
Tech Tip: Lock down IIS Web servers during installation

Web server security begins at installation. Follow these guidelines to secure your Microsoft Internet Information Services (IIS) Web server at implementation.

By Mike Mullins

The most common point of unauthorized entry into any network is an external Web server. To prevent malicious activity, this machine requires special installation procedures. Public Web servers are definitely single-use machines—do not install any other service, application software, or development tools.

Web server security begins with the installation. Let's look at how you can secure a Microsoft Internet Information Services (IIS) Web server from the beginning.

Start securing at installation

Never upgrade a Web server from a previous operating system version—always do a clean install. It's easier and safer to set the appropriate directory access control lists (ACLs) than it is to fix a previous poorly defined root security structure.

Don't make the Web server a member of your domain structure, and make sure the administrative account password and name are different than all other servers under your control. After a fresh installation of the OS, install all patches and security fixes before installing Web services.

Immediately after installing Web services, disable the Web services, and apply all patches and security fixes required for the new service. Partition the IIS server so the content of each service (WWW, FTP, etc.) is located on a separate partition or disk. This prevents attempts to traverse up the directory tree beyond the published content root.

Lock down services

You can disable the following services for most IIS installations:

  • Alerter
  • ClipBook Server
  • Computer Browser
  • DHCP Client
  • Distributed File System
  • Distributed Link Tracking Client
  • FTP Publishing Service (Disable unless users require FTP services.)
  • IPSec Policy Agent (Disable unless using IPSec policies.)
  • Licensing Logging Service
  • Logical Disk Manager Administrative Service
  • Messenger
  • Net Logon (Disable unless domain users are required to log on to the server.)
  • Network DDE
  • Network DDE DSDM
  • Print Spooler
  • Remote Registry Service
  • Removable Storage
  • RPC Locator (Disable unless users require remote administration.)
  • RunAS Service
  • Server Service (Disable unless the server runs SMTP or NNTP.)
  • Task Scheduler
  • TCP/IP NetBIOS Helper
  • Telephony
  • Windows Installer
  • Windows Time
  • Workstation Service (Disable unless the server is part of a domain.)

In addition, remove all of the sample directories and sample scripts:

  • \InetPub\iissamples
  • \InetPub\AdminScripts
  • %SystemRoot%\help\iishelp

After disabling all unnecessary services and removing the default samples, you can start securing your directories and user permissions.

Set permissions

By default, IIS installation creates the IUSR_computername account. Under the security settings for this account, select the User Cannot Change Password and Password Never Expires options.

This account should be a local account, and it only requires the right to log on locally. Remove all other user rights from this account.

After securing the IUSR_computername account, create two new groups for use with IIS: a WebAdmins group (to define admins who will administer content) and a WebUsers group (the primary group for the IUSR_computername account).

By default, the IUSR_computername account is a member of the Guests, Everyone, Users, and Authenticated Users groups. Remove this account from the Guests group, and add it to the WebUsers group. You'll use these groups for setting NTFS permissions.

Now that you've defined your users and groups, modify the directory permissions on your \InetPub\wwwroot directory by removing all default permissions and granting the WebAdmins group Full Control and the WebUsers group Read permissions. If you run any scripts or executables with your Web site, modify those directories to allow the WebUsers group Execute permissions as well.
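The service list, sample-directory removal and permission model above can be verified after the build. The following PowerShell audit script is an added example, not part of the article: it reports every deviation from the checklist. The WebAdmins and WebUsers groups and the InetPub paths are the article's; the C: drive, PowerShell 5 or later, and the LocalAccounts module are assumptions.

```powershell
# Added audit script, not part of the article: reports where a Web server
# deviates from the checklist above. Service names are the article's display
# names matched by prefix (exact names vary by Windows version); WebAdmins,
# WebUsers and the InetPub paths are the article's, the C: drive is assumed.
# Assumes PowerShell 5+ and the LocalAccounts module; run elevated on the server.
$services = 'Alerter','ClipBook','Computer Browser','DHCP Client',
    'Distributed File System','Distributed Link Tracking','Licensing Logging',
    'Logical Disk Manager Administrat','Messenger','Net Logon','Network DDE',
    'Print Spooler','Remote Registry','Removable Storage','RPC Locator','RunAs',
    'Server','Task Scheduler','TCP/IP NetBIOS Helper','Telephony',
    'Windows Installer','Windows Time','Workstation'
$sampleDirs = 'C:\InetPub\iissamples','C:\InetPub\AdminScripts',
    "$env:SystemRoot\help\iishelp"
$webRoot  = 'C:\InetPub\wwwroot'
$iusrName = "IUSR_$env:COMPUTERNAME"
$findings = New-Object System.Collections.Generic.List[string]
# 1. Every listed service should be stopped and set to Disabled.
foreach ($name in $services) {
    foreach ($s in (Get-Service -DisplayName "$name*" -ErrorAction SilentlyContinue)) {
        if ($s.Status -ne 'Stopped' -or $s.StartType -ne 'Disabled') {
            $findings.Add("Service '$($s.DisplayName)' is $($s.Status)/$($s.StartType)")
        }
    }
}
# 2. The sample directories should no longer exist.
foreach ($dir in $sampleDirs) {
    if (Test-Path $dir) { $findings.Add("Sample directory still present: $dir") }
}
# 3. wwwroot should carry only WebAdmins (Full Control) and WebUsers (Read); anything else is a leftover default.
foreach ($ace in (Get-Acl $webRoot).Access) {
    $id = $ace.IdentityReference.Value
    $expected = ($id -like '*\WebAdmins' -and $ace.FileSystemRights -eq 'FullControl') -or
                ($id -like '*\WebUsers'  -and "$($ace.FileSystemRights)" -match 'Read')
    if (-not $expected) { $findings.Add("Unexpected ACE on ${webRoot}: $id -> $($ace.FileSystemRights)") }
}
# 4. The IUSR account should be local, unable to change its password, have a
#    non-expiring password, sit in WebUsers and no longer be in Guests.
$iusr = Get-LocalUser -Name $iusrName -ErrorAction SilentlyContinue
if (-not $iusr) {
    $findings.Add("Local account $iusrName not found")
} else {
    if ($iusr.UserMayChangePassword) { $findings.Add("$iusrName may change its password") }
    if ($iusr.PasswordExpires)       { $findings.Add("$iusrName password expires") }
    $inGuests = Get-LocalGroupMember -Group 'Guests' -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*\$iusrName" }
    $inWeb    = Get-LocalGroupMember -Group 'WebUsers' -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*\$iusrName" }
    if ($inGuests)   { $findings.Add("$iusrName is still a member of Guests") }
    if (-not $inWeb) { $findings.Add("$iusrName is not a member of WebUsers") }
}
if ($findings.Count -eq 0) { 'No deviations from the checklist found.' } else { $findings }
```

Inherited ACEs on wwwroot are reported deliberately, since the article calls for removing all default permissions rather than adding to them.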

Final thoughts

This is just the beginning of a secure IIS server installation. Depending on the type and complexity of content, you may need to implement additional security steps.

While security rarely comes free, the National Security Agency offers an excellent in-depth installation guide for IIS at no cost. Check out its Security Recommendation Guides.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
