Resources: IIS 6.0 Security
Phil Sherwood

In today's business environment, most organizations are using Web servers to extend products and services to both internal and external customers. At the same time, attackers are increasing their relentlessness and sophistication. To enable secure Web infrastructures based on reliable, high-performance Web server platforms, Microsoft built IIS 6.0 from the ground up with a focus on security as a core design criterion.
Although security is a critical topic in the field of information technology today, few IT professionals have the time to dig through the volume of information available on MSDN®, TechNet, the IIS Technology Center on, and elsewhere.
However, the relatively new Web site simplifies searching by providing a collection of valuable, security-focused IIS 6.0 overviews and technical resources, summarized at Try IIS 6.0. The offerings include executive and technical webcasts, papers for both technical and business management personnel, FAQs, detailed technical IIS 6.0 documentation, and links to other focused online security centers.
The following is a sample of what's available on

Papers and FAQs
Looking for IIS resources that you can access offline from your Tablet PC or stuff into your pocket and reference on the subway? A white paper, several technical papers, and a magazine article all examine Windows Server 2003 and IIS 6.0 security capabilities in different levels of detail. A short collection of FAQs also provides some brief explanations of IIS components.
Starting on the less technical side, Understanding Internet Information Security provides an overview of the IIS security model. This is a manageable introduction for those on the business side and can serve as a quick, high-level scan and refresher for the more technical type. Note that the text on the page is a truncated version of the Word document downloadable from the link towards the top of the page. It's worth the time to download and print the .doc file, 19 nicely formatted pages in total, about 10 of which contain the meat and potatoes of the subject.
Also a discussion of the IIS security model (but at the code level and assuming the reader's substantial technical familiarity with IIS and Windows NT®) is Microsoft Internet Information Server Security Overview. It's drawn from the MSDN library and amounts to about 10 pages of text. After dispensing with some very high-level questions ("Why Security Is Important," for example), it digs into more nuts-and-bolts topics such as authentication, access control and related considerations, data integrity, digital certificates, and the CryptoAPI.
Still more technically substantial and running close to 40 pages is Technical Overview of Windows Server 2003 Security Services, published in July 2002. The table of contents appears on this page; the paper itself also provides an extensive collection of links. Within the overview, the paper discusses the security-related Windows Server tools and processes: authentication, access control, security policy, auditing, Active Directory® data protection, network data protection, public key infrastructure (PKI), and trusts. Although the mentions of IIS are contained on pages 4 and 5, the Windows Server 2003 content that makes up the majority of the article covers the strong foundation on which IIS is built.
To round out the offerings, a technical paper, "For Developers: Innovations in IIS Security," is the online reprint of a September 2002 MSDN Magazine article titled, "Innovations in Internet Information Services Let You Tightly Guard Secure Data and Server Processes" and amounts to about eight hard copy pages. It covers the use of IIS Lockdown to shut down services when needed, limiting port access with TCP/IP filtering, controlling file serving with extension mapping, new developments in SSL, the use of URLScan, and more.

Customer responses to Microsoft-sponsored webcasts have been very positive. While gaining access to these webcasts requires a couple of brief steps, these online seminars are worth the few moments spent logging in. Most webcasts range between 70 and 100 minutes in length and between 8.5 and 13MB in download size.
One of the many webcasts available is Microsoft Executive Circle Webcast: Advanced Web Server Security with IIS 6.0 and Windows Server 2003, by IIS Security Program Manager Vikas Malhotra and IIS MVP Brett Hill, introduced by IIS Product Manager Mary Alice Colvin. Relevant for business and technical personnel, it explains how security improvements in both IIS 6.0 and Windows Server 2003 enable deployment of secure Web servers and reduce costs.
Other webcasts dig further into technical detail about IIS 6.0 security features. Starting with a bit of history, Securing Internet Information Services (presented by Malhotra; about 70 minutes long) covers previous IIS architectures and then reviews the security architecture rebuilt for IIS 6.0, which is locked down by default. It explains how new features, such as fault-tolerant process isolation, help protect against intrusions.
Effectively Using IIS Security (Malhotra; 90 minutes) provides an overview of the big picture by reviewing the new IIS 6.0 security architecture before it explores the underlying security principles of IIS 6.0. It also illustrates how the new security features help protect Web servers against hackers. A 7.3MB PDF slide deck, downloadable separately, accompanies this presentation.
Authentication protocols are the focus of The Ins and Outs of Authentication in IIS 4.0, 5.0, and 6.0—Level 200 (Chris Adams, IIS supportability lead; 85 minutes). This presentation addresses ways to secure IIS servers with good authentication schemes, a critical part of establishing server security, by explaining how anonymous, basic, and other authentication methods work.
If you're considering migrating to IIS 6.0 from the 4.0 or 5.0 releases, you will want to watch The Inside Scoop: The Good, the Bad, and the Ugly of IIS 5.0 Isolation Mode in IIS 6.0 (Level 300) (Chris Adams, IIS supportability lead; 82 minutes). The presentation focuses on determining which applications implemented on earlier releases of IIS are well suited for immediate migration to IIS 6.0, with its new worker process isolation mode, and which are candidates for running in IIS 5.0 Isolation Mode temporarily while they're updated to take advantage of the new architecture of IIS 6.0. The pitfalls and costs of using IIS 5.0 Isolation Mode on Windows Server 2003 are also discussed.
Windows and Exchange administrators and others who have to ensure secure data transmission between clients and Windows and Exchange servers form the primary audience for Troubleshooting Secure Socket Layer (Adams; 90 minutes). This presentation discusses SSL on each supported IIS platform and also lays out some tips and tricks that simplify troubleshooting.

Online Security Centers
Expanding beyond the very specific technical documentation are the two different online security centers included on the Web site. The first is the Online IIS Security Center, which provides the latest security updates, troubleshooting advice, configuration and administration guidance, and in-depth information on specific security topics for all versions of IIS Web servers.
Starting at the In-depth Guidance for Securing Computer Systems heading at the IIS Security Center, traversing a few linked pages, and then scanning for IIS reveals the following three items of interest.
The second recommended site is the Online Microsoft Security Center. While this site is not specifically an IIS 6.0 resource, it does provide a handy central location to keep current on recent viruses, hack attempts, and other security incidents as well as security bulletins, updates, and corporate-level security information.

The e-Business Foundation Winner
The in-depth emphasis on security in IIS 6.0 might take the surprise out of learning that IIS 6.0 is an eWEEK award winner. In April 2004, eWEEK, a prominent e-business, communications, and Internet-based architecture newsletter, acknowledged the new strength and security of Windows Server 2003 and IIS 6.0. It declared the pair as the winner in the Best e-Business Foundation category, based "on the strength of the components it combines for building an organization's basic IT infrastructure."
The award also singled out the improved security features: "Chief among those was the move to the all-new IIS (Internet Information Services) 6.0 Web server, which is faster, more reliable and more secure than the previous version of IIS. What's more, IIS 6.0 is not installed by default in Windows Server 2003, which reduces unnecessary exposure. In addition, IIS 6.0 is better suited than its predecessor as a development platform target." (Source: E-Business Foundations)
To look past industry awards, visit the security page on the Web site to discover the resources described here, and more. The site lays out in both summary form and technical detail the elements that make Windows Server 2003 and IIS 6.0 meet business and organizational needs for a secure, high-performance Web infrastructure.

Phil Sherwood is principal of Witan Consulting, which provides technical and marketing writing, product and program management, and general business management support to both small businesses and large technology development companies.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.