Security Changes in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 with SP1

To improve the security of your Web server, many aspects of IIS 6.0, including default behavior and settings, function differently than in earlier versions of IIS. Some of the most notable changes were made to take a more proactive stance against malicious users and attackers. A significant change is that IIS is not installed by default on Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter Edition operating systems, and many services and features of IIS are not installed or enabled by default when you install IIS. Other security changes in IIS 6.0 affect components of Active Server Pages (ASP), authentication, and access control methods. As a result of these changes, some existing applications and sites might require you to enable services, change settings, or make other adjustments before they run as expected. However, if you change default settings, you should do so carefully to maintain the most secure solution possible.

The most significant security-related changes are as follows:

  • IIS installs in a locked-down mode.

  • Restrictive Multipurpose Internet Mail Extensions (MIME) types reduce the attack surface of IIS.

  • Multiple worker processes affect Internet Server API (ISAPI) filter status display.

  • ASP and ASP.NET functionality are disabled by default.

  • Parent paths are disabled by default.

  • Global.asa events are run as the anonymous user.

  • Anonymous password synchronization is disabled by default.

  • Advanced Digest authentication requires Windows Server 2003.

  • Microsoft® .NET Passport authentication requires LocalSystem user account rights.

  • Kerberos authentication requires service principal names (SPNs) for multiple worker processes.

  • Access is restricted for executables.

  • Access is restricted for non-default identities for Common Gateway Interface (CGI) processes.
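As an added example (not part of the original documentation), the following PowerShell script reads the IIS 6.0 metabase through ADSI and reports whether three of the defaults listed above (parent paths, anonymous password synchronization, and the ASP Web service extension) still match their locked-down values. It assumes it is run locally with administrative rights on a server that has the IIS 6.0 metabase available, and that the metabase properties AspEnableParentPaths, AnonymousPasswordSync and WebSvcExtRestrictionList are present at the W3SVC level.

```powershell
# Added audit script, not from the original page. Reads IIS 6.0 metabase
# settings that correspond to the defaults listed above, via ADSI.
# Assumption: run as an administrator on a host with the IIS 6.0 metabase.

$w3svc = [ADSI]"IIS://localhost/W3SVC"

# Parent paths ("..") in ASP #include and MapPath: disabled by default in IIS 6.0.
$parentPaths = [bool]$w3svc.Properties['AspEnableParentPaths'].Value

# Anonymous password synchronization: disabled by default in IIS 6.0.
$anonSync = [bool]$w3svc.Properties['AnonymousPasswordSync'].Value

# Web service extensions: each entry has the form
#   "Allowed,Path,Deletable,GroupID,Description"
# where Allowed is 1 (allowed) or 0 (prohibited). ASP is prohibited by default.
$aspAllowed = $false
foreach ($entry in $w3svc.Properties['WebSvcExtRestrictionList']) {
    $fields = [string]$entry -split ','
    if ($fields.Length -ge 4 -and $fields[3] -eq 'ASP' -and $fields[0] -eq '1') {
        $aspAllowed = $true
    }
}

# For all three settings the IIS 6.0 default is "disabled" ($false).
$results = @(
    @{ Setting = 'AspEnableParentPaths';      Enabled = $parentPaths }
    @{ Setting = 'AnonymousPasswordSync';     Enabled = $anonSync }
    @{ Setting = 'ASP web service extension'; Enabled = $aspAllowed }
)

foreach ($r in $results) {
    $status = if ($r.Enabled) { 'CHANGED from IIS 6.0 default - review' }
              else            { 'matches IIS 6.0 default' }
    "{0,-28} enabled={1,-5} {2}" -f $r.Setting, $r.Enabled, $status
}
```

Any setting reported as changed from the default is not necessarily wrong, but it is one of the adjustments the rest of this document describes and should be deliberate and documented.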

The following sections describe the security-related changes and provide information about how to customize your IIS work environment.