Windows Tip Sheet

Power Brakes for IIS

Prevent Internet Information Server from being installed automatically.

I have a client who's in the middle of upgrading a bunch of their servers to Win2003. One of the things they like is that Windows 2003 doesn't install IIS by default; they only use IIS on a couple of machines, and minimizing the number of machines that have IIS installed helps cut down on maintenance overhead (IIS does, after all, get patched a lot to cover security vulnerabilities). They ran into a funny situation, though: An administrator who didn't know any better installed IIS on a bunch of the servers because he thought is was a pre-req for something else he was installing. Whoops! So while it's nice that IIS isn't installed by default, there really should be a way to keep it from being installed at all.

And the Answer is…
There is a way! You could, for example, configure a GPO that prevents the IIS Admin service from starting (by setting its startup status to Disabled). That's not a terrible solution, but it still leaves the door open to an administrator — perhaps a malicious one, even — who changes the startup type and starts the service anyway. Windows 2003 does, however, provide a better solution in the form of a GPO setting that prohibits IIS from even being installed. The following figure shows the GPO editor showing the policy setting.

NO IIS
The GPO setting that prevents IIS from being installed.

Simply configure this policy setting and link to that GPO to wherever you want it. Every Windows 2003 and later computer affected by the GPO will no longer allow IIS to be installed, period. There's no way to override it without modifying the GPO or moving the server's domain computer account so that it's no longer affected by the GPO.

Micro Tip Sheet

IIS 6.0 is installed by default on only one version of Win2003: Web Edition. But you can't buy Web Edition through retail channels; you have to buy it bundled with a Web server or buy it through certain Microsoft volume licensing programs.

Protect your IIS servers from a broader range of attacks by putting them behind a firewall and reverse proxying incoming Web traffic, rather than simply passing it through the firewall. Products like Microsoft's Internet Security and Acceleration (ISA) Server 2000 support reverse proxying.

More Resources
Read about other changes to IIS' security philosophy: http://www.eweek.com/article2/0,4149,1499143,00.asp

What's new and changed in IIS 6.0: www.deltaguideseries.com

Top 5 Q&A on IIS: https://www.microsoft.com/technet/community/columns/
insider/iisi0603.mspx
.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.

comments powered by Disqus
Upcoming Events

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.