Tech Tip: Take these steps to secure your IIS Web server

Follow these steps to secure your IIS Web server.

By Mike Mullins

As you probably know, hackers love to target Internet Information Services (IIS), and it's imperative that you adequately lock down your IIS servers. The first step to securing an IIS Web server is to update the operating system before installing IIS.

After you've secured the OS and installed IIS, the real focus of securing your Web server begins. Security implementation starts at the network layer and ends at the application. You can lock down your system by taking the following actions.

Secure the network

Configure the router, switch, or firewall in front of the Web server so that traffic from external networks reaches only TCP port 80 on the Web server's IP address (add TCP port 443 if the site uses SSL). On a Cisco router or switch, an extended access list applied inbound on the Internet-facing interface does this:

access-list 100 permit tcp any host your.iis.server.ip eq www
access-list 100 permit tcp any host your.iis.server.ip eq 443

IOS spells port 80 as www (or the number 80); http is not an accepted port keyword. Every access list ends with an implicit deny, so any packet not matched by the lines above is dropped. Bind the list to the outside interface with ip access-group 100 in, and leave out the second line if the server doesn't serve HTTPS.

This simple but effective measure is one of the most overlooked steps for any Web server. It confines an external attacker to the Web service itself rather than every service listening on the host (NetBIOS, SMB, RPC, Terminal Services, and so on). It does nothing, however, about attacks carried inside HTTP requests on port 80, which is where most IIS exploits arrive; that is what the application lockdown below addresses.

Of course, you'll still need to apply OS security updates and patches to the IIS server. But with the other ports filtered, a fix for a service that isn't exposed is no longer an emergency: you can test it and schedule it. Patches for IIS itself, and for anything reachable through port 80 or 443, still need to go in promptly.

Lock down the application

After you've secured the network, it's time to remove vulnerabilities and add security to the IIS application. The IUSR account (the Web anonymous user) is the identity under which IIS handles every unauthenticated request, so its file-system rights define what an anonymous visitor can touch. A common recommendation is renaming, disabling, or deleting and re-creating this account. The easiest way to secure it and the directories it can access is to run Microsoft's IIS Lockdown Tool.

When you use the IIS Lockdown Tool to secure your IIS server, it makes the IUSR account a member of the Web Anonymous Users local group. It automatically assigns this group the appropriate Deny Write or Deny Execute permissions on your Web directories.

You can also enforce these local group permissions on other users and groups within your domain. All you need to do is add them as members to this local group.

The IIS Lockdown Tool also includes the UrlScan security tool. Together, these tools remove dangerous and unnecessary script mappings (such as .ida, .idq, .htr, and .printer) and restrict the HTTP verbs, file extensions, headers, and URL sequences that the IIS server will accept. UrlScan does this as an ISAPI filter, so a rejected request never reaches the application. Note that the Lockdown Tool targets IIS 4.0 through 5.1; IIS 6.0 ships locked down by default, and IIS 7 and later include Request Filtering, which replaces UrlScan.
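A hardened UrlScan.ini showing the kind of restrictions the paragraph above describes. This is an added example, not a configuration from the article or from Microsoft's shipped template. It uses the UrlScan 2.5/3.x keywords and assumes a static-plus-ASP site that needs only GET, HEAD, and POST; the allowed extension list is an assumption to adjust for your application.

```ini
[Options]
; Allow lists are safer than deny lists: anything not listed is rejected.
UseAllowVerbs=1
UseAllowExtensions=1
; Decode and normalize the URL before checking it, and reject a request
; whose URL changes when normalized a second time (double-encoding tricks).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Reject non-ASCII bytes and dots in directory names (e.g. /foo.asp/bar).
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1
AllowLateScanning=0
RejectResponseUrl=/<Rejected-By-UrlScan>

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
; A lone "." permits requests with no extension (directories, default documents).
.
.asp
.htm
.html
.css
.js
.gif
.jpg
.png

[DenyHeaders]
; WebDAV request headers; a request carrying any of these is rejected.
Translate:
If:
Lock-Token:

[DenyUrlSequences]
; Reject directory traversal, alternate path separators, stream names,
; residual encoding, and ampersands anywhere in the URL.
..
./
\
:
%
&

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```

UrlScan reads the file when IIS starts, so restart IIS after editing it. Rejected requests are written to UrlScan's own log under its installation directory; feed that log to whatever already watches the IIS logs, because a burst of rejections is usually the first sign of a scan or worm.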

Finally, you'll want to delete some installed directories that provide a known dangerous path for would-be attackers:

  • IIS samples: C:\inetpub\iissamples
  • IIS documentation: C:\winnt\help\iishelp
  • Remote Data Services: C:\program files\common files\system\msadc
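The group membership, the deny permissions, and the directory removal described in this section, scripted. This is an added example written for this page, not the IIS Lockdown Tool's own logic or any Microsoft script. It assumes an elevated PowerShell prompt on Windows Server 2016 or later (for the LocalAccounts module), that the anonymous account IIS is configured to use is named IUSR (older IIS uses IUSR_<HOSTNAME>; on IIS 7 and later the built-in account is NT AUTHORITY\IUSR, so adjust the parameter to match), and that Web content lives under C:\inetpub\wwwroot. The group name is the one the Lockdown Tool creates.

```powershell
# Added example for this page, not the IIS Lockdown Tool's own code.
# Assumptions: run elevated; $AnonymousUser is the account IIS uses for
# anonymous requests; $WebRoots lists every content tree on the server.
param(
    [string]   $GroupName     = 'Web Anonymous Users',
    [string]   $AnonymousUser = 'IUSR',
    [string[]] $WebRoots      = @('C:\inetpub\wwwroot')
)

# 1. Local group for anonymous web identities; add the anonymous account to it.
#    Any other account you add to this group later inherits the same deny entries.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Identities that may only read web content' | Out-Null
}
$alreadyMember = Get-LocalGroupMember -Group $GroupName | Where-Object { $_.Name -like "*\$AnonymousUser" }
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group $GroupName -Member $AnonymousUser
}

# 2. Deny Write and Execute to the group on each content tree. Deny entries are
#    evaluated before Allow entries, so they win even if the account is also
#    granted Modify through another group. The inheritance flags push the entry
#    to every existing and future subfolder and file. Directories that must run
#    CGI or ISAPI binaries under the anonymous account should be left out of
#    $WebRoots and given a Deny Write entry only.
$rights   = [System.Security.AccessControl.FileSystemRights] 'Write, ExecuteFile'
$inherit  = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$GroupName",
    $rights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

foreach ($root in $WebRoots) {
    $acl = Get-Acl -LiteralPath $root
    $acl.AddAccessRule($denyRule)   # keeps the ACL in canonical order (denies first)
    Set-Acl -LiteralPath $root -AclObject $acl
}

# 3. Remove the sample, documentation and RDS directories. Delete the matching
#    virtual directories (IISSamples, IISHelp, MSADC) in the IIS console too, so
#    nothing still points at the removed paths. Removing msadc also removes RDS
#    for any local application that depends on it.
$dangerousDirs = @(
    (Join-Path $env:SystemDrive  'inetpub\iissamples'),
    (Join-Path $env:SystemRoot   'help\iishelp'),
    (Join-Path $env:ProgramFiles 'Common Files\System\msadc')
)
foreach ($dir in $dangerousDirs) {
    if (Test-Path -LiteralPath $dir) {
        Write-Host "Removing $dir"
        Remove-Item -LiteralPath $dir -Recurse -Force
    }
}

# 4. Report what the group is now denied on each tree.
foreach ($root in $WebRoots) {
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like "*\$GroupName" } |
        Select-Object @{ n = 'Path'; e = { $root } }, IdentityReference, FileSystemRights, InheritanceFlags |
        Format-Table -AutoSize
}
```

Denying Execute on a directory also denies Traverse on it, but Windows grants Everyone the bypass-traverse-checking privilege by default, so reads of the content underneath still work; what the entry stops is an executable dropped into a content directory from being launched as the anonymous user.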

Final thoughts

If the Web server doesn't require domain membership, open the properties of its network connection in Control Panel, uninstall File And Printer Sharing For Microsoft Networks, and clear the Client For Microsoft Networks check box. This removes the SMB and NetBIOS listeners (TCP 139 and 445) that the access list already blocks from outside, so an attacker who does reach the server's own segment finds nothing to talk to.
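The same change applied to every adapter from the command line, as an added example that is not part of the article. It assumes Windows Server 2012 or later (where the NetAdapter module exists) and an elevated prompt; the service names are the standard ones for the SMB server and client.

```powershell
# Added example for this page, not from the article.
# Assumes Windows Server 2012 or later (NetAdapter module) and an elevated prompt.
# ms_server   = File and Printer Sharing for Microsoft Networks (SMB server)
# ms_msclient = Client for Microsoft Networks (SMB client / workstation redirector)
$components = 'ms_server', 'ms_msclient'

foreach ($id in $components) {
    # Unbind from every physical adapter; the component stays installed but no
    # longer listens on or uses these interfaces.
    Get-NetAdapter -Physical | Disable-NetAdapterBinding -ComponentID $id
}

# Verify: every row should show Enabled = False.
Get-NetAdapterBinding -ComponentID $components |
    Format-Table Name, DisplayName, ComponentID, Enabled -AutoSize

# Unbinding leaves the services installed, and TCP 445 can still show as
# listening. Stop and disable the services as well so the SMB listener and
# the redirector are gone entirely. Keep LanmanWorkstation if this server
# must itself copy content from a file share.
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}
```

Disabling the Server service also removes the administrative shares (C$, ADMIN$), so plan on managing the host through its console, Terminal Services over a management network, or an out-of-band channel before running this.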

Before deploying your IIS Web server, your last security step should be to run Windows Update and the Microsoft Baseline Security Analyzer (MBSA), which reports missing patches and common misconfigurations. Repeat both on a schedule afterwards; a server that was clean at deployment does not stay that way.

For more information on these suggestions and other recommendations for securing your IIS Web server, check out the Internet Information Services (IIS) Security Center.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
