Export (0) Print
Expand All

Internet Information Services in Windows XP with SP1

Published: December 27, 2004

This section provides information about:

  • The benefits of Internet Information Services (IIS) in Microsoft Windows XP Professional with Service Pack 1 (SP1).

  • How to control IIS on users’ computers to prevent the flow of information to and from the Internet

On This Page

Benefits and Purposes of IIS in Windows XP with SP1
Overview: IIS on Computers Running Windows XP with SP1 in a Managed Environment
Controlling IIS on Users’ Computers to Prevent the Flow of Information to and from the Internet
Procedures for Checking or Preventing the Installation of IIS Subcomponents on a Client

Benefits and Purposes of IIS in Windows XP with SP1

IIS 5.1 is one of the optional components in Windows XP with SP1 and by default is not installed. Allowing selected users to install this component provides them with an easy way to publish information on the Internet or an intranet. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP and ASP.NET), users who have been given the responsibility to create Web sites can more easily create and deploy scalable, flexible Web applications.

IIS is not installed by default with Windows XP with SP1 but can be added using Add or Remove Programs in Control Panel. IIS in Windows XP Professional with SP1 can, by default, service only 10 simultaneous client connections, with one Web site only, and does not use all the features of the server versions. IIS 5.1 in Windows XP Professional with SP1 includes the Microsoft Management Console (MMC) snap-in for managing IIS. For more information about IIS features, see the following Microsoft Web sites:

Overview: IIS on Computers Running Windows XP with SP1 in a Managed Environment

In a managed environment, we recommend that you carefully select and train any users who will be permitted to install IIS on their computers running Windows XP with SP1. In some respects, such users have responsibilities like those of a server administrator, and they should therefore be trained about security, auditing, and monitoring.

It is beyond the scope of this white paper to provide details about maintaining security on a computer that hosts a Web site. However, as a best practice, on any client on which IIS is installed, we recommend that you run the IIS Lockdown Tool (before or after installing the service pack). Because administrators will most likely exclude IIS from standard desktop configurations in a managed environment, the sections that follow provide details about how to prevent the installation of this component.

Controlling IIS on Users’ Computers to Prevent the Flow of Information to and from the Internet

To maximize the security of computers in your organization and prevent the flow of information through IIS on clients running Windows XP with SP1, if IIS is not required on those clients, remove or exclude it. You can do this during workstation deployment by using standard methods for unattended installation or remote installation. If you are using an answer file, the following table shows the entries, all of which are in the [Components] section.

Note By default, the components listed in the table are not installed with Windows XP Professional.

The following table shows the answer file entries as well as the associated registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular component is installed on a particular computer. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed.

Answer File Entries and Registry Keys Associated with IIS Subcomponents

IIS Subcomponent

Answer File Entry (in the [Components] Section)

Registry Key (for use in a script that checks whether a component is installed):0x00000000 means it is not installed,0x00000001 means it is installed

IIS common files

iis_common = Off

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Setup\Oc Manager\
Subcomponents\iis_common

File Transfer Protocol (FTP) service

iis_ftp = Off

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Setup\Oc Manager\
Subcomponents\iis_ftp

IIS MMC snap-in

iis_inetmgr = Off

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Setup\Oc Manager\
Subcomponents\iis_inetmgr

Simple Mail Transfer Protocol (SMTP) service

iis_smtp = Off

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Setup\Oc Manager\
Subcomponents\iis_smtp

World Wide Web (WWW) service

iis_www = Off

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Setup\Oc Manager\
Subcomponents\iis_www

FrontPage® server extensions

fp_extensions = Off

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Setup\Oc Manager\
Subcomponents\fp_extensions

Procedures for Checking or Preventing the Installation of IIS Subcomponents on a Client

The following procedures explain how to:

  • View the registry keys listed in the table in the previous section

  • View the components currently installed on a computer running Windows XP

  • Prevent the installation of IIS subcomponents during unattended installation by using an answer file

  • Obtain the IIS Lockdown Tool for use on any client on which IIS is necessary

To View Registry Keys Related to IIS Subcomponents

  • Open Registry Editor by clicking Start, clicking Run, and then typing regedit.

    Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

  • Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Setup\Oc Manager\Subcomponents\.

  • View the registry keys listed in the table in the previous section, and the value associated with each key. A value of 0x00000000 means the component is not installed. A value of 0x00000001 means the component is installed.

  • Close Registry Editor.

To View the Components Currently Installed on a Computer Running Windows XP

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Scroll down to Internet Information Services (IIS) and click Details.

  5. View the list of subcomponents and each check box, which show whether a particular subcomponent has been installed.

To Prevent the Installation of IIS Subcomponents During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment."

  2. In the [Components] section of the answer file, ensure that there are no entries for the subcomponents listed in the preceding table, "Answer file entries and registry keys associated with IIS subcomponents." If you want to list any of these subcomponents, ensure that the entries specify Off.

    If IIS subcomponents are not listed in an answer file for unattended installation of Windows XP Professional, by default, these subcomponents are not installed.

To Obtain the IIS Lockdown Tool for Clients on Which IIS is Necessary

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft