Internet Information Services Security

  • Article

SMS 2003 relies on Internet Information Services (IIS) to support the management point, server locator point, and reporting point site systems. Well maintained IIS security helps to ensure the integrity of these SMS site systems.

IIS security is especially important if IIS is installed on SMS site servers when the site is running in SMS advanced security because:

  • The site server's computer account has administrative privileges on other computers. IIS runs by using the local system account, which is the only account with the right to use the computer account. This typically is the case only on site servers.

  • When using advanced security, the SMS site server manages its local files and registry entries by using the local system account. Software running in the local system account context of IIS has equal access to those files and registry entries.

You can implement three IIS application protection modes: low, medium, and high. High application protection mode is the most secure and isolates the application files from the IIS files at the process level. SMS 2003 uses IIS 5.0 high application protection mode.

In IIS 6.0 you can implement application pools, which are similar to high application protection mode. Application pools are more efficient and enable the use of new IIS 6.0 features, such as automatic application restarts called the worker process Isolation Mode. To determine which mode IIS 6.0 is in, right-click the Web Sites node in the IIS administrative tool and select Properties. The Isolation Mode is indicated on the Service tab.

Recommendations for securing IIS include:

  • Use the latest version of IIS that is available. Usually this means using the latest operating system available.

  • Apply service packs and security-related hotfixes as they become available.

  • Disable IIS functions that you do not require.

  • Put IIS on servers that are separate from other applications, or on servers with few other functions.

  • Use IIS security lockdown and other IIS security tools, as described in the IIS documentation.

For More Information

Did you find this information useful? Please send your suggestions and comments about the documentation to smsdocs@microsoft.com.