Windows Tip Sheet

Power Brakes for IIS

Prevent Internet Information Server from being installed automatically.

I have a client who's in the middle of upgrading a bunch of their servers to Win2003. One of the things they like is that Windows 2003 doesn't install IIS by default; they only use IIS on a couple of machines, and minimizing the number of machines that have IIS installed helps cut down on maintenance overhead (IIS does, after all, get patched a lot to cover security vulnerabilities). They ran into a funny situation, though: An administrator who didn't know any better installed IIS on a bunch of the servers because he thought is was a pre-req for something else he was installing. Whoops! So while it's nice that IIS isn't installed by default, there really should be a way to keep it from being installed at all.

And the Answer is…
There is a way! You could, for example, configure a GPO that prevents the IIS Admin service from starting (by setting its startup status to Disabled). That's not a terrible solution, but it still leaves the door open to an administrator — perhaps a malicious one, even — who changes the startup type and starts the service anyway. Windows 2003 does, however, provide a better solution in the form of a GPO setting that prohibits IIS from even being installed. The following figure shows the GPO editor showing the policy setting.

NO IIS
The GPO setting that prevents IIS from being installed.

Simply configure this policy setting and link to that GPO to wherever you want it. Every Windows 2003 and later computer affected by the GPO will no longer allow IIS to be installed, period. There's no way to override it without modifying the GPO or moving the server's domain computer account so that it's no longer affected by the GPO.

Micro Tip Sheet

IIS 6.0 is installed by default on only one version of Win2003: Web Edition. But you can't buy Web Edition through retail channels; you have to buy it bundled with a Web server or buy it through certain Microsoft volume licensing programs.

Protect your IIS servers from a broader range of attacks by putting them behind a firewall and reverse proxying incoming Web traffic, rather than simply passing it through the firewall. Products like Microsoft's Internet Security and Acceleration (ISA) Server 2000 support reverse proxying.

More Resources
Read about other changes to IIS' security philosophy: http://www.eweek.com/article2/0,4149,1499143,00.asp

What's new and changed in IIS 6.0: www.deltaguideseries.com

Top 5 Q&A on IIS: https://www.microsoft.com/technet/community/columns/
insider/iisi0603.mspx
.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus
Most   Popular