Best Practices Analyzer for Internet Information Services: Security

Applies To: Windows Server 2008 R2

Topics in this section can help you bring the Internet Information Services Web Server (IIS) running on Windows Server® 2008 R2 into compliance with security best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of IIS, and who want information about how to interpret and resolve scan results that identify areas of IIS that are noncompliant with security best practices.

Best Practices Analyzer and security rules

Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data. Examples of conditions that can affect whether violations of security rules are found by a Best Practices Analyzer scan include computers on which Windows automatic updating is turned off, or computers that are using nondefault port settings.

For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.

IIS Security Best Practices

• IIS: Grant a handler execute/script or write permissions, but not both

• IIS: Make sure that your certificates are current

• IIS: The configuration attribute notListedIsapisAllowed should be false

• IIS: The configuration attribute notListedCgisAllowed should be false

• IIS: Application pools should be set to run as application pool identities

• IIS: Hide Custom Errors from displaying remotely

• IIS: Use SSL when you use Basic authentication