
Reduce your Web server's attack surface

There is a law of computing that states that the more code you have running on a system, the greater the chance that the system will have an exploitable security vulnerability. This means that one of the most important steps you can take to secure a system is to reduce the amount of code being executed, which helps reduce the system's attack surface.

There are essentially five steps to reducing an IIS server's attack surface:

  1. Disable all nonessential Windows Server 2003 components and services.
  2. Disable all nonessential IIS components and services.
  3. Disable all nonessential Web service extensions.
  4. Disable all nonessential Multipurpose Internet Mail Extension (MIME) types.
  5. Isolate the Web site.

Disable all nonessential Windows Server 2003 components and services

The main thing you need to know about Windows services is that some of them are required in order for Windows itself to function. The startup type for the following services should therefore be left set to Automatic:

Automatic Updates
Computer Browser
Cryptographic Services
DHCP Client
Distributed Transaction Coordinator
DNS Client
Event Log
Help and Support
IPSec Services
Logical Disk Manager
Plug and Play
Protected Storage
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
System Event Notification
TCP/IP NetBIOS Helper Service

That is a conservative baseline for Windows Server 2003 on a server that will be hosting IIS. Note that it covers only the operating system: IIS adds services of its own (IIS Admin Service and World Wide Web Publishing Service, plus HTTP SSL if the site serves HTTPS), and those obviously must stay enabled as well. Conversely, a few entries on the list, such as Computer Browser, Help and Support and Shell Hardware Detection, play no part in serving HTTP and can usually be disabled on a dedicated Web server once you have tested the change. Depending on the nature of the site you're hosting and on the architecture of your network, you may also need to enable some other services. As a general rule you should disable any service that is not specifically being used, changing startup types one at a time so that a broken dependency is easy to trace.

In addition to disabling unused services, I recommend going through the Add/Remove Programs applet in the Control Panel and removing any Windows components that are not specifically needed for hosting IIS.
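The procedure above is a click-through in the Services console; the following batch script is an added example (not from the original article) that does the same job repeatably from a command prompt on Windows Server 2003. It disables a set of services that a dedicated IIS 6.0 Web server normally does not need, pins the two services IIS itself depends on to Automatic, and then prints every service still set to start automatically so the remainder can be reviewed by hand. The list in NONESSENTIAL is an assumption, not a recommendation from the page; check every entry (Remote Registry in particular, which remote management tools use) against your own requirements first.

```batch
@echo off
REM Added example, not code from the original article.
REM Disables services a dedicated IIS 6.0 Web server typically does not need,
REM keeps the IIS services on Automatic, then reports what still auto-starts.
REM ASSUMPTION: the NONESSENTIAL list fits your server; verify each entry first.
setlocal enabledelayedexpansion

set NONESSENTIAL=Alerter Messenger ClipSrv Spooler RemoteRegistry TlntSvr WZCSVC TapiSrv ERSvc

for %%S in (%NONESSENTIAL%) do (
    sc query %%S >nul 2>&1
    if !errorlevel! equ 0 (
        echo Disabling %%S
        sc stop %%S >nul 2>&1
        sc config %%S start= disabled >nul
    ) else (
        echo %%S is not installed, nothing to do
    )
)

REM IIS itself: IIS Admin Service (IISADMIN) and World Wide Web Publishing
REM Service (W3SVC). Add HTTPFilter (HTTP SSL) to this list if the site uses HTTPS.
for %%S in (IISADMIN W3SVC) do sc config %%S start= auto >nul

echo.
echo Services still set to start automatically (review this list by hand):
for /f "tokens=2" %%N in ('sc query type^= service state^= all ^| findstr /b "SERVICE_NAME"') do (
    sc qc %%N | findstr /c:"AUTO_START" >nul && echo   %%N
)
endlocal
```

Run it from an elevated command prompt on the Web server itself and keep the final list: anything on it that is not in the baseline above, and not something your site needs, is a candidate for the next pass.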

Disable all nonessential IIS components and services

Obviously, not all Web sites are created equal. IIS includes a variety of components that can be used to facilitate running various types of Web sites. As such, there is a very good chance that some IIS components will not be needed by your Web site. I therefore recommend uninstalling any component that your Web site does not specifically require. For example, the Background Intelligent Transfer Service (BITS) Server Extensions exist to accept background file uploads from BITS clients; they play no part in ordinary browser downloads, so unless clients upload to your server with BITS, that subcomponent should go.

Review the individual IIS components enabled on your system by opening the Control Panel and double clicking on the Add/Remove Programs icon. When Windows opens the Add or Remove Programs dialog box, click the Add/Remove Windows Components button. After a brief delay, Windows will open the Windows Components Wizard. Next, select the Application Server option and click the Details button. This will display a list of the Application Server components supported by Windows. Some components on the list are related to IIS, such as the ASP.NET component, so you should go through the list and clear anything you don't need. You will notice that IIS itself is on the list. Select the Internet Information Services (IIS) component and click the Details button. This causes Windows to display IIS's subcomponents (WebDAV, FTP, SMTP, NNTP, Server Side Includes, Internet Data Connector and so on), giving you a chance to clear any that your site does not use.
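The wizard walk-through above does not scale to more than one server. The script below is an added example (not from the original article) that removes the same IIS subcomponents unattended with sysocmgr.exe, the engine behind the Windows Components Wizard, driven by an answer file. The component IDs are the ones I believe Windows Server 2003 uses for these subcomponents; treat them as assumptions and check them against the component names in %windir%\inf\iis.inf before running this, and adjust the on/off choices to what your site actually uses.

```batch
@echo off
REM Added example, not code from the original article.
REM Builds a sysocmgr answer file that turns off the IIS subcomponents a plain
REM static/ASP site does not need, then applies it unattended.
REM ASSUMPTION: the component IDs below match %windir%\inf\iis.inf on your build.
set ANSWER=%TEMP%\iis-trim.txt

>  "%ANSWER%" echo [Components]
>> "%ANSWER%" echo iis_webdav = off
>> "%ANSWER%" echo iis_internetdataconnector = off
>> "%ANSWER%" echo iis_serversideincludes = off
>> "%ANSWER%" echo iis_ftp = off
>> "%ANSWER%" echo iis_smtp = off
>> "%ANSWER%" echo iis_nntp = off
>> "%ANSWER%" echo BitsServerExtensionsISAPI = off
>> "%ANSWER%" echo BitsServerExtensionsManager = off
>> "%ANSWER%" echo fp_extensions = off
REM Keep the pieces the site does need: common files, the WWW service, IIS Manager.
>> "%ANSWER%" echo iis_common = on
>> "%ANSWER%" echo iis_www = on
>> "%ANSWER%" echo iis_inetmgr = on

type "%ANSWER%"
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%ANSWER%"
del "%ANSWER%"
```

Because sysocmgr rewrites the installed component set, run the answer file on a test server first and confirm afterwards, in the wizard, that only the expected subcomponents remain checked.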

Disable all nonessential Web service extensions

If your Web site includes any content beyond static HTML pages, you will usually need to allow at least one Web service extension in order to serve dynamic content. IIS 6.0 installs with every extension prohibited, so a fresh server hands out static files only; extensions get allowed during setup or by administrators afterwards, and it is worth going through the list to make sure that only the necessary ones remain allowed. In particular, the entries All Unknown ISAPI Extensions and All Unknown CGI Extensions should stay prohibited, because they permit ISAPI DLLs and CGI programs that are not explicitly listed to run.

To review the list, open the Internet Information Services (IIS) Manager and select the Web Service Extensions container. You can enable or disable individual Web service extensions by selecting them in the details pane and then clicking the Allow or the Prohibit button.
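The same review can be scripted with iisext.vbs, the administration script IIS 6.0 installs in %windir%\system32. The script below is an added example (not from the original article): it lists the extensions, prohibits the dynamic handlers the site does not use, allows the one it does, and lists the result. It assumes a classic ASP site that needs nothing else; the extension names are the GroupIDs that /ListExt prints (ASP, WEBDAV, SSINC, HTTPODBC, the ASP.NET version string), not the display names IIS Manager shows, so run /ListExt first and adjust the names to match your server.

```batch
@echo off
REM Added example, not code from the original article.
REM Audits Web service extensions with iisext.vbs and prohibits the unused ones.
REM ASSUMPTION: a classic ASP site; the GroupIDs below must match /ListExt output.
set IISEXT=cscript //nologo %windir%\system32\iisext.vbs

echo === Extensions before (status 0 = prohibited, 1 = allowed) ===
%IISEXT% /ListExt

REM Prohibit the dynamic handlers this site does not use.
for %%E in (WEBDAV SSINC HTTPODBC "ASP.NET v1.1.4322") do (
    %IISEXT% /DisExt %%E
)

REM Allow only the handler the site actually uses.
%IISEXT% /EnExt ASP

echo === Extensions after ===
%IISEXT% /ListExt

REM The individual ISAPI/CGI files behind the extensions can be listed too;
REM any file the site does not need should stay disabled or be removed (/RmFile).
echo === Extension files ===
%IISEXT% /ListFile
```

If a GroupID you pass does not exist on the server, iisext.vbs reports the error and moves on, so a mistyped name will not prohibit anything by accident; it simply will not prohibit what you intended, which is why the second /ListExt is there.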

Disable all nonessential MIME types

For most Web sites, the default MIME types are sufficient and no additional MIME types will be necessary. IIS 6.0 returns a 404 error for any file extension that has no MIME mapping, so every entry you add enlarges the set of files the server is willing to hand out; it is worth checking that no non-essential MIME types are associated with the site. To do so, open the IIS Manager, right click on the container corresponding to your Web site and select the Properties command from the resulting shortcut menu. When the Web site's properties sheet appears, go to the HTTP Headers tab and click the MIME Types button. This list holds only the types defined for this particular site on top of the server-wide list (which lives under the server node's Properties), so it should usually be empty. If entries do exist, consider temporarily removing them and checking whether the site still functions without them.

Isolate the Web site

If your Web server hosts more than one Web site, you should consider placing each site into a dedicated application pool. Every application pool is served by its own worker process (w3wp.exe), and all sites assigned to the same pool share that process. Therefore, if one site drains an excessive amount of resources, crashes the worker process or becomes compromised in some other way, it can affect every other Web site sharing the pool, whereas a site in its own pool keeps the damage to itself. Giving each pool its own low-privilege identity strengthens the isolation further, because the worker processes then hold different credentials.

You can create application pools by right clicking on the Application Pools container in the IIS Manager console and selecting the New / Application Pool command from the resulting shortcut menu. After creating a new application pool, you can make a Web site a member of the new pool by right clicking on the Web site and choosing the Properties command from the resulting shortcut menu to access the Web site's properties sheet. You can choose the Web site's application pool on the properties sheet's Home Directory tab.
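The last two steps can also be done with adsutil.vbs, the metabase script IIS 6.0 installs in %systemdrive%\inetpub\AdminScripts. The script below is an added example (not from the original article) covering both the MIME check and the application pool isolation: it shows the server-wide MIME map, shows and then removes any entries defined on the site itself so the site falls back to the inherited list, creates a dedicated pool, gives it its own identity and moves the site's root application into it. Assumptions: the site is W3SVC/1 (the identifier IIS Manager shows for the site), the pool name SitePool-1 is invented, and the account and password are placeholders that must be replaced with a real low-privilege local account that is a member of IIS_WPG.

```batch
@echo off
REM Added example, not code from the original article.
REM MIME review plus application pool isolation for one site via adsutil.vbs.
REM ASSUMPTIONS: site is W3SVC/1; SitePool-1 and the account are placeholders.
set ADSUTIL=cscript //nologo %systemdrive%\inetpub\AdminScripts\adsutil.vbs
set SITE=W3SVC/1
set POOL=SitePool-1

echo === Server-wide MIME map (inherited by every site) ===
%ADSUTIL% GET W3SVC/MimeMap

echo === MIME entries defined on the site itself (ideally none) ===
%ADSUTIL% GET %SITE%/MimeMap

REM Remove the site-level entries so the site uses only the server-wide list.
REM Anything the site turns out to need can be put back through IIS Manager.
%ADSUTIL% DELETE %SITE%/MimeMap

echo === Isolate the site in a dedicated application pool ===
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool

REM AppPoolIdentityType 3 = run as a configurable account, so this worker
REM process does not share credentials with the other pools on the server.
REM Replace the placeholder account and password before running.
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName "%COMPUTERNAME%\pool1svc"
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass "replace-me"

REM Point the site's root application at the new pool and confirm the change.
%ADSUTIL% SET %SITE%/ROOT/AppPoolId %POOL%
%ADSUTIL% GET %SITE%/ROOT/AppPoolId
```

Repeat the pool section once per site, with a different pool name and account each time; the whole point is that no two sites end up in the same worker process under the same identity.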

As you work to secure a Web server, you must keep in mind that IIS is only as secure as the underlying Windows operating system. Therefore good Windows level security practices are a must.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.

This was first published in March 2007
