Frequently Asked Questions About IIS Security

Published: July 24, 2002

Q. How do I secure Windows 2000 and IIS 5.0?
A.

Security is a huge concern for anyone involved in business processes, management, and administration. A good source of information on maintaining security in Windows 2000 and IIS is the security section of the Windows 2000 site. Also see Internet Information Services (IIS) on the Microsoft TechNet site, where you can find information on securing IIS servers, along with resources that will help you maintain a secure system and stay current with releases, updates, and tools.

Q. What is the URLScan Security Tool?
A.

URLScan is a powerful IIS security tool that works in conjunction with the IIS Lockdown Tool to give IIS Web site administrators the ability to restrict the HTTP requests that the server will process, thereby preventing potentially harmful requests from reaching the server and causing damage. The URLScan Security Tool page on Microsoft TechNet describes its features and usage, provides answers to common questions, and details steps for download and installation.

Q. What is the IIS Lockdown Tool?
A.

This tool is part of the IIS Lockdown Wizard and it works by turning off unnecessary features of the IIS server, thereby reducing the attack surface available to an attacker. It also works in conjunction with URLScan to provide multiple layers of defense and protection. The IIS Lockdown Tool page on TechNet describes its features and characteristics and provides steps for download and setup.

Q. What is the HFNetChk Security Tool?
A.

The HFNetChk Security Tool is a tool released by Microsoft that aids system administrators in the task of maintaining security across Windows-based servers; it is a command-line tool that enables the administrator to check the patch status of all the machines in a network from a central location. The HFNetChk Security Tool page on TechNet provides more information and instructions for download.

Q. What is the Microsoft Baseline Security Analyzer?
A.

The Microsoft Baseline Security Analyzer (MBSA) is a tool developed by Microsoft, with graphical and command-line interfaces, that can perform local or remote scans of Windows systems, checking for missing hotfixes and vulnerabilities in certain Microsoft products. See the Microsoft Baseline Security Analyzer page on TechNet for more information.
