Overview
This module covers the instructions and steps required to harden the IIS servers in your environment. To provide comprehensive security for the Web servers and applications on your organization's corporate intranet, you should protect each Microsoft Internet Information Services (IIS) server, and each Web site and application running on those servers, from the client computers that can connect to them. In addition, you should protect the Web sites and applications running on each IIS server from the Web sites and applications running on other IIS servers in your corporate intranet.
To resist malicious users and attackers proactively, IIS is not installed on members of the Windows Server 2003 family by default. When it is installed, IIS starts in a highly secure, locked-down mode. For example, by default IIS initially serves only static content. Features such as Active Server Pages (ASP), ASP.NET, server-side includes (SSI), Web Distributed Authoring and Versioning (WebDAV) publishing, and Microsoft FrontPage Server Extensions do not work unless an administrator has enabled them. These features and services can be enabled through the Web Service Extensions node in Internet Information Services Manager (IIS Manager).
IIS Manager has a graphical user interface (GUI) that makes IIS easy to manage. It includes resources for file and directory management, the ability to configure application pools, and the many security, performance, and reliability features of IIS.
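As an added check, not part of this guide, the following PowerShell script audits the Web Service Extensions state on an IIS 6.0 server with the iisext.vbs script that ships with Windows Server 2003, and reports any extension enabled beyond an allow-list you supply. The "status name" line format it parses and the sample allow-list are assumptions.

```powershell
# Added example (not from the guide): audit which IIS 6.0 Web Service Extensions
# are enabled, using the iisext.vbs administration script that ships with
# Windows Server 2003 (%SystemRoot%\system32\iisext.vbs).
# Assumption: "iisext.vbs /ListExt" prints one extension per line as
# "<status> <extension name>", where 0 = Prohibited and 1 = Allowed.
# Run on the IIS server itself from an administrative PowerShell prompt.

# Extensions this server's applications actually need (assumed sample list).
# Everything else should stay Prohibited; an empty list means "static content only".
$allowed = @('Active Server Pages')

$iisext = Join-Path $env:SystemRoot 'system32\iisext.vbs'
if (-not (Test-Path $iisext)) {
    throw "iisext.vbs not found; is IIS 6.0 installed on this host?"
}

# Collect the display names of all extensions whose status is Allowed (1).
$enabled = @()
$output = & cscript.exe //nologo $iisext /ListExt
foreach ($line in $output) {
    # Match "1 WebDAV"-style lines; header and separator lines do not match.
    if ($line -match '^\s*([01])\s+(.+?)\s*$') {
        if ($matches[1] -eq '1') { $enabled += $matches[2] }
    }
}

# Anything enabled that is not on the allow-list widens the attack surface
# beyond what the locked-down default provides.
$unexpected = $enabled | Where-Object { $allowed -notcontains $_ }
if ($unexpected) {
    Write-Warning "Web Service Extensions enabled beyond the allow-list:"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
    # Remediation for a given entry: cscript $iisext /DisExt "<extension name>"
} else {
    Write-Output "Only allow-listed Web Service Extensions are enabled."
}
```

The same state can be confirmed in IIS Manager under the Web Service Extensions node, which is the place the guide points to for enabling or prohibiting each extension.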
The next sections of this chapter detail the various security hardening settings that can be enforced to enhance the security of an IIS server that hosts HTML content in your corporate Intranet. However, to ensure that the IIS server is always in a secure state, you should also perform steps such as security monitoring, detection, and response.
Audit Policy settings
The audit policy settings for IIS servers are configured through the Member Server Baseline Policy (MSBP) in the three environments defined in this guidance. For more information about the MSBP, see the module "Creating a Member Server Baseline for Windows Server 2003." The MSBP settings ensure that all relevant security audit information is recorded on all IIS servers.