IIS Server

Several server roles require IIS. Securing IIS properly allows SMS to function while reducing risk. Where practical, minimize the use of servers requiring IIS. For example, consolidate management points into the smallest number possible. Use only a single server locator point for your environment.

Disable IIS Functions That You Do Not Require

Install only the minimum IIS features for the server role you are supporting. In IIS 5.0, most components are installed by default, but in IIS 6.0 all components must be installed manually. See the “Verifying the installed IIS components” procedure in Appendix E: “SMS Security Procedures.”

Table 3   Site System Roles and IIS Components

| Site system role | IIS required? | Required IIS components to enable |
|---|---|---|
| Site Server | No | |
| SMS site database server | No | |
| Management point (including proxy management points) | Yes | BITS Server Extensions |
| Server locator point | Yes | Default IIS |
| Reporting point | Yes | Active Server Pages. To use graphs in the reports, Office Web Components (Microsoft Office 2000 SP2 or Microsoft Office XP) must be installed. |
| Distribution point | No | |
| BITS-enabled distribution point | Yes | IIS and WebDAV |
| Client Access Point | No | |

Important

Do not enable Secure Sockets Layer (SSL) on the management points, server locator points, or distribution points. HTTPS access can be enabled for reporting points with SMS 2003 SP1. For more information, see Enable HTTPS Access for Reporting Points later in this document.

Do Not Put the Site Server on a Computer with IIS

As mentioned earlier in this document, role separation helps reduce the attack profile and improve recoverability. If the site server role is combined with another role that requires IIS, there are additional concerns when running with advanced security. Using role separation mitigates the following risks:

The site server’s computer account has administrative privileges on other computers. IIS runs by using the LocalSystem account, which is the only account with the right to use the computer account. This typically is the case only on site servers.

When using advanced security, the SMS site server manages its local files and registry entries by using the LocalSystem account. Software running in the LocalSystem account context of IIS has equal access to those files and registry entries.
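The following is an added example, not part of the SMS documentation: a small audit that checks a server inventory against Table 3, the SSL restriction in the Important note, and the rule that the site server should not share a computer with IIS. The inventory format, server names, and component labels are assumptions made for illustration.

```python
# Table 3 on this page: site system role -> IIS components to enable.
# Assumption: every role marked "IIS required: Yes" also needs base "IIS".
REQUIRED = {
    "site server": set(),
    "sms site database server": set(),
    "management point": {"IIS", "BITS Server Extensions"},
    "server locator point": {"IIS"},
    "reporting point": {"IIS", "Active Server Pages"},
    "distribution point": set(),
    "bits-enabled distribution point": {"IIS", "WebDAV"},
    "client access point": set(),
}
# Roles the page says must not have SSL enabled (assumption: the
# BITS-enabled distribution point counts as a distribution point).
NO_SSL = {"management point", "server locator point",
          "distribution point", "bits-enabled distribution point"}

def audit(server):
    """Return sorted findings for one inventory record."""
    roles = {r.lower() for r in server["roles"]}
    unknown = roles - set(REQUIRED)
    needed = set().union(*(REQUIRED[r] for r in roles - unknown))
    enabled = set(server["iis_components"])
    findings = [f"unknown role: {r}" for r in unknown]
    findings += [f"missing component: {c}" for c in needed - enabled]
    findings += [f"unneeded component: {c}" for c in enabled - needed]
    if "site server" in roles and (needed or enabled):
        findings.append("site server shares a computer with IIS")
    if server.get("ssl") and roles & NO_SSL:
        findings.append("SSL enabled on a role that must not use it")
    return sorted(findings)

# Constructed sample inventory (hypothetical server names and fields).
INVENTORY = [
    {"name": "SMS-MP01", "roles": ["Management point"],
     "iis_components": ["IIS", "BITS Server Extensions"], "ssl": False},
    {"name": "SMS-RP01", "roles": ["Reporting point"],
     "iis_components": ["IIS", "Active Server Pages", "WebDAV"], "ssl": True},
    {"name": "SMS-SITE", "roles": ["Site server", "Server locator point"],
     "iis_components": ["IIS"], "ssl": False},
    {"name": "SMS-DP01", "roles": ["BITS-enabled distribution point"],
     "iis_components": ["IIS"], "ssl": True},
]
def audit_all(inventory):
    return {s["name"]: audit(s) for s in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "; ".join(findings) or "OK")
```

When several roles share one computer, the required components are the union of what each role needs, so anything enabled beyond that union is reported as unneeded.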

Use Windows Server 2003 with IIS 6.0

IIS 6.0 is more secure than its predecessors. IIS 5.0 is included with and installed by default on Windows 2000 Server. Upgrading a Windows 2000 Server to Windows Server 2003 also upgrades IIS, but the World Wide Web Publishing Service is disabled during the upgrade process. IIS 6.0 is not installed by default on a new installation of Windows Server 2003. If you install IIS 6.0, the default configuration does not include Active Server Pages, BITS Server Extensions, or WebDAV. If you require those services for an SMS site system role, you must enable them manually. For a list of the required IIS components, see Table 2: Site System Roles and IIS Components.

Follow the SMS IIS Hardening Checklist

The Microsoft Web site has extensive information about how to secure IIS. Certain best practices for IIS servers functioning as Web servers are inappropriate for SMS site systems that require IIS. The SMS 2003 Security checklists include a checklist for hardening IIS when used with SMS site systems. This checklist is based on published best practices for securing IIS, but includes comments about how to modify these best practices appropriately to ensure SMS functionality.

SMS 2003 IIS Hardening Checklist

Run IIS Lockdown and URLScan by Using the SMS Templates

If your site system is running Windows 2000 Server and IIS 5.0, run the IIS Lockdown Wizard with the SMS IISLockd.ini. IIS Lockdown works by turning off unnecessary features, which reduces potential attacks. The IIS Lockdown Wizard includes the URLScan Security tool, which restricts the types of HTTP requests that IIS processes.

If your site system is running Windows Server 2003 and IIS 6.0, the IIS Lockdown feature is integrated into IIS. You should still run URLScan 2.5 to apply the UrlScan_SMS.ini file.

Download the SMS IISLockd.ini and UrlScan_SMS.ini as part of the SMS Toolkit from the Microsoft Download site (https://go.microsoft.com/fwlink/?LinkId=25444). For the procedure to apply these templates, see the documentation that comes with the SMS Toolkit 1.

Caution

Running the IIS Lockdown or URLScan tools without the SMS templates can cause SMS operations to fail.

Unpatched systems can be a significant risk to the entire organization, depending on the security issue involved. Subscribe to the Microsoft Security Notification Service (https://go.microsoft.com/fwlink/?LinkId=28819). Watch for security bulletins related to IIS and apply the latest updates for the Microsoft Windows operating system, IIS, and the Microsoft .NET Framework. Run Microsoft Baseline Security Analyzer (MBSA) at regular intervals to check for the latest operating system and component updates.