IIS 6.0 Security Best Practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

General Best Practices

  • Log on with the least credentials. Log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator.

  • Reduce the attack surface. Disable all services you do not need, including IIS services such as FTP, NNTP, or SMTP. If a feature or service is not enabled, then there is no need to secure it.

  • Do not download or run programs from untrusted sources. Programs can contain instructions to violate security in a number of ways including data theft, denial of service, and data destruction.

  • Keep virus scanners up to date. Virus scanners frequently identify infected files by scanning for a signature that is a known component of a previously identified virus. The scanners keep these virus signatures in a signature file, which is usually stored on the local hard disk. Because new viruses are discovered frequently, this file should also be updated frequently for the virus scanner to easily identify all current viruses.

  • Keep current with all software updates. Software updates provide solutions to known security issues. Check software provider Web sites periodically to see if there are new updates available for software used in your organization.

    • The new process model in IIS 6.0 includes process recycling, which means an administrator can easily install most IIS updates and most new worker process DLLs without any interruption of service.

    • Auto Update version 1.0 provides three options to customers: notify as soon as an update is available; download the update and notify when the download is complete; or install on a schedule. For more information, see "Windows Automatic Updates" in Help and Support Center for Windows Server 2003.

  • Use NTFS. The NTFS file system is more secure than the FAT or FAT32 file system.

  • Assign strong NTFS permissions for your resources.

  • Exercise caution with domain controllers. If you use a domain controller as an application server, be aware that if security is compromised on the domain controller, then security is compromised on the entire domain.

IIS Best Practices

  • Restrict write access permissions for the IUSR_computername account. This will help limit the access anonymous users have to your computer.

  • Store executable files in a separate directory. This makes it easier for administrators to assign access permissions and to audit them.

  • Create a group for all anonymous user accounts. You can deny access permissions to resources based on this group membership.

  • Deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.

  • Use IP address restriction if administering IIS remotely. For more information, see Securing Sites with IP Address Restrictions.

  • Assign the most restrictive permissions possible. For example, if your Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts Only permissions instead of Scripts and Executables permissions. For more information, see Securing Sites with Web Site Permissions.

  • Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It can allow a user to upload potentially harmful executable files to your server and run them. For more information, see Securing Sites with Web Site Permissions.

  • Enable data encryption in all WMI-based remote administration scripts. For more information, see Encrypting Data When Running WMI-Based Remote Administration Scripts.

  • Ensure that the VeriSign Intermediate Root CA on your Web server is up to date. Verify the expiration date, and update the Intermediate Root CA if necessary. The new VeriSign Intermediate Root CA has the following properties:

    Issued to: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    Issued by: Class 3 Public Primary Certification Authority
    Valid from: 4/16/97 to 10/24/11
    

    For information about verifying the expiration date, see Determining the Intermediate Root CA Version on a Web Server. For information about updating the Intermediate Root CA, see the VeriSign Support Web site.
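The following script is an added example and is not part of the IIS 6.0 documentation or of any Microsoft tool. It audits a server for the settings the items above warn about: virtual directories with Scripts and Executables, with Write combined with Script source access, or with Write combined with Execute (the Web Site Permissions items), and NTFS entries under the content root that give the IUSR_computername account (or a group of anonymous accounts) write access (the write-restriction item). It reads the metabase over a WMI connection with packet privacy, which is what the WMI encryption item asks for. Assumptions: PowerShell 2.0 on the administrator's workstation (the -Authentication parameter of Get-WmiObject), the IIS 6.0 WMI provider in the root\MicrosoftIISv2 namespace on the target server, the MD_ACCESS_* bit values of the metabase AccessFlags property, and the placeholder server name WEBSRV01 and share path, which are constructed for the example.

```powershell
# Added example, not from the IIS 6.0 documentation. Assumes PowerShell 2.0,
# the IIS 6.0 WMI provider (root\MicrosoftIISv2) on the target server, and the
# placeholder names below. Run from an administrator's workstation.
param(
    [string]$Server  = 'WEBSRV01',                       # placeholder server name
    [string]$WebRoot = '\\WEBSRV01\C$\Inetpub\wwwroot',  # placeholder content path
    [string]$AnonymousIdentity = '\\IUSR_'               # regex for IUSR_computername, or the name of
)                                                        # the group that holds all anonymous accounts

# Metabase AccessFlags bits (MD_ACCESS_* constants from the IIS metabase reference).
$AccessRead    = 0x001
$AccessWrite   = 0x002
$AccessExecute = 0x004
$AccessSource  = 0x010
$AccessScript  = 0x200

# Reads every virtual directory's settings over DCOM with packet privacy, so the
# metabase data (paths, account names, flags) is encrypted on the network.
function Get-IisVdirSetting {
    param([string]$ComputerName)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftIISv2' `
        -Class IIsWebVirtualDirSetting -Authentication PacketPrivacy -Impersonation Impersonate
}

# Applies the page's rules to one AccessFlags value and returns the findings:
# prefer Scripts Only over Scripts and Executables, and never pair Write with
# Script source access or with Execute.
function Test-AccessFlags {
    param([int]$Flags)
    $findings = @()
    $write   = ($Flags -band $AccessWrite)   -ne 0
    $execute = ($Flags -band $AccessExecute) -ne 0
    $source  = ($Flags -band $AccessSource)  -ne 0
    if ($execute)            { $findings += 'Scripts and Executables: use Scripts Only unless native executables are required' }
    if ($write -and $source) { $findings += 'Write + Script source access: users could upload script source and have it run' }
    if ($write -and $execute){ $findings += 'Write + Execute: users could upload executables and run them' }
    return $findings
}

# Lists files and folders under $Path where an Allow ACE grants the anonymous
# identity a write-class right. ACEs that carry generic rights (Get-Acl shows
# them as raw numbers such as 268435456) are not decoded here.
function Find-AnonymousWritableItems {
    param([string]$Path, [string]$IdentityPattern)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor `
                 $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                $ace.IdentityReference.Value -match $IdentityPattern -and
                ([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
                New-Object PSObject -Property @{
                    Path = $item.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# --- run the audit ---
Write-Output "Web permission audit for $Server (WMI with packet privacy)"
foreach ($vdir in Get-IisVdirSetting -ComputerName $Server) {
    foreach ($finding in Test-AccessFlags -Flags $vdir.AccessFlags) {
        Write-Output ("  {0}: {1}" -f $vdir.Name, $finding)   # Name is the metabase path, e.g. W3SVC/1/ROOT
    }
}

Write-Output "NTFS write access matching '$AnonymousIdentity' under $WebRoot"
Find-AnonymousWritableItems -Path $WebRoot -IdentityPattern $AnonymousIdentity |
    Format-Table Path, Identity, Rights -AutoSize
```

Run it with -Server and -WebRoot set to the real server and content share, and with -AnonymousIdentity set to the anonymous users group if you created one as the page suggests. The script only reads settings; changing a directory to Scripts Only or removing a Write ACE is still done in IIS Manager or with the NTFS tools, after confirming the application does not need the permission. In a VBScript-based remote administration script, the equivalent of -Authentication PacketPrivacy is setting AuthenticationLevel on the connection's Security_ object to 6 (wbemAuthenticationLevelPktPrivacy).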

For information about security best practices for the Windows Server 2003 family, see "Security Best Practices" in Help and Support Center for Windows Server 2003.