Windows Tip Sheet
Power Brakes for IIS
Prevent Internet Information Server from being installed automatically.
I have a client who's in the middle of upgrading a bunch of their servers
to Win2003. One of the things they like is that Windows 2003 doesn't install
IIS by default; they only use IIS on a couple of machines, and minimizing
the number of machines that have IIS installed helps cut down on maintenance
overhead (IIS does, after all, get patched a lot to cover security vulnerabilities).
They ran into a funny situation, though: An administrator who didn't know
any better installed IIS on a bunch of the servers because he thought
it was a pre-req for something else he was installing. Whoops! So while
it's nice that IIS isn't installed by default, there really should be
a way to keep it from being installed at all.
And the Answer is…
There is a way! You could, for example, configure a GPO that prevents
the IIS Admin service from starting (by setting its startup status to
Disabled). That's not a terrible solution, but it still leaves the door
open to an administrator — perhaps a malicious one, even — who
changes the startup type and starts the service anyway. Windows 2003 does,
however, provide a better solution in the form of a GPO setting that prohibits
IIS from even being installed. The following figure shows the policy
setting in the GPO editor.
[Figure: The GPO setting that prevents IIS from being installed.]
Simply configure this policy setting and link that GPO wherever
you want it to apply. Every Windows 2003 and later computer affected by the GPO
will no longer allow IIS to be installed, period. There's no way to override
it without modifying the GPO or moving the server's domain computer account
so that it's no longer affected by the GPO.
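An added example, not from the original article: a PowerShell check to run on each server to confirm the policy has taken effect and to spot IIS already installed where it should not be. The registry location of the policy (`PreventIISInstall` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\IIS`) and the host names `WEB01` and `WEB02` are assumptions, not taken from the article.

```powershell
# Added example: audit the local machine for IIS and for the install-blocking policy.
# Assumption: the policy is stored as DWORD PreventIISInstall = 1 under the key below.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\IIS'
$PolicyValue = 'PreventIISInstall'
# Service names for IIS Admin and World Wide Web Publishing
$IisServices = 'IISADMIN', 'W3SVC'

function Get-IisPolicyState {
    # True only when the policy value exists and is set to 1
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyValue -eq 1)
}

function Get-IisAuditResult {
    # Hypothetical allow-list: the few machines that are supposed to run IIS
    param([string[]]$ApprovedWebServers = @())

    $blocked  = Get-IisPolicyState
    $services = @(Get-Service -Name $IisServices -ErrorAction SilentlyContinue)
    $approved = $ApprovedWebServers -contains $env:COMPUTERNAME

    if ($services.Count -gt 0 -and -not $approved) {
        $finding = 'IIS present on a server that is not an approved web server'
    } elseif ($services.Count -eq 0 -and -not $blocked -and -not $approved) {
        $finding = 'IIS absent, but the policy is not applied: installation is still possible'
    } elseif ($blocked -and $approved) {
        $finding = 'Approved web server is inside the scope of the blocking GPO'
    } else {
        $finding = 'OK'
    }

    # One record per machine, suitable for collecting into a report
    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        InstallBlocked = $blocked
        IisServices    = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        Finding        = $finding
    }
}

Get-IisAuditResult -ApprovedWebServers 'WEB01', 'WEB02'
```

The first finding catches installs like the one described above that happened before the GPO was linked; the second catches servers whose computer account sits outside the GPO's scope.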
Micro Tip Sheet
IIS 6.0 is installed by default on only one version
of Win2003: Web Edition. But you can't buy Web Edition
through retail channels; you have to buy it bundled
with a Web server or buy it through certain Microsoft
volume licensing programs.
Protect your IIS servers from a broader range of
attacks by putting them behind a firewall and reverse
proxying incoming Web traffic, rather than simply passing
it through the firewall. Products like Microsoft's Internet
Security and Acceleration (ISA) Server 2000 support
reverse proxying.
More Resources
Read about other changes to IIS' security philosophy: http://www.eweek.com/article2/0,4149,1499143,00.asp
What's new and changed in IIS 6.0: www.deltaguideseries.com
Top 5 Q&A on IIS: https://www.microsoft.com/technet/community/columns/insider/iisi0603.mspx
About the Author
With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.