There is a law of computing that states that the more code you have running on a system, the greater the chance that the system will have an exploitable security vulnerability. This means that one of the most important steps you can take to secure a system is to reduce the amount of code being executed, which helps reduce the system's attack surface.
There are essentially five steps to reducing an IIS server's attack surface:
- Disable all nonessential Windows Server 2003 components and services.
- Disable all nonessential IIS components and services.
- Disable all nonessential Web service extensions.
- Disable all nonessential Multipurpose Internet Mail Extension (MIME) types.
- Isolate the Web site.
Disable all nonessential Windows Server 2003 components and services
The main thing you need to know about Windows services is that some services are required in order for Windows to function. As such, the startup type for the following services should be set to automatic:
Distributed Transaction Coordinator
Help and Support
Logical Disk Manager
Plug and Play
Remote Procedure Call (RPC)
Security Accounts Manager
Shell Hardware Detection
System Event Notification
TCP/IP NetBIOS Helper Service
Those are the minimum services required for running Windows Server 2003 on a server that will be hosting IIS. Depending on the nature of the site you're hosting and on the architecture of your network, you may find it necessary to enable some other services as well. As a general rule you should disable any services that are not specifically being used.
In addition to disabling unused services, I recommend going through the Add/Remove Programs applet in the Control Panel and removing any Windows components that are not specifically needed for hosting IIS.
Disable all nonessential IIS components and services
Obviously, not all Web sites are created equal. IIS includes a variety of components that can be used to facilitate running various types of Web sites. As such, there is a very good chance that some IIS components will not be needed by your Web site. I therefore recommend uninstalling any components that your Web site does not specifically require. For example, if visitors don't need to download files, then you probably want to disable the Background Intelligent Transfer Service (BITS).
Disable all nonessential Web service extensions
If your Web site includes any content beyond static HTML pages, you will usually need to use at least one Web Service extension in order to facilitate the use of dynamic content. As such, it is worth going through the list of Web service extensions to make sure that only the necessary extensions are enabled.
To do so, open the Internet Information Services Manager and select the Web Service Extensions container. You can enable or disable individual Web service extensions by selecting them from the list contained in the details pane and then clicking the Allow or the Prohibit button.
Disable all nonessential MIME types
For most Web sites, the default MIME types are sufficient and no additional MIME extensions will be necessary. It is worth checking to make sure that no non-essential MIME extensions are associated with the site, however. To do so, open the IIS Manager, right click on the container corresponding to your Web site and select the Properties command from the resulting shortcut menu. When the Web site's properties sheet appears, go to the HTTP Headers tab and click the MIME Types button. The resulting list of MIME types should usually be empty. If entries do exist on the MIME Type list, consider temporarily removing them and checking to see if the site can function without them.
Isolate the Web site
If your Web server hosts more than one Web site, you should consider placing each site into a dedicated application pool. Sites within application pools share a common set of server resources. Therefore, if one site drains an excessive amount of resources or becomes compromised in some other way, it could potentially affect other Web sites sharing the application pool.
You can create application pools by right clicking on the Application Pools container in the IIS Manager console and selecting the New / Application Pool command from the resulting shortcut menu. After creating a new application pool, you can make a Web site a member of the new pool by right clicking on the Web site and choosing the Properties command from the resulting shortcut menu to access the Web site's properties sheet. You can choose the Web site's application pool on the properties sheet's Home Directory tab.
As you work to secure a Web server, you must keep in mind that IIS is only as secure as the underlying Windows operating system. Therefore good Windows level security practices are a must.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in March 2007