Install and Configure IIS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services

Before installing WSUS, make sure you have Internet Information Services (IIS) installed. By default, WSUS uses the default Web site in IIS. WSUS Setup also gives you the option of creating a Web site on a custom port.

If the IIS service (W3SVC) is stopped during WSUS installation, WSUS Setup starts the service. Likewise, if you install WSUS to the default Web site and the site is stopped, WSUS Setup starts it.

To install IIS on Windows Server 2003

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. In the Components list, click Application Server.

  4. Click OK, click Next, and then follow the instructions on the screen.

IIS Lockdown Tool

The information about IIS Lockdown Wizard can vary, depending on whether you are using Windows Server 2003 or Windows 2000 Server. No matter which operating system you use, if you decide to use IIS Lockdown Tool on a server running WSUS, and you elect to use the URLScan tool, then you must edit the Urlscan.ini file to allow *.exe requests.

After you edit this file, you must restart both IIS and the WSUS server. You can find the Urlscan.ini file in the \WINNT\System32\Inetserv\Urlscan folder on the boot drive of your computer.

To edit the Urlscan.ini file

  1. Open Urlscan.ini in a text editor.

  2. Remove ".exe" from the [DenyExtensions] section.

  3. Ensure that the following settings appear under the [AllowVerbs] section:

    • GET

    • HEAD

    • POST

    • OPTIONS

Windows Server 2003 and IIS Lockdown Tool

You do not need to run the IIS Lockdown Wizard on computers running Windows Server 2003, because the functionality is built into that operating system.

Windows 2000 Server and IIS Lockdown Tool

If you are running IIS on a server running Windows 2000 Server, download and install the latest version of IIS Lockdown Tool from Microsoft TechNet at https://go.microsoft.com/fwlink/?LinkId=29896. WSUS Setup does not install this tool.

Microsoft strongly recommends that you run the IIS Lockdown Wizard to help keep your servers running IIS secure. The IIS Lockdown Wizard turns off unnecessary features, thereby reducing vulnerability to attackers. If you install the IIS Lockdown Tool and the URLScan tool on a server running WSUS, you must also read and perform the steps in the following sections.

IIS Lockdown Tool and WSUS on Windows 2000

When IIS Lockdown is installed on Windows 2000, it denies Execute permissions to %windir% folder, which then causes an error in the WSUS administrative console. To recover from this error, you must manually grant Read and Execute permissions to %windir%\Microsoft.net\Framework\V1.1.4322\Csc.exe.

For more information, see this Knowledge Base article on the Microsoft Support site at https://go.microsoft.com/fwlink/?LinkId=42681.

Client Self-Update

WSUS uses IIS to automatically update most client computers to the WSUS-compatible Automatic Updates software. To accomplish this, WSUS Setup creates a virtual directory named Selfupdate, under the Web site running on port 80 of the computer where you install WSUS. This virtual directory, called the self-update tree, contains the WSUS-compatible Automatic Updates software. The earlier Automatic Updates software included with SUS can only update itself if it finds the self-update tree on a Web server running on port 80.

If you have Microsoft Windows XP without any service packs in your organization, you can find more information about the limitations of the client self-update feature in the "Updating Automatic Updates in Windows XP with no service packs" section in Update Automatic Updates.

Using the WSUS Custom Web Site

If you put the WSUS Web site on a custom port, you must have a Web site running on port 80. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS only uses the site on port 80 to host the self-update tree.

Malicious programs can target the default port for HTTP traffic (port 80). If WSUS is using a custom port, you can temporarily shut down port 80 throughout your network, but still be able to distribute updates to combat malicious programs. For this reason, some administrators find it helpful to have the WSUS Web site on a custom port.

If you already have a Web site on the computer where you intend to install WSUS, you should use the setup option for creating a custom Web site. This option puts the WSUS Web site on port 8530. This port is not configurable. If you are installing WSUS on a computer with a SUS installation, WSUS Setup will only let you install WSUS using the custom port. For more information about SUS to WSUS migration, see Migrate from a SUS Server to a WSUS Server later in this guide.

Note

If you change the port number after WSUS installation, in order to access the WSUS administration console from a shortcut, you have to create a new shortcut on your Start menu with the new URL. See Help and Support in Windows Server 2003 for instruction on creating shortcuts.
If you change the WSUS port number after WSUS installation, you must manually restart the IIS service.

Accessing WSUS on a Custom Port

Because the custom WSUS Web site is not on port 80, you must use a custom URL to access the WSUS console and Web service. Use the following instructions to access the WSUS Web site and to configure WSUS when it is running on port 8530.

  • Include a custom port number in the URL directing the client computer to the WSUS server—for example, https://WSUSServerName:portnumber.

  • For more information about pointing client computers to the WSUS server, see Determine a Method to Configure Automatic Updates Clients later in this guide.

  • Include a custom port number in the URL for accessing the WSUS console—for example, https://WSUSServerame:portnumber/WSUSAdmin/.

  • If you set up any WSUS servers downstream of a server that uses a custom port number, you must enter the custom port number on the WSUS console on the downstream WSUS server. You do not form a URL to make this connection.

    You can find instructions for connecting a downstream WSUS server to an upstream WSUS server in Chain WSUS Servers Together.