Internet Information Services in Windows XP with SP1

This section provides information about:

  • The benefits of Internet Information Services (IIS) in Microsoft Windows XP Professional with Service Pack 1 (SP1).

  • How to control IIS on users’ computers to prevent the flow of information to and from the Internet.

Benefits and Purposes of IIS in Windows XP with SP1

IIS 5.1 is one of the optional components in Windows XP with SP1 and by default is not installed. Allowing selected users to install this component provides them with an easy way to publish information on the Internet or an intranet. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP and ASP.NET), users who have been given the responsibility to create Web sites can more easily create and deploy scalable, flexible Web applications.

IIS is not installed by default with Windows XP with SP1 but can be added using Add or Remove Programs in Control Panel. IIS in Windows XP Professional with SP1 can, by default, service only 10 simultaneous client connections, with one Web site only, and does not use all the features of the server versions. IIS 5.1 in Windows XP Professional with SP1 includes the Microsoft Management Console (MMC) snap-in for managing IIS. For more information about IIS features, see the following Microsoft Web sites:

Overview: IIS on Computers Running Windows XP with SP1 in a Managed Environment

In a managed environment, we recommend that you carefully select and train any users who will be permitted to install IIS on their computers running Windows XP with SP1. In some respects, such users have responsibilities like those of a server administrator, and they should therefore be trained about security, auditing, and monitoring.

It is beyond the scope of this white paper to provide details about maintaining security on a computer that hosts a Web site. However, as a best practice, on any client on which IIS is installed, we recommend that you run the IIS Lockdown Tool (before or after installing the service pack). Because administrators will most likely exclude IIS from standard desktop configurations in a managed environment, the sections that follow provide details about how to prevent the installation of this component.

Controlling IIS on Users’ Computers to Prevent the Flow of Information to and from the Internet

To maximize the security of computers in your organization and prevent the flow of information through IIS on clients running Windows XP with SP1, if IIS is not required on those clients, remove or exclude it. You can do this during workstation deployment by using standard methods for unattended installation or remote installation. If you are using an answer file, the following table shows the entries, all of which are in the [Components] section.

Note: By default, the components listed in the table are not installed with Windows XP Professional.

The following table shows the answer file entries as well as the associated registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular component is installed on a particular computer. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed.

Answer File Entries and Registry Keys Associated with IIS Subcomponents

| IIS Subcomponent | Answer File Entry (in the [Components] Section) | Registry Key (for use in a script that checks whether a component is installed): 0x00000000 means it is not installed, 0x00000001 means it is installed |
| --- | --- | --- |
| IIS common files | iis_common = Off | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\iis_common |
| File Transfer Protocol (FTP) service | iis_ftp = Off | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\iis_ftp |
| IIS MMC snap-in | iis_inetmgr = Off | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\iis_inetmgr |
| Simple Mail Transfer Protocol (SMTP) service | iis_smtp = Off | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\iis_smtp |
| World Wide Web (WWW) service | iis_www = Off | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\iis_www |
| FrontPage® server extensions | fp_extensions = Off | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\fp_extensions |
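The kind of check script the text mentions, as an added example that is not part of the original white paper: it reads the text output of `reg query` run against the Subcomponents key on a client and reports the state of each entry in the table. It assumes the entries are REG_DWORD values under that key and that each output line has the form name, type, data; the function names and the sample output are constructed for illustration.

```python
import re

# Value names from the table above; 0x00000000 = not installed, 0x00000001 = installed.
IIS_SUBCOMPONENTS = ("iis_common", "iis_ftp", "iis_inetmgr",
                     "iis_smtp", "iis_www", "fp_extensions")

# One value line of `reg query` output: name, type and data separated by whitespace.
_VALUE_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def iis_install_state(reg_query_output):
    """Return {subcomponent: status} for the six IIS entries in the table."""
    seen = {}
    for line in reg_query_output.splitlines():
        m = _VALUE_LINE.match(line)
        if m and m.group(1).lower() in IIS_SUBCOMPONENTS:
            seen[m.group(1).lower()] = int(m.group(2), 16)
    state = {}
    for name in IIS_SUBCOMPONENTS:
        value = seen.get(name)
        if value is None:
            state[name] = "no entry"          # nothing recorded for this name
        elif value == 0:
            state[name] = "not installed"
        elif value == 1:
            state[name] = "installed"
        else:                                 # the page defines only 0 and 1
            state[name] = "unexpected value 0x%08x" % value
    return state


def installed_components(reg_query_output):
    """Subcomponents reported as installed, in table order."""
    state = iis_install_state(reg_query_output)
    return [name for name in IIS_SUBCOMPONENTS if state[name] == "installed"]


# Constructed sample output, not captured from a real computer.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents
    iis_common      REG_DWORD    0x1
    iis_ftp         REG_DWORD    0x0
    iis_inetmgr     REG_DWORD    0x1
    iis_www         REG_DWORD    0x1
    fp_extensions   REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, status in iis_install_state(SAMPLE).items():
        print("%-14s %s" % (name, status))
```

The script only reads the collected output and never writes to the registry, in line with the instruction not to change these keys.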

Procedures for Checking or Preventing the Installation of IIS Subcomponents on a Client

The following procedures explain how to:

  • View the registry keys listed in the table in the previous section

  • View the components currently installed on a computer running Windows XP

  • Prevent the installation of IIS subcomponents during unattended installation by using an answer file

  • Obtain the IIS Lockdown Tool for use on any client on which IIS is necessary

To View the Registry Keys Listed in the Table in the Previous Section

  1. Open Registry Editor by clicking Start, clicking Run, and then typing regedit.

     Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

  2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\.

  3. View the registry keys listed in the table in the previous section, and the value associated with each key. A value of 0x00000000 means the component is not installed. A value of 0x00000001 means the component is installed.

  4. Close Registry Editor.

To View the Components Currently Installed on a Computer Running Windows XP

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Scroll down to Internet Information Services (IIS) and click Details.

  5. View the list of subcomponents and each check box, which show whether a particular subcomponent has been installed.

To Prevent the Installation of IIS Subcomponents During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment."

  2. In the [Components] section of the answer file, ensure that there are no entries for the subcomponents listed in the preceding table, "Answer file entries and registry keys associated with IIS subcomponents." If you want to list any of these subcomponents, ensure that the entries specify Off.

    If IIS subcomponents are not listed in an answer file for unattended installation of Windows XP Professional, by default, these subcomponents are not installed.
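A way to check step 2 before an answer file is used for deployment, as an added example that is not part of the original white paper: it reads the [Components] section and returns every IIS subcomponent entry that specifies something other than Off. It assumes the usual INI-style layout with `;` comments; the function names and the sample answer file are constructed for illustration.

```python
# Entry names from the table "Answer File Entries and Registry Keys
# Associated with IIS Subcomponents".
IIS_ENTRIES = ("iis_common", "iis_ftp", "iis_inetmgr",
               "iis_smtp", "iis_www", "fp_extensions")


def components_section(answer_file_text):
    """Return (name, value) pairs found in the [Components] section."""
    entries, in_section = [], False
    for raw in answer_file_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ; comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are compared without regard to case.
            in_section = line[1:-1].strip().lower() == "components"
        elif in_section and "=" in line:
            name, value = line.split("=", 1)
            entries.append((name.strip().lower(), value.strip().strip('"')))
    return entries


def iis_violations(answer_file_text):
    """IIS entries in [Components] that do not specify Off."""
    return [(name, value) for name, value in components_section(answer_file_text)
            if name in IIS_ENTRIES and value.lower() != "off"]


# Constructed sample answer file, not taken from a real deployment.
SAMPLE = """
[Unattended]
UnattendMode = FullUnattended

[Components]
iis_common = On
IIS_WWW = on
iis_ftp = Off
; iis_smtp = On   (commented out, so ignored)

[OtherSection]
iis_inetmgr = On
"""

if __name__ == "__main__":
    for name, value in iis_violations(SAMPLE):
        print("%s = %s  (expected Off or no entry)" % (name, value))
```

An empty result means the file either omits the IIS subcomponents, which leaves them uninstalled by default, or lists them only as Off.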

To Obtain the IIS Lockdown Tool for Clients on Which IIS is Necessary