Best Practices Analyzer for Internet Information Services: Security
Updated: January 5, 2009
Applies To: Windows Server 2008 R2
Topics in this section can help you bring the Internet Information Services Web Server (IIS) running on Windows Server® 2008 R2 into compliance with security best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of IIS, and who want information about how to interpret and resolve scan results that identify areas of IIS that are noncompliant with security best practices.
Security rules measure a role's relative exposure to threats such as unauthorized or malicious users and the loss or theft of confidential or proprietary data. Whether a scan reports a violation of a security rule depends on the state of the computer being scanned; for example, a computer on which Windows automatic updating is turned off, or one that uses nondefault port settings, can trigger findings that a default installation would not.
For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.
IIS: Grant a handler execute/script or write permissions, but not both
IIS: Make sure that your certificates are current
IIS: The configuration attribute notListedIsapisAllowed should be false
IIS: The configuration attribute notListedCgisAllowed should be false
IIS: Application pools should be set to run as application pool identities
IIS: Hide Custom Errors from displaying remotely
IIS: Use SSL when you use Basic authentication
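Each of the rules listed above corresponds to a setting in the IIS configuration (applicationHost.config, the application pool list, the SSL bindings and the machine certificate store), so the same conditions can be audited from the command line before or after a scan. The following PowerShell script is an example added for this page, not Microsoft's BPA rule code; it assumes Windows Server 2008 R2 with IIS 7.5 and the WebAdministration module, an elevated prompt, and, for the optional BPA call at the end, the BestPractices module with the model ID "Microsoft/Windows/WebServer" (that model ID is an assumption). The 30-day certificate warning window is also a choice made here, not a BPA threshold.

```powershell
# Added example: audits the IIS settings behind the seven BPA security rules above.
# Assumes Windows Server 2008 R2 / IIS 7.5 and the WebAdministration module; run elevated.
# This is not Microsoft's BPA code.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'
$findings = @()

function Add-Finding([string]$Rule, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Rule = $Rule; Detail = $Detail }
}

# Get-WebConfigurationProperty returns a ConfigurationAttribute for simple attributes
# and a plain string for flag attributes; normalize both to a string.
function Get-Setting([string]$Filter, [string]$Name, [string]$Path = $appHost) {
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($v -ne $null -and $v.Value -ne $null) { return [string]$v.Value }
    return [string]$v
}

# Rule: grant a handler execute/script or write permissions, but not both.
# Write plus Script or Execute lets content uploaded through the site be executed by the server.
$policy = Get-Setting 'system.webServer/handlers' 'accessPolicy'
if ($policy -match 'Write' -and $policy -match 'Script|Execute') {
    Add-Finding 'Handler execute/script and write' "handlers accessPolicy is '$policy'"
}

# Rule: make sure that your certificates are current.
# Walk the HTTPS bindings and look up each bound certificate in the machine store.
$soon = (Get-Date).AddDays(30)   # warning window chosen for this example
Get-ChildItem IIS:\SslBindings | ForEach-Object {
    $cert = Get-Item ("Cert:\LocalMachine\" + $_.Store + "\" + $_.Thumbprint) -ErrorAction SilentlyContinue
    if ($cert -eq $null) {
        Add-Finding 'Certificates current' ("{0}:{1} binds thumbprint {2}, not found in store" -f $_.IPAddress, $_.Port, $_.Thumbprint)
    } elseif ($cert.NotAfter -lt $soon) {
        Add-Finding 'Certificates current' ("{0}:{1} uses '{2}', expires {3}" -f $_.IPAddress, $_.Port, $cert.Subject, $cert.NotAfter)
    }
}

# Rules: notListedIsapisAllowed and notListedCgisAllowed should be false.
# Either attribute set to true lets ISAPI extensions or CGI programs that are not
# explicitly listed in isapiCgiRestriction run on the server.
foreach ($attr in 'notListedIsapisAllowed', 'notListedCgisAllowed') {
    if ((Get-Setting 'system.webServer/security/isapiCgiRestriction' $attr) -eq 'True') {
        Add-Finding "$attr should be false" 'currently true'
    }
}

# Rule: application pools should run as application pool identities.
# Pools running as LocalSystem, LocalService, NetworkService or a shared custom account
# do not get the per-pool virtual account that isolates one application from another.
Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.identityType -ne 'ApplicationPoolIdentity' } | ForEach-Object {
    Add-Finding 'App pool identity' ("pool '{0}' runs as {1}" -f $_.Name, $_.processModel.identityType)
}

# Rule: hide custom errors from displaying remotely.
# errorMode=Detailed sends stack traces and server paths to every client; DetailedLocalOnly
# keeps them for local requests, Custom hides them everywhere.
$mode = Get-Setting 'system.webServer/httpErrors' 'errorMode'
if ($mode -eq 'Detailed') {
    Add-Finding 'Hide custom errors remotely' "httpErrors errorMode is Detailed (use DetailedLocalOnly or Custom)"
}

# Rule: use SSL when you use Basic authentication.
# Basic sends the credentials base64-encoded, so a site that enables it must require SSL
# (sslFlags containing Ssl) on the same path.
foreach ($site in Get-ChildItem IIS:\Sites) {
    $sitePath = 'IIS:\Sites\' + $site.Name
    $basic = Get-Setting 'system.webServer/security/authentication/basicAuthentication' 'enabled' $sitePath
    $ssl   = Get-Setting 'system.webServer/security/access' 'sslFlags' $sitePath
    if ($basic -eq 'True' -and $ssl -notmatch 'Ssl') {
        Add-Finding 'SSL with Basic authentication' ("site '{0}' enables Basic auth with sslFlags '{1}'" -f $site.Name, $ssl)
    }
}

if ($findings.Count -eq 0) { Write-Host 'No findings for the seven security rules.' }
else { $findings | Format-Table Rule, Detail -AutoSize }

# Optional: run the real BPA scan for comparison. The model ID below is an assumption
# for the Web Server (IIS) role on Windows Server 2008 R2.
if (Get-Module -ListAvailable BestPractices) {
    Import-Module BestPractices
    Invoke-BpaModel -ModelId 'Microsoft/Windows/WebServer' | Out-Null
    Get-BpaResult -ModelId 'Microsoft/Windows/WebServer' |
        Where-Object { $_.Category -eq 'Security' -and $_.Severity -ne 'Information' } |
        Format-Table Severity, Title -AutoSize
}
```

The script reports and does not change anything; the corresponding fixes are single Set-WebConfigurationProperty calls (for example -Filter 'system.webServer/security/isapiCgiRestriction' -Name notListedIsapisAllowed -Value $false), which you should apply after reading the resolution text that the scan result for each rule provides.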