Internet Information Services and Internet Communication
Applies To: Windows Server 2003 with SP1
This section provides information about:

- The benefits of Internet Information Services (IIS) in Microsoft Windows Server 2003
- For servers from which you want to offer content on an intranet or the Internet, descriptions of some of the security-related features offered in IIS 6.0, and suggestions for other sources of information about security and IIS 6.0

  Note: For servers from which you do not want to offer content on an intranet or the Internet, you do not need to remove IIS, since by default it is not installed with most products in the Windows Server 2003 family. The exception is Windows Server 2003, Web Edition, on which IIS is installed by default. If you use a server as a Web server and then deploy it for some other purpose, remove IIS from that server.

- Controlling Internet printing
- Subcomponents that are part of IIS, with instructions for finding out which subcomponents are installed on a given server
- Viewing Help for IIS
- Other sources of information about IIS
It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.
Benefits and Purposes of IIS
IIS 6.0 is one of the optional components in products in the Windows Server 2003 family. IIS is a component that provides an easy way to publish information on the Internet or an intranet. In a managed environment, IIS is usually installed on selected servers only. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP and ASP.NET), you can more easily create and deploy scalable, flexible Web applications.
IIS is not installed by default with products in the Windows Server 2003 family other than Windows Server 2003, Web Edition. IIS and related components can be added by using either Add or Remove Programs in Control Panel or Manage Your Server. After IIS 6.0 is installed, it is configured by default in a "locked down" state. The locked down state means that IIS 6.0 accepts requests for static files only, until it is configured to serve dynamic content. It also means that all time-outs and settings are set to restrictive defaults. You can enable or disable IIS 6.0 functionality based on the needs of your organization by using IIS Manager. You can also enable IIS 6.0 functionality through programmatic and command-line interfaces.
For more information about IIS features, including features related to security, see the following Web sites:

- The product information page for IIS 6.0 at:
- The technical overview document for IIS 6.0 at:
- The IIS page on the Microsoft Web site at:
If you have a Web site on which you want to use Microsoft .NET Passport for authentication and you also want to use Passport Manager Administration, a component available for Windows Server 2003, see Appendix I: Passport Manager Administration.
Examples of Security-Related Improvements in IIS 6.0
IIS 6.0 includes a variety of settings and features related to security, some of which are listed in the following table. For additional information about security-related improvements in the version of IIS 6.0 in Windows Server 2003 with SP1, see the links in the previous section.
Examples of security-related settings and features in IIS 6.0

| Setting or feature | Description |
|---|---|
| Disabling through Group Policy | With Windows Server 2003, domain administrators can prevent users from installing IIS 6.0 on their computers. |
| Running as an account with limited privileges | IIS 6.0 worker processes run in a user context with limited privileges by default. This drastically reduces the attack surface of the Web server. |
| Secure ASP | All functions built into ASP pages always run as an account with limited privileges (anonymous user). |
| Recognized file extensions | IIS 6.0 serves requests only to files that have recognized file extensions and rejects requests to file extensions it doesn't recognize. |
| Command-line tools not accessible to Web users | Attackers often take advantage of command-line tools that are executable through the Web server. In IIS 6.0, the command-line tools cannot be executed by the default Web server identity. |
| Write protection for content | Once attackers get access to a server, they try to deface Web sites. By preventing anonymous Web users from overwriting Web content, these attacks can be mitigated. |
| Time-outs and limits | Product settings are set to aggressive and secure defaults. |
| Upload data limitations | Administrators can limit the size of data that can be uploaded to a server. |
| Buffer overflow protection | The Windows Administration Service in IIS will detect if a worker process had a buffer overflow and will exit that process. |
| File verification | The core server verifies that the requested content exists before it gives the request to a request handler (Internet Server Application Programming Interface [ISAPI] extension). |
For more information about creating Web sites with IIS 6.0 and maintaining appropriate levels of awareness and control over the communication to and from those sites, see the IIS Help. For information about viewing the Help, see "To View Help After Installing IIS," later in this section.
Controlling Internet Printing
Internet printing makes it possible for clients to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP). Additionally, a computer running Windows Server 2003 can use IIS to create a Web page that provides information about printers and provides the transport for printing over the Internet.
For Internet printing, it is important to consider both the server and the client:

- Server: Internet printing is an optional component (not installed by default) of IIS 6.0. A server running Windows Server 2003 can be configured to act as a print server allowing Internet printing. In a managed environment, you might want to ensure that the Internet printing subcomponent of IIS is not installed. For information about how to do this, see "Procedures for Checking or Controlling the Installation of IIS Subcomponents," later in this section.
- Client: Clients (typically running Windows XP, not Windows Server 2003) can install an Internet printer using a Web browser, the Add Printer Wizard, or the Run dialog box. To control whether clients can support Internet printing, see the section about Internet printing in the white paper titled "Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet." You can view this white paper on the TechNet Web site at:
Answer File Entries and Registry Keys for IIS Subcomponents
For reference purposes, the following table shows the syntax for answer file entries associated with IIS in the Windows Server 2003 family as well as the corresponding registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular component is installed on a particular server. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed.
Note: For more details about answer file entries related to IIS components, follow the steps in "To View Help After Installing IIS," later in this section, and then search for the topic called "Installing IIS." In that topic, look for a table showing the answer file entries.
Answer file entries and registry keys associated with IIS subcomponents for the Windows Server 2003 family

| IIS subcomponent | Syntax for answer file entry (in the [Components] section) | Registry key (for use in a script that checks whether a component is installed; 0x00000000 = not installed, 0x00000001 = installed) |
|---|---|---|
| IIS common files | `iis_common = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_common` |
| Active Server Pages (ASP) for IIS | `iis_asp = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_asp` |
| File Transfer Protocol (FTP) service | `iis_ftp = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_ftp` |
| IIS Manager (Microsoft Management Console [MMC] snap-in) | `iis_inetmgr = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_inetmgr` |
| Internet Data Connector | `iis_internetdataconnector = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_internetdataconnector` |
| Network News Transfer Protocol (NNTP) service | `iis_nntp = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_nntp` |
| Server-Side Includes | `iis_serversideincludes = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_serversideincludes` |
| Simple Mail Transfer Protocol (SMTP) service | `iis_smtp = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_smtp` |
| Web Distributed Authoring and Versioning (WebDAV) publishing | `iis_webdav = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_webdav` |
| World Wide Web (WWW) service | `iis_www = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\iis_www` |
| Remote administration (HTML) | `sakit_web = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\sakit_web` |
| Internet Server Application Programming Interface (ISAPI) for Background Intelligent Transfer Service (BITS) server extensions | `BitsServerExtensionsISAPI = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\bitsserverextensionsisapi` |
| Background Intelligent Transfer Service (BITS) server extensions snap-in | `BitsServerExtensionsManager = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\bitsserverextensionsmanager` |
| FrontPage server extensions | `fp_extensions = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\fp_extensions` |
| Internet printing | `inetprint = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\inetprint` |
| ActiveX control and sample pages for hosting Terminal Services client connections over the Web | `TSWebClient = On \| Off` | `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\TSWebClient` |
Note: For several of the subcomponents in the previous table, the software for the subcomponent is installed regardless of the answer-file entry, but the subcomponent cannot be used unless the answer-file entry is set to On (or the procedure is followed for installing the subcomponent through Add or Remove Programs in Control Panel). These subcomponents are Internet Data Connector, Server-Side Includes, and WebDAV publishing.
Procedures for Checking or Controlling the Installation of IIS Subcomponents and the IIS Lockdown Tool
The following procedures explain how to:

- View the registry keys listed in the table in the previous subsection
- View or change the IIS components currently installed on a computer running a product in the Windows Server 2003 family
- Specify answer file entries that control whether IIS subcomponents are included during unattended installation
To View Registry Keys Related to IIS Subcomponents

1. Open Registry Editor by clicking Start, clicking Run, and then typing regedit.

   Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. Navigate to:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\

3. View the registry keys listed in the table in the previous subsection, and find the value associated with each key. A value of 0x00000000 means the component is not installed. A value of 0x00000001 means the component is installed.
4. Close Registry Editor.
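The table in "Answer File Entries and Registry Keys for IIS Subcomponents" says the registry values are shown for use in a script, and the procedure above reads them by hand. The following script is an added example that is not part of the original white paper and not Microsoft code. It reads the same value names from the same key, reports each subcomponent as installed or not, and warns when anything installed falls outside a baseline. It assumes Windows PowerShell 2.0 or later with rights to read HKEY_LOCAL_MACHINE; the baseline set (common files, IIS Manager, WWW service) is a constructed assumption for a static-content Web server, not a recommendation from the white paper.

```powershell
# Added example (not from the original white paper): check which IIS
# subcomponents are installed by reading the OC Manager registry values
# listed in the table, and flag anything outside an assumed baseline.
# Assumes Windows PowerShell 2.0 or later and read access to HKLM.

$subcomponentsKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'

# Registry value names exactly as listed in the table.
$iisSubcomponents = @(
    'iis_common', 'iis_asp', 'iis_ftp', 'iis_inetmgr', 'iis_internetdataconnector',
    'iis_nntp', 'iis_serversideincludes', 'iis_smtp', 'iis_webdav', 'iis_www',
    'sakit_web', 'bitsserverextensionsisapi', 'bitsserverextensionsmanager',
    'fp_extensions', 'inetprint', 'TSWebClient'
)

# Assumed baseline (constructed for this example): the subcomponents a
# static-content Web server in this managed environment is allowed to have.
$allowedSubcomponents = @('iis_common', 'iis_inetmgr', 'iis_www')

function Get-IisSubcomponentState {
    param([string]$KeyPath, [string[]]$Names)

    # The key is created by Windows Setup; if it is missing, report every
    # subcomponent as having no value rather than failing.
    $values = $null
    if (Test-Path -Path $KeyPath) {
        $values = Get-ItemProperty -Path $KeyPath
    }

    foreach ($name in $Names) {
        $raw = $null
        if ($values -ne $null) { $raw = $values.$name }

        if ($raw -eq $null)  { $state = 'no registry value' }
        elseif ($raw -eq 1)  { $state = 'installed' }        # 0x00000001
        elseif ($raw -eq 0)  { $state = 'not installed' }    # 0x00000000
        else                 { $state = "unexpected value $raw" }

        New-Object PSObject -Property @{
            Subcomponent = $name
            State        = $state
            Installed    = ($raw -eq 1)
        }
    }
}

$report = Get-IisSubcomponentState -KeyPath $subcomponentsKey -Names $iisSubcomponents
$report | Select-Object Subcomponent, State | Format-Table -AutoSize

# Anything installed that is not in the baseline produces a warning and a
# non-zero exit code, so the script can run as a scheduled compliance check.
$unexpected = @($report | Where-Object { $_.Installed -and ($allowedSubcomponents -notcontains $_.Subcomponent) })
if ($unexpected.Count -gt 0) {
    $names = @($unexpected | ForEach-Object { $_.Subcomponent })
    Write-Warning ('IIS subcomponents installed outside the baseline: ' + ($names -join ', '))
    exit 1
}
```

Because the values only record what Windows Setup installed, a subcomponent reported as "not installed" here can still have been enabled some other way; treat the output as a first check, and confirm through Add or Remove Programs or IIS Manager when the result matters.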
To View or Change the IIS Components Currently Installed on a Computer Running Windows Server 2003

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
2. Double-click Add or Remove Programs.
3. Click Add/Remove Windows Components (on the left).
4. Select Application Server and then click Details.
5. Find Internet Information Services (IIS) in the list, and perform one of the following steps:
   - If IIS is installed and you want to remove it, clear the check box for IIS and complete the wizard.
   - If IIS is not installed and you want to add the default set of IIS subcomponents, select the check box for IIS and complete the wizard.
   - If you want to view or select from the list of IIS subcomponents, after selecting IIS, click Details.

   Note: The Internet Printing component is in the list of subcomponents that appears when you click Details.

6. Follow the instructions to complete the Windows Components Wizard.
To Specify Answer File Entries That Control Whether IIS Subcomponents Are Included During Unattended Installation

1. Using the methods you prefer for unattended installation or remote installation, create an answer file.
2. In the [Components] section of the answer file, add the appropriate entries listed in the table in "Answer File Entries and Registry Keys for IIS Subcomponents," earlier in this section. Ensure that the entries specify Off for components you do not want to install and On for components you want to install.

If no IIS subcomponents are listed in an answer file for unattended installation of a product in the Windows Server 2003 family other than Windows Server 2003, Web Edition, the IIS subcomponents are not installed by default.

Note: For more details about answer file entries related to IIS components, follow the steps in the next procedure, "To View Help After Installing IIS," and then search for the Help topic called "Installing IIS." In that topic, look for a table showing the answer file entries.
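As an added illustration that is not part of the original white paper, the following [Components] fragment applies the procedure above: every IIS entry from the table is present, with On only for the three subcomponents an assumed static-content Web server needs and Off for everything else, so that nothing is left to the installer's defaults. Which subcomponents belong in the On set is an assumption for this example; adjust it to the role of the server.

```ini
; Constructed example answer-file fragment (not from the original white paper).
; Installs only the IIS common files, IIS Manager and the WWW service;
; every other IIS subcomponent listed in the table is explicitly set to Off.
[Components]
iis_common = On
iis_inetmgr = On
iis_www = On
iis_asp = Off
iis_ftp = Off
iis_internetdataconnector = Off
iis_nntp = Off
iis_serversideincludes = Off
iis_smtp = Off
iis_webdav = Off
sakit_web = Off
BitsServerExtensionsISAPI = Off
BitsServerExtensionsManager = Off
fp_extensions = Off
inetprint = Off
TSWebClient = Off
```

Listing the Off entries explicitly, rather than omitting them, makes the intended configuration visible in the answer file itself and lets a later review (or the registry check described earlier in this section) compare what was requested with what Setup actually installed.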
To View Help After Installing IIS

1. After installing IIS (including the IIS Manager subcomponent, which is included in default installations of IIS), click Start.
2. Either click Control Panel, or point to Settings and then click Control Panel.
3. Double-click Administrative Tools, and then click Internet Information Services (IIS) Manager.
4. Click the Help menu and then click Help Topics.
To Obtain the IIS Lockdown Tool
The IIS Lockdown Tool, designed for use on computers on which IIS is installed, is available from the Microsoft TechNet Web site at:
Related Links
For more information about IIS, see the following Web sites:

- The product information page for IIS 6.0 at:
- The technical overview document for IIS 6.0 at:
- The IIS page on the Microsoft Web site at:
- The page for the IIS Lockdown Tool on the TechNet Web site at: