The Microsoft IIS security world has been quiet for some time. Nearly 2 years have passed since Microsoft released the last Internet Information Services (IIS) 5.0 hotfix, and the company hasn't yet released a hotfix that directly affects IIS 6.0. The security changes that Microsoft made with Windows Server 2003 let administrators get an IIS 6.0 server up and running securely with little effort. Even IIS 5.0, after a quick hardening with the IIS Lockdown Tool, provides relatively good security.
But don't let this lack of security problems make you complacent. Although Microsoft's efforts have dramatically reduced the attack surface of IIS servers, intruders still break in. Because of the lack of published platform vulnerabilities, the focus of attacks has shifted from exploiting the platform to exploiting applications and server configuration. I've compiled some tips and best practices that you can implement to make your IIS server even more resistant to attack.
Use Granular Access Controls
The key to hardening an IIS Web site is to use the available access controls. IIS lets you restrict access by limiting the allowed file types and HTTP verbs used with each file type; setting IP restrictions for certain content; and allowing or disallowing read, write, and directory access. You can configure these settings through IIS 6.0's IIS Manager UI or through the Microsoft Management Console (MMC) IIS snap-in in IIS 6.0 and earlier. (For more information about IIS access controls, see "The Truth About Web-Based Permissions," January 2002, InstantDoc ID 23280, and "Web and FTP Permissions in IIS 5.0," March 2001, InstantDoc ID 19773.) Also take advantage of the granularity of NTFS file permissions and set individual permissions for each content type and area on your Web site. (For information about setting NTFS permissions, see "NTFS Permissions for IIS Web Servers," October 2002, InstantDoc ID 26358.) . . .
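As an added illustration (this script is not from the article and is not a Microsoft tool), the following PowerShell audit checks the two layers of access control the paragraph describes: the per-directory IIS permissions (read, write, script, execute, directory browsing) stored in the IIS 6.0 metabase, read through the root\MicrosoftIISv2 WMI provider, and the NTFS ACLs on the content directories. The content root path and the list of "web user" principals are assumptions you should adjust for your own site; the IUSR_<machine> account name follows the IIS 5.0/6.0 anonymous-account convention.

```powershell
# Added example, not part of the original article. Audits IIS 6.0 virtual
# directory permissions (via the IIS 6.0 WMI provider) and NTFS ACLs on the
# content root, flagging anything that grants web users write access or
# directory browsing. Run as an administrator on the IIS server.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',   # assumed content root; change for your site
    [string[]]$WebPrincipals = @(              # assumed principals that reach content over HTTP
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # IIS 5.0/6.0 anonymous account
    )
)

# --- Layer 1: IIS (metabase) permissions per virtual directory ---------------
# IIsWebVirtualDirSetting mirrors the metabase properties AccessRead,
# AccessWrite, AccessScript, AccessExecute and EnableDirBrowsing.
function Get-IisVdirFindings {
    Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting |
        ForEach-Object {
            $problems = @()
            if ($_.AccessWrite)        { $problems += 'Write enabled' }
            if ($_.EnableDirBrowsing)  { $problems += 'Directory browsing enabled' }
            if ($_.AccessExecute)      { $problems += 'Execute (binaries) enabled' }
            if ($problems.Count -gt 0) {
                [PSCustomObject]@{
                    Layer    = 'IIS'
                    Object   = $_.Name          # e.g. W3SVC/1/ROOT/uploads
                    Finding  = ($problems -join '; ')
                }
            }
        }
}

# --- Layer 2: NTFS ACLs on the content directories ----------------------------
# Explicit write-type rights plus the generic bits that inherited ACEs often
# carry (GENERIC_ALL / GENERIC_WRITE show up as raw numbers in FileSystemRights).
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles)
$genericWriteMask = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

function Get-NtfsFindings {
    param([string]$Root, [string[]]$Principals)
    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($Principals -notcontains $id) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWriteMask) -ne 0)) {
                [PSCustomObject]@{
                    Layer   = 'NTFS'
                    Object  = $dir.FullName
                    Finding = "$id has write-capable rights ($($ace.FileSystemRights)); inherited=$($ace.IsInherited)"
                }
            }
        }
    }
}

# Report both layers together so a reviewer sees where IIS and NTFS disagree,
# e.g. a directory that IIS marks read-only but NTFS lets the anonymous account modify.
$findings = @(Get-IisVdirFindings) + @(Get-NtfsFindings -Root $WebRoot -Principals $WebPrincipals)
if ($findings.Count -eq 0) {
    Write-Output "No write access or directory browsing found for web principals under $WebRoot."
} else {
    $findings | Format-Table -AutoSize
}
```

The point of checking both layers is that IIS permissions and NTFS permissions are evaluated independently: IIS read-only on a virtual directory does not stop a script running as the anonymous account from writing to the folder if NTFS allows it, and an NTFS deny does not stop IIS from listing a directory if directory browsing is on. Any directory that appears in the NTFS findings but holds only static content is a candidate for tightening to Read and Execute only; the IIS findings identify where write, execute or browsing was enabled and should be reviewed against what the application actually needs.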