IIS Lockdown Tool
Issue
By default, when you install Internet Information Services (IIS) on a Microsoft® Windows® 2000 or Windows NT® 4.0 computer, all of the available features and services of the Web server are installed and started. Only the features and services that a particular Web server actually requires should be enabled, so that the least amount of code is running, and exposed, on the server. In addition, all available IIS security updates should be installed on the server to patch known vulnerabilities.
Solution
We recommend that you download the IIS Lockdown tool and run it on all IIS computers. The tool turns off the features and services that are not needed for the server's role, thereby reducing the attack surface available to attackers. To provide defense in depth, UrlScan, an ISAPI filter that rejects HTTP requests that do not match its configured rules for verbs, file extensions and URL patterns, has been integrated into the IIS Lockdown tool.
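As an added example, not part of the original article or of the IIS Lockdown tool itself, the following PowerShell script audits a server for the state that IIS Lockdown is expected to leave behind: unneeded services stopped, legacy ISAPI script maps removed, sample virtual directories gone, and UrlScan loaded with restrictive settings. It assumes the default Web site has metabase ID 1, that UrlScan is installed under %SystemRoot%\system32\inetsrv\urlscan, and that the IIS ADSI (metabase) provider is available, which is the case on IIS 5.x and 6.0. Because PowerShell itself requires Windows XP SP2 or Windows Server 2003, this applies to Windows Server 2003 hosts, not to Windows NT 4.0 or Windows 2000 servers.

```powershell
# Audit script (added example, not Microsoft's tool): report deviations from the
# configuration that IIS Lockdown is expected to produce.
# Assumptions: default Web site = metabase ID 1; UrlScan under
# %SystemRoot%\system32\inetsrv\urlscan; IIS ADSI provider present (IIS 5.x/6.0).

$findings = @()

# 1. Services IIS Lockdown disables when the server's role does not need them.
#    Trim this list to match the role (for example keep MSFTPSVC on an FTP host).
$unneededServices = @('MSFTPSVC', 'SMTPSVC', 'NntpSvc')
foreach ($name in $unneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings += "Service $name is running; Lockdown disables it unless the role requires it"
    }
}

# 2. Script maps for ISAPI extensions that IIS Lockdown removes (.htr, .idc,
#    server-side includes, Internet Printing, Index Server).
$riskyExtensions = @('.htr', '.idc', '.stm', '.shtm', '.shtml', '.printer', '.ida', '.idq')
$siteRoot = [ADSI]'IIS://localhost/W3SVC/1/Root'
foreach ($map in @($siteRoot.ScriptMaps)) {
    # Each entry looks like ".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST"
    $ext = ([string]$map).Split(',')[0].ToLower()
    if ($riskyExtensions -contains $ext) {
        $findings += "Script map still present: $map"
    }
}

# 3. Sample and administrative virtual directories that IIS Lockdown removes.
$sampleVdirs = @('IISSamples', 'IISHelp', 'MSADC', 'Scripts', 'IISADMPWD')
foreach ($vdir in $sampleVdirs) {
    if ([System.DirectoryServices.DirectoryEntry]::Exists("IIS://localhost/W3SVC/1/Root/$vdir")) {
        $findings += "Virtual directory $vdir still exists"
    }
}

# 4. UrlScan: registered as a global ISAPI filter and configured in allow-list mode.
$filters = [ADSI]'IIS://localhost/W3SVC/Filters'
if (([string]$filters.FilterLoadOrder) -notmatch 'UrlScan') {
    $findings += 'UrlScan is not in the global ISAPI filter load order'
}

$urlscanIni = Join-Path $env:SystemRoot 'system32\inetsrv\urlscan\urlscan.ini'
if (-not (Test-Path $urlscanIni)) {
    $findings += "UrlScan.ini not found at $urlscanIni; UrlScan may not be installed"
} else {
    # Lines beginning with ';' are comments, so anchoring at the key name skips them.
    $ini = Get-Content $urlscanIni
    if (-not ($ini -match '^\s*UseAllowVerbs\s*=\s*1')) {
        $findings += 'UrlScan does not restrict verbs to an allow-list (UseAllowVerbs=1)'
    }
    if (-not ($ini -match '^\s*UseAllowExtensions\s*=\s*1')) {
        $findings += 'UrlScan does not restrict extensions to an allow-list (UseAllowExtensions=1)'
    }
    if (-not ($ini -match '^\s*RemoveServerHeader\s*=\s*1')) {
        $findings += 'UrlScan does not strip the Server header (RemoveServerHeader=1)'
    }
}

if ($findings.Count -eq 0) {
    'No deviations from the expected IIS Lockdown state were found.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Run the script in an elevated session on the Web server after IIS Lockdown has completed; each WARNING line names a feature the tool would normally have disabled, so any that remain should be either justified by the server's role or fixed by hand.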
Note
- The IIS Lockdown tool was developed for IIS 4.0, 5.0, and 5.1 and is not needed for new Windows Server 2003 installations running IIS 6.0, which is locked down by default. If an upgrade is being performed from IIS 5.0 to IIS 6.0, the Lockdown tool should be run before the upgrade, because an in-place upgrade preserves the existing IIS 5.0 configuration rather than applying the IIS 6.0 defaults.
Additional Resources
The Microsoft Security Tool Kit
IIS Lockdown Tool
©2002-2004 Microsoft Corporation. All rights reserved.