Security Improvements

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Attackers and malicious users can take advantage of a system with services that are running but not being used. Such an attack is possible because if administrators do not use a service, they might forget to maintain it with current hotfixes, service packs, and patches. To reduce this security risk, IIS 6.0 is locked down by default — only request handling for static Web pages is enabled, and only the WWW service is installed. None of the applications that run on IIS — including ASP, ASP.NET, Common Gateway Interface (CGI) scripting, FrontPage 2002 Server Extensions, and WebDAV — are turned on by default.

IIS 6.0 improves security in other ways as well. Many aspects of IIS 6.0, including default functionality and settings, behave differently than they did in previous versions. These changes can cause existing applications or sites to behave in unexpected ways. To save troubleshooting time, familiarize yourself with the security features in IIS 6.0. For more information about IIS 6.0 security, see Managing a Secure IIS 6.0 Solution.