Chapter 12. Internet Information Services Security

Internet Information Services (IIS) 6.0 is included with Windows Server 2003. IIS provides a feature-rich set of services for publishing information on the Internet through a variety of standard Internet protocols. IIS is one of the most popular mechanisms for businesses and organizations to publish information to the public, their business partners, and their employees. Properly configured, IIS is a secure, robust platform; however, as with any complex product, proper configuration of IIS requires careful attention to detail.

Surprisingly, proper configuration and management of IIS is less common than you might expect. Many companies take little or no care when installing IIS and leave it vulnerable to many forms of compromise. And because IIS often directly communicates with untrusted people and computers, it's a frequent point of attack. This combination of vulnerability and accessibility to attackers makes it a very common point of security failure.

But this doesn't need to be the case. Simple techniques and procedures can be used to drastically increase the security of IIS. In this chapter, I'll introduce you to IIS and provide some best practices for configuring IIS within your organization.