Internet Information Services and Internet Communication (Windows Server 2003)
Applies To: Windows Server 2003 with SP1
This section provides information about:
The benefits of Internet Information Services (IIS) in products in the Microsoft Windows Server 2003 family
For servers from which you want to offer content on an intranet or the Internet, descriptions of some of the security-related features offered in IIS 6.0, and suggestions for other sources of information about security and IIS 6.0
Note
.gif "note")
NoteFor servers from which you do not want to offer content on an intranet or the Internet, you do not need to remove IIS, since by default it is not installed with most products in the Windows Server 2003 family. The exception is Windows Server 2003, Web Edition, on which IIS is installed by default. If you use a server as a Web server and then deploy it for some other purpose, remove IIS from that server. </div></td> </tr> </tbody> </table>Controlling Internet printing
Subcomponents that are part of IIS, with instructions for finding out which subcomponents are installed on a given server
Viewing Help for IIS
Other sources of information about IIS
It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization's requirements for communication across the Internet with your organization's requirements for protection of networked assets.
Benefits and Purposes of IIS
IIS 6.0 is one of the optional components in products in the Windows Server 2003 family. IIS is a component that provides an easy way to publish information on the Internet or an intranet. In a managed environment, IIS is usually installed on selected servers only. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like ASP.NET, which is an enhancement to Active Server Pages (ASP), you can more easily create and deploy scalable, flexible Web applications.
IIS is not installed by default with products in the Windows Server 2003 family other than Windows Server 2003, Web Edition. IIS and related components can be added by using either Add or Remove Programs in Control Panel or Manage Your Server. After IIS 6.0 is installed, it is configured by default in a "locked down" state. The locked down state means that IIS 6.0 accepts requests for static files only, until it is configured to serve dynamic content. It also means that all time-outs and settings are set to restrictive defaults. You can enable or disable IIS 6.0 functionality based on the needs of your organization by using IIS Manager. You can also enable IIS 6.0 functionality through programmatic and command-line interfaces.
For more information about IIS features, see the following Web sites:
The product information page for IIS 6.0 at:
The technical overview document for IIS 6.0 at:
The IIS page on the Microsoft Web site at:
If you have a Web site on which you want to use Microsoft .NET Passport for authentication and you also want to use Passport Manager Administration, a component in the Windows Server 2003 family, see Appendix E: Passport Manager Administration (Windows Server 2003).
Examples of Security-Related Improvements in IIS 6.0
IIS 6.0 includes a variety of settings and features related to security, some of which are listed in the following table.
Examples of security-related settings and features in IIS 6.0
Setting or feature Description Disabling through Group Policy
With the Windows Server 2003 family, domain administrators can prevent users from installing IIS 6.0 on their computers.
Running as an account with limited privileges
IIS 6.0 worker processes run in a user context with limited privileges by default. This drastically reduces the attack surface of the Web server.
Secure ASP
All functions built into ASP pages always run as an account with limited privileges (anonymous user).
Recognized file extensions
IIS 6.0 serves requests only to files that have recognized file extensions and rejects requests to file extensions it doesn't recognize.
Command-line tools not accessible to Web users
Attackers often take advantage of command-line tools that are executable through the Web server. In IIS 6.0, the command-line tools cannot be executed by the default Web server identity.
Write protection for content
Once attackers get access to a server, they try to deface Web sites. By preventing anonymous Web users from overwriting Web content, these attacks can be mitigated.
Time-outs and limits
Product settings are set to aggressive and secure defaults.
Upload data limitations
Administrators can limit the size of data that can be uploaded to a server.
Buffer overflow protection
The Windows Administration Service in IIS will detect if a worker process had a buffer overflow and will exit that process.
File verification
The core server verifies that the requested content exists before it gives the request to a request handler (Internet Server Application Programming Interface [ISAPI] extension).
For more information about creating Web sites with IIS 6.0 and maintaining appropriate levels of awareness and control over the communication to and from those sites, see the IIS Help. For information about viewing the Help, see "To view Help after installing IIS," later in this section.
Controlling Internet Printing
Internet printing makes it possible for clients to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP). Additionally, a computer running a product in the Windows Server 2003 family can use IIS to create a Web page that provides information about printers and provides the transport for printing over the Internet.
For Internet printing, it is important to consider both the server and the client:
Server: Internet printing is an optional component (not installed by default) of IIS 6.0. A server running a product in the Windows Server 2003 family can be configured to act as a print server allowing Internet printing. In a managed environment, you might want to ensure that the Internet printing subcomponent of IIS is not installed. For information about how to do this, see "Procedures for Checking or Controlling the Installation of IIS Subcomponents," later in this section.
Client: Clients running Windows XP can install an Internet printer using a Web browser, the Add Printer Wizard, or the Run dialog box. To control whether clients can support Internet printing, see the section about Internet printing in the white paper titled "Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet." You can view this white paper on the TechNet Web site at:
https://go.microsoft.com/fwlink/?LinkId=29133
Note
NoteThe white paper available from the preceding link also includes a procedure for using Group Policy to disable Internet printing on a computer running IIS. That procedure is not applicable for computers running products in the Windows Server 2003 family because the Group Policy object referred to in the procedure is not available in the Windows Server 2003 family. For such servers, use the procedures in "Procedures for Checking or Controlling the Installation of IIS Subcomponents," later in this section. </div></td> </tr> </tbody> </table>Answer File Entries and Registry Keys for IIS Subcomponents
For reference purposes, the following table shows the syntax for answer file entries associated with IIS in the Windows Server 2003 family as well as the corresponding registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular component is installed on a particular server. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed.
Note
For more details about answer file entries related to IIS components, follow the steps in "To view Help after installing IIS," later in this section, and then search for the topic called "Installing IIS." In that topic, look for a table showing the answer file entries.
Answer file entries and registry keys associated with IIS subcomponents for the Windows Server 2003 family
IIS subcomponent Syntax for answer file entry (in the [Components] section) Registry key (for use in a script that checks whether a component is installed): 0x00000000 means it is not installed; 0x00000001 means it is installed IIS common files
iis_common = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\
iis_common
Active Server Pages (ASP) for IIS
iis_asp = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_asp
File Transfer Protocol (FTP) service
iis_ftp = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_ftp
IIS Manager (Microsoft Management Console [MMC] snap-in)
iis_inetmgr = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_inetmgr
Internet Data Connector
iis_internetdataconnector = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\
iis_internetdataconnector
Network News Transfer Protocol (NNTP) service
iis_nntp = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_nntp
Server-Side Includes
iis_serversideincludes = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\
iis_serversideincludes
Simple Mail Transfer Protocol (SMTP) service
iis_smtp = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_smtp
Web Distributed Authoring and Versioning (WebDAV) publishing
iis_webdav = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_webdav
World Wide Web (WWW) service
iis_www = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\iis_www
Remote administration (HTML)
sakit_web = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\sakit_web
Internet Server Application Programming Interface (ISAPI) for Background Intelligent Transfer Service (BITS) server extensions
BitsServerExtensionsISAPI = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\
bitsserverextensionsisapi
Background Intelligent Transfer Service (BITS) server extensions snap-in
BitsServerExtensionsManager = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\
bitsserverextensionsmanager
FrontPage server extensions
fp_extensions = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\fp_extensions
Internet printing
inetprint = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\inetprint
ActiveX control and sample pages for hosting Terminal Services client connections over the Web
TSWebClient = On | Off
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\TSWebClient
Note
For several of the subcomponents in the previous table, the software for the subcomponent is installed regardless of the answer-file entry, but the subcomponent cannot be used unless the answer-file entry is set to On (or the procedure is followed for installing the subcomponent through Add or Remove Programs in Control Panel). These subcomponents are Internet Data Connector, Server-Side Includes, and WebDAV publishing.
Procedures for Checking or Controlling the Installation of IIS Subcomponents
The following procedures explain how to:
View the registry keys listed in the table in the previous subsection
View or change the IIS components currently installed on a computer running a product in the Windows Server 2003 family
Specify answer file entries that control whether IIS subcomponents are included during unattended installation
To view registry keys related to IIS subcomponents
Open Registry Editor by clicking Start, clicking Run, and then typing regedit.
Warning
.gif "Caution")
CautionIncorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied. </div></td> </tr> </tbody> </table>Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\
OC Manager\Subcomponents\.View the registry keys listed in the table in the previous subsection, and find the value associated with each key. A value of 0x00000000 means the component is not installed. A value of 0x00000001 means the component is installed.
Close Registry Editor.
To view or change the IIS components currently installed on a computer running a product in the Windows Server 2003 family
Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
Double-click Add or Remove Programs.
Click Add/Remove Windows Components (on the left).
Select Application Server and then click Details.
Find Internet Information Services (IIS) in the list, and perform one of the following steps:
If IIS is installed and you want to remove it, clear the check box for IIS and complete the wizard.
If IIS is not installed and you want to add the default set of IIS subcomponents, select the check box for IIS and complete the wizard.
If you want to view or select from the list of IIS subcomponents, after selecting IIS, click Details.
Note
The Internet Printing component is in the list of components that appears when you click Details.
Follow the instructions to complete the Windows Components Wizard.
To specify answer file entries that control whether IIS subcomponents are included during unattended installation
Using the methods you prefer for unattended installation or remote installation, create an answer file.
In the [Components] section of the answer file, add the appropriate entries listed in the table in "Answer File Entries and Registry Keys for IIS Subcomponents," earlier in this section. Ensure that the entries specify Off for components you do not want to install and On for components you want to install.
If no IIS subcomponents are listed in an answer file for unattended installation of a product in the Windows Server 2003 family, these subcomponents are not installed by default.
Note
NoteFor more details about answer file entries related to IIS components, follow the steps in the next procedure, "To view Help after installing IIS," and then search for the Help topic called "Installing IIS." In that topic, look for a table showing the answer file entries. </div></td> </tr> </tbody> </table>To view Help after installing IIS
After installing IIS (including the IIS Manager subcomponent, which is included in default installations of IIS), click Start.
Either click Control Panel, or point to Settings and then click Control Panel.
Double-click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Click the Help menu and then click Help Topics.
Related Links
For more information about IIS, see the following Web sites:
The product information page for IIS 6.0 at:
The technical overview document for IIS 6.0 at:
The IIS page on the Microsoft Web site at:
The page for the IIS Lockdown Tool on the TechNet Web site at: