Windows Tip Sheet
Unlocking IIS 6.0, Part 2
The new version of IIS thankfully ditches automatic install.
This week’s tip is the second in a series of four tips specific to IIS 6.0.
One of the major complaints about IIS 5.0 (in Win2000) was that the software was installed by default. Most servers wound up with IIS installed and running, even if it wasn’t being used, simply because of that default. Unfortunately, when IIS 5 turned out to be fairly chock-full of exploitable vulnerabilities, every Win2000 server became a target. But “installed by default” only covered half the problem: Often, IIS was installed on test servers, dev servers, and other servers with no real need for it. That meant administrators had a tough time figuring out which servers needed to be patched when IIS 5 patches were released.
Microsoft addressed these problems in a couple of ways for Win2003. First, IIS 6.0 isn’t installed by default. You have to actively choose to install it, which gives you the opportunity to document which servers are running IIS, making it easier to keep them updated when critical patches are released.
Second, Microsoft added a Group Policy setting to Win2003 that prohibits IIS installation outright. Simply configure this setting in a Group Policy object (GPO) and link it to your domain; then place your IIS servers (the ones that are supposed to be running IIS, that is) in a separate organizational unit (OU) and block inheritance of that domain-level GPO on the OU. Poof: Your IIS servers will run fine, and IIS 6 won’t allow itself to be installed anywhere else. That’s just one deployment idea for this Group Policy setting; depending on your domain hierarchy you could obviously come up with others. The point, however, is to make prohibited installation the default condition for all future servers, no matter where in the domain they wind up, so that IIS can’t be installed without your knowledge.
You’ll find this Group Policy setting under Computer Configuration, Administrative Templates, Windows Components, Internet Information Services. It’s named “Prevent IIS installation,” and you simply need to enable the setting for it to take effect. Keep in mind that it only affects Win2003 (and presumably subsequent versions of Windows); Win2000 boxes don’t obey the setting (which is a pity; you’d think Microsoft could add this capability to a service pack for Win2000).
Knowing where IIS is running is a great way to help manage it more effectively and to ensure that all copies of IIS in your environment receive any critical updates that Microsoft releases.
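The following PowerShell audit is an added example, not code from the original article: it asks a list of servers whether IIS is actually present and whether the “Prevent IIS installation” policy is in effect, then flags the two situations the tip warns about. It assumes WinRM is reachable on the targets, that the policy is backed by a REG_DWORD named PreventIISInstall under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\IIS (the value the policy template writes), and uses a constructed server list.

```powershell
# Added inventory check (not from the original article).
# Assumptions: WinRM enabled on targets; "Prevent IIS installation" is stored as
# REG_DWORD PreventIISInstall = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\IIS.
$servers  = 'WEB01', 'APP01', 'DEV03'      # constructed sample list; replace with your own
$expected = 'WEB01'                        # constructed: servers that are supposed to run IIS
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\IIS'

# Query each server remotely for the W3SVC service and the policy value.
$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    $svc    = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $using:policyKey -Name PreventIISInstall `
                               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        IISInstalled   = [bool]$svc
        IISState       = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        InstallBlocked = ($policy.PreventIISInstall -eq 1)
    }
}

# Classify: IIS where it isn't expected (must be patched or removed), or a server
# where nothing stops IIS from being installed later without your knowledge.
$report | ForEach-Object {
    $finding = if ($_.IISInstalled -and $_.Computer -notin $expected) {
                   'UNEXPECTED IIS - patch or remove'
               } elseif (-not $_.IISInstalled -and -not $_.InstallBlocked) {
                   'IIS not blocked by policy'
               } else { 'OK' }
    $_ | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
} | Sort-Object Finding -Descending | Format-Table Computer, IISInstalled, IISState, InstallBlocked, Finding -AutoSize
```

Servers that do not answer WinRM are silently omitted from the report, so compare the output against your full server list to catch hosts the audit could not reach.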
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.