Securing Internet Information Services 6.0

On This Page

Introduction
Before You Begin
Reducing the Attack Surface of the Web Server
Configuring Accounts
Configuring Security for Files and Directories
Securing Web Sites and Virtual Directories
Configuring Secure Sockets Layer on Your Web Server
Related Information

Introduction

Web servers are frequent targets for various types of security attacks. Some of these attacks are serious enough to cause significant damage to business assets, productivity, and customer relationships—and all attacks are inconvenient and frustrating. The security of your Web servers is vital to the success of your business.

This document explains how to begin the process of securing a Web server that is running Internet Information Services (IIS) 6.0 on the Microsoft Windows Server 2003, Standard Edition operating system. First, this section describes some of the most common threats that affect Web server security. Then, this document provides prescriptive guidance about making your Web server more secure against such attacks.

IIS 6.0 takes a more proactive stance against malicious users and attackers by making the following changes from earlier versions of IIS:

IIS 6.0 is not installed by default when you install Windows Server 2003, Standard Edition.

When IIS 6.0 is first installed, your Web server serves, or displays, only static Web pages (HTML), which reduces the risk posed by serving dynamic, or executable, content.

The World Wide Web Publishing Service (WWW service) is the only service that is enabled by default when IIS 6.0 is first installed. You can enable the specific services you need, when you need them.

ASP and ASP.NET are disabled by default when IIS 6.0 is first installed.

For additional protection, all of the default security configuration settings in IIS 6.0 meet or exceed the security configuration settings made by the IIS Lockdown Tool. The IIS Lockdown Tool, which was designed to reduce the attack surface of Web servers by disabling unnecessary features, runs on earlier versions of IIS. For more information about the IIS Lockdown Tool, see "Securing Internet Information Services 5.0 and 5." in the Security Guidance Kit.

Because the default settings in IIS 6.0 disable many of the features that are commonly used by Web services, this document explains how to configure additional features of your Web server while reducing the extent to which your server is exposed to potential attackers.

This document provides the following guidance for increasing the security of your Web server:

Reducing the attack surface of your Web server, that is, the extent to which it is exposed to potential attackers

Configuring user and group accounts for anonymous access

Securing files and directories from unauthorized access

Securing Web sites and virtual directories from unauthorized access

Configuring Secure Sockets Layer (SSL) on your Web server

Important: All of the step-by-step instructions that are included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

After you complete the procedures in this document, your Web server will be able to serve dynamic content in the form of .asp pages, and it will still have significant protection from the following types of attacks that sometimes threaten Internet-facing servers:

Profiling attacks that gather information about your Web site, which can be reduced by blocking unneeded ports and disabling unneeded protocols.

Denial-of-service attacks that flood your Web server with requests, which can be minimized by applying security patches and software updates that close the flaws such floods exploit; a pure bandwidth flood must still be dealt with upstream of the server, for example at the firewall.

Unauthorized access by a user without the correct permissions, which can often be thwarted by configuring Web and NTFS permissions.

Arbitrary execution of malicious code on your Web server, which can be minimized by preventing access to system tools and commands.

Elevation of privileges that allows a malicious user to use a high-privileged account to run programs, which can be minimized by using least-privileged service and user accounts.

Damage from viruses, worms, and Trojan horses, which can be contained by disabling unneeded functionality, using least-privileged accounts, and promptly applying the latest security patches.

Note: Because securing a Web server is a complex and ongoing process, complete security cannot be guaranteed.


Before You Begin

This section explains the system prerequisites and the characteristics of the Web server that are described in this document.

System Requirements

The Web server that is used as an example in this document has the following system requirements:

The server is running Windows Server 2003, Standard Edition.

The operating system is installed on an NTFS partition. For information about NTFS, search for "NTFS" in Help and Support Center for Windows Server 2003.

All of the required patches and updates for Windows Server 2003 have been applied to the server. To verify that the latest security updates are installed on your Web server, go to the Windows Update page on the Microsoft Web site at http://windowsupdate.microsoft.com and have Windows Update scan your server for available updates.

Windows Server 2003 security safeguards have been applied to the server.

This document provides introductory information that can help you take the first steps to configure a more secure Web server. However, to make your Web server as secure as possible, you must understand the operation of the applications that run on the server. This document does not contain information about application-specific security configuration.

Web Server Characteristics

The Web server that is used as an example in this document has the following characteristics:

The Web server is running IIS 6.0 in worker process isolation mode.

The Web server hosts one Internet-facing Web site.

The Web server is behind a firewall, which allows traffic on only HTTP Port 80 and HTTPS Port 443.

The Web server is a dedicated Web server, which is a server that is only being used as a Web server and not for other purposes, such as a file server, print server, or database server running Microsoft SQL Server.

Anonymous access to the Web site is permitted.

The Web server serves HTML and ASP pages.

FrontPage 2002 Server Extensions from Microsoft are not configured on the Web server.

The applications on the Web server do not require database connectivity.

The Web server does not support FTP (file uploading and downloading), SMTP (e-mail), or NNTP (newsgroup) protocols.

The Web server does not use Internet Security and Acceleration Server.

An administrator must log on locally to administer the Web server.


Reducing the Attack Surface of the Web Server

Begin the process of securing your Web server by reducing its attack surface, or the extent to which your server is exposed to potential attackers. For example, enable only those components, services, and ports that are necessary for your Web server to operate correctly.

Disabling SMB and NetBIOS

Host enumeration attacks scan the network to find the IP addresses of potential targets and the services they expose. To reduce what an attacker can learn from your Web server's Internet-facing ports, leave only TCP/IP bound to the Internet-facing adapter. A Web server does not need Server Message Block (SMB) or NetBIOS on its Internet-facing network adapters.

This section provides the following step-by-step instructions for reducing the attack surface of your Web server:

Disabling SMB on an Internet-facing connection

Disabling NetBIOS over TCP/IP

Note: When you disable SMB and NetBIOS, the server cannot function as a file server or a print server, network browsing is not possible, and you cannot manage the Web server remotely with tools that depend on SMB, such as administrative shares or the Computer Management console connected to a remote computer. If your server is a dedicated Web server whose administrators log on locally, these restrictions should not affect the operation of the server.

SMB uses the following ports:

TCP port 139

TCP and UDP port 445 (SMB Direct Host)

NetBIOS uses the following ports:

TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)

TCP and UDP port 138 (NetBIOS datagram service)

TCP and UDP port 139 (NetBIOS session service)

Disabling only NetBIOS does not stop SMB, because on Windows 2000 and later SMB can be direct-hosted over TCP port 445 without the NetBIOS session service on port 139. You must disable NetBIOS and SMB separately.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: My Computer, System Tools, and Device Manager.

To disable SMB on an Internet-facing connection

1.

Click Start, click Settings, click Control Panel, and then double-click Network Connections.

2.

Right-click your Internet-facing connection, and then click Properties.

3.

Clear the Client for Microsoft Networks check box.

4.

Clear the File and Printer Sharing for Microsoft Networks check box, and then click OK.

To disable NetBIOS over TCP/IP

1.

Click Start, right-click My Computer, and then click Manage.

2.

Double-click System Tools, and then select Device Manager.

3.

Right-click Device Manager, click View, and then click Show hidden devices.

4.

Double-click Non-Plug and Play Drivers.

5.

Right-click NetBios over Tcpip, click Disable, and then click Yes.

[Screenshot: Computer Management]

Disabling NetBios over Tcpip disables the NetBT driver (Nbt.sys), which owns the NetBIOS ports and the direct-hosted SMB listener on TCP and UDP port 445. The change takes effect only after you restart the system.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that SMB is disabled

1.

Click Start, click Settings, click Control Panel, and then double-click Network Connections.

2.

Right-click your Internet-facing connection, and then click Properties.

3.

Verify that both the Client for Microsoft Networks and the File and Printer Sharing for Microsoft Networks boxes are clear, and then click OK.

To verify that NetBIOS is disabled

1.

Click Start, right-click My Computer, and then click Manage.

2.

Double-click System Tools, and then select Device Manager.

3.

Right-click Device Manager, click View, and then click Show hidden devices.

4.

Double-click Non-Plug and Play Drivers, and then right-click NetBios over Tcpip.
The Enable selection now appears on the context menu, which means that NetBIOS over TCP/IP is currently disabled.

5.

Click OK to close Device Manager.
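The two verification procedures above only confirm what the dialog boxes say. The following batch script, added here as an example and not part of the original article, checks the actual network state: that nothing is bound to the NetBIOS and SMB ports and that the NetBT driver is stopped. It uses only netstat, findstr and sc, all present on Windows Server 2003. Run it in cmd.exe as a member of Administrators after the restart that the NetBT change requires.

```batch
@echo off
setlocal
rem Added example, not from the original article. The GUI check only
rem confirms the check boxes; this script checks the live network state.
rem Run in cmd.exe on the Web server as a member of Administrators, after
rem the restart that disabling NetBT requires.
set RC=0

rem No TCP listener should remain on the NetBIOS or SMB ports.
for %%P in (137 138 139 445) do (
    netstat -an -p tcp | findstr /R /C:":%%P  *[^ ]*  *LISTENING" >nul && (
        echo [FAIL] a TCP listener is still bound on port %%P
        set RC=1
    )
)

rem UDP sockets have no LISTENING state, so match the local-address column.
for %%P in (137 138 445) do (
    netstat -an -p udp | findstr /R /C:"^ *UDP  *[0-9.]*:%%P " >nul && (
        echo [FAIL] a UDP socket is still bound on port %%P
        set RC=1
    )
)

rem The NetBT driver (Nbt.sys) must not be running: it owns ports 137-139
rem and the direct-hosted SMB listener on port 445.
sc query netbt | findstr /C:"RUNNING" >nul && (
    echo [FAIL] NetBT is still running; restart the server if you just disabled it
    set RC=1
)

if "%RC%"=="0" echo [OK] no SMB or NetBIOS listeners and NetBT is stopped
exit /b %RC%
```

The exit code is 0 only when all three checks pass, so the script can be run from a scheduled task or a build of the server image. A port scan of the Internet-facing address from another host is the complementary check; this script reports any listener, including one bound only to an internal adapter, so compare the local addresses in the netstat output with the Internet-facing adapter's address.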

Selecting Only Essential IIS Components and Services

IIS 6.0 includes subcomponents and services in addition to the WWW service, such as the FTP service and the SMTP service. To minimize the risk of attacks that target specific services and subcomponents, it is recommended that you select only the services and subcomponents that your Web sites and Web applications need to run correctly.

The following table shows the recommended settings in Add or Remove Programs for IIS subcomponents and services on the Web server used as an example in this document.

Recommended settings for IIS subcomponents and services

Subcomponent or service                                          Default setting   Web server setting
Background Intelligent Transfer Service (BITS) server extension  Disabled          No change
Common Files                                                     Enabled           No change
FTP Service                                                      Disabled          No change
FrontPage 2002 Server Extensions                                 Disabled          No change
Internet Information Services Manager                            Enabled           No change
Internet Printing                                                Disabled          No change
NNTP Service                                                     Disabled          No change
SMTP Service                                                     Enabled           Disabled
World Wide Web Service                                           Enabled           No change

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Add or Remove Programs.

To configure IIS components and services

1.

Click Start, click Control Panel, and then click Add or Remove Programs.

2.

Click Add/Remove Windows Components.

3.

On the Windows Components Wizard page, under Components, click Application Server, and then click Details.

4.

Click Internet Information Services (IIS), and then click Details.

5.

Refer to the preceding table, and then select or deselect the appropriate IIS components and services by selecting or clearing the check box for that component or service.

6.

Complete the Windows Components Wizard by following the instructions in the wizard.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that IIS components and services are selected

Click Start, click Control Panel, and then click Administrative Tools.
Internet Information Services (IIS) Manager now appears in the menu of administrative tools.

Enabling Only Essential Web Service Extensions

A Web server that serves dynamic content requires Web service extensions. Each type of dynamic content corresponds to a specific Web service extension. For security reasons, IIS 6.0 allows you to enable and disable individual Web service extensions, so only those extensions required by your content are enabled.

CAUTION: Do not enable all of the Web service extensions. Although doing so ensures the highest possible compatibility with existing Web sites and applications, the attack surface of your Web server is greatly increased. You might need to test your Web sites and applications individually to ensure that you enable only the Web service extensions that are necessary.

Suppose the Web server is configured to serve Default.asp as its default document. Even so, IIS will not run the page until the Active Server Pages Web service extension is set to Allowed; until then, requests for .asp files are refused with an HTTP 404 error (substatus 2, "Lockdown policy prevents this request", in the W3C log).

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Internet Information Services (IIS) Manager (Iis.msc).

To enable the Active Server Pages Web service extension

1.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2.

Double-click the local computer, and then click Web Service Extensions.

3.

Click Active Server Pages, and then click Allow.

[Screenshot: Internet Information Services (IIS) Manager]

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that the Active Server Pages Web service extension is enabled

1.

Open a text editor, type some text, and save the file as Default.asp in the C:\inetpub\wwwroot directory.

2.

In the Address box of Internet Explorer, type the following URL, and then press ENTER: http://localhost
The Default.asp file appears in the browser. If IIS returns a 404 error instead, the extension is still prohibited.
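A text file saved as Default.asp proves only that the request was accepted. The following batch script, added here as an example and not part of the original article, enables the ASP extension with the stock iisext.vbs script that ships in %SystemRoot%\system32, writes a test page containing a server-side expression, and fetches it through MSXML so that the check passes only when asp.dll actually executed the page. The test page path and the use of http://localhost are assumptions; the script runs in cmd.exe as a member of Administrators.

```batch
@echo off
setlocal
rem Added example, not from the original article: allow only the ASP
rem extension with iisext.vbs, then prove that ASP is executed rather than
rem served as a static file. Run in cmd.exe as a member of Administrators.
set IISEXT=%SystemRoot%\system32\iisext.vbs
set WWWROOT=%SystemDrive%\inetpub\wwwroot

rem Current lockdown state of every extension group before the change.
cscript //nologo "%IISEXT%" /ListExt

rem Allow Active Server Pages only; every other group stays Prohibited.
cscript //nologo "%IISEXT%" /EnExt ASP

rem Per-file view: asp.dll should now show status 1 (Allowed).
cscript //nologo "%IISEXT%" /ListFile

rem Test page: the <%= %> block is replaced by a timestamp only when asp.dll
rem processes the request. (%% is a literal % in a batch file; ^ escapes < > &.)
>  "%WWWROOT%\Default.asp" echo ^<%%@ Language="VBScript" %%^>
>> "%WWWROOT%\Default.asp" echo ^<html^>^<body^>ASP executed at ^<%%= Now() %%^>^</body^>^</html^>

rem Fetch the page locally with MSXML, which ships with Windows Server 2003.
>  "%TEMP%\aspcheck.vbs" echo Set h = CreateObject("Msxml2.ServerXMLHTTP")
>> "%TEMP%\aspcheck.vbs" echo h.Open "GET", "http://localhost/Default.asp", False
>> "%TEMP%\aspcheck.vbs" echo h.Send
>> "%TEMP%\aspcheck.vbs" echo WScript.Echo "HTTP " ^& h.Status ^& " " ^& h.StatusText
>> "%TEMP%\aspcheck.vbs" echo If h.Status = 200 And InStr(h.ResponseText, "<%%") = 0 Then
>> "%TEMP%\aspcheck.vbs" echo     WScript.Echo "[OK] ASP extension allowed and executing"
>> "%TEMP%\aspcheck.vbs" echo Else
>> "%TEMP%\aspcheck.vbs" echo     WScript.Echo "[FAIL] not executed; a 404 with substatus 2 in the W3C log means the extension is still Prohibited"
>> "%TEMP%\aspcheck.vbs" echo End If
cscript //nologo "%TEMP%\aspcheck.vbs"
del "%TEMP%\aspcheck.vbs"
```

The /ListExt output before the change is worth keeping: it is the baseline against which you can later detect an extension that someone allowed "temporarily" for compatibility.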


Configuring Accounts

It is recommended that you remove unused accounts because an attacker might discover these accounts and use them to gain access to data and Web applications on your server. Always require strong passwords — weak passwords increase the likelihood of a successful brute force or dictionary attack, in which an attacker tries to guess passwords. Use accounts that run with least privilege. Otherwise, an attacker can gain access to unauthorized resources by using an account that runs with a high level of privilege.

This section provides the following step-by-step instructions for configuring accounts:

Disabling unused accounts

Isolating applications by using application pools

Disabling Unused Accounts

Unused accounts and their privileges can be used by an attacker to gain access to a server. You should periodically audit local accounts on the server and disable any accounts that are not being used. Disable accounts on a test server before you disable them on a production server to ensure that disabling an account does not adversely affect the way your application operates. If disabling the account does not cause any problems on the test server, disable the account on your production server.

Note: If you choose to delete an unused account instead of disabling it, be aware that you cannot recover a deleted account and that the Administrator account and the Guest account cannot be deleted. Also, be sure to delete the account on a test server before you delete it on your production server.

This section provides the following step-by-step instructions for deleting or disabling unused accounts:

Disabling the Guest account

Renaming the Administrator account

Renaming the IUSR_ComputerName account

Disabling the Guest Account

The Guest account is the account Windows uses for users who connect without an account of their own on the server, for example when Guest access to a share is allowed; it is not the account IIS uses for anonymous Web requests (that is IUSR_ComputerName, covered later in this section). During a default installation of Windows Server 2003, the Guest account is disabled. To restrict anonymous connections to your server, ensure that the Guest account remains disabled.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Computer Management

To disable the Guest account

1.

Click Start, right-click My Computer, and then click Manage.

2.

Double-click Local Users and Groups, and then click the Users folder. The Guest account should be displayed with a red X icon to indicate that it is disabled. If the Guest account is not disabled, continue with Step 3 to disable it.

[Screenshot: Computer Management]

3.

Right-click the Guest account, and then click Properties.

4.

On the General tab, select the Account is disabled check box, and then click OK.
The Guest account is now displayed with a red X icon.

Renaming the Administrator Account

The default local Administrator account is a target for malicious users because of its elevated privileges on the computer and its well-known name. To improve security, rename the default Administrator account and assign it a strong password. Renaming does not change the account's well-known relative identifier (RID 500), so tools that enumerate accounts by SID can still identify it; the rename defeats password guessing that assumes the default name, and the strong password is what actually protects the account.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: My Computer.

To rename the Administrator account and assign a strong password

1.

Click Start, right-click My Computer, and then click Manage.

2.

Double-click Local Users and Groups, and then click the Users folder.

3.

Right-click the Administrator account, and then click Rename.

4.

Type a name in the box, and then press ENTER.

5.

On the Desktop, press CTRL+ALT+DEL, and then click Change Password.

6.

Type the new name for the Administrator account in the User name box.

7.

Type the current password in the Old Password box, type a new password in the New Password box, retype the new password in the Confirm New Password box, and then click OK.

Caution: Do not use the Set Password menu item on the context menu to change the password unless you have forgotten the password and you do not have a password reset disk available. Using this method of changing the Administrator password might cause irreversible loss of information that is protected by this password.

Renaming the IUSR Account

The default anonymous Internet user account, IUSR_ComputerName, is created during IIS installation; ComputerName is the NetBIOS name of your server at the time IIS was installed. Because the name is predictable, rename the account and then update the metabase so that IIS uses the new name. A rename keeps the account's SID and password, so the anonymous password that IIS stores (AnonymousUserPass) stays valid.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: My Computer.

To rename the IUSR account

1.

Click Start, right-click My Computer, and then click Manage.

2.

Double-click Local Users and Groups, and then click the Users folder.

3.

Right-click the IUSR_ComputerName account, and then click Rename.

4.

Type the new account name, and then press ENTER.

To change the value for the IUSR account in the IIS metabase

1.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2.

Right-click the local computer, and then click Properties.

3.

Select the Enable Direct Metabase Edit check box, and then click OK.

4.

Browse to the location of the MetaBase.xml file, by default C:\Windows\system32\inetsrv.

5.

Right-click the MetaBase.xml file and then click Edit.

6.

Search for every occurrence of the AnonymousUserName property, and replace the old account name with the new one. The property is set at the W3SVC level and can be overridden on individual Web sites, directories, or files; an override that still names the old account would make anonymous requests to that path fail.

7.

On the File menu, click Exit, and then click Yes.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that an account is disabled

1.

Press CTRL+ALT+DEL, and then click Log Off to log off of the Web server.

2.

On the Log on to Windows dialog box, type the name of the disabled account in the User name box, type the password for the disabled account, and then click OK.
The following message appears:

Your account has been disabled. Please see your system administrator.

To verify that an account is renamed

1.

Press CTRL+ALT+DEL, and then click Log Off to log off of the Web server.

2.

On the Log on to Windows dialog box, type the former name of the renamed account in the User name box, type the password for the renamed account, and then click OK.
The following message appears:
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

3.

Click OK, and then type the new name of the renamed account in the User name box.

4.

Type the password for the renamed account, and then click OK.
You should be able to log on to the computer with the renamed account.
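The following batch script, added here as an example and not part of the original article, performs the three account changes of this section from cmd.exe and then checks the metabase for every place the anonymous user name is set, not only the first match. It uses net, wmic and the adsutil.vbs script from %SystemDrive%\Inetpub\AdminScripts; the new account names SrvOwner and WebAnon are placeholders. Run it as a member of Administrators.

```batch
@echo off
setlocal
rem Added example, not from the original article. NEWADMIN and NEWIUSR are
rem placeholder names; choose your own. Run as a member of Administrators.
set NEWADMIN=SrvOwner
set NEWIUSR=WebAnon
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set METABASE=%SystemRoot%\system32\inetsrv\MetaBase.xml

rem 1. Guest stays disabled.
net user Guest /active:no

rem 2. Rename the built-in Administrator. Its SID (RID 500) and password
rem    are unchanged; only the name an attacker must guess changes.
wmic useraccount where "name='Administrator'" rename "%NEWADMIN%"

rem 3. Rename IUSR_<computer>. IIS created the account with the NetBIOS
rem    name the server had at install time; %COMPUTERNAME% assumes it has
rem    not been renamed since.
wmic useraccount where "name='IUSR_%COMPUTERNAME%'" rename "%NEWIUSR%"

rem 4. Update the metabase. A rename keeps the password, so only
rem    AnonymousUserName changes; AnonymousUserPass stays valid. adsutil
rem    does not need Direct Metabase Edit to be enabled.
cscript //nologo "%ADSUTIL%" SET W3SVC/AnonymousUserName "%NEWIUSR%"
cscript //nologo "%ADSUTIL%" GET W3SVC/AnonymousUserName

rem 5. Any site, directory or file with its own AnonymousUserName overrides
rem    the W3SVC value and would still reference the old account.
findstr /I /L /C:"AnonymousUserName=" "%METABASE%"
findstr /I /L /C:"IUSR_%COMPUTERNAME%" "%METABASE%" && echo [FAIL] old IUSR name is still referenced in the metabase

rem 6. The old names must no longer resolve to an account.
net user Administrator >nul 2>&1 && echo [FAIL] an account named Administrator still exists
net user IUSR_%COMPUTERNAME% >nul 2>&1 && echo [FAIL] an account named IUSR_%COMPUTERNAME% still exists
```

Step 5 prints one line per AnonymousUserName attribute in MetaBase.xml, which is the list of paths you would otherwise have to find by hand in the text editor. Anonymous requests fail with a 401 error on any path that still names the old account, so fix every line the check reports before you rely on the rename.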

Isolating Applications by Using Application Pools

Using IIS 6.0, you can isolate applications into application pools. An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Using application pools can help improve the reliability and security of your Web server because each application operates independently of the others.

Every running process on a Windows operating system has a process identity, which determines how the process accesses resources on the system. Every application pool runs its worker process under such an identity, by default the built-in Network Service account, which has only the permissions a worker process needs. Anonymous requests are still served under the anonymous user account (IUSR_ComputerName), which the worker process impersonates while it handles the request, so the permissions of both accounts matter.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Internet Information Services (IIS) Manager (Iis.msc).

To create an application pool

1.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2.

Double-click the local computer, right-click Application Pools, click New, and then click Application Pool.

3.

In the Application pool ID box, type a new ID for the application pool (for example, ContosoAppPool).

[Screenshot: Add New Application Pool]

4.

Under Application pool settings, click Use default settings for the new application pool, and then click OK.

To assign a Web site or application to an application pool

1.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2.

Right-click the Web site or application you want to assign to an application pool, and then click Properties.

3.

Click the Home Directory, Virtual Directory, or Directory tab, depending on the type of application that you have selected.

4.

If you are assigning a directory or virtual directory to an application pool, verify that the Application name box contains the correct Web site or application name.
-Or-
If there is no name in the Application name box, click Create, and then type a name for the Web site or application.

5.

In the Application pool list box, click the name of the application pool to which you want to assign the Web site or application, and then click OK.

[Screenshot: Web Site Properties]

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that an application pool was created

1.

Log on to the Web server using the Administrator account.

2.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

3.

Double-click the local computer, double-click Application Pools, and then verify that the application pool you created appears under the Application Pools node.

4.

Right-click the application pool you created, and then click Properties.

5.

Click the Identity tab, verify that the application pool identity is set to a predefined security account called Network Service, and then click OK.

To verify that a Web site or application is assigned to a specific application pool

1.

Log on to the Web server using the Administrator account.

2.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

3.

Double-click the local computer, double-click Web Sites, right-click the Web site for which you want to verify the application pool setting, and then click Properties.

4.

Click the Home Directory, Virtual Directory, or Directory tab, depending on the type of application that you have selected.

5.

In the Application pool list box, verify that the name of the application pool to which you want to assign the Web site is listed, and then click Cancel.
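The same pool creation and assignment from cmd.exe, added here as an example and not part of the original article. It uses adsutil.vbs from %SystemDrive%\Inetpub\AdminScripts and iisapp.vbs from %SystemRoot%\system32; the pool name ContosoAppPool and the metabase path W3SVC/1 (the Default Web Site) are assumptions. Run it as a member of Administrators.

```batch
@echo off
setlocal
rem Added example, not from the original article: create an application
rem pool, assign a site's root application to it, and verify the identity
rem and the running worker process. Pool name and site number are assumed.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set POOL=ContosoAppPool
set SITE=W3SVC/1

rem Create the pool. A new IIsApplicationPool inherits the server defaults,
rem including AppPoolIdentityType 2 (Network Service).
cscript //nologo "%ADSUTIL%" CREATE W3SVC/AppPools/%POOL% IIsApplicationPool

rem Move the site's root application into the new pool.
cscript //nologo "%ADSUTIL%" SET %SITE%/ROOT/AppPoolId "%POOL%"

rem Verify. AppPoolIdentityType: 0 LocalSystem, 1 LocalService,
rem 2 NetworkService, 3 a specific account (WAMUserName/WAMUserPass).
cscript //nologo "%ADSUTIL%" GET W3SVC/AppPools/%POOL%/AppPoolIdentityType
cscript //nologo "%ADSUTIL%" GET %SITE%/ROOT/AppPoolId

rem After the first request to the site, iisapp.vbs lists one w3wp.exe per
rem active pool with its PID, which is the process to watch in Task Manager.
cscript //nologo %SystemRoot%\system32\iisapp.vbs
```

Keep the identity at Network Service unless the application needs something that account cannot do. If you do switch to a specific account (type 3), add that account to the IIS_WPG group, otherwise the worker process cannot start, and give it only the NTFS permissions the application needs.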


Configuring Security for Files and Directories

Use strong access controls to help protect sensitive files and directories. In most situations, allowing access to specific accounts is more effective than denying access to specific accounts. Set access at the directory level whenever possible. As files are added to the folder, they inherit permissions from the folder, so you do not need to take further action.

This section provides the following step-by-step instructions for configuring security for files and directories:

Relocating and setting permissions for IIS log files

Configuring IIS metabase permissions

Disabling the FileSystemObject component

Relocating and Setting Permissions for IIS Log Files

To increase the security of the IIS log files, relocate them to a non-system drive that is formatted with the NTFS file system, in a location separate from your Web site content. Keeping the logs off the system partition means that a flood of requests cannot fill the system drive, and keeping them out of the content tree means they cannot be downloaded through the Web site.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: My Computer and Internet Information Services (IIS) Manager (Iis.msc).

To move the location of the IIS log files to a non-system partition

1.

Click Start, right-click My Computer, and then click Explore.

2.

Browse to the location where you want to relocate the IIS log files.

3.

Right-click the directory one level above where you want to relocate the IIS log files, click New, and then click Folder.

4.

Type a name for the folder, for example, ContosoIISLogs, and then press ENTER.

5.

Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

6.

Right-click the Web site, and then click Properties.

7.

Click the Web Site tab, and then click Properties in the Enable Logging frame.

8.

On the General Properties tab, click Browse, and then navigate to the folder that you just created to store the IIS log files.

9.

Click OK three times.

Note: If you already have IIS log files in the original location at Windows\System32\Logfiles, you must move these files to the new location manually. IIS does not move those files for you.

To set ACLs on IIS log files

1.

Click Start, right-click My Computer, and then click Explore.

2.

Browse to the folder where your log files are located.

3.

Right-click the folder, click Properties, and then click the Security tab.

4.

In the top pane, click Administrators, and ensure that the permissions in the bottom pane are set to Full Control.

5.

In the top pane, click System, ensure that the permissions in the bottom pane are set to Full Control, remove any other users or groups (such as Users) that have access, and then click OK.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that log files are moved and permissions are set

1.

Click Start, click Search, and then click For Files or Folders.

2.

Type a partial or complete file name in the Search for files named box — for example, LogFiles — select a location in the Look in box, and then click Search Now.
The search returns the new location of the log files.

3.

Press CTRL+ALT+DEL, and then click Log Off.

4.

Log on to the Web server using an account that does not have permission to access the log files.

5.

Click Start, right-click My Computer, click Explore, and then browse to the LogFiles directory.

6.

Right-click the LogFiles directory, and then click Open.
The following message appears:

Access is denied.

Configuring IIS Metabase Permissions

The IIS metabase is an XML file that contains most of the IIS configuration information.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: My Computer and the MetaBase.xml file.

To restrict access to the MetaBase.xml file

1.

Click Start, right-click My Computer, and then click Explore.

2.

Browse to the Windows\System32\Inetsrv\MetaBase.xml file, right-click the file, and then click Properties.

3.

Click the Security tab, confirm that only members of the Administrators group and the SYSTEM account have Full Control access to the metabase, remove all other file permissions, and then click OK.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify restricted access to the MetaBase.xml file

1.

Press CTRL+ALT+DEL and then click Log Off.

2.

Log on to the Web server using an account that does not have permission to access the MetaBase.xml file.

3.

Click Start, right-click My Computer, click Explore, and then browse to the location of MetaBase.xml.

4.

Right-click the MetaBase.xml file, and then click Open.
The following message appears:

Access is denied.
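The log relocation and the two ACL checks of this section (the log folder and MetaBase.xml) from cmd.exe, added here as an example and not part of the original article. It uses cacls and adsutil.vbs from %SystemDrive%\Inetpub\AdminScripts; the folder D:\ContosoIISLogs and the site number 1 are assumptions. Run it as a member of Administrators.

```batch
@echo off
setlocal
rem Added example, not from the original article: create the relocated log
rem folder, grant only Administrators and SYSTEM, point site 1's logging at
rem it through the metabase, and show MetaBase.xml's own ACL for review.
rem D:\ContosoIISLogs and the site number are assumptions.
set LOGDIR=D:\ContosoIISLogs
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set METABASE=%SystemRoot%\system32\inetsrv\MetaBase.xml

if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem /G without /E replaces the whole ACL (dropping the inherited Users entry)
rem instead of appending. cacls asks for confirmation; the piped Y answers it.
rem HTTP.sys writes the W3C logs as SYSTEM, so no other account needs access.
echo Y| cacls "%LOGDIR%" /G Administrators:F SYSTEM:F

rem Tell IIS where to log; HTTP.sys creates a W3SVC1 subfolder here for site 1.
rem Existing log files in %SystemRoot%\system32\LogFiles are not moved.
cscript //nologo "%ADSUTIL%" SET W3SVC/1/LogFileDirectory "%LOGDIR%"

rem Verify the folder ACL and the metabase value.
cacls "%LOGDIR%"
cscript //nologo "%ADSUTIL%" GET W3SVC/1/LogFileDirectory

rem MetaBase.xml should list only Administrators and SYSTEM with full control.
cacls "%METABASE%"
```

The cacls output for MetaBase.xml is what the GUI procedure above checks by hand; any entry other than BUILTIN\Administrators:F and NT AUTHORITY\SYSTEM:F should be removed. Do not script changes to that file's ACL with /G, which would also remove the SYSTEM entry if you mistype it; review and adjust it in the Security tab.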

Disabling the FileSystemObject Component

ASP, Windows Script Host, and other scripting applications use the FileSystemObject (FSO) component to create, delete, gain information about, and manipulate drives, folders, and files. Consider disabling the FSO component, but be aware that unregistering Scrrun.dll is a server-wide change: it also removes the Dictionary object, which lives in the same DLL, and it affects every script and application on the server, not only ASP pages. Verify that no other programs require this component before you disable it.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Command prompt.

To disable the FileSystemObject component

1.

Click Start, click Run, type cmd in the Open box, and then click OK.

2.

Change to the C:\Windows\system32 directory.

3.

At the command prompt, type regsvr32 scrrun.dll /u and then press ENTER.
The following message appears:
DllUnregisterServer in scrrun.dll succeeded.

4.

Click OK.

5.

At the command prompt, type exit to close the command prompt window.
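The same change without the confirmation dialog, followed by a check that neither FileSystemObject nor Dictionary can be created any more, added here as an example and not part of the original article. The script writes a small VBScript to %TEMP% and runs it with cscript; the file name is an assumption. Run it in cmd.exe as a member of Administrators.

```batch
@echo off
setlocal
rem Added example, not from the original article: unregister scrrun.dll
rem silently (/s suppresses the dialog) and confirm that both COM classes
rem it provides are gone. Run as a member of Administrators.
set SCRRUN=%SystemRoot%\system32\scrrun.dll

regsvr32 /s /u "%SCRRUN%"

rem VBScript check: try to create each class and report the result.
>  "%TEMP%\fsocheck.vbs" echo On Error Resume Next
>> "%TEMP%\fsocheck.vbs" echo Dim name, o, rc : rc = 0
>> "%TEMP%\fsocheck.vbs" echo For Each name In Array("Scripting.FileSystemObject", "Scripting.Dictionary")
>> "%TEMP%\fsocheck.vbs" echo     Err.Clear : Set o = CreateObject(name)
>> "%TEMP%\fsocheck.vbs" echo     If Err.Number = 0 Then
>> "%TEMP%\fsocheck.vbs" echo         WScript.Echo "[FAIL] " ^& name ^& " can still be created" : rc = 1
>> "%TEMP%\fsocheck.vbs" echo     Else
>> "%TEMP%\fsocheck.vbs" echo         WScript.Echo "[OK]   " ^& name ^& " blocked: " ^& Err.Description
>> "%TEMP%\fsocheck.vbs" echo     End If
>> "%TEMP%\fsocheck.vbs" echo Next
>> "%TEMP%\fsocheck.vbs" echo WScript.Quit rc
cscript //nologo "%TEMP%\fsocheck.vbs"
set RC=%ERRORLEVEL%
del "%TEMP%\fsocheck.vbs"

rem To restore the component for every script on the server: regsvr32 /s "%SCRRUN%"
exit /b %RC%
```

An ASP page that still calls Server.CreateObject("Scripting.FileSystemObject") after this change fails with an "Invalid class string" error, which is the server-side symptom to look for in application testing; the check above catches the same condition from Windows Script Host before the pages are exercised.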


Securing Web Sites and Virtual Directories

Relocate Web root directories and virtual directories to a non-system partition to help protect against directory traversal attacks, in which an attacker uses ..\ sequences in a URL to reach files outside the Web root, for example operating system programs and tools in \Windows\System32. Because a relative path cannot cross from one drive letter to another, keeping the Web content on a drive other than the system drive puts those files out of reach even if a traversal flaw exists.

This section provides the following step-by-step instructions for securing Web sites and virtual directories:

Moving your Web site content to a nonsystem drive

Configuring Web site permissions

Moving Your Web Site Content to a Nonsystem Drive

Do not use the default \Inetpub\Wwwroot directory as the location for your Web site content. For example, if your system is installed on the C: drive, consider moving your site and content directory to the D: drive in order to mitigate the risks associated with directory traversal attacks, in which an attacker attempts to browse the directory structure of a Web server. Be sure to verify that all virtual directories point to the new drive.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Internet Information Services (IIS) Manager (Iis.msc) and a command prompt.

To move your Web site content to a nonsystem drive

1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. Right-click the Web site that has content you want to move, and then click Stop.

3. Click Start, click Run, type cmd in the Open box, and then click OK.

4. Type the following command at the command prompt:

   xcopy c:\inetpub\wwwroot\SiteName Drive:\wwwroot\SiteName /s /i /o

   In the preceding command, replace SiteName with the name of your Web site, and replace Drive with the letter of the new drive, for example, D.

5. Go back to the Internet Information Services (IIS) Manager snap-in.

6. Right-click the Web site, and then click Properties.

7. Click the Home Directory, Virtual Directory, or Directory tab, depending on the type of application you have selected, type the new directory location in the Local path box, and then click OK.
   -Or-
   Browse to the new location of the directory to which you just copied the files, and then click OK.

8. Right-click the Web site, and then click Start.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that Web site content has been moved to a nonsystem drive

1. Click Start, click Search, and then click For Files or Folders.

2. Type a partial or complete file name in the Search for files named box, select a location in the Look in box, and then click Search Now.
   The search results list the files that you moved at their new location as well as the original location.

To delete your Web site content from the system drive

Navigate to the C:\Inetpub\Wwwroot\SiteName directory, and then delete the files that you moved to a nonsystem drive.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that Web site content has been deleted from the system drive

1. Click Start, click Search, and then click For Files or Folders.

2. Type a partial or complete file name in the Search for files named box, select a location in the Look in box, and then click Search Now.
   The search results list only the files that you moved, at their new location.

Configuring Web Site Permissions

You can configure access permissions for your Web server for specific sites, directories, and files. These permissions apply to all users regardless of their specific access rights.

Configuring Permissions on File System Directories

IIS 6.0 relies on NTFS permissions to help protect individual files and directories from unauthorized access. Unlike Web site permissions, which apply to anyone who tries to access your Web site, you can use NTFS permissions to define which users can access your content and how those users are allowed to manipulate that content. For improved security, use both Web site permissions and NTFS permissions.

Access control lists (ACLs) indicate which users or groups have permission to access or modify a particular file. Instead of setting ACLs on each file, create new directories for each file type, set ACLs on each directory, and then allow the files to inherit those permissions from the directory in which they reside.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: My Computer and Internet Information Services (IIS) Manager (Iis.msc).

To move Web site content into a separate folder

1. Click Start, right-click My Computer, and then click Explore.

2. Browse to the folder that contains your Web site content, and then click the top-level folder of your Web site content.

3. On the File menu, click New, and then click Folder to create a new folder in the content directory of your Web site.

4. Give the folder a name, and then press ENTER.

5. Press CTRL, and then select each of the pages that you want to protect.

6. Right-click the pages, and then click Copy.

7. Right-click the new folder, and then click Paste.

Note: If you have created links to these pages, you must update the links to reflect the new location of the site content.

To set permissions for Web content

1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. Right-click the Web Sites folder, Web site, directory, virtual directory, or file you want to configure, and then click Properties.

3. Select or clear any of the following check boxes (if available), depending on the type of access you want to grant or deny:

   Script Source Access. Users can access source files. If Read is selected, source can be read; if Write is selected, source can be written to. Script Source Access includes the source code for scripts. This option is not available if neither Read nor Write is selected.

   Read (selected by default). Users can view directory or file content and properties.

   Write. Users can change the content and properties of a directory or file.

   Directory browsing. Users can view file lists and collections.

   Log visits. A log entry is created for each visit to the Web site.

   Index this resource. Allows Indexing Service to index this resource. This allows users to perform searches on the resource.

4. In the Execute Permissions list box, select the appropriate level of script execution:

   None. Do not run scripts or executable files (for example, files with a file type of .exe) on the server.

   Scripts only. Run only scripts on the server.

   Scripts and Executables. Run both scripts and executable files on the server.

5. Click OK. If child nodes for a directory have different Web site permissions configured, the Inheritance Overrides box appears.

6. If the Inheritance Overrides box appears, select the child nodes in the Child Nodes list to which you want the Web permissions of the directory to apply.
   -Or-
   Click Select All to apply the Web permissions to all of the child nodes.

7. If you see more than one Inheritance Overrides box, select the child nodes from the Child Nodes list or click Select All, and then click OK to apply the Web permissions for this property to the child nodes.

If a child node belonging to the directory that has Web site permissions you have changed has also set the Web site permissions for a particular option, the permissions in the child node will override those you have set for the directory. If you want the Web site permissions at the directory level to apply to the child nodes, you must select those child nodes in the Inheritance Overrides box.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify that write access is denied to Web site content directories

1. Press CTRL+ALT+DEL, and then click Log Off.

2. Log on to the Web server using an account that has Read and Execute permission on the physical or virtual directory.

3. Click Start, right-click My Computer, click Explore, and browse to the location of a file you want to copy to the physical or virtual directory.

4. Right-click the file, and then click Copy.

5. Browse to the location of the physical or virtual directory, and then right-click the directory. The Paste selection is not available on the context menu, which means that you do not have Write access to the directory.
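The two manual checks above (content still on the system drive, and Web site permissions that grant Write, Script Source Access, Execute, or Directory browsing) can be audited for every site and virtual directory in one pass. The following added script is not part of the original document; it assumes Windows PowerShell and the IIS Admin Objects ADSI provider (IIS://localhost/W3SVC), which is installed with IIS 6.0, and reads the metabase properties Path, AccessWrite, AccessSource, AccessExecute, and EnableDirBrowsing.

```powershell
# Added example (not from the original document): audit every IIS 6.0 Web site
# and virtual directory for content on the system drive and for Web site
# permissions beyond Read / Scripts only. Assumes Windows PowerShell and the
# IIS Admin Objects (ADSI metabase provider) that ship with IIS 6.0.

$systemDrive = $env:SystemDrive            # e.g. "C:"

function Get-VDirFindings {
    param([System.DirectoryServices.DirectoryEntry]$Node, [string]$Label)
    $p = $Node.psbase.Properties           # metabase properties of this node
    $findings = @()

    # "Path" is the physical directory; it should not be on the system drive.
    $path = [string]$p["Path"].Value
    if ($path -and $path.ToUpper().StartsWith($systemDrive.ToUpper())) {
        $findings += "content on system drive ($path)"
    }
    if ([bool]$p["AccessWrite"].Value)       { $findings += "Write enabled" }
    if ([bool]$p["AccessSource"].Value)      { $findings += "Script Source Access enabled" }
    if ([bool]$p["AccessExecute"].Value)     { $findings += "Execute = Scripts and Executables" }
    if ([bool]$p["EnableDirBrowsing"].Value) { $findings += "Directory browsing enabled" }

    if ($findings.Count -gt 0) { "$Label : " + ($findings -join "; ") }

    # Child nodes may override the parent's settings, so check each one too.
    foreach ($child in $Node.psbase.Children) {
        if ($child.psbase.SchemaClassName -eq "IIsWebVirtualDir") {
            Get-VDirFindings $child ($Label + "/" + $child.psbase.Name)
        }
    }
}

$w3svc = [ADSI]"IIS://localhost/W3SVC"
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne "IIsWebServer") { continue }
    $siteName = [string]$site.psbase.Properties["ServerComment"].Value
    $root = [ADSI]("IIS://localhost/W3SVC/" + $site.psbase.Name + "/Root")
    Get-VDirFindings $root $siteName
}
```

A clean server prints nothing; each line that does appear names the site or virtual directory and the setting to revisit in IIS Manager.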


Configuring Secure Sockets Layer on Your Web Server

Configure Secure Sockets Layer (SSL) security features on your Web server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions. SSL security relies on a server certificate that allows users to authenticate your Web site before they transmit personal information, such as a credit card number. Each Web site can have only one server certificate.

Obtaining and Installing a Server Certificate

Certificates are issued by non-Microsoft organizations called certification authorities (CAs). The server certificate is typically associated with your Web server, specifically with the Web site where you have configured SSL. You must generate a request for a certificate, send the request to the CA, and then install the certificate after you receive it from the CA.

Certificates rely on a pair of encryption keys — one public and one private — to enforce security. When you generate a request for a server certificate, you are actually generating the private key. The server certificate you receive from the CA contains the public key.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Internet Information Services (IIS) Manager (Iis.msc) and Web Server Certificate Wizard.

To generate a request for a server certificate

1. Click Start, right-click My Computer, and then click Manage.

2. Double-click the Services and Applications section, and then double-click Internet Information Services.

3. Right-click the Web site on which you want to install a server certificate, and then click Properties.

4. Click the Directory Security tab. In the Secure Communications section, click Server Certificate to start the Web Server Certificate Wizard, and then click Next.

5. Click Create a New Certificate, and then click Next.

6. Click Prepare the request now, but send it later, and then click Next.

7. In the Name box, type a name that is easy to remember. (The default name is the name of the Web site for which you are generating the certificate request — for example, http://www.contoso.com.)

8. Specify a bit length, and then click Next.
   The bit length of the encryption key determines the strength of the encryption. Most non-Microsoft CAs prefer that you choose a minimum of 1024 bits.

9. In the Organization section, type your organization and organizational unit information. Ensure that this information is accurate and that the Organization fields do not contain commas, and then click Next.

10. In the Your Site's Common Name section, type the name of the host computer with the domain name, and then click Next.

11. Type your geographical information, and then click Next.

12. Save the file as a .txt file. (The default file name and location is C:\certreq.txt.)
   The certificate request file is a Base64-encoded block that begins with the line -----BEGIN NEW CERTIFICATE REQUEST----- and ends with the line -----END NEW CERTIFICATE REQUEST-----.

13. Confirm your request details, click Next, and then click Finish.

To submit a request for a server certificate

1. Contact your CA to find out the requirements for submitting a request.

2. Copy the contents of the .txt file that you created in the preceding procedure into the request format required by your CA.

3. Send the request to your CA.

When you receive the certificate from your CA, you are ready to install the certificate on your Web server.

To install a server certificate

1. Copy the certificate (.cer) file to the C:\Windows\System32\CertLog folder.

2. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

3. Right-click the Web site on which you want to install a server certificate, and then click Properties.

4. Click the Directory Security tab. In the Secure Communications section, click Server Certificate to start the Web Server Certificate Wizard, and then click Next.

5. Click Process the pending request and install the certificate, and then click Next.

6. Browse to the certificate you received from the CA. Click Next twice, and then click Finish.

Verifying New Settings

Verify that the appropriate security settings have been applied to your local computer.

To verify that a certificate is installed on a Web server

1. Click Start, click Control Panel, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Right-click the Web site that has a certificate you want to view, and then click Properties.

3. On the Directory Security tab, in the Secure communications area, click View Certificate, review the certificate, and then click OK twice.

Enforcing and Enabling SSL Connections on Your Web Server

After you install the server certificate, you must enforce SSL connections on your Web server. Then, you must enable SSL connections.

Requirements

Credentials: You must be logged on as a member of the Administrators group on the Web server.

Tools: Internet Information Services (IIS) Manager (Iis.msc).

To enforce SSL connections

1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. Right-click the Web site on which you want to enforce SSL connections, and then click Properties.

3. Click the Directory Security tab. In the Secure Communications section, click Edit.

4. Click Require Secure Channel (SSL), choose the encryption strength, and then click OK.

Note: If you specify 128-bit encryption, client computers that use 40-bit or 56-bit strength browsers cannot communicate with your site unless the browsers are upgraded to versions that support 128-bit encryption.

To enable SSL connections on your Web server

1. Click Start, click Control Panel, click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. Right-click the Web site on which you want to enable SSL connections, and then click Properties.

3. Click the Web Site tab. In the Web Site Identification section, verify that the SSL Port box is populated with the numeric value 443.

4. Click Advanced. Typically, two boxes appear, and the IP address and port of the Web site are already listed in the Multiple identities for this Web site box. Under the Multiple SSL Identities for this Web site field, click Add if port 443 is not already listed. Select the IP address of the server, type the numeric value 443 in the SSL Port box, and then click OK.

Verifying New Settings

Verify that the appropriate security settings have been applied to your Web server.

To verify SSL connections on your Web server

1. Open your browser and try to connect to your Web server by using the standard http:// protocol. For example, in the Address box, type the following: http://localhost
   If SSL is being enforced, the following error message appears:

   The page must be viewed over a secure channel. The page you are trying to access is secured with Secure Sockets Layer (SSL).

2. Try again to connect to the page that you want to see by typing the following: https://localhost
   Typically, the default page for your Web server appears.
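The certificate, enforce, enable, and verify steps above can be checked together from a script. The following added example is not part of the original document; it assumes Windows PowerShell 2.0 or later, the IIS Admin Objects ADSI provider that ships with IIS 6.0, and reads the metabase properties SecureBindings, SSLCertHash, AccessSSL, and AccessSSL128. The bound certificate is looked up in the local computer's personal store to report its key length against the 1024-bit minimum mentioned earlier.

```powershell
# Added example (not from the original document): report each IIS 6.0 Web site's
# SSL configuration and probe http:// and https:// on localhost.
# Assumes Windows PowerShell 2.0+ and the IIS Admin Objects (ADSI metabase provider).

function Get-SiteSslReport {
    param([System.DirectoryServices.DirectoryEntry]$Site)
    $sp = $Site.psbase.Properties
    $rp = ([ADSI]("IIS://localhost/W3SVC/" + $Site.psbase.Name + "/Root")).psbase.Properties
    $bindings = @($sp["SecureBindings"].Value)      # e.g. ":443:" once SSL is enabled

    # SSLCertHash is the SHA-1 thumbprint of the server certificate bound to the site.
    $keyBits = 0                                    # 0 = no certificate bound / not found
    $hashBytes = $sp["SSLCertHash"].Value
    if ($hashBytes) {
        $thumb = [System.BitConverter]::ToString([byte[]]$hashBytes) -replace "-", ""
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if ($cert) { $keyBits = $cert.PublicKey.Key.KeySize }
    }

    $report = New-Object PSObject
    $report | Add-Member NoteProperty Site       ([string]$sp["ServerComment"].Value)
    $report | Add-Member NoteProperty Port443    ([bool]($bindings | Where-Object { $_ -match ":443:" }))
    $report | Add-Member NoteProperty RequireSSL ([bool]$rp["AccessSSL"].Value)     # Require Secure Channel
    $report | Add-Member NoteProperty Require128 ([bool]$rp["AccessSSL128"].Value)  # 128-bit encryption
    $report | Add-Member NoteProperty KeyBits    $keyBits                           # expect >= 1024
    $report
}

function Test-SslEnforcement {
    param([string]$HostName = "localhost")
    $status = @{}
    foreach ($scheme in "http", "https") {
        try {
            $resp = [System.Net.WebRequest]::Create("$scheme`://$HostName/").GetResponse()
            $status[$scheme] = [int]$resp.StatusCode
            $resp.Close()
        } catch [System.Net.WebException] {
            if ($_.Exception.Response) { $status[$scheme] = [int]$_.Exception.Response.StatusCode }
            else { $status[$scheme] = -1 }   # no HTTP response, e.g. certificate name/trust failure
        }
    }
    # With SSL enforced, http gives 403 (403.4 "must be viewed over a secure channel"), https gives 200.
    $status
}

$w3svc = [ADSI]"IIS://localhost/W3SVC"
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -eq "IIsWebServer") { Get-SiteSslReport $site | Format-List }
}
Test-SslEnforcement
```

An https result of -1 usually means the certificate's common name does not match the host name you probed or the issuing CA is not trusted on the server, which is worth resolving before clients see the same warning.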


Related Information

For more information about securing IIS 6.0, see the following:

"Security Enhancements in Internet Information Services 6.0" on the Microsoft Web site.

"Configuring Application Isolation on Windows Server 2003 and Internet Information Services (IIS) 6.0" on the TechNet Web site.

TechNet Webcast: Securing Internet Information Services (IIS) on the Microsoft Events and Webcasts Web site.

For more information about IIS 6.0, see the following:

Internet Information Services (IIS) 6.0 Resource Kit on the Microsoft Download Center.

Internet Information Services technology page on the TechNet Web site.

"Technical Overview of Internet Information Services (IIS) 6.0" on the Microsoft Web site.
