Applies To: Windows Server 2003, Windows Server 2003 with SP1
The IIS Lockdown Tool is designed to help secure earlier versions of IIS by doing the following:
Preventing the WWW service from being disabled after upgrade on Web servers that are currently running Windows 2000 Server and IIS 5.0. Disabling the WWW service prevents any Web sites or applications from functioning.
Helping to secure the existing Web server by disabling or removing unnecessary features that are present in IIS 4.0 and IIS 5.0 installations. These features would otherwise remain on the Web server after upgrading, leaving it vulnerable to attacks.
The IIS Lockdown Tool works by turning off unnecessary features, thereby reducing the attack surface that is available to malicious users. To provide multiple layers of protection for an in-depth defense against potential attackers, the IIS Lockdown Tool includes UrlScan and customized security templates based on supported server roles.
Note
The WWW service is enabled after the upgrade process is complete on servers running IIS 4.0 because IIS is installed by default in Windows 2000 Server.
The IIS Lockdown Tool secures the existing IIS server by performing one or more of the following user-specified transactions:
Enabling or disabling IIS services such as the WWW service, the FTP service, or the Simple Mail Transfer Protocol (SMTP) service.
Removing services that are disabled.
Disabling Active Server Pages (ASP) applications on the server.
Disabling optional components, including:
Index Server Web interface
Server-side includes (SSI)
Internet Data Connector (IDC)
Internet printing
HTR scripting
Web Distributed Authoring and Versioning (WebDAV)
Disabling anonymous user access to the server by denying:
Execute permissions on the operating system executables and DLLs
Write permissions on all Web site content directories
Removing unnecessary virtual directories, including:
IIS Samples
Scripts
Microsoft Data Access Components (MDAC)
IIS Admin
Installing UrlScan
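The list above is the configuration the tool applies; what an administrator usually wants afterwards is a way to confirm the result on a given server. The following PowerShell audit is an added example, not part of the IIS Lockdown Tool or of this page. It assumes the "Static Web server" role (WWW left enabled; FTP, SMTP and NNTP disabled), the virtual directory names of a default IIS 5.0 Web site (IISSamples, Scripts, MSADC, IISAdmin, IISHelp), the metabase reachable through ADSI on the local machine, and that the anonymous Web account is identifiable by an IUSR_ prefix or the "Web Anonymous Users" group; adjust those assumptions for other roles or a customized server.

```powershell
# Added post-lockdown audit (example only, not the IIS Lockdown Tool's own code).
# Expected service start modes for the "Static Web server" role (assumption).
$expectedStartMode = @{
    'W3SVC'    = 'Auto'      # World Wide Web Publishing Service: must stay enabled
    'MSFTPSVC' = 'Disabled'  # FTP Publishing Service
    'SMTPSVC'  = 'Disabled'  # Simple Mail Transfer Protocol
    'NNTPSVC'  = 'Disabled'  # Network News Transfer Protocol
}

# Virtual directories the tool removes; names as in a default IIS 5.0 site (assumption).
$removedVdirs = @('IISSamples', 'Scripts', 'MSADC', 'IISAdmin', 'IISHelp')

# Identity patterns for the anonymous Web account / group (assumption).
$anonymousPattern = 'IUSR_|Web Anonymous Users'

$findings = @()

# 1. Services: compare the WMI start mode with the expected value for the role.
foreach ($name in $expectedStartMode.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        # A removed service is fine when the role disables it, a problem when it must run.
        if ($expectedStartMode[$name] -ne 'Disabled') {
            $findings += "Service $name is not installed but the role expects it enabled"
        }
        continue
    }
    if ($svc.StartMode -ne $expectedStartMode[$name]) {
        $findings += "Service $name start mode is $($svc.StartMode), expected $($expectedStartMode[$name])"
    }
}

# 2. Virtual directories: enumerate children of the default Web site root via ADSI.
$root = [ADSI]'IIS://localhost/W3SVC/1/Root'
$present = @()
foreach ($child in $root.Children) {
    if ($child.SchemaClassName -eq 'IIsWebVirtualDir') { $present += $child.Name }
}
foreach ($vdir in $removedVdirs) {
    if ($present -contains $vdir) { $findings += "Virtual directory '$vdir' is still present" }
}

# 3. Anonymous execute denial: look for a Deny ACE on a system executable that
#    covers ExecuteFile for the anonymous Web identity.
$probe = Join-Path $env:SystemRoot 'system32\cmd.exe'
$acl = Get-Acl -Path $probe
$denyFound = $false
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Deny' -and
        $ace.IdentityReference.Value -match $anonymousPattern -and
        ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)) {
        $denyFound = $true
    }
}
if (-not $denyFound) {
    $findings += "No Deny-Execute entry for the anonymous Web identity on $probe"
}

if ($findings.Count -eq 0) {
    'No deviations from the expected lockdown state.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run the script in an elevated PowerShell session on the locked-down server before you upgrade; each FINDING line names a setting that differs from what the selected role is documented to produce, which is the point at which to re-run the tool or to review its log rather than proceed.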
Tip
The IIS Lockdown Tool helps secure IIS. However, to maintain IIS security, install all available security patches and hotfixes to help protect against known security vulnerabilities.
Depending upon the applications that you are hosting and the software that you are using on the existing IIS server, select the server role that most closely corresponds to the server you are upgrading. The IIS Lockdown Tool uses the specified server role to determine the appropriate actions to configure the existing IIS server.
Regardless of the server role selected, UrlScan is not required for the purposes of upgrade. UrlScan can be installed by using the IIS Lockdown Tool or separately. For more information about determining whether you need to run UrlScan after upgrade, see Determining Whether to Run the IIS Lockdown Tool and UrlScan.
The IIS Lockdown Tool includes the following server roles:
Small Business Server for Windows NT Server 4.0
Small Business Server 2000
Exchange Server 5.5
Exchange Server 2000
Microsoft SharePoint™ Portal Server
FrontPage Server Extensions
SharePoint Team Services
BizTalk® Server 2000
Commerce Server 2000
Proxy Server
Static Web server
Dynamic Web server (ASP-enabled)
Server that does not require IIS
Other (a server that does not match any of the roles in this list)
Each of the server roles in the IIS Lockdown Tool secures the Web server by performing a different combination of the security configuration changes listed earlier. For example, if you select the Exchange Server 2000 (OWA, PF Management, IM, SMTP, NNTP) server role, then FTP is disabled, and SMTP and NNTP are enabled. However, if you select the SharePoint Portal Server server role, then FTP, SMTP, and Network News Transfer Protocol (NNTP) are disabled. To determine the configuration performed by each server role, review the contents of the IisLockd.ini file in the same folder that contains the IIS Lockdown Tool.
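Reading IisLockd.ini by hand is tedious when the question is "what will change if I pick role A instead of role B". The script below is an added example, not code shipped with the IIS Lockdown Tool: it parses an INI-style file into per-section settings and prints only the keys whose values differ between two named sections. The key names and the sample content are constructed to mirror the two roles compared in the text; the real IisLockd.ini uses its own section and key names, so point $iniPath at the actual file and pass its real section names.

```powershell
# Added example: compare two server-role sections of an IisLockd.ini-style file.
# Parses [section] headers and key=value lines; ';' and '#' lines are comments.
function Read-IniFile {
    param([string[]]$Lines)
    $ini = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($section -ne $null -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

# Returns one line per setting that differs between the two roles.
function Compare-LockdownRole {
    param([hashtable]$Ini, [string]$RoleA, [string]$RoleB)
    foreach ($r in @($RoleA, $RoleB)) {
        if (-not $Ini.ContainsKey($r)) { throw "Section [$r] not found in the INI data" }
    }
    $a = $Ini[$RoleA]; $b = $Ini[$RoleB]
    $keys = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        $va = $a[$k]; $vb = $b[$k]
        if ($va -ne $vb) {
            '{0,-22} {1,-28} {2}' -f $k, "$RoleA=$va", "$RoleB=$vb"
        }
    }
}

# Use the real file when it is beside this script; otherwise fall back to the
# constructed sample (hypothetical keys modelled on the page's description).
$iniPath = Join-Path (Get-Location) 'IisLockd.ini'
if (Test-Path $iniPath) {
    $lines = Get-Content -Path $iniPath
} else {
    $lines = @"
; constructed sample, not the real IisLockd.ini
[Exchange2000]
DisableFTP=true
DisableSMTP=false
DisableNNTP=false
DisableASP=false

[SharePointPortal]
DisableFTP=true
DisableSMTP=true
DisableNNTP=true
DisableASP=false
"@ -split "`r?`n"
}

$ini = Read-IniFile -Lines $lines
'{0,-22} {1,-28} {2}' -f 'Setting', 'Role A', 'Role B'
Compare-LockdownRole -Ini $ini -RoleA 'Exchange2000' -RoleB 'SharePointPortal'
```

With the constructed sample the output lists only DisableSMTP and DisableNNTP, which is exactly the difference the text describes between the Exchange Server 2000 and SharePoint Portal Server roles; settings both roles share (FTP disabled, ASP left alone) are omitted, so the report stays readable even for the real file's longer sections.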
After running the IIS Lockdown Tool and before upgrading, thoroughly test the server to ensure that your Web sites and applications function as they did before. If you find that the configuration settings adversely affect your applications, run the IIS Lockdown Tool again to undo the changes that were made. If you are uncertain whether the IIS Lockdown Tool has been run on the server, you can run the tool again without adversely affecting the system.
Tip
When the IIS Lockdown Tool locks down a server, it creates a log file named Oblt-log.log and saves it in the folder that contains IISLockd.exe. This file contains information about every action the IIS Lockdown Tool implemented on the system.
Administrators can run the IIS Lockdown Tool unattended, allowing consistent configuration across many servers through unattended scripts. For more information about running the IIS Lockdown Tool unattended, see RunLockdUnattended.doc, which is located in the folder that contains the files for the IIS Lockdown Tool.
To download the latest version, see IIS Lockdown Tool.