Secure an IIS Web server with these 10 steps

原创 2005年06月02日 08:44:00


Internet Information Services (IIS) is a favorite target of hackers. Thus, it's critical for administrators who manage IIS Web servers to make sure that they are locked down. The default installations of IIS 4.0 and IIS 5.0 are particularly vulnerable.


Take these 10 steps to secure IIS:

  1. Set up an NTFS drive just for the IIS application and data. If possible, don't allow IUSER (or whatever the anonymous username is) access to any of the other drives. If the application runs into any problems because the anonymous user doesn't have access to programs on the other drive(s), then use FileMon from Sysinternals to troubleshoot which file it can't access and try working around it by moving the program to the IIS drive. If that is impossible, then allow IUSER access just to that file.
  2. Set the NTFS permissions on the drive:
    Developers = Full
    IUSER = Read and execute only
    System and admin = Full
  3. Use a software firewall to make sure that none of the end users (only the developers) have access to any other port on the IIS machine besides port 80.
  4. Use the Microsoft tools for locking down the machine: IIS Lockdown and UrlScan.
  5. Enable logging using IIS. In addition to the IIS logging, if possible, use logging from the firewall as well.
  6. Move the logs from the default location, and make sure that they are being backed up. Set up a replication for the log folders so that a copy is always available in a second location.
  7. Enable Windows auditing on the machine, because there is never enough data when trying to backtrack any attacker's activity. It's even possible to have a script run to check for any suspicious activity using the audit logs, and then send a report to an administrator. Now this might sound a bit extreme, but if security is really important in your organization, this type of action is a good practice. Set up auditing to report any failed account logons. Plus, as with the IIS logs, change the default location (c:/winnt/system32/config/secevent.log) to a different location, and make sure that you have a backup and a replicated copy.
  8. On a regular basis, go through as many security articles (from various sources) as you can. It is always better that you understand as much as possible about IIS and general security practices and not just follow what others (like me) tell you.
  9. Sign up to a mailing list for IIS bugs and stay up to date in reading it. One such list is X-Force Alerts and Advisories from Internet Security Systems.
  10. Finally, make sure that you regularly run Windows Update and verify that the patches actually get deployed.


Win10下IIS配置 1.找到控制面板:【开始】菜单鼠标右击,打开【控制面板】 2.打开控制面板,点击【程序】,点击【启用或关闭Windows功能】 下一步...
  • u010763324
  • u010763324
  • 2016年08月11日 14:58
  • 21071

CSS 动画的 steps()

本文转自: animation默认以ease方式过渡,会以在每个关键帧之间插入补间动画,所以动画效果是连贯性的。ea...
  • ssisse
  • ssisse
  • 2016年05月10日 10:25
  • 340

Application Server Role, Web Server (IIS) Role: configuration error

I’m installing SharePoint 2013 on Windows 2012 ‘offline’ – the server has no Internet access.  Withi...
  • jacky5154
  • jacky5154
  • 2013年09月21日 13:40
  • 1503

云服务器Windows Server2012 配置http服务器(又称Web服务器,IIS)

一、安装WEB服务器 1.选择添加角色和功能 2.一直下一步到选择web服务器 3.添加功能 4.角色服务可以按需选择,这里直接默认 5.一直下一步,耐心等待安装成功 二、配置II...
  • luchengtao11
  • luchengtao11
  • 2017年05月16日 14:42
  • 5367

Windows+IIS+ASP+SQL Sever web应用部署

一、安装IIS 二、安装.net 三、安装SQL Sever 四、配置web默认文档、IP:端口号、链接字符串等 问题: IIS网站属性中没有ASP.NET选项 打开IIS6...
  • Adimecoin
  • Adimecoin
  • 2017年03月22日 17:42
  • 721

CSS3 timing-function: steps() 详解

CSS3 timing-function: steps() 详解 原文
  • xianyu410725
  • xianyu410725
  • 2015年01月21日 13:00
  • 1038

邮件发送中的"server does not support secure connection."

 最近在修改公司的邮件发送系统。不熟悉C#,浏览代码以后,增加了通过SSL方式,GMAIL的smtp服务器需要SSL安全连接。测试通过,可以发送邮件。但是部署在备用机房服务器以后(windows se...
  • moxuansheng
  • moxuansheng
  • 2009年10月28日 22:44
  • 1644

转载--Windows Server 2016 配置指南 之 IIS 设置 HTTPS HTTP/2 并跑分到 A+

Windows Server 2016 配置指南 之 IIS 设置 HTTPS HTTP/2 并跑分到 A+ 一、首先我们需要申请一款证书,然后证书一定要是 IIS 支持的 pfx 格式,不然的话 ...
  • xl_lx
  • xl_lx
  • 2018年01月09日 15:40
  • 138

IIS7.5 安装设置-Sql Sever2008安装设置-移动端设置等必读

IIS7.5 安装设置-Sql Sever2008安装设置-移动端设置等必读
  • boomcode
  • boomcode
  • 2015年10月15日 22:53
  • 2100

windows 2008 server 实现 IIS 虚拟目录共享

设备: Server A :    Server B :  需求: Server A 和 Server B 作为两台 web , 采用双机的...
  • fairplay_li
  • fairplay_li
  • 2013年01月20日 21:35
  • 4544
您举报文章:Secure an IIS Web server with these 10 steps