To improve IIS security, Microsoft provides two tools: IIS Lockdown and URLScan. IIS Lockdown 2.1 contains URLScan. IIS Lockdown 2.1 has the following functions:
(1) Disable or delete unnecessary IIS services and components.
(2) Modify the default configuration to improve the security of system files and Web content directories.
(3) Use URLScan to filter HTTP requests.
This article describes how to use the first two functions of IIS Lockdown 2.1. Note that the description applies only to IIS Lockdown version 2.1; the usage of previous versions is very different.
I. Notes
IIS Lockdown may change the way IIS runs, so it is likely to conflict with applications that depend on particular IIS features. In particular, exercise caution when installing IIS Lockdown and URLScan on a server that runs Microsoft Exchange 2000 Server, Exchange Server 5.5, or Microsoft SharePoint Portal Server.
Two Microsoft articles explain possible difficulties and solutions: XADM: Known issues and adjustment policies for using the IIS Lockdown Wizard in an Exchange 2000 environment (http://support.microsoft.com/default.aspx?Scid=kb;en-us;q309677), and SPS: IIS Lockdown Tool affects SharePoint Portal Server (http://support.microsoft.com/default.aspx?Scid=kb;en-us;q309675).
In addition, before applying IIS Lockdown or URLScan, you must search the Microsoft Knowledge Base to collect the latest information on issues that may cause problems. After understanding the information and the suggestions, install IIS Lockdown on a test server to fully test whether the IIS functions required by your Web applications are affected. Finally, make a comprehensive system backup so that the system can be quickly restored if its functions are seriously affected.
II. Installation
IIS Lockdown 2.1 is available for download from http://www.microsoft.com/downloads/release.asp?Releaseid=33961. Download iislockd.exe and double-click it to run it; it decompresses itself to a temporary directory and starts the IIS Lockdown Wizard. However, if you want to use IIS Lockdown to protect multiple servers, it is best to extract it to a dedicated directory as described below, so that you do not have to decompress IIS Lockdown again every time you run it.
Note that the downloaded file is a self-extracting executable with the same name as the application executable inside the compressed package. For this reason, extracting iislockd.exe into its own directory causes a file name conflict. Follow the steps below to avoid possible problems:
(1) Download iislockd.exe to a temporary directory.
(2) Open a command prompt window, change to that directory, and run the command "iislockd.exe /q /c /t:c:\IISLockdown" to extract the files. /q requests "quiet" mode, and /c requests that IIS Lockdown only extract files; it is used together with the /t option. The /t option specifies the directory to which the files are extracted (in this example, the c:\IISLockdown directory). Table 1 lists the main files that iislockd.exe extracts. iislockd.exe contains the URLScan files, but this article does not discuss URLScan in detail.
Table 1: IIS Lockdown 2.1 main files

IIS Lockdown file          Description
iislockd.exe               IIS Lockdown main executable.
iislockd.ini               Configuration and option file.
iislockd.chm               Online help.
runlockdunattended.doc     Documentation on the "unattended" running mode.
404.dll                    "File not found" response file.

URLScan file               Description
urlscan.exe                URLScan installation package.
urlscan.doc                URLScan documentation.
urlscan*.ini               Configuration and option files.
urlscan_unattend.txt       Configuration file for installing URLScan in unattended mode.
readme.txt                 Instructions for running URLScan in unattended mode.
unattend.cmd               Command file for installing URLScan in unattended mode.
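
The extraction steps above, as an added batch-file example that is not part of the original article: it extracts the downloaded package with the switches described, refuses to extract into the download directory (the file name conflict noted above), and checks that the IIS Lockdown files listed in Table 1 are present. The download location %TEMP%\iislockd.exe is an assumption; c:\IISLockdown is the article's example directory.

```bat
@echo off
rem Added example: stage IIS Lockdown 2.1 in a dedicated directory.
setlocal

rem Assumption: the self-extracting package was downloaded here.
set "SRC=%TEMP%\iislockd.exe"
rem The article's example target directory.
set "DEST=c:\IISLockdown"

if not exist "%SRC%" (
  echo ERROR: %SRC% not found. Download iislockd.exe first.
  exit /b 1
)

rem The package and the extracted program are both named iislockd.exe,
rem so the target must not be the directory holding the download.
for %%I in ("%SRC%") do set "SRCDIR=%%~dpI"
if /i "%SRCDIR%"=="%DEST%\" (
  echo ERROR: extracting into the download directory causes a name conflict.
  exit /b 1
)

if not exist "%DEST%" mkdir "%DEST%"

rem /q = quiet mode, /c = extract only, /t: = target directory.
start /wait "" "%SRC%" /q /c /t:%DEST%

rem Check the IIS Lockdown files from Table 1. The URLScan files are
rem not checked, since the article does not cover URLScan in detail.
set MISSING=0
for %%F in (iislockd.exe iislockd.ini iislockd.chm runlockdunattended.doc 404.dll) do (
  if not exist "%DEST%\%%F" (
    echo MISSING: %DEST%\%%F
    set MISSING=1
  )
)

if "%MISSING%"=="1" (
  echo Extraction incomplete. Do not run the wizard from %DEST%.
  exit /b 1
)
echo IIS Lockdown files extracted to %DEST%.
endlocal
```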
III. Practical Application
IIS Lockdown is easy to use. Double-click iislockd.exe and the Internet Information Services Lockdown Wizard appears. Follow the instructions in the wizard to lock down the Web server. The welcome screen appears first. Click "Next" to display the end-user license agreement screen. Select the I Agree option and click "Next" to go to the server template selection dialog box.