Internet Information Services and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of IIS

Examples of security-related features in IIS 7.5

Finding information about features in IIS 7.5

Procedures for installing or uninstalling features in IIS 7.5

Additional references

This section provides overview information and suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets. However, it is beyond the scope of this document to describe all aspects of maintaining appropriate levels of privacy and security in an organization that is running Web servers that communicate across the Internet.

Note

If you do not want to offer content on an intranet or the Internet from a computer that is running Windows Server® 2008 R2, you do not need to remove Internet Information Services (IIS) version 7.0. By default, it is not installed with Windows Server 2008 R2. The exception is Windows Web Server 2008 R2, on which IIS is installed by default. If you use a server as a Web server with content, and then you deploy it for some other purpose, remove IIS from that server.

Benefits and purposes of IIS

Internet Information Services version 7.5 is one of the optional role services in Windows Server 2008 R2, although it is installed by default in Windows Web Server 2008 R2. IIS provides a way to publish information on the Internet or an intranet. In a managed environment, IIS is usually installed on selected servers only. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP) and ASP.NET, you can create and deploy scalable, flexible Web applications.

IIS and related features can be added by using the Initial Configuration Tasks interface or Server Manager. When IIS 7.5 is installed with the default set of IIS features (also called role services), it can accept requests for static files only. To serve dynamic content, you must install additional IIS features, not just the default features.

For more information about IIS features, including features that are related to security, see the following resources:

Examples of security-related features in IIS 7.5

IIS 7.5 includes a variety of settings and features related to security, some of which are described in the following list. For additional information about security-related features in IIS 7.5, see the links in the previous section.

  • WebDAV and FTP: WebDAV and File Transfer Protocol (FTP) functionality that is available in IIS 7 enables Web authors to publish content more reliably and securely. The new WebDAV and FTP modules also offer Web server administrators more options for authentication, auditing, and logging.

  • Request Filtering: The Request Filtering module, previously available as an extension for IIS 7, helps prevent potentially harmful requests from reaching the server by allowing you to restrict or block specific HTTP requests.

  • Configuration logging and tracing: Configuration logging and tracing uses the Event Viewer to audit access to the IIS configuration and to track successful or failed modifications.

  • Application hosting enhancements: IIS 7.5 offers a variety of new features that help increase security and improve diagnostics, and it provides a flexible and manageable platform for many types of Web applications, including those that are based on the ASP.NET platform and Hypertext Preprocessor (PHP) scripting.

  • Service hardening: Building on the IIS 7 application pool isolation model that increased security and reliability, every IIS 7.5 application pool now runs each process as a unique, less-privileged identity.

  • Ability to limit the Web server feature set: IIS 7.5 includes a completely modular Web server with more than four times as many installable components as previous versions of IIS. You can limit your installation to the components that are necessary for your environment. This decreases the attack surface of the Web server.

    The default installation for the Web Server (IIS) role includes the installation of role services for serving static content, making minor customizations (such as default documents and HTTP errors), monitoring and logging server activity, and configuring static content compression.

  • Key simplifications of security management: The simplifications of security management include:

    • Delegated administration support. This enables you to securely delegate configuration and management tasks to non-administrators.

    • Unified authentication and authorization management. This allows authentication and authorization for all types of content, including Forms authentication and URL Authorization, to be managed in a single location.

    • Managed service accounts improve identity management in IIS 7.5. This means that server administrators no longer have to worry about application-pool passwords expiring.

Finding information about features in IIS 7.5

One way to minimize the attack surface of a server running IIS is to install only the role services (IIS features) that are needed for that server. The following topics can help you plan the role services that you want to install and identify the correct name for the service. You can select and name role services in the graphical interface of the Add Roles Wizard or the Add Role Services Wizard, which can be started from Server Manager, or in a command or script that is used for automated installation.

Note

For more details about features in IIS, follow the steps in "To View Help After Installing IIS," later in this section.
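The following PowerShell sketch is an added example, not part of the original Microsoft text. It compares the IIS role services installed on a server with an approved baseline and previews removal of anything outside it. The baseline list is an assumption modeled on the default installation described earlier in this section; the script uses the ServerManager module included with Windows Server 2008 R2 and must run in an elevated session.

```powershell
# Added example: audit installed IIS role services against an approved baseline.
# Written for PowerShell 2.0 (Windows Server 2008 R2); run elevated.
Import-Module ServerManager

# Assumption: baseline for a server that only serves static content.
# Parent nodes are listed because they report as installed when a child is.
$approved = @(
    'Web-Server', 'Web-WebServer',
    'Web-Common-Http', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    'Web-Health', 'Web-Http-Logging', 'Web-Request-Monitor',
    'Web-Security', 'Web-Filtering',
    'Web-Performance', 'Web-Stat-Compression',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console'
)

# Collect the names of every installed feature under the Web Server (IIS) role.
$installedNames = @(
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.Name -like 'Web-*' } |
        ForEach-Object { $_.Name }
)

# Role services present on the server but not in the baseline (extra attack surface).
$unexpected = @($installedNames | Where-Object { $approved -notcontains $_ })

# Baseline role services that are absent (for example, Request Filtering removed).
$missing = @($approved | Where-Object { $installedNames -notcontains $_ })

if ($installedNames.Count -eq 0) {
    Write-Output 'Web Server (IIS) role is not installed on this server.'
}
else {
    Write-Output ("Installed IIS features : {0}" -f $installedNames.Count)
    Write-Output ("Outside the baseline   : {0}" -f ($unexpected -join ', '))
    Write-Output ("Missing from baseline  : {0}" -f ($missing -join ', '))
}

# Preview the removal only. -WhatIf reports what would change without changing it;
# review the output, then rerun without -WhatIf in a maintenance window.
if ($unexpected.Count -gt 0) {
    Remove-WindowsFeature -Name $unexpected -WhatIf
}
```

Running the audit on a schedule and alerting on a non-empty "Outside the baseline" line catches role services that were added after the server was deployed.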

Procedures for installing or uninstalling features in IIS 7.5

The following procedures explain how to:

  • Add the Web Server (IIS) role and select the role services to install on a computer running Windows Server 2008 R2

  • View the role services that are installed for a Web Server

  • Install additional IIS role services on a server that already has the Web Server (IIS) role installed

  • Uninstall IIS role services on a server that already has the Web Server (IIS) role installed

  • View Help for IIS 7.5

For information about using the Server Core installation option of Windows Server 2008 R2 to run IIS, see Additional references later in this section.

To add the Web server role and select the role services to install

  1. If you recently installed Windows Server 2008 R2, and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add roles. Then skip to step 3.

  2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

  3. In Server Manager, under Roles Summary, click Add Roles.

  4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.

  5. On the Select Server Roles page, under Roles, select Web Server (IIS) and then click Next.

Note

If IIS is already installed on the server, the Web Server (IIS) check box will be selected and dimmed. For information about viewing or installing IIS role services in this situation, see the following two procedures.

  6. On the Web Server (IIS) page, click and view links for Help topics that you want to read. Close the topics when you have finished reading them, and then click Next.

  7. On the Select Role Services page, select the role services that you want to install for Web Server (IIS), and then click Next.

  8. Follow the instructions in the wizard to complete the installation process.

To view the role services that are installed for a Web server

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, under Roles, click Web Server (IIS).

  3. In the right pane, ensure that Role Services is expanded, and view the list of role services that are installed.

To install additional IIS role services on a server that already has the Web server role installed

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, click Web Server (IIS).

  3. In the right pane, in the Role Services section, click Add Role Services.

  4. Follow the instructions in the wizard to select role services and complete the installation process.

To uninstall IIS role services on a server that has the Web server role installed

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, click Web Server (IIS).

  3. In the right pane, in the Role Services section, click Remove Role Services.

  4. Follow the instructions in the wizard to identify and remove role services.

To view Help after installing IIS

  1. After installing IIS (including the IIS Management console, which is included in default installations of IIS), click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. Click the Help menu, click IIS Help, click Search, and then type available role services in the Search text box.

Additional references