Windows Tip Sheet

Unlocking IIS 6.0, Part 2

The new version of IIS thankfully ditches automatic install.

This week’s tip is the second in a series of four tips specific to IIS 6.0.

One of the major complaints about IIS 5.0 (in Win2000) was that the software was installed by default. Most servers wound up with IIS installed and running, even if it wasn’t being used, simply because of that default. Unfortunately, when IIS 5 turned out to be fairly chock-full of exploitable vulnerabilities, every Win2000 server became a target. But “installed by default” only covered half the problem: Often, IIS was installed on test servers, dev servers, and other servers without real need. That meant administrators had a tough time figuring out what servers needed to be patched when IIS 5 patches were released.

Microsoft addressed these problems in a couple of ways for Win2003. First, IIS 6.0 isn’t installed by default. That means you have to actively choose to install it, meaning you can take the opportunity to document which servers are running IIS, making it easier to keep them updated when critical patches are released.

Second, Microsoft added a Group Policy setting to Win2003 which allows IIS installation itself to be prohibited. Simply configure this setting in a Group Policy object (GPO) and link it to your domain; place your IIS servers (the ones that are supposed to be running IIS, that is) in a separate organizational unit (OU) and block inheritance of that domain-level GPO. Poof: Your IIS servers will run fine, and IIS 6 won’t allow itself to be installed anywhere else. That’s just one deployment idea for this Group Policy setting; depending on your domain hierarchy you could obviously come up with other ideas. The point, however, is to make prohibited installation a default condition that applies to all future servers, no matter where in the domain they wind up, so that IIS can’t be installed without your knowledge.

You’ll find this Group Policy setting in Computer Configuration, Administrative Templates, Windows Components, Internet Information Services. It’s named “Prevent IIS installation” and you simply need to enable the setting to have it take effect. Keep in mind that it only affects Win2003 (and presumably subsequent versions of Windows); Win2000 boxes don’t obey the setting (which is a pity; you’d think Microsoft could add this capability to a service pack for Win2000).

Knowing where IIS is running is a great way to help manage it more effectively and to ensure that all copies of IIS in your environment receive any critical updates that Microsoft releases.

More Resources:

  • Find more IIS tips and answers here.
  • Find Group Policy tips and answers here.
  • Get the IIS Resource Kit here.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at

comments powered by Disqus
Most   Popular