Resources for securing Internet Information Services

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:


When you use Internet Information Services to host Web sites, it is important to protect the server from unknown, and potentially malicious, users. This article provides references to use in this vital task.

More Information

The most comprehensive information on securing Web applications is available in:
Designing Secure Web-Based Applications for Microsoft Windows 2000
ISBN: 0-735-60995-0
Authors: Michael Howard, Richard Waymire, Marc Levy
Publisher: Microsoft Press, July 2000
The following references are available online from the Microsoft TechNet Web site:

As a best practice, Microsoft recommends installing the latest service pack and security updates for IIS, as well as any other components running on the web server. Although many customers utilize the online Security Bulletin Search as a reference for what hotfixes to apply for a given Product and Service Pack choice, the information provided by that tool does not take into account cumulative rollups (it shows all updates released after the specified Service Pack). For that reason, we recommend that customers who deploy IIS use the Microsoft Baseline Security Analyzer (MBSA) to identify security risks.
For more information about the MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

Once the latest Service Pack and all of the latest product updates (hotfixes) have been applied, system level security should be applied to the web server. To make securing IIS more convenient, Microsoft has produced the IIS Lockdown Wizard, available at the following location:
325864 How to install and use the IIS Lockdown Wizard

The IIS Lockdown Wizard provides a "wizard" interface to configure many security recommendations. Both the IIS Lockdown Wizard and UrlScan, an ISAPI filter that can be used to block malicious web requests, are part of the Microsoft Security Toolkit that can be obtained from the following location: For more information about UrlScan, click the following article number to view the article in the Microsoft Knowledge Base:
307608 Using URLScan on IIS

Microsoft is committed to providing applications that can be used to keep our customers' information secure, and maintains an Internet site dedicated to security-related topics for Microsoft products. The Microsoft Security web site is available at: In addition to visiting the Microsoft Security web site on a regular basis, Microsoft recommends that customers stay up to date with the latest Security Bulletins, by subscribing to the Microsoft Security Notification Service at the Web site listed below: Microsoft provides free online services for determining when updates are required, such the Critical Update Notification which is available from the Windows Update Web site. To visit the Windows Update Web site, visit the following Microsoft Web site:You can also use the Microsoft Baseline Security Advisor to determine vulnerabilities on the system that is running the utility. To obtain the Microsoft Baseline Security Advisor, visit the following Microsoft Web site:


When securing Web servers, it is possible to set permissions too restrictively, which can prevent proper serving of content. The following Microsoft Knowledge Base article describes the minimal permissions necessary for Internet Information Services to serve content properly:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server