Running the IIS Lockdown Tool

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The IIS Lockdown Tool is designed to help secure earlier versions of IIS by doing the following:

  • Preventing the WWW service from being disabled after upgrade on Web servers that are currently running Windows 2000 Server and IIS 5.0. Disabling the WWW service prevents any Web sites or applications from functioning.

  • Helping to secure the existing Web server by disabling or removing unnecessary features that are present in IIS 4.0 and IIS 5.0 installations. These features would otherwise remain on the Web server after upgrading, leaving it vulnerable to attacks.

The IIS Lockdown Tool works by turning off unnecessary features, thereby reducing the attack surface that is available to malicious users. To provide multiple layers of protection for an in-depth defense against potential attackers, the IIS Lockdown Tool includes UrlScan and customized security templates based on supported server roles.

Note

The WWW service is enabled after the upgrade process is complete on servers running IIS 4.0 because IIS is installed by default in Windows 2000 Server.

Server Configurations with the IIS Lockdown Tool

The IIS Lockdown Tool secures the existing IIS server by performing one or more of the following user-specified transactions:

  • Enabling or disabling IIS services such as the WWW service, the FTP service, or the Simple Mail Transfer Protocol (SMTP) service.

  • Removing services that are disabled.

  • Disabling Active Server Pages (ASP) applications on the server.

  • Disabling optional components, including:

    • Index Server Web interface

    • Server-side includes (SSI)

    • Internet Data Connector (IDC)

    • Internet printing

    • HTR scripting

    • Web Distributed Authoring and Versioning (WebDAV)

  • Disabling anonymous user access to the server by denying:

    • Execute permissions on the operating system executables and DLLs

    • Write permissions on all Web site content directories

  • Removing unnecessary virtual directories, including:

    • IIS Samples

    • Scripts

    • Microsoft Data Access Components (MDAC)

    • IIS Admin

  • Installing UrlScan

Tip

The IIS Lockdown Tool helps secure IIS. However, to maintain IIS security, install all available security patches and hotfixes to help protect against known security vulnerabilities.

Server Roles in the IIS Lockdown Tool

Depending upon the applications that you are hosting and the software that you are using on the existing IIS server, select the server role that most closely corresponds to the server you are upgrading. The IIS Lockdown Tool uses the specified server role to determine the appropriate actions to configure the existing IIS server.

Regardless of the server role selected, UrlScan is not required for the purposes of upgrade. UrlScan can be installed by using the IIS Lockdown Tool or separately. For more information about determining whether you need to run UrlScan after upgrade, see Determining Whether to Run the IIS Lockdown Tool and UrlScan.

The IIS Lockdown Tool includes the following server roles:

  • Small Business Server for Windows NT Server 4.0

  • Small Business Server 2000

  • Exchange Server 5.5

  • Exchange Server 2000

  • Microsoft SharePoint™ Portal Server

  • FrontPage Server Extensions

  • SharePoint Team Services

  • BizTalk® Server 2000

  • Commerce Server 2000

  • Proxy Server

  • Static Web server

  • Dynamic Web server (ASP-enabled)

  • Server that does not require IIS

  • Other (a server that does not match any of the roles in this list)

Each of the server roles in the IIS Lockdown Tool secures the Web server by performing a different combination of the security configuration changes listed earlier. For example, if you select the Exchange Server 2000 (OWA, PF Management, IM, SMTP, NNTP) server role, then FTP is disabled, and SMTP and NNTP are enabled. However, if you select the SharePoint Portal Server server role, then FTP, SMTP, and Network News Transfer Protocol (NNTP) are disabled. To determine the configuration performed by each server role, review the contents of the IisLockd.ini file in the same folder that contains the IIS Lockdown Tool.

After running the IIS Lockdown Tool and before upgrading, thoroughly test the server to ensure that your Web sites and applications function as they did before. If you find that the configuration settings adversely affect your applications, run the IIS Lockdown Tool again to undo the changes that were made. If you are uncertain whether the IIS Lockdown Tool has been run on the server, you can run the tool again without adversely affecting the system.
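The two preceding paragraphs recommend reading IisLockd.ini to see what each server role changes, and testing the server before upgrading so that nothing your applications depend on has been switched off. The following Python script is an added example (not part of this document or of the IIS Lockdown Tool) that shows one way to do both: it parses role sections from an INI file, reports where two roles differ, and lists which currently running services a chosen role would disable. The sample INI text, its section names and its `Disable*` / `RemoveSampleVDirs` / `InstallUrlScan` keys are constructed for illustration only; the real IisLockd.ini layout must be taken from the tool's own file.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the spirit of IisLockd.ini. The section and key
# names are assumptions for this example, not the tool's real layout.
# The service settings mirror the two roles compared in the text:
# Exchange Server 2000 keeps SMTP/NNTP, SharePoint Portal Server does not.
SAMPLE_INI = """
[Exchange Server 2000]
DisableWWW=FALSE
DisableFTP=TRUE
DisableSMTP=FALSE
DisableNNTP=FALSE
DisableASP=FALSE
DisableWebDAV=FALSE
RemoveSampleVDirs=TRUE
InstallUrlScan=TRUE

[SharePoint Portal Server]
DisableWWW=FALSE
DisableFTP=TRUE
DisableSMTP=TRUE
DisableNNTP=TRUE
DisableASP=FALSE
DisableWebDAV=FALSE
RemoveSampleVDirs=TRUE
InstallUrlScan=TRUE

[Static Web server]
DisableWWW=FALSE
DisableFTP=TRUE
DisableSMTP=TRUE
DisableNNTP=TRUE
DisableASP=TRUE
DisableWebDAV=TRUE
RemoveSampleVDirs=TRUE
InstallUrlScan=TRUE
"""


def load_roles(ini_text: str) -> Dict[str, Dict[str, bool]]:
    """Parse every role section into {role: {setting: True/False}}."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(ini_text)
    roles: Dict[str, Dict[str, bool]] = {}
    for section in parser.sections():
        # getboolean accepts TRUE/FALSE case-insensitively
        roles[section] = {key: parser.getboolean(section, key)
                          for key in parser[section]}
    return roles


def role_diff(roles: Dict[str, Dict[str, bool]], a: str, b: str) -> Dict[str, Tuple[bool, bool]]:
    """Return the settings on which roles a and b differ, as {setting: (a_value, b_value)}."""
    keys = sorted(set(roles[a]) | set(roles[b]))
    return {k: (roles[a].get(k), roles[b].get(k))
            for k in keys if roles[a].get(k) != roles[b].get(k)}


def impact_on_server(roles: Dict[str, Dict[str, bool]], role: str,
                     current_services: Dict[str, bool]) -> List[str]:
    """List services that are running now but that the chosen role would disable.

    This is the set to exercise in pre-upgrade testing: anything here stops
    working once the role is applied. Only Disable* keys are considered.
    """
    affected = []
    for key, disable in roles[role].items():
        if key.startswith("Disable") and disable:
            service = key[len("Disable"):]
            if current_services.get(service, False):
                affected.append(service)
    return affected


if __name__ == "__main__":
    roles = load_roles(SAMPLE_INI)
    print("Exchange vs SharePoint:",
          role_diff(roles, "Exchange Server 2000", "SharePoint Portal Server"))
    # Constructed snapshot of what is running on a server before lockdown.
    running = {"WWW": True, "FTP": True, "SMTP": True, "NNTP": False}
    print("Would be disabled:",
          impact_on_server(roles, "SharePoint Portal Server", running))
```

Pointing `load_roles` at the text of the real IisLockd.ini (after adjusting the key prefix to whatever the file actually uses) gives an administrator a per-role summary to compare against the Oblt-log.log output once the tool has run.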

Tip

When the IIS Lockdown Tool locks down a server, it creates a log file named Oblt-log.log and saves it in the folder that contains IISLockd.exe. This file contains information about every action the IIS Lockdown Tool implemented on the system.

Administrators can run the IIS Lockdown Tool unattended, allowing consistent configuration across many servers through unattended scripts. For more information about running the IIS Lockdown Tool unattended, see RunLockdUnattended.doc, which is located in the folder that contains the files for the IIS Lockdown Tool.

To download the latest version, see IIS Lockdown Tool.