Windows Tip Sheet
Unlocking IIS 6.0, Part 3
Control exactly what you want installed with the new IIS.
This week's tip is third in a series of four tips specific to IIS 6.0.
One problem with versions of IIS prior to IIS 6 is that they had too many moving parts by default. IIS 5, for example, enabled WebDAV, Active Server Pages (ASP), server-side includes, and tons of other functionality, all by default. That meant you had a lot of executable code on your IIS server, even if you weren't using some of those pieces, and some of those pieces wound up having highly exploitable vulnerabilities (FrontPage extensions are a notorious example). The situation made it tough on administrators because they wound up having to drop patches onto systems to fix software that weren't even being used.
IIS 6 corrects the problem and then provides some additional security on top of it. To begin with, each little component of IIS—WebDAV, server-side includes, ASP, ASP.NET, FrontPage extensions, you name it—can be installed or uninstalled individually, ensuring that your server only has the bits you need. If you're not using WebDAV, for example, then you can uninstall it and be assured that any WebDAV-related vulnerabilities which may be discovered in the future won't affect you, even if you don't get around to patching them immediately.
But IIS 6 goes a step further. In its console, you can open the Web Service Extensions folder to individually enable or disable specific extensions (server-side includes, ASP, and so forth). The nice part is that, by default, any unknown extensions are disabled. So if an attacker manages to get some evil ISAPI extension onto your servers, it won't run unless you specifically enable it. Even if you specifically install a new extension like ASP, IIS doesn't automatically enable that extension for use. So adding a feature like WebDAV requires two steps: Install it, and then enable it. This one-two punch pretty much ensures that only the bits you want running will be running—and makes it firmly your responsibility to make sure the right bits are on your servers and are kept up-to-date with patches.
- Find more IIS tips and answers here.
- Check out Microsoft's official IIS site.
- Security-specific guidance for IIS can be found here.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.