Lock IT Down: Properly securing your IIS server

Make your IIS server secure with the IIS Lockdown Tool

With the constant attacks that hackers launch at IIS and Windows 2000, you would think that Microsoft would change the Windows 2000 logo to a bull's-eye rather than a waving flag. Networks that rely on IIS can become a target of attack merely through guilt by association, so you’re probably very concerned about properly securing your IIS server.

The problem is that IIS is so powerful and has so many configuration options that it’s difficult to figure out how to properly configure IIS for peak security while not making it unusable. If you accidentally miss a setting, you could leave a gaping hole in your security model. If you oversecure IIS, your users may not be able to gain access to what they need. In order to help you strike the proper balance, Microsoft has created the IIS Lockdown Tool 2.1. In this Daily Feature, I’ll show you what the IIS Lockdown Tool is and how you can use it to make your IIS server secure.

What is the IIS Lockdown Tool, and how do I get it?
The IIS Lockdown Tool is a utility provided by Microsoft to help you configure your IIS server for maximum security based on the role you want it to perform. The IIS Lockdown Tool employs a wizard that uses predefined security templates to apply settings to your server. You tell the wizard what your IIS server is going to do, and the wizard configures IIS for you.

The IIS Lockdown Tool works with both Windows NT Server running IIS 4.0 and Windows 2000 Server running IIS 5.0. If you’re running an older Windows NT Server with only IIS 2.0 or IIS 3.0, it’s time to upgrade. The IIS Lockdown Tool also requires your server to be running Internet Explorer 4.0 or later. So if you’re running an old version of Windows NT with only IE 2.0 or IE 3.0, you’ll need to apply a newer version of IE before running the tool. Before you run the tool, you should make sure you’ve downloaded and applied all of the latest security patches for both Windows 2000 and IIS.

You can download the IIS Lockdown Tool from Microsoft’s Download Center. Click the iislockd.exe link to download the tool to a temporary directory on your server. The file is only 292 KB, so it will download very quickly.

Running the IIS Lockdown Tool
Like most security tools for Windows 2000 Server, you must run the IIS Lockdown Tool directly on your server, not from your administration workstation. Find the temporary directory where you downloaded iislockd.exe. If you’re using Explorer, double-click iislockd.exe to start it. If you prefer using a command line, type iislockd and press [Enter].

The IIS Lockdown Tool works like every other wizard you’ve ever used. It begins with a Welcome screen that you can bypass by clicking Next. You’ll then see the License screen. To continue with the IIS Lockdown Tool, you must select I Agree and click Next.

You’ll then see the Select Server Template screen, which shows the available templates that the IIS Lockdown Tool can use on your server. The available templates you see will depend on the version of Windows and available services that you’re running on your server. Some of the common templates you can choose from include:
  • Exchange Server 5.5
  • Exchange Server 2000
  • Static Web Server
  • Proxy Server
  • Other
  • Server That Doesn’t Require IIS

Each template contains a custom set of security settings that optimizes security for the role defined. If you don’t plan to use IIS, you should select Server That Doesn’t Require IIS. This setting will cause the IIS Lockdown Tool to completely disable IIS. If you select Other, you can customize your template to include the services you want.

At the bottom of the Select Server Template screen, you’ll see the View Template Settings checkbox. You should select this before clicking Next. Doing so will allow you to view the template settings that the IIS Lockdown Tool is choosing. That way, you can ensure that the proper services are selected and you can see what the tool is doing. This checkbox is enabled automatically if you select Other.

Next, on the Internet Services screen, you’ll see the services the IIS Lockdown Tool has decided you need to run, based on the template you chose on the previous screen. If a service is grayed out, it hasn’t been installed on your server. If a service has a check mark next to it, the IIS Lockdown Tool has enabled that service. Conversely, an unchecked service is disabled. Note that the tool only disables the service; it won’t remove the service. You can remove the unnecessary service by using Add/Remove Programs. Ensure the choices are correct and click Next.

You’ll then see the Script Maps screen. This screen displays the scripts that the IIS Lockdown Tool has decided you need to run. Scripts can present large security holes, so check the list to make sure you’re running only the scripts you need to run. The IIS Lockdown Tool should make the proper selections based on your template, but you’re the one who can get fired for making the wrong choice, not the wizard. Click Next to continue.

The Additional Security screen appears next. This screen controls whether IIS will include additional features that can present security problems, such as IISAdmin. This screen will also display IIS Lockdown Tool recommendations for file permission settings. Click Next to continue.

Next, the URLScan window appears. URLScan is an additional feature that the IIS Lockdown Tool can enable to increase security on your network. URLScan screens and analyzes HTTP requests to your IIS server. Based on the criteria you configure, URLScan will reject requests that are not properly constructed. Some of the things URLScan will look for and reject include:
  • Suspicious URL encoding.
  • Non-ASCII characters in the URL.
  • Particular character sequences in the URL, which can cause errors or denial of service attacks.
  • Particular headers in the request.

Based on the template you’ve chosen, the IIS Lockdown Tool will determine whether you can use URLScan or not. The tool will also configure URLScan automatically for you if it determines you need URLScan. Click Next to continue.
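To make the four kinds of rejection listed above concrete, here is a small Python request screener, added as an example that is not part of the original article and not code from URLScan itself. It parses a raw HTTP request, decodes the path once, and rejects it for suspicious encoding (malformed or double-encoded escapes, encoded NUL bytes), non-ASCII characters, denied character sequences, or denied headers. The rule set (`RULES`), the sample requests, the decision to screen only the path portion of the URL, and the order of the checks are assumptions chosen for illustration; a real deployment takes its rules from the tool's own configuration file (urlscan.ini), not from this script.

```python
from urllib.parse import unquote

# Constructed rule set for this example (an assumption, not URLScan's shipped
# configuration). Sequences and headers are matched after one decoding pass.
RULES = {
    "max_url": 260,
    "deny_url_sequences": ["..", "./", "\\", ":", "%", "&"],
    "deny_headers": ["translate:", "if:", "lock-token:"],
}

HEXDIGITS = set("0123456789abcdefABCDEF")


def has_suspicious_encoding(raw_path):
    """True for malformed %XX escapes, encoded NUL bytes, or double encoding."""
    i = 0
    while i < len(raw_path):
        if raw_path[i] == "%":
            pair = raw_path[i + 1:i + 3]
            if len(pair) < 2 or not set(pair) <= HEXDIGITS:
                return True          # truncated or non-hex escape
            if pair == "00":
                return True          # encoded NUL byte
            i += 3
        else:
            i += 1
    decoded_once = unquote(raw_path)
    # If a second decoding pass still changes the string, it was encoded twice.
    return unquote(decoded_once) != decoded_once


def screen_request(raw_request, rules=RULES):
    """Return (allowed, reason) for one raw HTTP request (request line + headers)."""
    lines = raw_request.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return False, "malformed request line"
    url = parts[1]
    if len(url) > rules["max_url"]:
        return False, "URL too long"
    raw_path = url.split("?", 1)[0]          # this example screens the path only
    if has_suspicious_encoding(raw_path):
        return False, "suspicious URL encoding"
    path = unquote(raw_path)
    if any(ord(c) > 127 for c in path):
        return False, "non-ASCII character in URL"
    for seq in rules["deny_url_sequences"]:
        if seq in path:
            return False, "denied URL sequence %r" % seq
    for line in lines[1:]:
        if not line:
            break                            # blank line ends the header block
        name = line.split(":", 1)[0].strip().lower() + ":"
        if name in rules["deny_headers"]:
            return False, "denied header %s" % name
    return True, "ok"


# Constructed sample requests for the example.
SAMPLES = {
    "plain": "GET /default.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "double_encoded": "GET /docs/..%255c..%255cprivate.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": "GET /docs/../private.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "high_bit": "GET /caf\u00e9.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "denied_header": "GET /default.htm HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, screen_request(req))
```

The encoding check runs before the sequence check on purpose: a path such as `..%255c` looks harmless until it is decoded, and screening the decoded form (while refusing anything that still decodes further) is what stops encoding tricks from slipping past the sequence list.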

The Ready To Apply Settings screen appears next. Review the settings that the tool plans to make to your system by looking through the Selected Changes list box. If something doesn’t look right, click Back to work your way backward through the wizard until you get to the page where you can make the fix. If everything looks OK, click Next.

At this point, the IIS Apply Settings window will appear and the IIS Lockdown Tool will begin applying security settings to your server. Windows 2000 may display a Digital Signature Not Found dialog box. Don’t panic. This will appear if you’ve chosen to install URLScan. Click Yes to continue the installation. When it completes, you’ll see Finished in the Status scroll box.

You can view a report of what the IIS Lockdown Tool did by clicking the View Report button. Click Next to display the Completion screen. Like the Welcome screen, this screen is merely informational. Click Finish to close the window and you’re done.

Locked and loaded
At this point, your IIS server is locked down, and you’re ready to go. The IIS Lockdown Tool has configured your server for both maximum security and maximum usability based on your specific needs. Make sure you double-check all of your applications to make sure the tool didn’t accidentally break something in the process of locking it down.

If you need to undo the choices the tool has made or want to make changes, just rerun the iislockd.exe file. It will restore your server to exactly the way it was before you ran the IIS Lockdown Tool.
