Configure Web Server Security (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
For enhanced security, IIS 7 is not installed on Windows Server® 2008 by default. When you install IIS 7, your Web server is configured to serve only static content. This includes HTML and image files.
The following list describes new security features in IIS 7 and briefly explains their benefits:
A new Windows built-in group named IIS_IUSRS replaces the local IIS_WPG group. A new Windows built-in account called IUSR replaces the local IUSR_MachineName anonymous account from IIS 6.0. However, the IUSR_MachineName account will continue to be used for FTP. These changes combine to offer four benefits.
Ability to use a custom anonymous account without disabling the IIS anonymous account.
Maintenance of consistent access control lists (ACLs) across several Web servers by using a common Security Identifier (SID).
Improvement of the DCPROMO process by making sure that the local anonymous account does not become a domain account.
Elimination of the need to manage passwords.
The IP restriction list can be configured to deny content access by a single computer, a group of computers, a domain, or all IP addresses and unlisted entries. This provides support for inheritance and merging of IP restriction rules in addition to IIS 6.0 grant/deny support.
Features of the UrlScan 2.5 security tool are incorporated in IIS 7. This removes the requirement to download a separate tool.
IIS 7 supports URL authorization in native code. For consistency, this change provides support for all the functionality of the existing ASP.NET managed code implementation.
Use the following tasks to configure security features in IIS 7: