Manage Security of Your Windows IIS Web Services

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Consulting Services Web Server Best Practices

On This Page

All Systems Must Become Managed
Security from the Start
Keeping the Systems Secure
Responding to a Crisis

All Systems Must Become Managed

The increased sophistication and power of the latest viruses and worms have proven that even a few dozen unsecured servers pose a threat to the customer environment. In every customer environment there are two types of systems: those that are managed and those that are not managed. Unfortunately, the latest viruses have helped customers identify the systems that are not managed.

The unmanaged systems can normally be classified as either rogue systems or test systems.

  • Rogue systems are those that are deployed using non-standard processes and are at odds with company policy. Rogue systems are especially dangerous because it is very unlikely that corporate standards for secure implementation and updates are being followed.

  • Test systems are those that are permitted as a normal part of system development and testing efforts, but for which there is no formalized support structure in place to ensure the services are deployed securely and stay secure.

Recommendation: Microsoft recommends that customers implement an aggressive strategy for identifying "rogue" systems that are operating under the radar.

Rogue systems allow viruses to establish beachheads and allow the viruses to propagate by means other than Web server vulnerabilities. These systems represent a clear and present danger to the stability of the computing environment and must be located and addressed.

Strategies for locating these rogue servers:

  1. Implement active port scanning of the address space to identify servers that are running unapproved services. Excellent scanning tools are available, such as the Internet Security Scanner from Internet Security Systems.

  2. Implement passive port scanning using network monitoring tools, such as remote network monitors. This is less intrusive and taxing to the network than active port scanning, but in many cases it will not identify as many rogue servers as active monitoring.

  3. Increase the number of random audits that are done in person. These audits can be automated to increase the number of machines that can be covered.

Recommendation: Microsoft recommends that customers implement a management plan for approved test and development systems that are not currently managed.

The same basic principles used to ensure security for production Internet and intranet systems should be applied to test and development systems.

Strategies for management of test and development systems:

  1. Establish clear delineation between production and test environments by creating dedicated test and development environments that are managed as if they were for production. This strategy is less convenient for application developers because they must use the test and development environments instead of using their local production systems, but it is necessary to implement.

  2. If a dedicated test and development environment is not a viable option, then a process should be put in place that allows application developers and business units to request an exception, so that a standalone test environment can be established on a separate network.

Security from the Start

Ensure all systems that have access to the production and test networks are deployed securely. This process starts by ensuring an internal organization is responsible to create, deploy, and maintain a secure base IIS image.

Recommendation: Microsoft recommends that customers establish a base image for the relevant environments and an automated installation process for the image.

Different images may be required for the Internet and intranet space, but the basic security mechanisms should be integrated into the design from the beginning.

Strategies to incorporate security mechanisms:

  1. Follow the Microsoft recommendations for securely deploying IIS 4.0 and 5.0 as outlined in the document "Secure Internet Information Services 5 Checklist"

  2. Use the IISLockdown Tool for IIS 4.0 and 5.0. This tool provides an automated way to implement the recommendations outlined in the IIS 4.0 and 5.0 checklists.

  3. Integrate the URLScan tool into the base image. This tool protects Web servers by ensuring that servers only respond to valid requests and ensuring that invalid requests never make it to the Web server.

  4. Update the base image regularly to include the latest service packs and hotfixes.

  5. Check servers coming out of the build process immediately by either scanning them or running the hotfix checking tool as the last step.

Keeping the Systems Secure

The process to ensure the secure configuration of systems does not stop with the successful deployment of a server. Security is a process that requires the daily attention of security and operations staff.

Recommendation: To ensure that deployed servers maintain the appropriate level of security, Microsoft recommends that customers implement the following:

  1. Ensure the latest hotfixes are applied to all managed systems in the environment. This process can be simplified by the use of the HFNetChk tool, which enables a system administrator to check the patch status of all the machines in a network from a central location. The tool is also available in a full-featured version that adds significant flexibility to monitor hotfix compliance.

  2. Regularly install updated anti-virus signature files from your anti-virus vendor.

  3. Incorporate into the security management plan active scans and random audits of systems throughout the company.

  4. Encourage users to use the Microsoft Personal Security Advisor Web application. This tool provides information to help users identify systems that have security vulnerabilities. Uses should be encouraged to report the results to Corporate Information Security.

  5. Monitor on a daily basis security bulletins issued by the Microsoft Security Response Center. The Security Response Center alerts customers to vulnerabilities by email or postings to

Monitor on a daily basis an open Internet mailing list maintained by the security focus group. The mailing list address is

Responding to a Crisis

It is critical that the customer establish a rapid response team that is integrated with its Technical Account Managers, if available, from PSS.

Recommendation: At a minimum, Microsoft recommends that the customer's rapid response team should include representatives from security, server management, network management, desktop management, and the help desk.

A high-level plan should be created to address the following:

  1. When an emergency that requires the rapid response team is triggered

  2. Who can call the team into action

  3. How each member of the team and/or their backups can be contacted

  4. A standing agenda that identifies the threat and associated vulnerabilities, tactical strategy for blocking or mitigating damage, a time for reconvening the team, and a post-mortem