IIS Server
Several server roles require IIS. Securing IIS properly allows SMS to function while reducing risk. Where practical, minimize the use of servers requiring IIS. For example, consolidate management points into the smallest number possible. Use only a single server locator point for your environment.
Disable IIS Functions That You Do Not Require
Only install the minimum IIS features for the server role you are supporting. In IIS 5.0, most components are installed by default, but in IIS 6.0 all components must be installed manually. See the Verifying the installed IIS components procedure in Appendix E: “SMS Security Procedures.”
Table 3 Site System Roles and IIS Components

| Site system role | IIS required? | Required IIS components to enable |
|---|---|---|
| Site Server | No | |
| SMS site database server | No | |
| Management point (including proxy management points) | Yes | BITS Server Extensions |
| Server locator point | Yes | Default IIS |
| Reporting point | Yes | Active Server Pages. To use graphs in the reports, Office Web Components (Microsoft Office 2000 SP2 or Microsoft Office XP) must be installed. |
| Distribution point | No | |
| BITS-enabled distribution point | Yes | IIS and WebDAV |
| Client Access Point | No | |
Important
Do not enable Secure Sockets Layer (SSL) on the management points, server locator points, or distribution points. HTTPS access can be enabled for reporting points with SMS 2003 SP1. For more information, see Enable HTTPS Access for Reporting Points later in this document.
Do Not Put the Site Server on a Computer with IIS
As mentioned earlier in this document, role separation helps reduce the attack profile and improve recoverability. If the site server role is combined with another role that requires IIS, there are additional concerns when running with advanced security. Using role separation mitigates the following risks:
The site server’s computer account has administrative privileges on other computers. IIS runs under the LocalSystem account, which is the only account with the right to act as the computer account, so code running inside IIS on a site server can exercise those privileges. Typically only site servers have a computer account with this level of access.
When using advanced security, the SMS site server manages its local files and registry entries by using the LocalSystem account. Software running in the LocalSystem account context of IIS has the same access to those files and registry entries.
Use Windows Server 2003 with IIS 6.0
IIS 6.0 is more secure than its predecessors. IIS 5.0 is included with and installed by default on Windows 2000 Server. Upgrading a Windows 2000 Server to Windows Server 2003 also upgrades IIS, but the World Wide Web Publishing Service is disabled during the upgrade process. IIS 6.0 is not installed by default on a new installation of Windows Server 2003. If you install IIS 6.0, the default configuration does not include Active Server Pages, BITS Server Extensions, or WebDAV. If you require those services for an SMS site system role, you must enable them manually. For a list of the required IIS components, see Table 2: Site System Roles and IIS Components.
Follow the SMS IIS Hardening Checklist
The Microsoft Web site has extensive information about how to secure IIS. Certain best practices for IIS servers functioning as Web servers are inappropriate for SMS site systems that require IIS. The SMS 2003 Security checklists include a checklist for hardening IIS when used with SMS site systems. This checklist is based on published best practices for securing IIS, but includes comments about how to modify these best practices appropriately to ensure SMS functionality.
SMS 2003 IIS Hardening Checklist
Run IIS Lockdown and URLScan by Using the SMS Templates
If your site system is running Windows 2000 Server and IIS 5.0, run the IIS Lockdown Wizard with the SMS IISLockd.ini template. IIS Lockdown works by turning off unnecessary features, which reduces the attack surface. The IIS Lockdown Wizard includes the URLScan security tool, which restricts the types of HTTP requests that IIS processes.
If your site system is running Windows Server 2003 and IIS 6.0, the IIS Lockdown functionality is integrated into IIS. You should still run URLScan 2.5 to apply the UrlScan_SMS.ini file.
Download the SMS IISLockd.ini and UrlScan_SMS.ini as part of the SMS Toolkit from the Microsoft Download site (https://go.microsoft.com/fwlink/?LinkId=25444). For the procedure to apply these templates, see the documentation that comes with the SMS Toolkit 1.
Caution
Running the IIS Lockdown or URLScan tools without the SMS templates can cause SMS operations to fail.
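As an added illustration of the caution above (example code, not from the SMS Toolkit or the Microsoft templates): a small Python audit that reads a URLScan-style ini file and reports which HTTP verbs and file extensions a given SMS site system role needs that the file would block. The per-role verb and extension requirements and the sample ini are constructed assumptions derived from Table 3 (Active Server Pages for reporting points, WebDAV verbs for BITS-enabled distribution points, the BITS upload verb for management points), not the contents of UrlScan_SMS.ini.

```python
import configparser

# Assumed per-role needs, modelled on Table 3 (not the real UrlScan_SMS.ini):
# a management point accepts BITS uploads (BITS_POST), a reporting point serves
# .asp pages, a BITS-enabled distribution point relies on WebDAV verbs.
ROLE_NEEDS = {
    "Management point": ({"GET", "HEAD", "POST", "BITS_POST"}, set()),
    "Server locator point": ({"GET", "HEAD", "POST"}, set()),
    "Reporting point": ({"GET", "HEAD", "POST"}, {".asp"}),
    "BITS-enabled distribution point": ({"GET", "HEAD", "OPTIONS", "PROPFIND"}, set()),
}

# Constructed sample: a generic "static web server" style URLScan policy that
# was applied without an SMS-aware template.
SAMPLE_INI = """[Options]
UseAllowVerbs=1
UseAllowExtensions=0
[AllowVerbs]
GET
HEAD
POST
[DenyExtensions]
.asp
.exe
"""

def parse_urlscan_ini(text):
    # URLScan list sections hold bare entries with no "=value" part.
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return cp

def _entries(cp, section):
    return {k.lower() for k in cp.options(section)} if cp.has_section(section) else set()

def verb_allowed(cp, verb):
    # UseAllowVerbs=1: only [AllowVerbs] pass; otherwise everything but [DenyVerbs].
    if cp.get("Options", "UseAllowVerbs", fallback="0").strip() == "1":
        return verb.lower() in _entries(cp, "AllowVerbs")
    return verb.lower() not in _entries(cp, "DenyVerbs")

def ext_allowed(cp, ext):
    if cp.get("Options", "UseAllowExtensions", fallback="0").strip() == "1":
        return ext.lower() in _entries(cp, "AllowExtensions")
    return ext.lower() not in _entries(cp, "DenyExtensions")

def audit(ini_text, roles):
    """Return (role, kind, value) tuples for each role requirement the ini blocks."""
    cp = parse_urlscan_ini(ini_text)
    findings = []
    for role in roles:
        verbs, exts = ROLE_NEEDS[role]
        findings += [(role, "verb", v) for v in sorted(verbs) if not verb_allowed(cp, v)]
        findings += [(role, "extension", e) for e in sorted(exts) if not ext_allowed(cp, e)]
    return findings
```

Each finding is a request type the role depends on that URLScan would reject, which is the kind of breakage the caution describes.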
Apply Service Packs and Security-Related Hotfixes as They Become Available
Unpatched systems can be a significant risk to the entire organization, depending on the security issue involved. Subscribe to the Microsoft Security Notification Service (https://go.microsoft.com/fwlink/?LinkId=28819). Watch for security bulletins related to IIS and apply the latest updates for the Microsoft Windows operating system, IIS, and the Microsoft .NET Framework. Run Microsoft Baseline Security Analyzer (MBSA) at regular intervals to check for the latest operating system and component updates.