[This is preliminary documentation and subject to change]
IIS Security Checklist
There are several ways to enhance the security of a computer that
publishes information on an intranet or the Internet. If you have
concerns about the security of your system, review this checklist
to determine whether aspects of your security could be improved.
Note
For highly sensitive information, you should seek
the assistance of a professional security consulting firm. A
consulting firm can help you establish proper security policies and
procedures.
The security features in IIS are built upon those in Windows.
The following settings in Windows will help make your Web site
secure.
File System
| Action | Reason |
|---|---|
| Use NTFS | The NTFS file system is more secure than the FAT file system. For information about converting your computer's hard disk from FAT to NTFS, see the Windows documentation. |
| Review directory permissions | By default, Windows creates new folders and assigns Full Control permissions to the Everyone group. |
| Set access control for the IUSR_computername account | This will help limit the access anonymous users have to your computer. |
| Store executable files in a separate directory | This makes it easier to assign access permissions and auditing for administrators. |
| Check NTFS permissions on network drives | By default, Windows creates new shared resources and assigns Full Control permissions to the Everyone group. |
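The directory-permission items above can be checked with a script. The following is an added example, not part of the original checklist: it walks the web content root and reports any Allow ACE that gives a broad principal (Everyone, Users, Authenticated Users) or the anonymous IUSR account a write-type right. It assumes Windows PowerShell 5.1 or later, and the default path C:\Inetpub\wwwroot is an assumption about your layout.

```powershell
# Added example (not from the original checklist): report NTFS ACEs under the web
# content root that give broad principals or the anonymous web account write-type
# rights. Assumes Windows PowerShell 5.1+; $Root defaults to the IIS default content
# directory C:\Inetpub\wwwroot, which is an assumption about your layout.
param([string]$Root = 'C:\Inetpub\wwwroot')

# Any of these rights lets the holder add or change content (FullControl includes them).
$writeLike = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

# Principals the checklist singles out: Everyone gets Full Control on new folders
# and shares by default; anonymous web users run as IUSR_computername (or the
# built-in IUSR account on later IIS versions).
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-RiskyAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $id       = $Ace.IdentityReference.Value
    $hasWrite = ([int]$Ace.FileSystemRights -band [int]$writeLike) -ne 0
    $isBroad  = $broadPrincipals -contains $id
    $isAnon   = ($id -like '*\IUSR_*') -or ($id -eq 'NT AUTHORITY\IUSR')
    return $hasWrite -and ($isBroad -or $isAnon)
}

function Get-RiskyAce([string]$Path) {
    # Walk the root and every subdirectory; inherited ACEs are reported too so you
    # can see where a permissive grant originates.
    $dirs = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            if (Test-RiskyAce -Ace $ace) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-RiskyAce -Path $Root)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { "No broad or anonymous write grants found under $Root" }
```

Run it from an elevated prompt so every subdirectory's ACL can be read; an entry whose Inherited column is True originates from a parent folder, which is usually where the fix belongs.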
User Accounts
| Action | Reason |
|---|---|
| Review user accounts often | Check for new accounts that were not created by a valid administrator. Review the rights given to the IUSR_computername account. All users gaining anonymous access to your site have the rights assigned to this account. You can also use auditing to monitor when and by whom security policies are changed. For more information, see Auditing. |
| Choose difficult passwords | Passwords are more difficult to guess if they consist of a combination of lowercase and uppercase letters, numbers, and special characters. |
| Maintain strict account policies | Keep track of what types of access are given to important user accounts and groups. This includes knowing who has the ability to change security policies. |
| Limit the membership of the Administrators group | This group typically has full access to the computer. |
| Assign a password to the Administrator account | By default, the password for the Administrator account is blank. To improve security, set a difficult password for this account, as discussed earlier. |
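The account review items above (new accounts, the IUSR account, Administrators group size, blank Administrator password) can be turned into a repeatable report. The script below is an added example and not part of the original checklist; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module, and the baseline account list and the admin-count limit are constructed values to replace with your own.

```powershell
# Added example (not from the original checklist): review local accounts and the
# Administrators group. Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
# $KnownAccounts and $MaxAdmins are constructed placeholders for your own baseline.
$KnownAccounts = @('Administrator', 'Guest', 'IUSR_WEB01', 'IWAM_WEB01')  # constructed
$MaxAdmins     = 2                                                         # your policy limit

function Get-AccountFindings {
    $report = [System.Collections.Generic.List[string]]::new()
    $users  = @(Get-LocalUser | Where-Object { $_.Enabled })

    # 1. New accounts: any enabled account outside the baseline appeared since the
    #    baseline was taken and needs an identified owner.
    foreach ($u in $users) {
        if ($KnownAccounts -notcontains $u.Name) {
            $report.Add("Unexpected enabled account: $($u.Name) (password last set $($u.PasswordLastSet))")
        }
    }

    # 2. Password hygiene: a blank Administrator password and accounts that do not
    #    require a password are the cases the checklist calls out.
    foreach ($u in $users) {
        if (-not $u.PasswordRequired) { $report.Add("Password not required: $($u.Name)") }
        if ($null -eq $u.PasswordLastSet) { $report.Add("Password never set: $($u.Name)") }
    }

    # 3. Administrators group: keep it small, made of individual accounts, and never
    #    containing the anonymous web account.
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    if ($admins.Count -gt $MaxAdmins) {
        $names = ($admins | ForEach-Object { $_.Name }) -join ', '
        $report.Add("Administrators has $($admins.Count) members (limit $MaxAdmins): $names")
    }
    foreach ($m in $admins) {
        if ($m.ObjectClass -eq 'Group') { $report.Add("Nested group in Administrators: $($m.Name)") }
        if ($m.Name -like '*\IUSR*')   { $report.Add("Anonymous web account is an administrator: $($m.Name)") }
    }
    return $report
}

$findings = Get-AccountFindings
if ($findings.Count) { $findings } else { 'No account findings' }
```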
Services and Other Issues
| Action | Reason |
|---|---|
| Run minimal services | Run only the services that are absolutely necessary for your purposes. Each additional service that you run presents an entry point for malicious attacks. For more information about services and security, see the Microsoft Windows 2000 Server Resource Kit. |
| Do not use the PDC as a server | The primary domain controller (PDC) is constantly processing authentication requests. Running a Web service on the PDC will decrease performance. It could also expose your PDC to attacks that could render your entire network non-secure. |
| Enable auditing | Auditing is a very valuable tool for tracking access to secure or critical files. Auditing can also be used for tracking server events, such as a change in your security policy. Audit logs can be archived for later use. For more information, see Auditing. |
| Use encryption if administering your computer remotely | Typically, remote administration involves the exchange of sensitive information, such as the password for the Administrator account. To protect this information over open networks, use Secure Sockets Layer (SSL) encryption. For more information, see Encryption. |
| Use a low-level account to browse the Internet | Using the Administrator, Power User, or another highly privileged account to browse the Internet can potentially open entry points on your computer for attacks. Likewise, never browse the Internet from the primary domain controller (PDC). |
| Back up vital files and the registry often | No security effort can guarantee data safety. For more information, see the Microsoft Windows 2000 Server Resource Kit. |
| Run virus checks regularly | Any computer on an open network is susceptible to computer viruses. Regular checkups can help avoid unnecessary data loss. |
| Unbind unnecessary services from your Internet adapter cards | Warning: Be sure to check with your system administrator before unbinding services, because this could have undesirable effects on other users of your server. |
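The "run minimal services" and "unbind unnecessary services" items can be reviewed without changing anything first. The following added example (not from the original checklist) lists running services that are not on an allowlist and the protocol bindings on the Internet-facing adapter that are usually not wanted there; it assumes Windows PowerShell 5.1 or later on a system with the NetAdapter module (Windows 8 / Server 2012 or later), and the adapter name and the service allowlist are constructed placeholders.

```powershell
# Added example (not from the original checklist): report-only review of running
# services against an allowlist, and of bindings on the Internet-facing adapter.
# Assumes Windows PowerShell 5.1+ with the NetAdapter module. $InternetAdapter and
# $AllowedServices are constructed placeholders; replace them with your own values.
$InternetAdapter = 'Ethernet'   # assumption: name of the external adapter
$AllowedServices = @(           # constructed baseline; anything else running is reported
    'W3SVC', 'IISADMIN', 'EventLog', 'RpcSs', 'Dhcp', 'Dnscache', 'WinDefend'
)
# Bindings that have no business on an Internet-facing card: file and printer
# sharing (ms_server) and the client redirector (ms_msclient).
$UnwantedBindings = @('ms_server', 'ms_msclient')

function Get-UnexpectedService {
    # Each running service outside the allowlist is an entry point to justify or remove.
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $AllowedServices -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartType
}

function Get-UnwantedBinding {
    param([string]$Adapter)
    Get-NetAdapterBinding -Name $Adapter |
        Where-Object { $_.Enabled -and $UnwantedBindings -contains $_.ComponentID } |
        Select-Object Name, DisplayName, ComponentID
}

'--- Running services not in the allowlist ---'
Get-UnexpectedService | Format-Table -AutoSize
'--- Unwanted protocol bindings on the Internet adapter ---'
Get-UnwantedBinding -Adapter $InternetAdapter | Format-Table -AutoSize

# The change itself is deliberately not run here; after confirming with your
# system administrator (see the Warning above), the corresponding cmdlet is:
#   Disable-NetAdapterBinding -Name $InternetAdapter -ComponentID ms_server
```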
IIS provides frontline security for your Web site, including
authentication and Web permissions.
Authentication
| Action | Reason |
|---|---|
| Use the most secure form of authentication possible | Use the most secure form of authentication that your clients support. For example, integrated Windows authentication and Digest authentication are more secure than Basic authentication. Client certificates can also be used for highly secure authentication. For more information about authentication, see About Authentication. |
| One-to-one mapping versus many-to-one mapping | You can use either or both of these methods to map client certificates to Windows user accounts. One-to-one mapping offers a higher level of certainty, but requires a copy of the client certificate to be stored on the server. Many-to-one mapping is easier to implement and does not require a copy of the certificate to be stored on the server. For more information, see Mapping Client Certificates to User Accounts. |
Web Permissions
| Action | Reason |
|---|---|
| Synchronize Web and NTFS permissions | If Web permissions and NTFS permissions are not synchronized, the more restrictive of the two is used. Synchronization can be done manually, or by using the Permissions Wizard. For more information about Web permissions, see About Access Control. For information about NTFS permissions, see the Windows documentation. |
| Use IP address restriction if administering IIS remotely | For more information, see Granting and Denying Access to Computers. |
| Use the most restrictive permission possible | For example, if your Web site is used only for viewing information, assign only Read permissions. If a directory or site contains ASP applications, assign Scripts Only permissions instead of Scripts and Executables permissions. For more information, see Setting Web Server Permissions. |
| Write and Scripts and Executables permissions | Use this combination with extreme caution. It can allow someone to upload potentially dangerous executable files to your server and run them. For more information, see Setting Web Server Permissions. |
| Action | Reason |
|---|---|
| Lock the workstation when away | When you are not at the computer, lock the desktop by pressing the shortcut keys CTRL + ALT + DELETE and selecting Lock Workstation. |
| Use a password-protected screen saver | The time delay should be short so that no one can use the computer after you leave. The screen saver should be blank; animated screen savers can decrease server performance. |
| Lock up the computer | Keep the computer locked in a secure room in order to reduce the chance of access by malicious individuals. |
| Action | Reason |
|---|---|
| Use different Administrator accounts | Each individual who has administrative privileges should be given a distinct user account and password. This will make it easier to track any changes that are made. |
| Use non-disclosure agreements | Further accountability can be enforced by using non-disclosure agreements. |
| Periodically reassign accounts | To lower the risk of user account information being compromised, assign new user accounts to personnel with Administrator or other high-level privileges. |
| Quickly delete unused accounts | This will lower the risk of a disgruntled former employee or vendor gaining access to your network. |
The following resources provide additional information about Web
site security:
© 1997-2001 Microsoft Corporation. All rights reserved.