Hardening Microsoft IIS Web Servers
Here are my notes on hardening (securing) Microsoft's Internet Information Server against attacks.
All topics are in this one large file for quick searches through all topics.
To check for the presence of a web server (IIS) on a local machine listening on port 80, open up an internet browser (Internet Explorer) and type:
If you see "The webpage cannot be found", a web server is not running on the machine.
By default, files are displayed from folder C:\inetpub\wwwroot, which after installation contains Default document file iisstart.htm.
Unless otherwise configured, the document displayed follows this priority of display (the top file is displayed, if defined):
Most people now use Microsoft Web Platform Installer, wpilauncher.exe (113 KB). As of May 2014, the spotlight is on the Azure cloud rather than local instances. Click on Products, Server, Name. Scroll down. Note that IIS is already listed as Installed.
Click on Recommended Configuration.
IIS Express is required for use with WebMatrix.
IIS comes with Windows, so the service is installed from Start icon > Control Panel.
Alternatively: Start icon > right-click on Computer > select Manage. Within Computer Management, expand the Services and Applications tree.
Components can be added after initial installation in Control Panel -> Add/Remove Windows Components.
Upon initial installation, iistart.asp is shown because other files are not supplied by the IIS installer. Configure this list and other IIS web server control options from Control Panel -> Administrative Tools -> Internet Information Services.
A web form can also be selected as the Start Page by right-clicking on it.
For better security (to prevent directory traversal attacks), do not add custom web page files in the default wwwroot folder; instead create a virtual folder on another drive by right-clicking on the "Default Web Site" folder and selecting "New", then "Virtual Directory".
REMEMBER: The "WWW" service must be "bounced" (stopped and restarted) after changes to any virtual directory.
Troubleshooting IIS with Exception Monitor (Dbgplus.exe unzipped from ixcptmon.exe)
Rather than making changes manually, I prefer using the
It writes changes to the log file \WINNT\System32\inetsrv\oblt-log.log, which is used for undo (the undo is automatic when you run IISLockd.exe a second time). So if you configure a virtual directory as an application root after running IIS Lockdown, that change is lost when you run IIS Lockdown again.
The extracted IISLockd.exe launches the IIS Lockdown Wizard based on the template specified in IISlockd.ini.
Windows 2000 Utilities listed:
If you see this complete successfully, it's vulnerable to anonymous information gathering.
To disable support in Windows NT
To disable support in Windows 2000
IP and domain name restrictions.
Apply NTFS permissions to website folders and files.
Read and write access to the Web server is also required.
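The steps above (custom content in a virtual directory on another drive, NTFS permissions on the content folder, IP and domain restrictions, and bouncing the WWW service) can be scripted on IIS 7.5 or later. This is an added example, not part of the original notes: it assumes the WebAdministration module is available, and the site name, content path and allowed address range are placeholders.

```powershell
# Added example: scripted hardening steps from these notes (IIS 7.5+, run elevated).
# Assumptions (not from the notes): WebAdministration module present, content lives on
# D:\WebContent, the site is "Default Web Site", 203.0.113.0/24 is the allowed client range.
Import-Module WebAdministration

$Site        = 'Default Web Site'
$ContentPath = 'D:\WebContent'          # placeholder: content off the system drive, not wwwroot
$VDirName    = 'content'

# 1. Keep custom pages out of C:\inetpub\wwwroot: publish them through a virtual
#    directory whose physical path is on another drive.
if (-not (Test-Path $ContentPath)) { New-Item -ItemType Directory -Path $ContentPath | Out-Null }
if (-not (Get-WebVirtualDirectory -Site $Site -Name $VDirName)) {
    New-WebVirtualDirectory -Site $Site -Name $VDirName -PhysicalPath $ContentPath | Out-Null
}

# 2. NTFS permissions on the content folder: drop inherited ACEs, give the IIS worker
#    identity read/execute only, keep full control for Administrators and SYSTEM.
#    The worker-process and anonymous identities get no write access to served files.
icacls $ContentPath /inheritance:r `
    /grant 'IIS_IUSRS:(OI)(CI)(RX)' `
    /grant 'Administrators:(OI)(CI)(F)' `
    /grant 'SYSTEM:(OI)(CI)(F)' | Out-Null

# 3. IP and domain restrictions (requires the "IP and Domain Restrictions" role service):
#    deny everything not listed, then allow one placeholder range.
$IpSec = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $IpSec -Name allowUnlisted -Value $false
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $IpSec -Name '.' `
    -Value @{ ipAddress = '203.0.113.0'; subnetMask = '255.255.255.0'; allowed = 'true' }

# 4. Bounce the World Wide Web Publishing Service (W3SVC) so the virtual directory
#    change takes effect.
Restart-Service -Name W3SVC -Force

# 5. Verify: the effective ACL should show no Write or Modify rights for IIS_IUSRS.
(Get-Acl $ContentPath).Access |
    Where-Object { $_.IdentityReference -like '*IIS_IUSRS*' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```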