IIS and Server: Securing IIS 6.0 

1. MBSA. After you have installed IIS it is good practice to run MBSA again. This in addition to scanning your OS it will also scan all of Microsoft's products. Run MBSA and correct any of the high and medium risk items. You can click the How to Correct This link to obtain more information on what has to be done to solve this issue.

2. Disabling the Default Web Site. The default web site includes some important files that you might need to use at a later date. For example when you installed certificate services web enrollment a virtual directory was created under the default web site called CertSrv. This makes the default web site an important item to secure.

To disable the default web site open its properties window, which can be accessed by going to the Start Menu then selecting the Administrative Tools where you will find the IIS Manager. Navigate to the default web site, right click it and select Properties.

In the Web Site tab change the IP address to, which is the loopback address. Messages will not be delivered to the network but returned to the calling application.

3. Relocate Content Files. By default IIS creates the default web root path on your system drive during installation at C:\Inetput\wwwroot. This and any other content files should be moved to another partition or hard drive in order to restrict access to sensitive information located on the system drive. To relocate web content, first copy your web files to a new hard drive or partition.

Relocation the root path to another partition or hard drive will restrict access to sensitive system information if there is a security breach. It is possible to request a file outside the folder structure of an IIS server, which is why relocating the root path to another hard drive is recommended. When this is done the local path needs to be changed so IIS will point to the new home and define the default document that indicates the home page that will be displayed.

In the default web site properties window select the Home Directory tab and change the local path by selecting Browse and navigating to the new location.

After you have moved the content to another hard drive or partition you should configure the security settings using NTSF.

4. Web Service Extensions. Since IIS by default is configured to serve only static content you have to enable the appropriate web extension if you want to serve dynamic content.

To enable web service extensions open the IIS Manager and select the Web Service Extensions folder.

You should only have one extension enabled, which is the ASP, used by certificate services web enrollment. If any other extension is enabled you can disable it now. Remember to help reduce malicious attacks you should only enable required web service extensions.

5. Application Mappings. There are many programming and scripting languages that you can use to develop Web applications. Thus, IIS uses the file name extension of a requested resource on your Web site to determine which Internet Server API (ISAPI) or Common Gateway Interface (CGI) program to run to process a request. IIS 6.0 is preconfigured to support common application mappings. It is best to remove those that are not used.

Open the default web site properties window and select the Home Directory tab. Inside the tab under Application Settings click the Configuration button.

Remove all but the following extensions under the Mappings tab

  • .asa – Active Serve Application, which is Microsoft's specification for dynamic web pages created using Visual Basic or Jscript. This extension cannot be browsed it is prohibited by ASP for security reasons. .asp – Active Server Pages, which is ASP code embedded in a HTML page for the creation of dynamic content using Visual Basic or Jscript.
  • .cer – Certificate file and is used when certificate services are installed.
  • .cdx – Active Channel Definition File, which is an XML file used with Microsoft's Active Channel technology, which contain the URLs to the pages and subpages that make up the channel's offerings.
  • .htm and .html – Standard Hyper Text Markup Language pages
  • .stm, .shtm, and .shtml – Server Side Includes embedded in HTML pages.

You can add more application extension mappings when required.

6. Application Debugging. Changing the error message a client receives can prevent the disclosure of critical information that would be useful to attackers. You can create both basic and custom ASP error messages that will producer a nicer user experience in addition to the secure benefits.

To create a basic ASP error message select the Debugging tab under the Application Configuration window. Check that the debugging options are unchecked and change the error notification to “send text error message to client.” This will prevent detailed error messages being sent to potential attackers, which can be used to compromise your server.

7. Anonymous Authentication. Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.

To change the authentication method select the web site you wish to change, use the default web site, and open the properties window. Select the Directory Security tab and click the Edit button under Authentication and Access Control.

Leave anonymous access enabled if you wish to allow anybody the ability to access your web site. If you wish you can disable anonymous access and require an authentication method you would do that here.

8. Log Files. You need to have a logging system to monitor clients use of your web site for malicious activity. However, if you leave your log files where an attacker can access them they can erase any traces of their presence. This is why you should more log files to a separate hard drive or partition and implement file security.

Open the properties window of the default web site and select the Web Site tab. Then check that Enable logging is selected and the Active Log Format is W3C and click Apply.

Now to move the log to a difference location click the Properties tab in the Logging section. And move the Log File Directory. You will have to create the directory that you change the log to.