How do I use the IIS lockdown tool?

Vulnerabilities in Microsoft’s Internet Information Services Web Server have caused it to be hammered by hackers. Microsoft has responded by releasing a utility called the IIS Lockdown Tool. This tool is designed to help Windows administrators quickly and easily secure an IIS Web server. We’re going to demonstrate how to install and use this utility and see what it actually does.

The IIS Lockdown Tool is basically a wizard you can use to turn off some of the unused parts of IIS that are the most susceptible to hacker tampering. When you download the tool, you are prompted for a location to install the files, as shown in Figure A.

Figure A

When the download is complete, three files are placed in the directory you specified (Figure B).

Figure B

To lock down your IIS Web server:

  1. Run the tool by double-clicking IISLockd to bring up the screen shown in Figure C.

Figure C

  2. Click Next and choose either Express Lockdown or Advanced Lockdown (Figure D). If you choose Express Lockdown, you are providing maximum security for a basic Web server. With this choice, your Web server displays only static pages and does not use any advanced features, such as Internet printing or Active Server Pages.

Figure D

  3. If you choose Express Lockdown, you’ll see the prompt shown in Figure E. Select Yes. Your Web server will be secured, and you can simply view the report.

Figure E

If you choose Advanced Lockdown, you’ll see the prompt shown in Figure F.

Figure F

This choice allows you to decide whether you want to disable the options shown below. (See the IIS Lockdown Tool help file for a detailed description of what these options do and why you might want to disable them.)

  • Active Server Pages (.asp)
  • Index Server Web Interface (.idq)
  • Server-Side Includes (.shtml, .shtm, .stm)
  • Internet Data Connector (.idc)
  • Internet Printing (.printer)
  • HTR Scripting (.htr)
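
One way to verify that a lockdown of these script mappings actually took effect, as an added example that is not code from the article or from Microsoft's tool: it audits an IIS 5 metabase ScriptMaps list against the six options above. The entry format and the assumption that the tool neutralises a mapping by re-pointing it at a 404.dll stub are mine, and the sample entries are constructed.

```python
# Added example, not code from the article or the IIS Lockdown Tool: audit an
# IIS 5 metabase ScriptMaps list ("ext,handler,flags[,verbs]" entries) against
# the extensions the Advanced Lockdown screen offers to disable. Assumption:
# the tool neutralises a mapping by re-pointing it at a 404.dll stub.
from typing import Dict, List, NamedTuple

# The six options from the article's Advanced Lockdown screen (Figure F).
LOCKDOWN_OPTIONS: Dict[str, List[str]] = {
    "Active Server Pages": [".asp"],
    "Index Server Web Interface": [".idq"],
    "Server-Side Includes": [".shtml", ".shtm", ".stm"],
    "Internet Data Connector": [".idc"],
    "Internet Printing": [".printer"],
    "HTR Scripting": [".htr"],
}

class ScriptMap(NamedTuple):
    ext: str
    handler: str
    flags: int        # bit 1 = script engine, bit 4 = check that file exists
    verbs: List[str]  # empty list means every verb is allowed

def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one metabase ScriptMaps entry; reject a malformed one."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    verbs = [v.upper() for v in parts[3:] if v]
    return ScriptMap(parts[0].lower(), parts[1], int(parts[2]), verbs)

def is_disabled(sm: ScriptMap) -> bool:
    """A mapping is neutralised when its handler is the 404.dll stub."""
    return sm.handler.lower().replace("/", "\\").endswith("\\404.dll")

def audit(scriptmaps: List[str]) -> Dict[str, List[str]]:
    """Per lockdown option, list the extensions still served by a live handler."""
    mapped = {sm.ext: sm for sm in map(parse_scriptmap, scriptmaps)}
    findings: Dict[str, List[str]] = {}
    for option, exts in LOCKDOWN_OPTIONS.items():
        live = [e for e in exts if e in mapped and not is_disabled(mapped[e])]
        if live:
            findings[option] = live
    return findings

# Constructed sample: a partially locked-down server (.htr already remapped).
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\404.dll,1,GET,HEAD,POST,TRACE",
    r".idq,C:\WINNT\System32\idq.dll,7,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]
```

An extension missing from the list altogether is also treated as disabled, since IIS then serves the file statically or not at all.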

When you finish, click Next to bring up the screen shown in Figure G. Here, you can take some additional security steps.

Figure G

This screen lets you select from the following options:

  • Remove Sample Web Files
  • Remove The Scripts Virtual Directory
  • Remove The MSADC Virtual Directory
  • Disable Distributed Authoring And Versioning (WebDAV)
  • Set File Permissions To Prevent The IIS Anonymous User Account From Executing System Utilities
  • Set File Permissions To Prevent The IIS Anonymous User Account From Writing To Web Content Directories

When you finish selecting options, click Next and then choose Yes to lock down your server. The screen in Figure H will appear.

Figure H

When the process is finished, you can select the View Report button, as we’ve done in Figure I.

Figure I

To wind up the process, click Next. When the Completed screen appears (Figure J), just click Finish.

Figure J

At any time, you can undo your changes by running IISLockd again to access the screen shown in Figure K and then clicking Undo. You can also click Lockdown Again to change your settings.

Figure K

4 comments
techrepublicsucks

The IIS Lockdown tool is 6 years old and not designed for IIS 6 or 7, which means that you cannot use it on Windows Server 2003 or 2008. (Follow the link in Steve's article for more information.) If you need secure web services on a Microsoft server, then upgrade to Windows Server 2003 or 2008. Steve, I had to look twice, make that three times, to be sure that I wasn't reading an old article. Anyway, welcome to 2008! Balthor, wrong place to start ragging on MS. They gave out the Lockdown tool for free when they could have easily made money selling it. That is not complicit in my book.

BALTHOR

"Everybody on Earth uses this stuff".

Steven Warren

The tool is old but as an IIS-MVP with Microsoft, there are still plenty of Windows 2000 servers out there. Trust me! The tool still has an audience and I wanted to make sure people understand that the tool exists. We are in 2008 but I do not see massive rollouts of 2008. I see upgrades in the planning from Windows 2000 servers all the way to 2008 skipping 2003 but I do not see many 2003 servers moving to 2008.

LouCed

Management feels that W2K does the job, so why upgrade?