Locking Down IIS 6.0 with .NET: The Default Security Wizard
Now, the minute you install and start up the IIS 6.0 product on Windows .NET Server, you are hit with the words "security" immediately with a new Wizard. First off, IIS 6.0 had to be installed on my version of Windows .NET Server. It was not running by default (another good thing), and can be installed in the Control Panel, Add/remove programs applet, and then by selecting to add a Windows based component. Once you installed Windows IIS 6.0, then you can launch it from the Administrative tools folder within the Console Panel or the Start menu programs folder.
The minute you open the IIS 6.0 MMC, you launch a new Wizard immediately. The Wizard seen here is the Web Server Security Lockdown Wizard. This Wizard is used to help you lock down default services, CGI and ISAPI handlers down before you even launch the console.
You are also shown in the above Wizard dialog box that you can access this later if you want to cancel is now by going to the Computer Icon, going to the Action Menu in the MMC and selecting 'security'
You will then proceed to be able to set your services up that run by default. They are:
* HTTP (Hypertext Transfer Protocol)
* FTP (File Transfer Protocol)
* SMTP (Simple Mail Transfer Protocol)
* NNTP (Network News Transfer Protocol)
At times though, you may want to disable certain services or set them to only run manually when you initiate them. For purposes of this exercise, I am setting my HTTP and FTP services to run automatically, but I would like news and email to be disabled.
Clicking Next advances you to the next screen, which is to let you enable or disable handlers. CGI (Common Gateway Interface) is almost always exploited by hackers and finally you can enable or disable by default.
What are Event Handlers you ask? Event Handlers allow embedded scripting languages to trap events and actions that occur as a reader experiences a page. These optional attributes then trigger script code. OnMouseOver is one of the most common.
Once you select what you want to enable, you can click next. Now, you have successfully completed the IIS Security Lockdown Wizard. (notice the name change from Web Server to IIS?
Now you can open the IIS console and view your web site. One last check for the security minded will show you that this wizard did its job. Close the IIS MMC.
Go the Administrative tools folder within the Control Panel and click on the services Icon. When you open the Icon, browse to the Simple Mail Transfer protocol and click on it. You can see it is definitely disabled now.
We have now gone through and experienced the new version of IIS 6.0 and its new security features that will help to aid in Microsoft security.