analyzer and select Scan This Role.

There are two errors that will be displayed under the Security category:

1. Application pools should be set to run as Application pool identities
2. Use SSL when you use Basic authentication


The first error occurs because the application pool 'MSExchangePowerShellAppPool' is set to run as Local System.
The 'MSExchangePowerShellAppPool' application pool is used for Exchange management and is required to run under Local System for Exchange 2010 to function.

The second error states that authentication is enabled for configuration path 'MACHINE/WEBROOT/APPHOST' but it lacks a required SSL binding. There is a problem with the logic that the IIS BPA uses to determine the SSL configuration. All the default sites in Small Business Server 2011 Standard that have Basic authentication enabled are properly configured with SSL by Small Business Server setup.


These errors are harmless and may be safely ignored.
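
Before dismissing the two findings, an administrator can confirm that the server still matches the defaults described above. The following PowerShell is an added example, not part of the original article; it assumes an elevated session and the WebAdministration module installed with IIS, and its variable names are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session on the SBS 2011 server.
Import-Module WebAdministration

# Finding 1: per the article, only this pool is expected to run as LocalSystem.
$expectedLocalSystem = @('MSExchangePowerShellAppPool')
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $identity = [string]$_.processModel.identityType
    if ($identity -eq 'LocalSystem' -and $expectedLocalSystem -notcontains $_.Name) {
        Write-Warning "Unexpected LocalSystem application pool: $($_.Name)"
    }
    New-Object PSObject -Property @{ AppPool = $_.Name; Identity = $identity }
} | Format-Table -AutoSize

# Finding 2: Basic authentication should only be enabled where HTTPS is bound.
$filter = 'system.webServer/security/authentication/basicAuthentication'

# Server-level default, the configuration path named in the BPA message.
$serverDefault = (Get-WebConfiguration -Filter $filter -PSPath 'MACHINE/WEBROOT/APPHOST').enabled
"Basic authentication enabled at MACHINE/WEBROOT/APPHOST: $serverDefault"

Get-ChildItem IIS:\Sites | ForEach-Object {
    $site = $_.Name
    $path = "IIS:\Sites\$site"
    # Effective setting at the site root plus any settings defined beneath it.
    $sections = @(Get-WebConfiguration -Filter $filter -PSPath $path) +
                @(Get-WebConfiguration -Filter $filter -PSPath $path -Recurse)
    $basicEnabled = @($sections | Where-Object { $_.enabled }).Count -gt 0
    $https = @(Get-WebBinding -Name $site -Protocol https |
               ForEach-Object { $_.bindingInformation })
    if ($basicEnabled -and $https.Count -eq 0) {
        Write-Warning "Basic authentication is enabled but '$site' has no HTTPS binding"
    }
    New-Object PSObject -Property @{
        Site = $site; BasicAuthEnabled = $basicEnabled; HttpsBindings = ($https -join ', ')
    }
} | Format-Table -AutoSize
```

An HTTPS binding alone does not force clients onto SSL unless Require SSL is also set on the path, so a run with no warnings is consistent with the article's description rather than proof of it.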