Securing IIS 6.0
1. MBSA. After you have installed IIS it is good practice to run the
Microsoft Baseline Security Analyzer (MBSA) again. In addition to
scanning your OS, it also scans the Microsoft products installed on the
machine. Run MBSA and correct any high and medium risk items. You can
click the How to Correct This link to obtain more information on what
has to be done to resolve each issue.
2. Disabling the Default Web Site. The default web site includes
some important files that you might need to use at a later date. For
example, when you installed Certificate Services web enrollment, a
virtual directory called CertSrv was created under the default web site.
This makes the default web site an important item to secure.
To disable the default web site, open its properties window: from the
Start Menu select Administrative Tools, then IIS Manager. Navigate to
the default web site, right-click it and select Properties.
In the Web Site tab change the IP address to 127.0.0.1, the loopback
address. Traffic sent to the loopback address is never delivered to the
network; it is returned to the calling application on the same machine,
so the site can only be reached from the server itself.
3. Relocate Content Files. By default IIS creates the web root on
your system drive during installation at C:\Inetpub\wwwroot. This and
any other content files should be moved to another partition or hard
drive in order to restrict access to sensitive information located on
the system drive. To relocate web content, first copy your web files to
the new hard drive or partition.
Relocating the root path to another partition or hard drive limits
access to sensitive system information if there is a security breach:
it is possible to request a file outside the folder structure of an IIS
server, which is why relocating the root path to another hard drive is
recommended. Once the files are moved, the local path needs to be
changed so IIS points to the new home, and the default document that
indicates the home page to display needs to be defined.
In the default web site properties window select the Home Directory tab
and change the local path by selecting Browse and navigating to the new
After you have moved the content to another hard drive or partition you
should configure the security settings using NTFS permissions.
4. Web Service Extensions. Since IIS 6.0 is configured by default to
serve only static content, you have to enable the appropriate web
service extension if you want to serve dynamic content.
To enable web service extensions open the IIS Manager and select the Web
Service Extensions folder.
You should only have one extension enabled, ASP, which is used by
Certificate Services web enrollment. If any other extension is enabled
you can disable it now. Remember that enabling only the required web
service extensions reduces the attack surface exposed to malicious
requests.
5. Application Mappings. There are many programming and scripting
languages that you can use to develop Web applications. IIS therefore
uses the file name extension of a requested resource on your Web site to
determine which Internet Server API (ISAPI) or Common Gateway Interface
(CGI) program to run to process a request. IIS 6.0 is preconfigured to
support common application mappings. It is best to remove those that are
Open the default web site properties window and select the Home
Directory tab. Inside the tab under Application Settings click the
Remove all but the following extensions under the Mappings tab
- .asa Active Server Application, which is Microsoft's specification for
dynamic web pages created using Visual Basic or JScript. This extension
cannot be browsed; it is prohibited by ASP for security reasons.
- .asp Active Server Pages, which is ASP code embedded in an HTML page
for the creation of dynamic content using Visual Basic or JScript.
- .cer Certificate file, which is used when certificate services
- .cdx Active Channel Definition File, which is an XML file used with
Microsoft's Active Channel technology and contains the URLs to the
pages and subpages that make up the channel's
- .htm and .html Standard Hypertext Markup Language pages
- .stm, .shtm, and .shtml Server Side Includes embedded in
You can add more application extension mappings when required.
6. Application Debugging. Changing the error message a client
receives can prevent the disclosure of critical information that would
be useful to attackers. You can create both basic and custom ASP error
messages that produce a nicer user experience in addition to the
To create a basic ASP error message, select the Debugging tab in the
Application Configuration window. Check that the debugging options are
unchecked and change the error notification to Send text error message
to client. This prevents detailed error messages, which could be used to
compromise your server, from being sent to potential attackers.
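Steps 2 to 6 above are all metabase settings, so they can be checked after the fact instead of only by clicking through IIS Manager. The following script is an added example, not part of the original page or of any Microsoft tool: it parses an IIS 6.0 MetaBase.xml export and reports the default web site binding (step 2), a content root on the system drive (step 3), enabled web service extensions other than ASP (step 4), application mappings outside the list kept in step 5, and debugging or detailed-error settings left on (step 6). It assumes the MetaBase.xml layout (site settings as attributes on IIsWebServer and IIsWebVirtualDir elements, multi-valued properties joined with CR LF written as `&#xD;&#xA;`) and that the system drive is C:; SAMPLE_METABASE is a constructed fragment, not a real export.

```python
"""Audit an exported IIS 6.0 MetaBase.xml against steps 2 to 6 above.

Added example, not part of the original page. Assumptions: the IIS 6.0
metabase file (%SystemRoot%\\system32\\inetsrv\\MetaBase.xml) stores site
settings as attributes on IIsWebServer / IIsWebVirtualDir elements, joins
multi-valued properties with CR LF (written as &#xD;&#xA;), and the system
drive is C:. SAMPLE_METABASE is a constructed fragment, not a real export.
"""
import re
import xml.etree.ElementTree as ET

NS = "{urn:microsoft-catalog:XML_Metabase_V64_0}"

# Application mappings the page keeps (step 5); anything else is reported.
ALLOWED_MAPS = {".asa", ".asp", ".cer", ".cdx", ".htm", ".html",
                ".stm", ".shtm", ".shtml"}

SAMPLE_METABASE = (
    '<?xml version="1.0"?>\n'
    '<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">\n'
    '<MBProperty>\n'
    '<IIsWebService Location="/LM/W3SVC" WebSvcExtRestrictionList="0,*.dll&#xD;&#xA;'
    '1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages&#xD;&#xA;'
    '1,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,0,SSINC,Server Side Includes" />\n'
    '<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" '
    'ServerBindings=":80:" />\n'
    '<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="C:\\Inetpub\\wwwroot" '
    'AppAllowDebugging="TRUE" AppAllowClientDebug="FALSE" '
    'ScriptErrorSentToBrowser="TRUE" '
    'ScriptMaps=".asp,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE&#xD;&#xA;'
    '.asa,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE&#xD;&#xA;'
    '.idc,C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll,5,GET,POST&#xD;&#xA;'
    '.shtml,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,5,GET,POST" />\n'
    '</MBProperty>\n'
    '</configuration>\n'
)


def _multi(value):
    """Split a multi-valued metabase attribute on CR LF (tolerating bare LF)."""
    return [v for v in re.split(r"\r?\n", value or "") if v]


def _on_drive(path, drive):
    return (path or "").upper().startswith(drive.upper())


def audit_metabase(xml_text, system_drive="C:"):
    """Return (step, finding) pairs keyed by the page's step numbers."""
    root = ET.fromstring(xml_text)
    findings = []

    # Step 4: every enabled web service extension other than ASP.
    for svc in root.iter(NS + "IIsWebService"):
        for entry in _multi(svc.get("WebSvcExtRestrictionList")):
            parts = entry.split(",")  # allowed(0/1),path,deletable,group,description
            if parts[0] == "1" and len(parts) > 3 and parts[3] != "ASP":
                findings.append((4, "web service extension enabled: " + parts[3]))

    # Step 2: the default web site should listen on the loopback address only.
    for site in root.iter(NS + "IIsWebServer"):
        if site.get("ServerComment") != "Default Web Site":
            continue
        for binding in _multi(site.get("ServerBindings")):
            ip = binding.split(":")[0] or "all addresses"  # ip:port:hostheader
            if ip != "127.0.0.1":
                findings.append((2, "default web site bound to " + ip))

    for vdir in root.iter(NS + "IIsWebVirtualDir"):
        loc = vdir.get("Location", "")
        if not loc.endswith("/ROOT"):  # only a site's home directory
            continue
        # Step 3: content root must not live on the system drive.
        if _on_drive(vdir.get("Path"), system_drive):
            findings.append((3, loc + ": content root on system drive"))
        # Step 6: debugging off and no detailed ASP errors sent to the browser.
        for prop in ("AppAllowDebugging", "AppAllowClientDebug",
                     "ScriptErrorSentToBrowser"):
            if vdir.get(prop, "FALSE").upper() == "TRUE":
                findings.append((6, loc + ": " + prop + " is TRUE"))
        # Step 5: application mappings outside the approved list.
        for entry in _multi(vdir.get("ScriptMaps")):
            ext = entry.split(",")[0].lower()  # extension,processor,flags,verbs
            if ext not in ALLOWED_MAPS:
                findings.append((5, loc + ": unexpected application mapping " + ext))
    return findings


if __name__ == "__main__":
    for step, text in audit_metabase(SAMPLE_METABASE):
        print("step %d: %s" % (step, text))
```

Run it against a copy of the real MetaBase.xml rather than the live file, and validate the attribute names against your own export first: the sample reflects the schema as far as it is assumed here. The CR LF split matters because XML attribute normalisation would turn literal line breaks into spaces, which is why the metabase writes them as character references.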
7. Anonymous Authentication. Anonymous authentication gives users
access to the public areas of your Web or FTP site without prompting
them for a user name or password. By default, the IUSR_computername
account is used to allow anonymous access.
To change the authentication method, select the web site you wish to
change (here, the default web site) and open its properties window.
Select the Directory Security tab and click the Edit button under
Authentication and Access Control.
Leave anonymous access enabled if you wish to allow anybody to access
your web site. If you prefer to disable anonymous access and require an
authentication method instead, this is where you do it.
8. Log Files. You need a logging system to monitor clients' use of
your web site for malicious activity. However, if you leave your log
files where an attacker can access them, they can erase any traces of
their presence. This is why you should move log files to a separate hard
drive or partition and implement file security.
Open the properties window of the default web site and select the Web
Site tab. Check that Enable logging is selected and that the Active log
format is W3C Extended Log File Format, then click Apply.
To move the log to a different location, click Properties in the Logging
section and change the Log File Directory. You will have to create the
new directory yourself before pointing the log at it.
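Enabling W3C logging is only useful if someone reads the logs. The script below is an added example, not part of the original page or of IIS: it parses lines in the W3C Extended format as IIS 6.0 writes them and summarises, per client address, how many requests received a 4xx status, flagging clients whose traffic is mostly errors (a browser hits the odd missing page; a client probing for content that is not there gets little else). It assumes the format conventions of the IIS logger (`#` directive lines, a `#Fields:` line naming the space-separated columns, `-` for empty values and `+` in place of spaces in the User-Agent field); SAMPLE_LOG is constructed for this example and uses documentation address ranges, not real hosts.

```python
"""Parse IIS 6.0 W3C Extended log lines and flag clients whose requests are
mostly errors.

Added example, not part of the original page. Assumptions: '#' lines are
directives, '#Fields:' names the space-separated columns, '-' marks an
empty value and '+' stands for a space in cs(User-Agent). SAMPLE_LOG is
constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-20 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-05-20 10:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2004-05-20 10:00:02 10.0.0.5 GET /certsrv/default.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2004-05-20 10:00:03 10.0.0.5 GET /old/test.asp - 80 - 198.51.100.7 probe/1.0 404 0 2
2004-05-20 10:00:03 10.0.0.5 GET /backup/ - 80 - 198.51.100.7 probe/1.0 404 0 2
2004-05-20 10:00:04 10.0.0.5 GET /private/ - 80 - 198.51.100.7 probe/1.0 404 0 2
2004-05-20 10:00:04 10.0.0.5 GET /scripts/ - 80 - 198.51.100.7 probe/1.0 404 0 2
2004-05-20 10:00:05 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
"""


def parse_w3c(text):
    """Yield one dict per request line, honouring every '#Fields:' directive
    seen (IIS writes a new one whenever the selected fields change)."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no request data
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count mismatch: " + line)
        record = {k: ("" if v == "-" else v) for k, v in zip(fields, values)}
        if "cs(User-Agent)" in record:  # IIS substitutes '+' for spaces here
            record["cs(User-Agent)"] = record["cs(User-Agent)"].replace("+", " ")
        yield record


def summarize_clients(records):
    """Per client IP: total requests and how many got a 4xx status."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0})
    for r in records:
        s = stats[r["c-ip"]]
        s["requests"] += 1
        if r["sc-status"].startswith("4"):
            s["errors"] += 1
    return dict(stats)


def flag_scanning_clients(stats, min_requests=3, error_ratio=0.75):
    """Clients that mostly receive errors are asking for content that is not
    there; the thresholds are a starting point to tune against your own logs."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["errors"] / s["requests"] >= error_ratio)


if __name__ == "__main__":
    stats = summarize_clients(parse_w3c(SAMPLE_LOG))
    for ip in flag_scanning_clients(stats):
        print("%s: %d of %d requests returned 4xx"
              % (ip, stats[ip]["errors"], stats[ip]["requests"]))
```

Point it at the daily ex*.log files from the directory you chose above (copied off the server, so the originals stay read-only to everyone but the logging service) and keep the thresholds conservative; the goal is a short list worth a human look, not an alarm on every typo in a URL.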