Secure your Windows Web servers with the IIS Lockdown Tool
Takeaway: A step-by-step guide for installing the IIS Lockdown Tool
Recent vulnerabilities in Microsoft’s Internet Information Services Web Server have caused it to be hammered by hackers. Microsoft has responded by releasing a new utility called the IIS Lockdown Tool. This tool is designed to help Windows administrators quickly and easily secure an IIS 4.0 or 5.0 Web server. We’re going to demonstrate how to install and use this utility and see what it actually does.
Installing and using the tool
The IIS Lockdown Tool is basically a wizard you can use to turn off some of the unused parts of IIS that are the most susceptible to hacker tampering. When you download the tool, you are prompted for a location to install the files, as shown in Figure A.
Figure A
When the download is complete, three files are placed in the directory you specified (Figure B).
Figure B
To lock down your IIS Web server:
- Run the tool by double-clicking IISLockd to bring up the screen shown in Figure C.
Figure C
- Click Next and choose either Express Lockdown or Advanced Lockdown (Figure D). If you choose Express Lockdown, you are providing maximum security for a basic Web server. With this choice, your Web server displays only static pages and does not use any advanced features, such as Internet printing or Active Server Pages.
Figure D
- If you choose Express Lockdown, you’ll see the prompt shown in Figure E. Select Yes. Your Web server will be secured, and you can simply view the report.
Figure E
If you choose Advanced Lockdown, you’ll see the prompt shown in Figure F.
Figure F
This choice allows you to decide whether you want to disable the options shown below. (See the IIS Lockdown Tool help file for a detailed description of what these options do and why you might want to disable them.)
- Active Server Pages (.asp)
- Index Server Web Interface (.idq)
- Server-Side Includes (.shtml, .shtm, .stm)
- Internet Data Connector (.idc)
- Internet Printing (.printer)
- HTR Scripting (.htr)
When you finish, click Next to bring up the screen shown in Figure G. Here, you can take some additional security steps.
Figure G
This choice allows you to select from the following options:
- Remove Sample Web Files
- Remove The Scripts Virtual Directory
- Remove The MSADC Virtual Directory
- Disable Distributed Authoring And Versioning (WebDAV)
- Set File Permissions To Prevent The IIS Anonymous User Account From Executing System Utilities
- Set File Permissions To Prevent The IIS Anonymous User Account From Writing To Web Content Directories
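The wizard reports what it changed, but an administrator usually wants to confirm the resulting state independently. The following PowerShell audit script is an added example, not from the article or the IIS Lockdown Tool. It assumes a host where PowerShell and the IIS ADSI metabase provider are both available, that the site is metabase instance 1, that web content lives in C:\Inetpub\wwwroot, and that the anonymous account is named IUSR_<computername>; the IISSamples and IISHelp virtual directories, the DisableWebDAV registry value, and cmd.exe as the representative system utility are likewise assumptions, not things the article states. It reports which of the listed script mappings and virtual directories remain, whether the WebDAV registry switch is set, and whether the anonymous account's ACEs on cmd.exe and the web root match the two file-permission options.

```powershell
# Added post-lockdown audit script; not part of the article or the IIS Lockdown Tool.
# Assumptions (adjust for your host): PowerShell plus the IIS ADSI metabase
# provider are available, the site is metabase instance 1, web content lives
# in C:\Inetpub\wwwroot, and the anonymous account is IUSR_<computername>.
$SiteId   = 1
$WebRoot  = 'C:\Inetpub\wwwroot'
$AnonUser = "IUSR_$env:COMPUTERNAME"

# Extensions the Advanced Lockdown screen offers to disable.
$RiskyExt = '.asp', '.idq', '.shtml', '.shtm', '.stm', '.idc', '.printer', '.htr'

# Virtual directories the next screen offers to remove. Scripts and MSADC are
# named in the article; IISSamples and IISHelp are assumed default sample dirs.
$RiskyVDirs = 'Scripts', 'MSADC', 'IISSamples', 'IISHelp'

# NT access-mask bits: FILE_EXECUTE (0x20), FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4).
$ExecuteBit = 0x20
$WriteBits  = 0x2 -bor 0x4

function Get-MappedExtensions($SiteRoot) {
    # Each ScriptMaps entry is "ext,dllpath,flags,verbs"; keep the extension only.
    foreach ($entry in $SiteRoot.ScriptMaps) { ([string]$entry -split ',')[0].ToLower() }
}

function Test-AceMatch($Path, $User, $Type, $Mask) {
    # True if the ACL on $Path carries an ACE of $Type for $User with any bit of $Mask set.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -like "*\$User" -and
            $ace.AccessControlType -eq $Type -and
            (([int]$ace.FileSystemRights) -band $Mask) -ne 0) { return $true }
    }
    return $false
}

$root   = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
$mapped = Get-MappedExtensions $root

# Virtual directories still present directly under the site root.
$vdirsPresent = foreach ($child in $root.Children) {
    if ($RiskyVDirs -contains $child.Name) { $child.Name }
}

# Registry switch for turning off WebDAV on IIS 5 (assumed mechanism; the tool
# may disable WebDAV another way, so a $false here is a prompt to look further).
$davKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$davOff = (Get-ItemProperty -Path $davKey -Name DisableWebDAV -ErrorAction SilentlyContinue).DisableWebDAV -eq 1

# cmd.exe stands in for "system utilities"; the tool covers more than this one file.
$cmdExe = Join-Path $env:SystemRoot 'system32\cmd.exe'

[pscustomobject]@{
    RiskyExtensionsStillMapped = @($RiskyExt | Where-Object { $mapped -contains $_ })
    RiskyVDirsPresent          = @($vdirsPresent)
    WebDavDisabledByRegistry   = $davOff
    AnonUserDeniedExecCmdExe   = Test-AceMatch $cmdExe  $AnonUser 'Deny'  $ExecuteBit
    AnonUserCanWriteWebRoot    = Test-AceMatch $WebRoot $AnonUser 'Allow' $WriteBits
}
```

Run it from an elevated prompt on the server after the wizard finishes. A locked-down host should show empty lists for the first two fields, $true for the execute deny on cmd.exe, and $false for write access to the web root; anything else points at an option that was left unchecked or at a setting the wizard did not reach.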
When you finish selecting options, click Next and then choose Yes to lock down your server. The screen in Figure H will appear.
Figure H
When the process is finished, you can select the View Report button, as we’ve done in Figure I.
Figure I
To wind up the process, click Next. When the Completed screen appears (Figure J), just click Finish.
Figure J
At any time, you can undo your changes by running IISLockd again to access the screen shown in Figure K and then clicking Undo. You can also click Lockdown Again to change your settings.
Figure K
Going one step further
Now that your IIS Web service is secure, you should look at your other IIS services. By default, FTP and other related services are not locked down. You should take the appropriate measures to secure them. Finally, test all functionality prior to putting your Web server into production. It’s also a good idea to browse Microsoft’s additional security checklists at Microsoft TechNet and download Microsoft’s Network Security Hotfix Checker.
What's been your experience with the IIS Lockdown Tool?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.