Overview of the Securing Web Sites and Applications Process

Applies To: Windows Server 2003, Windows Server 2003 with SP1

To provide comprehensive security for your Web sites and applications, you must ensure that the entire Web server, including each Web site and application that the server hosts, is protected from unauthorized access. Also, you might have to ensure that the Web sites and applications are protected from other Web sites and applications that are hosted on the same server. Finally, you need to initiate practices to help ensure that your Web sites and applications remain secure.

For security reasons, IIS 6.0 is not installed by default on the Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter Edition operating systems. When you install IIS 6.0, it is locked down — only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. Features such as Active Server Pages (ASP), ASP.NET, Common Gateway Interface (CGI) scripting, FrontPage® 2002 Server Extensions from Microsoft, and Web Distributed Authoring and Versioning (WebDAV) do not work by default. You can serve dynamic content and enable these features in the Web Service Extensions node in IIS Manager.
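As an added illustration (not part of the original documentation) of the locked-down default described above, the following Python audit reads entries of the metabase property WebSvcExtRestrictionList, which backs the Web Service Extensions node (entry format `Access,Path,UIDeletable,GroupID,Description`, with Access 0 = prohibited and 1 = allowed), and reports every extension that has been allowed beyond the static-only default. The sample entries are constructed for the example, not exported from a real server, and the helper names are the author's own.

```python
"""Audit an IIS 6.0 WebSvcExtRestrictionList against the static-only default.

Each entry is "Access,Path[,UIDeletable,GroupID,Description]". Access is
"0" (prohibited) or "1" (allowed). The two catch-all default entries
("0,*.dll" and "0,*.exe") carry only the first two fields.
"""
from dataclasses import dataclass


@dataclass
class Extension:
    allowed: bool
    path: str
    group_id: str
    description: str


def parse_restriction_list(entries):
    """Turn raw metabase strings into Extension records."""
    parsed = []
    for raw in entries:
        fields = raw.split(",", 4)  # at most 5 fields; keeps commas in Description
        if len(fields) < 2 or fields[0].strip() not in ("0", "1"):
            raise ValueError(f"malformed WebSvcExtRestrictionList entry: {raw!r}")
        parsed.append(Extension(
            allowed=fields[0].strip() == "1",
            path=fields[1].strip(),
            group_id=fields[3].strip() if len(fields) > 3 else "",
            description=fields[4].strip() if len(fields) > 4 else "",
        ))
    return parsed


def enabled_beyond_static(entries):
    """Return the GroupID (or path, for catch-all entries) of each allowed extension.

    A fresh IIS 6.0 install allows none of these, so every name returned is a
    deliberate deviation from the default that should be documented and justified.
    """
    return [e.group_id or e.path for e in parse_restriction_list(entries) if e.allowed]


def is_static_only(entries):
    """True when the server still matches the locked-down, static-content default."""
    return not enabled_beyond_static(entries)


# Constructed sample: a server on which ASP was enabled after installation.
SAMPLE = [
    "0,*.dll",
    "0,*.exe",
    "1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages",
    "0,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,0,SSINC,Server Side Includes",
    "0,C:\\WINDOWS\\system32\\inetsrv\\httpext.dll,0,WEBDAV,WebDAV",
]

if __name__ == "__main__":
    print("allowed extensions:", enabled_beyond_static(SAMPLE))  # ['ASP']
```

On a live server the entries can be read with `cscript adsutil.vbs get W3SVC/WebSvcExtRestrictionList` and fed to `enabled_beyond_static` one string per entry.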

Before you begin this process, complete the following steps:

  • Install Windows Server 2003 with the default options.

  • Install IIS 6.0 with the default settings in Add or Remove Programs in Control Panel.

If you install and configure Windows Server 2003 by other methods, such as unattended setup, or enable IIS 6.0 by using Manage Your Server, the default configuration settings might not be identical to those assumed here.

Upon completing the process outlined in this section, you will have a Web server running IIS 6.0 that fulfills your security requirements. However, to maintain the security of your server, you need to implement continuing security practices such as security monitoring, detection, and response. For more information about maintaining Web server security, see Managing a Secure IIS 6.0 Solution.

Note

The security settings described in this section are appropriate for Web sites and applications that are hosted on Web servers on an intranet and the Internet, unless specifically noted.

Although not the focus of this section, you can apply many of the security recommendations described in this section to enhance the security of Web servers that have been upgraded from earlier versions of IIS.