Enabling Only Essential IIS Components and Services

Applies To: Windows Server 2003, Windows Server 2003 with SP1

IIS 6.0 includes other components and services in addition to the WWW service, such as the File Transfer Protocol Service (FTP service) and the Simple Mail Transfer Protocol (SMTP) service. You can install and enable IIS components and services by using the Application Server subcomponent, which is found in Add or Remove Windows Components in Add or Remove Programs in Control Panel. After installing IIS, you need to enable the IIS 6.0 components and services that are required by the Web sites and applications running on your Web server.

Enable only the essential IIS 6.0 components and services that are required by your Web sites and applications. Enabling unnecessary components and services increases the attack surface of the Web server.

When a Web site or application does not function on the Web server and you suspect that an IIS 6.0 component or service might need to be enabled, complete the following steps:

  • Enable the individual IIS 6.0 component or service that you believe will allow the Web site or application to function.

  • Test the Web site or application for proper operation.

  • If the Web site or application functions correctly, further configure the IIS 6.0 component or service to the most restrictive security settings.

  • If enabling the IIS 6.0 component or service does not allow the Web site or application to function, disable the IIS 6.0 component or service and continue troubleshooting the problem.

The Web site or application might not function properly because of issues that are not security-related. For example, an Internet Server API (ISAPI) extension that is used by an application might not be installed properly. Although it might appear that the ISAPI extension is disabled, the problem might actually be caused by a faulty installation or configuration setting for the ISAPI extension. For more information about troubleshooting problems related to Web sites and applications that are not functioning, see Troubleshooting in IIS 6.0.

Important

When you are troubleshooting Web site- and application-related problems, do not enable all of the IIS 6.0 components and services. Enabling all of the IIS 6.0 components and services will unnecessarily increase the attack surface of the Web server.
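The enable, test, and restrict-or-roll-back loop described above, as an added example that is not part of the original page: a PowerShell 2.0 script that turns exactly one optional component on with sysocmgr.exe and an unattended answer file (the command-line equivalent of a single check box in Add or Remove Windows Components), requests a page of the affected application, and removes the component again if that did not help. It assumes PowerShell 2.0 has been installed on the Windows Server 2003 computer (it is not present by default), that the script runs as a local administrator, that the component ID (iis_asp in the usage line) matches the [Components] name in %windir%\inf\sysoc.inf on your server, and that the test URL is a placeholder for a page of your own application.

```powershell
# Added example: flip one Application Server optional component with sysocmgr.exe.
# Assumptions: Windows Server 2003 with PowerShell 2.0, local administrator rights,
# and component IDs that match the [Components] names in %windir%\inf\sysoc.inf.

function Set-OptionalComponent {
    param(
        [Parameter(Mandatory = $true)][string]$ComponentId,                      # e.g. iis_asp, iis_ftp
        [Parameter(Mandatory = $true)][ValidateSet('on', 'off')][string]$State
    )
    # Write the answer file under %windir%\Temp so the path contains no spaces.
    $answer = Join-Path (Join-Path $env:windir 'Temp') ('oc-{0}-{1}.txt' -f $ComponentId, $State)
    # sysocmgr reads an INI-style file; components that are not listed keep their current state.
    @('[Components]', "$ComponentId = $State") | Set-Content -Path $answer -Encoding ASCII
    $inf = Join-Path $env:windir 'inf\sysoc.inf'
    # /q = no setup UI, /r = do not reboot automatically. An exit code of 0 means setup completed.
    $p = Start-Process -FilePath (Join-Path $env:windir 'system32\sysocmgr.exe') `
                       -ArgumentList "/i:$inf", "/u:$answer", '/q', '/r' -Wait -PassThru
    Remove-Item -Path $answer -ErrorAction SilentlyContinue
    return $p.ExitCode
}

function Get-OptionalComponentState {
    param([Parameter(Mandatory = $true)][string]$ComponentId)
    # OC Manager records every optional component here as a DWORD: 1 = installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'
    $value = (Get-ItemProperty -Path $key).$ComponentId
    if ($value -eq 1) { return 'on' } else { return 'off' }
}

function Test-ComponentFixesSite {
    # The troubleshooting loop from the text: enable one suspect component, test the
    # application, keep the component only if the application now works, otherwise
    # remove it again so the extra attack surface does not stay behind.
    param(
        [Parameter(Mandatory = $true)][string]$ComponentId,
        [Parameter(Mandatory = $true)][string]$TestUrl        # placeholder: a page of the affected application
    )
    if ((Get-OptionalComponentState $ComponentId) -eq 'on') {
        return "$ComponentId is already enabled; the component is not the problem (check its installation and configuration)"
    }
    $rc = Set-OptionalComponent -ComponentId $ComponentId -State 'on'
    if ($rc -ne 0) { return "sysocmgr failed with exit code $rc while enabling $ComponentId" }
    try {
        # DownloadString throws on connection failures and on HTTP error status codes (4xx/5xx).
        $null = (New-Object System.Net.WebClient).DownloadString($TestUrl)
        return "$ComponentId enabled and $TestUrl works: now configure the component to its most restrictive settings"
    } catch {
        $null = Set-OptionalComponent -ComponentId $ComponentId -State 'off'
        return "$ComponentId did not fix $TestUrl ($($_.Exception.Message)); component disabled again, keep troubleshooting"
    }
}

# Usage (component ID and URL are placeholders for your own application):
Test-ComponentFixesSite -ComponentId 'iis_asp' -TestUrl 'http://localhost/app/default.asp'
```

sysocmgr may need the Windows Server 2003 installation source (the i386 folder) to copy files when a component is enabled for the first time; with /q it cannot prompt for it, so a non-zero exit code from Set-OptionalComponent usually means that source was not available. Enable only the one component you suspect; the script deliberately takes a single ID rather than a list.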

For each of the subcomponents of the application server that are listed in Table 3.2 through Table 3.6, complete the following steps:

  • Review the recommended settings to determine whether you need to make changes to the default settings.

  • Determine, based on the information provided in the comments, if the recommendation applies to your server.

  • Enable or disable the component based on the decisions made in the previous steps.

    For more information about how to configure the IIS 6.0 protocols and services, see Configure IIS Components and Services.

Table 3.2 Subcomponents of the Application Server

Application Server Console
  Default setting: Enabled. Recommended setting: No change.
  Provides a Microsoft Management Console (MMC) snap-in that includes administration for all of the Application Server components.
  On a dedicated Web server, this component is not required because only IIS Manager is used.

ASP.NET
  Default setting: Disabled. Recommended setting: See comment.
  Provides support for ASP.NET applications.
  Enable this component when you need to run ASP.NET applications on the Web server.

Enable network COM+ access
  Default setting: Enabled. Recommended setting: See comment.
  Allows the Web server to host COM+ components for distributed applications.
  Disable this component unless it is required by your applications.

Enable network DTC access
  Default setting: Disabled. Recommended setting: See comment.
  Allows the Web server to host applications that participate in network transactions through the Distributed Transaction Coordinator (DTC).
  Disable this component unless it is required by your applications.

Internet Information Services (IIS)
  Default setting: Enabled (see Table 3.3 for subcomponents). Recommended setting: No change.
  Provides basic Web and FTP services.
  This component is required on a dedicated Web server.
  Note: If this component is not enabled, none of its subcomponents can be enabled.

Message Queuing
  Default setting: Disabled (see Table 3.4 for subcomponents). Recommended setting: See comment.
  Provides guaranteed messaging, security, and transactional support for applications that communicate through the messaging services of Message Queuing (also known as MSMQ).
  This component is required when your Web sites and applications use Message Queuing.
  Note: If this component is not enabled, none of its subcomponents can be enabled.

Table 3.3 Subcomponents of Internet Information Services (IIS)

Background Intelligent Transfer Service (BITS) Server Extensions
  Default setting: Disabled (see Table 3.5 for subcomponents). Recommended setting: See comment.
  Allows background file transfers from a BITS client to the Web server.
  Enable this component when it is required by any of your client applications.
  Note: Windows Update, SUS, and Automatic Updates do not require this component; they require the BITS client component, which is not part of IIS.
  For more information, see Obtaining and Applying Current Security Patches later in this section.

Common Files
  Default setting: Enabled. Recommended setting: No change.
  On a dedicated Web server, these files are required by IIS and must always be enabled.

File Transfer Protocol (FTP) Service
  Default setting: Disabled. Recommended setting: No change.
  Allows the Web server to provide FTP services.
  This component is not required on a dedicated Web server. However, you might need to enable FTP on a server that is used only for posting content, to support software such as Microsoft FrontPage® 2002 without enabling FrontPage 2002 Server Extensions.
  Because the FTP service sends credentials in plaintext, connect to FTP servers only through a secured connection, such as one provided by Internet Protocol security (IPsec) or a VPN tunnel.
  For more information, see Using IPsec or VPN with Remote Administration later in this section.

FrontPage 2002 Server Extensions
  Default setting: Disabled. Recommended setting: See comment.
  Provides FrontPage support for administering and publishing Web sites.
  On a dedicated Web server, disable this component when no Web sites use FrontPage Server Extensions.

Internet Information Services Manager
  Default setting: Enabled. Recommended setting: See comment.
  Administrative interface for IIS.
  Disable this component when you do not want to administer the Web server locally.

Internet Printing
  Default setting: Disabled. Recommended setting: No change.
  Provides Web-based printer management and allows printers to be shared by using HTTP.
  This component is not required on a dedicated Web server.

NNTP Service
  Default setting: Disabled. Recommended setting: No change.
  Distributes, queries, retrieves, and posts Usenet news articles on the Internet.
  This component is not required on a dedicated Web server.

SMTP Service
  Default setting: Enabled. Recommended setting: Disabled.
  Supports the transfer of electronic mail.
  This component is not required on a dedicated Web server.

World Wide Web Service
  Default setting: Enabled (see Table 3.6 for subcomponents). Recommended setting: No change.
  Provides Internet services, such as static and dynamic content, to clients.
  This component is required on a dedicated Web server.
  Note: If this component is not enabled, none of its subcomponents can be enabled.

Table 3.4 Subcomponents of Message Queuing

None of these subcomponents can be enabled unless Message Queuing itself is enabled (see Table 3.2); enable each one only when the applications that use Message Queuing require it.

Active Directory Integration
  Default setting: Disabled. Recommended setting: See comment.
  Provides integration with Active Directory whenever the Web server belongs to a domain.

Common
  Default setting: Disabled. Recommended setting: See comment.
  Required by Message Queuing.

Downlevel Client Support
  Default setting: Disabled. Recommended setting: See comment.
  Provides access to Active Directory and site recognition for clients that are not Active Directory-aware.

MSMQ HTTP Support
  Default setting: Disabled. Recommended setting: See comment.
  Provides the sending and receiving of messages over the HTTP transport.

Routing Support
  Default setting: Disabled. Recommended setting: See comment.
  Provides store-and-forward messaging as well as efficient routing services for Message Queuing.

Triggers
  Default setting: Disabled. Recommended setting: See comment.
  Provides support to associate the arrival of incoming messages at a queue with functionality in a COM component or stand-alone program.
  This component is required when your Web sites and applications use Message Queuing and use Message Queuing triggers.

Table 3.5 Subcomponents of the Background Intelligent Transfer Service (BITS) Server Extensions

BITS management console snap-in
  Default setting: Disabled. Recommended setting: No change.
  Installs an MMC snap-in for administering BITS.
  Enable this component when you enable the BITS server extension ISAPI component.

BITS server extension ISAPI
  Default setting: Disabled. Recommended setting: No change.
  Installs the BITS ISAPI so that the Web server can receive background file transfers from a BITS client.
  Enable this component when it is required by any of your client applications.
  For more information, see Obtaining and Applying Current Security Patches later in this section.

Table 3.6 Subcomponents of the World Wide Web Service

Active Server Pages
  Default setting: Disabled. Recommended setting: See comment.
  Provides support for Active Server Pages (ASP).
  Disable this component when none of the Web sites or applications on the Web server use ASP. You can disable this component in Add or Remove Windows Components, which is accessible from Add or Remove Programs in Control Panel, or in the Web Service Extensions node in IIS Manager.
  For more information, see Enabling Only Essential Web Service Extensions later in this section.

Internet Data Connector
  Default setting: Disabled. Recommended setting: See comment.
  Provides support for dynamic content provided through files with .idc extensions.
  Disable this component when none of the Web sites or applications on the Web server include files with .idc extensions. You can disable this component in Add or Remove Windows Components, which is accessible from Add or Remove Programs in Control Panel, or in the Web Service Extensions node in IIS Manager.
  For more information, see Enabling Only Essential Web Service Extensions later in this section.

Remote Administration (HTML)
  Default setting: Disabled. Recommended setting: No change.
  Provides an HTML interface for administering IIS.
  Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

Remote Desktop Web Connection
  Default setting: Disabled. Recommended setting: No change.
  Includes Microsoft ActiveX® controls and sample pages for hosting Terminal Services client connections.
  This component is not required on a dedicated Web server; leaving it disabled keeps the attack surface of the Web server smaller.

Server-Side Includes
  Default setting: Disabled. Recommended setting: See comment.
  Provides support for .shtm, .shtml, and .stm files.
  Disable this component when none of the Web sites or applications on the Web server include files with these extensions.

WebDAV Publishing
  Default setting: Disabled. Recommended setting: Disabled.
  Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web.
  Disable this component on a dedicated Web server. You can disable this component in Add or Remove Windows Components, which is accessible from Add or Remove Programs in Control Panel, or in the Web Service Extensions node in IIS Manager.
  For more information, see Enabling Only Essential Web Service Extensions later in this section.

World Wide Web Service
  Default setting: Enabled. Recommended setting: No change.
  Provides Internet services, such as static and dynamic content, to clients.
  This component is required on a dedicated Web server.
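To check a server against the recommended settings in Tables 3.2 through 3.6 without clicking through Add or Remove Windows Components, here is an added audit script that is not part of the original page. It reads the OC Manager install state of each optional component from the registry, compares it with the recommendations, lists the IIS-related services that are actually present and running, and shows the Allowed/Prohibited state of each entry in the Web Service Extensions node that the ASP, Internet Data Connector, and WebDAV rows refer to. It assumes PowerShell 2.0 and local administrator rights on the Windows Server 2003 computer, that the component IDs are the [Components] names sysoc.inf uses for unattended IIS 6.0 setup (verify them against %windir%\inf\sysoc.inf on your server), and that the IIS ADSI provider shipped with IIS 6.0 is present.

```powershell
# Added example: audit optional components, services, and Web Service Extensions
# against Tables 3.2 through 3.6. Assumptions: Windows Server 2003 with PowerShell 2.0,
# local administrator rights, component IDs as used by sysoc.inf (verify on your server).

# Expected state of each optional component on a dedicated Web server.
# 'app' marks rows the tables leave to the application ("See comment"): the audit
# reports them for review instead of flagging them as wrong.
$Baseline = @{
    'iis_common'                    = 'on'   # Common Files
    'iis_www'                       = 'on'   # World Wide Web Service
    'iis_inetmgr'                   = 'on'   # IIS Manager (local administration)
    'iis_ftp'                       = 'off'  # FTP Service: credentials cross the wire in plaintext
    'iis_smtp'                      = 'off'  # SMTP Service: enabled by default, not needed
    'iis_nntp'                      = 'off'  # NNTP Service
    'iis_htmla'                     = 'off'  # Remote Administration (HTML)
    'iis_www_vdir_printers'         = 'off'  # Internet Printing
    'iis_www_vdir_terminalservices' = 'off'  # Remote Desktop Web Connection
    'iis_webdav'                    = 'off'  # WebDAV Publishing
    'aspnet'                        = 'app'  # ASP.NET
    'complusnetwork'                = 'app'  # Enable network COM+ access
    'dtcnetwork'                    = 'app'  # Enable network DTC access
    'fp_extensions'                 = 'app'  # FrontPage 2002 Server Extensions
    'iis_asp'                       = 'app'  # Active Server Pages
    'iis_internetdataconnector'     = 'app'  # Internet Data Connector
    'iis_serversideincludes'        = 'app'  # Server-Side Includes
    'BitsServerExtensionsISAPI'     = 'app'  # BITS server extension ISAPI
    'msmq_Core'                     = 'app'  # Message Queuing (Common)
}

function Get-InstalledComponents {
    # OC Manager records every optional component as a DWORD: 1 = installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'
    $props = Get-ItemProperty -Path $key
    $actual = @{}
    foreach ($id in $Baseline.Keys) {
        if ($props.$id -eq 1) { $actual[$id] = 'on' } else { $actual[$id] = 'off' }
    }
    return $actual
}

function Compare-ToBaseline {
    param([hashtable]$Actual)    # component id -> 'on' / 'off'
    $findings = @()
    foreach ($id in ($Baseline.Keys | Sort-Object)) {
        $want = $Baseline[$id]
        $have = $Actual[$id]
        if ($want -eq 'app') {
            if ($have -eq 'on') { $findings += "REVIEW  $id is enabled: confirm an application needs it" }
        } elseif ($have -ne $want) {
            $findings += "FAIL    $id is $have, recommended $want"
        }
    }
    return $findings
}

function Get-IisServiceState {
    # A check box matters because of what it leaves listening: report the IIS 6.0
    # protocol services plus the messaging and transaction services by short name.
    $services = @{
        'W3SVC'   = 'World Wide Web Service'; 'MSFTPSVC' = 'FTP Service'
        'SMTPSVC' = 'SMTP Service';           'NntpSvc'  = 'NNTP Service'
        'MSMQ'    = 'Message Queuing';        'MSDTC'    = 'Distributed Transaction Coordinator'
    }
    foreach ($name in ($services.Keys | Sort-Object)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { '{0,-9} {1,-8} {2}' -f $name, $svc.Status, $services[$name] }
    }
}

function Get-WebServiceExtensions {
    # The Web Service Extensions node in IIS Manager edits the W3SVC metabase property
    # WebSvcExtRestrictionList; each entry is "Access,Path,UIDeletable,GroupID,Description"
    # with Access 1 = Allowed and 0 = Prohibited. Read it through the IIS ADSI provider.
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    foreach ($entry in $w3svc.WebSvcExtRestrictionList) {
        $f = "$entry".Split(',')
        if ($f[0] -eq '1') { $state = 'Allowed' } else { $state = 'Prohibited' }
        '{0,-10} {1}' -f $state, $f[$f.Length - 1]
    }
}

function Invoke-IisSurfaceAudit {
    Write-Output '== Optional components vs. Tables 3.2 through 3.6 =='
    $findings = Compare-ToBaseline -Actual (Get-InstalledComponents)
    if ($findings) { $findings } else { 'PASS    all recommended settings are in place' }
    Write-Output '== IIS-related services =='
    Get-IisServiceState
    Write-Output '== Web Service Extensions (IIS Manager) =='
    Get-WebServiceExtensions
}

Invoke-IisSurfaceAudit
```

Treat a REVIEW line as a question for the application owner, not a finding: the tables say "See comment" for those rows because only the application can justify them. A FAIL line is a deviation from the dedicated Web server baseline; fix it with Add or Remove Windows Components (or an unattended sysocmgr answer file) and rerun the audit, and for ASP, the Internet Data Connector, and WebDAV also confirm the matching Web Service Extensions entry reads Prohibited, since a component can be installed and still be locked out there.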