Security Enhancements

Microsoft has introduced several changes to IIS 6 to enhance security, including

  • As we've already discussed, Windows Server 2003 doesn't include IIS by default. By eliminating IIS as a default installation option, Windows Server 2003 lets you more easily keep track of your Web servers for security and update purposes.

  • By default, IIS serves only static Web page types. All dynamic Web page types (ASP, ASPX, and so forth) are disabled by default. Many security vulnerabilities are associated with the incorrect use of dynamic Web pages, so administrators must take specific actions to make them accessible.

  • When upgrading to Windows Server 2003, the Setup process actually disables any IIS 5.0 installation that is configured only with the default settings. This feature turns off IIS on any servers where it doesn't appear to be used, removing a potential security vulnerability.


    Be sure to carefully review every Windows 2000 server you upgrade to Windows Server 2003. The feature that disables IIS is a new philosophical direction for Microsoft, and you should follow up on its caution with a thorough review of the upgrade to ensure that your server is configured to meet your needs and to provide maximum security for your environment.

  • A new group policy in Windows Server 2003 enables domain administrators to prevent users from installing any version of IIS on their computers. You might apply this to your client computers to prevent users from installing IIS locally and opening a potential security hole in your network.

  • By default, IIS is configured to run worker processes in the security context of a low-privilege user account. This feature helps prevent worker processes from performing dangerous actions in the event that a hacker manages to place unauthorized code on the server.

  • All requests for unrecognized file extensions are rejected. In the past, IIS would attempt to process unknown file extensions as text or HTML pages; IIS 6.0 responds with an error message. This behavior helps prevent hackers from uploading and executing malicious code.

  • The Web server process cannot execute any IIS 6 command-line tools. Having the Web server execute command-line tools was an often-used security vulnerability in prior versions of IIS, allowing hackers to reconfigure IIS remotely.

  • Previous versions of IIS used timeouts that were pretty generous, opening the server to a broader range of attacks. IIS 6 defaults to fairly aggressive timeouts, preventing long-running scripts and other security vulnerabilities.

  • IIS 6 worker processes can detect and terminate applications that generate a buffer overflow. Buffer overflows are a frequently used security attack because they can cause poorly written applications to overwrite unintended areas of memory.

  • The http.sys kernel-mode driver verifies that the content requested in an HTTP request actually exists before handing the request off to a worker process. This behavior helps protect poorly written applications that don't gracefully handle unexpected conditions, such as missing content.


For a brief history of IIS's security problems and solutions, visit and enter this book's ISBN number (no hyphens or parentheses) in the Search field; then click the book's cover image to access the book details page. Click the Web Resources link in the More Information section, and locate article ID# A010702.