Five simple measures to enhance IIS security

Only components that enable IIS to relate to business requirements

One of the changes in IIS 6.0 is that IIS only defaults to the static Web services that are indispensable. Keep this configuration in mind and only open the services you really need.

Strictly restrict the access rights assigned to the Iusr_systemname account

Many applications running on the server invoke the IUSR (Internet user) account to interact with the system on behalf of unauthorized network users. This actually limits the permissions that this account requires for the server.

Using automatic upgrades to update security patches in real time

Although the new version has a significant security improvement over previous versions, if history repeats itself (as Microsoft often does), release version 6.0 will soon have one or more patches for security reasons. Enable automatic upgrades to ensure you receive patches as soon as possible.

Use fast fail protection

The most notable feature of the new version is the ability to quickly fail protection (Rapid-fail Protection). This will protect your server from security incidents and performance, usually due to processes that fail too many times in a short period of time, such as a failure or a malicious attack. When this occurs, the network Management service shuts down the application pool, preventing further failures and making the application unusable until the administrator processes it.

Strict restrictions on remote administration

It's great to be able to manage servers anywhere, but make sure that only authorized users can do so. You should require all remote administrators to log on using a static IP address, and logins are limited to predefined secure IP addresses. You should also use a strong certification.