Security Changes in IIS 6.0 (IIS 6.0)
To improve the security of your Web server, many aspects of IIS 6.0, including default behavior and settings, function differently than in earlier versions of IIS. Some of the most notable changes were made to take a more proactive stance against malicious users and attackers. A significant change is that IIS is not installed by default on Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter Edition operating systems, and many services and features of IIS are not installed or enabled by default when you install IIS. Other security changes in IIS 6.0 affect components of Active Server Pages (ASP), authentication, and access control methods. As a result of these changes, some existing applications and sites might require you to enable services, change settings, or make other adjustments before they run as expected. However, if you change default settings, you should do so carefully to maintain the most secure solution possible.
The most significant security-related changes are as follows:
The following sections describe the security-related changes and provide information about how to customize your IIS work environment.