Recent vulnerabilities in Microsoft’s Internet Information Services Web Server have caused it to be hammered by hackers. Microsoft has responded by releasing a new utility called the IIS Lockdown Tool. This tool is designed to help Windows administrators quickly and easily secure an IIS 4.0 or 5.0 Web server. We’re going to demonstrate how to install and use this utility and see what it actually does.
Installing and using the tool
The IIS Lockdown Tool is basically a wizard you can use to turn off some of the unused parts of IIS that are the most susceptible to hacker tampering. When you download the tool, you are prompted for a location to install the files, as shown in Figure A.
When the download is complete, three files are placed in the directory you specified (Figure B).
To lock down your IIS Web server:
- Run the tool by double-clicking IISLockd to bring up the screen shown in Figure C.
- Click Next and choose either Express Lockdown or Advanced Lockdown (Figure D). If you choose Express Lockdown, you are providing maximum security for a basic Web server. With this choice, your Web server displays only static pages and does not use any advanced features, such as Internet printing or Active Server Pages.
- If you choose Express Lockdown, you’ll see the prompt shown in Figure E. Select Yes. Your Web server will be secured, and you can simply view the report.
If you choose Advanced Lockdown, you’ll see the prompt shown in Figure F.
This choice allows you to decide whether you want to disable the options shown below. (See the IIS Lockdown Tool help file for a detailed description of what these options do and why you might want to disable them.)
- Active Server Pages (.asp)
- Index Server Web Interface (.idq)
- Server-Side Includes (.shtml, .shtm, .stm)
- Internet Data Connector (.idc)
- Internet Printing (.printer)
- HTR Scripting (.htr)
When you finish, click Next to bring up the screen shown in Figure G. Here, you can take some additional security steps by selecting from the following options:
- Remove Sample Web Files
- Remove The Scripts Virtual Directory
- Remove The MSADC Virtual Directory
- Disable Distributed Authoring And Versioning (WebDAV)
- Set File Permissions To Prevent The IIS Anonymous User Account From Executing System Utilities
- Set File Permissions To Prevent The IIS Anonymous User Account From Writing To Web Content Directories
When you finish selecting options, click Next and then choose Yes to lock down your server. The screen in Figure H will appear.
When the process is finished, you can click the View Report button, as we’ve done in Figure I, to see exactly which changes the tool made.
To wind up the process, click Next. When the Completed screen appears (Figure J), just click Finish.
At any time, you can undo your changes by running IISLockd again to access the screen shown in Figure K and then clicking Undo. You can also click Lockdown Again to change your settings.
Going one step further
Now that your IIS Web service is locked down, you should look at your other IIS services. The tool addresses only the Web service; FTP and the other related services are left as they were, so you should take the appropriate measures to secure them separately. Finally, test all functionality prior to putting your Web server into production, since a Web application that depends on a disabled feature (Active Server Pages, for example) will stop working. It’s also a good idea to browse Microsoft’s additional security checklists at Microsoft TechNet and download Microsoft’s Network Security Hotfix Checker.
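Once the handlers and virtual directories listed above have been removed, requests that still target them are worth watching for: from an outside address they are reconnaissance for exactly the features the tool disabled, and from a legitimate client they indicate an application that depends on a feature you turned off. The following script is an added example, not part of the original article or of the IIS Lockdown Tool; it parses IIS 4.0/5.0 W3C extended log lines and flags requests for the extensions and directories the article names, plus WebDAV methods. The log lines are constructed for the example, and the directory name iissamples (for the sample Web files) and the assumption that a locked-down handler answers with a non-200 status are mine.

```python
"""Flag requests in IIS W3C extended logs that touch surface the IIS
Lockdown Tool removes. Added example; the sample log below is constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Script-mapped extensions the tool's Advanced Lockdown can disable
# (the article's list).
LOCKED_EXTENSIONS = {".asp", ".idq", ".shtml", ".shtm", ".stm",
                     ".idc", ".printer", ".htr"}
# Virtual directories the tool can remove. /scripts/ and /msadc/ are named in
# the article; /iissamples/ is an assumed name for the sample Web files.
LOCKED_DIRECTORIES = {"/scripts/", "/msadc/", "/iissamples/"}
# HTTP methods that only WebDAV uses; a server with WebDAV disabled
# should never serve them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed IIS 5.0 log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 00:00:01 192.0.2.10 GET /default.htm - 200
2001-09-18 00:00:02 192.0.2.10 GET /images/logo.gif - 200
2001-09-18 00:00:05 192.0.2.77 GET /scripts/test.asp - 404
2001-09-18 00:00:06 192.0.2.77 GET /msadc/test.dll - 404
2001-09-18 00:00:07 192.0.2.77 GET /test.printer - 404
2001-09-18 00:00:08 192.0.2.77 GET /default.htr - 404
2001-09-18 00:00:09 198.51.100.5 PROPFIND /docs/ - 403
2001-09-18 00:00:10 203.0.113.9 GET /orders/list.asp id=42 200
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the most recent #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no request
        if fields is None:
            continue  # data before any #Fields: header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(record):
    """Return the reasons a request touches locked-down surface ([] if none)."""
    reasons = []
    # Decode one layer of %xx escapes so /default%2Ehtr is seen as /default.htr.
    stem = unquote(record.get("cs-uri-stem", "")).lower()
    method = record.get("cs-method", "").upper()
    match = re.search(r"(\.[a-z]+)$", stem)
    if match and match.group(1) in LOCKED_EXTENSIONS:
        reasons.append("extension " + match.group(1))
    for directory in sorted(LOCKED_DIRECTORIES):
        if stem.startswith(directory):
            reasons.append("directory " + directory)
    if method in WEBDAV_METHODS:
        reasons.append("webdav method " + method)
    return reasons


def scan(lines):
    """Return (hits, per_client): flagged requests and a count per client IP.

    A hit with served=True (HTTP 200) means the feature is still active and
    either the lockdown did not take or an application still relies on it."""
    hits = []
    per_client = Counter()
    for rec in parse_w3c(lines):
        reasons = classify(rec)
        if not reasons:
            continue
        hits.append({
            "time": rec.get("date", "") + " " + rec.get("time", ""),
            "ip": rec.get("c-ip", "?"),
            "method": rec.get("cs-method", "?"),
            "stem": rec.get("cs-uri-stem", "?"),
            "status": rec.get("sc-status", "?"),
            "served": rec.get("sc-status") == "200",
            "reasons": reasons,
        })
        per_client[rec.get("c-ip", "?")] += 1
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG)
    for h in hits:
        flag = "STILL SERVED" if h["served"] else "refused"
        print(f'{h["time"]} {h["ip"]:<14} {h["method"]:<8} {h["stem"]:<22} '
              f'{h["status"]} {flag}: {", ".join(h["reasons"])}')
    print("requests per client:", dict(per_client))
```

Run against a real log, the per-client counter separates a scanner walking through the removed handlers from a single internal client repeatedly hitting one .asp page. The script decodes only one layer of URL encoding; if your logs show doubly encoded paths, decode again before matching.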