Microsoft has released an updated version of its popular IIS Lockdown Wizard, which secures Internet Information Services Web servers. This version incorporates templates for Microsoft server products that rely on IIS, such as Exchange, BizTalk, SharePoint, and others. It also has a new UI and provides integration of the URLScan utility.
To successfully install and configure the IIS Lockdown Wizard, you must use one of these two platforms:
- Windows NT 4.0 with IIS 4.0
- Windows 2000 with IIS 5.0
With the release of the IIS Lockdown Wizard 2.1, Microsoft introduces the following new functionality:
- Server roles—Microsoft provides templates to match the role of your IIS server. Some examples include Exchange 5.5 and 2000, Commerce Server, BizTalk, Small Business Server 4.5 and 2000, SharePoint Portal Server, FrontPage Server Extensions, and SharePoint Team Server.
- URLScan integration—URLScan is now integrated to provide additional security to your IIS server.
- Options to disable or remove IIS Services—You can now easily remove or disable services such as HTTP, SMTP, NNTP, and FTP from your IIS server.
- Answer files—This release supports answer files, which allows you to work with unattended installations.
- New user interface (UI)—Microsoft has redesigned the UI based on customer feedback from previous versions of the tool.
Working with templates
The IIS Lockdown templates provide you with a nice starting point for locking down your specific IIS server based on its role. The first step is to select the template that matches the type of IIS Server you are going to lock down (Figure A).
The Microsoft Knowledge Base offers additional information on the IIS Lockdown Tool. If you are using the IIS Lockdown Wizard with Exchange Server, see article Q309677. If you are using the IIS Lockdown Wizard with SharePoint Portal Server, see article Q309675.
The IIS Lockdown Tool also supports custom server templates. If you want to create your own template, copy an existing template and modify it in the IISLOCKD.ini. For more information on how to perform this task, see the IIS Lockdown help file.
Configuring Internet Services
The next part of the wizard is the Internet Services configuration (Figure B), which provides you with the default configuration of the template you have chosen. In addition, you have the option of uninstalling services via the Add/Remove applet.
The next window allows you to disable the default script maps (Figure C).
Here's a description of the script maps you can disable:
- Active Server Pages—This allows you to build dynamic Web pages. It is recommended that you enable ASP only if your server or other related services require it.
- Index Server Web Interface—This allows you to administer an Index server over HTTP.
- Server Side Includes—This allows you to add graphics or text to a Web page prior to sending it the browser requesting information.
- Internet DataConnector—This performs a database query and displays these results in an HTML page. IDC scripts were used before ASP came onto the scene.
- .HTR Scripting—This allows you to use files for special types of Windows scripts. You should typically disable this feature unless you are using Outlook Web Access and password changes are required.
- Internet Printing—This allows you to manage and send print jobs on your network via the Internet.
Other security precautions
The Additional Security window (Figure D) enables you to lock down your IIS Server even further by removing virtual directories, configuring appropriate access for anonymous users, disabling WebDAV, and taking other precautions.
The Additional Security window contains these options:
- IIS Samples—This allows you to disable IIS Samples, which is recommended. IIS Samples include example scripts and Web pages that are a known and popular target for hackers. If IIS Samples are not currently installed on your server, this box will be unavailable.
- MSADC—This allows you to disable Web-based database operations via Advanced Data Connector and Remote Data Services. This check box is unavailable if you do not have the MSADC directory on your server.
- IISHelp—This allows you to remove IISHelp files from your server.
- Scripts—This allows you to remove scripts from your server.
- IISAdmin—This allows you to remove the IISAdmin folder, which contains scripts to help manage IIS.
- Running System Utilities—This prevents the IUSR_'account' from running system utilities such as cmd.exe or tftp.exe.
- Writing To Content Directories—This denies the IUSR_'account' write access to any directories that contain Web content.
- Disable Web Distributed Authoring And Versioning (WebDAV)—This allows you to disable WebDAV, which remotely creates and deploys Web content.
URLScan has been incorporated into the updated Lockdown Wizard. To install URLScan while locking down your IIS Server, select the Install URLScan Filter On The Server option on the next screen of the wizard (Figure E). For more information on how the URLScan works, see my article "Protect IIS with the URLScan Security Tool."
Putting it all together
After the wizard finishes and before opening the server up to a production environment, test all necessary connections to make sure that there is connectivity where you need it and that undesired activity is being blocked. Furthermore, check that you have installed all of your hotfixes to ensure an up-to-date IIS server. The combination of these activities should give you the confidence that you have successfully hardened your IIS server.
Have a comment or a question?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.