Windows Tip Sheet

Power Brakes for IIS

Prevent Internet Information Server from being installed automatically.

I have a client who's in the middle of upgrading a bunch of their servers to Win2003. One of the things they like is that Windows 2003 doesn't install IIS by default; they only use IIS on a couple of machines, and minimizing the number of machines that have IIS installed helps cut down on maintenance overhead (IIS does, after all, get patched a lot to cover security vulnerabilities). They ran into a funny situation, though: An administrator who didn't know any better installed IIS on a bunch of the servers because he thought it was a pre-req for something else he was installing. Whoops! So while it's nice that IIS isn't installed by default, there really should be a way to keep it from being installed at all.

And the Answer is…
There is a way! You could, for example, configure a GPO that prevents the IIS Admin service from starting (by setting its startup status to Disabled). That's not a terrible solution, but it still leaves the door open to an administrator — perhaps a malicious one, even — who changes the startup type and starts the service anyway. Windows 2003 does, however, provide a better solution in the form of a GPO setting that prohibits IIS from even being installed. The following figure shows the GPO editor showing the policy setting.

[Figure: The GPO setting that prevents IIS from being installed.]

Simply configure this policy setting and link that GPO wherever you want it. Every Windows 2003 and later computer affected by the GPO will no longer allow IIS to be installed, period. There's no way to override it without modifying the GPO or moving the server's domain computer account so that it's no longer affected by the GPO.
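To confirm the setting actually reached a server, and to catch machines where IIS is already present, a local audit can check both the policy value and the IIS services. This is an added example, not code from the original article: the function name is hypothetical, and it assumes the "Prevent IIS installation" policy is stored as the DWORD PreventIISInstall under the policy key shown (verify against your ADMX/ADM template) and that PowerShell 5.0 or later is available.

```powershell
# Added example: audits one server for the two controls discussed above.
# Assumption: the policy is stored as the DWORD PreventIISInstall under this key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\IIS'
$PolicyName = 'PreventIISInstall'

function Get-IisInstallGuardStatus {
    # A missing key or value means the policy is not configured on this machine.
    $policy  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $blocked = ($null -ne $policy) -and ($policy.$PolicyName -eq 1)

    # IISADMIN (IIS Admin) and W3SVC (World Wide Web Publishing) exist only
    # once IIS components have been installed.
    $services = Get-Service -Name 'IISADMIN', 'W3SVC' -ErrorAction SilentlyContinue

    $finding = if ($services -and $blocked) {
        'Review: IIS present on a server where install is prohibited'
    } elseif ($services) {
        'IIS present and install policy not applied'
    } elseif ($blocked) {
        'Compliant: IIS absent and install prohibited'
    } else {
        'Gap: IIS absent but nothing prevents a later install'
    }

    # StartType shows whether a "Disabled" startup setting is still in place
    # or has been changed back by an administrator.
    $serviceState = ($services | ForEach-Object {
        '{0}={1}/{2}' -f $_.Name, $_.Status, $_.StartType
    }) -join ', '

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        InstallProhibited = $blocked
        IisServices       = $serviceState
        Finding           = $finding
    }
}

Get-IisInstallGuardStatus | Format-List
```

Running `gpresult` on the same server shows which GPO delivered the setting, which helps when a computer account has been moved out of the GPO's scope.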

Micro Tip Sheet

IIS 6.0 is installed by default on only one version of Win2003: Web Edition. But you can't buy Web Edition through retail channels; you have to buy it bundled with a Web server or buy it through certain Microsoft volume licensing programs.

Protect your IIS servers from a broader range of attacks by putting them behind a firewall and reverse proxying incoming Web traffic, rather than simply passing it through the firewall. Products like Microsoft's Internet Security and Acceleration (ISA) Server 2000 support reverse proxying.

More Resources
Read about other changes to IIS' security philosophy: http://www.eweek.com/article2/0,4149,1499143,00.asp

What's new and changed in IIS 6.0: www.deltaguideseries.com

Top 5 Q&A on IIS: https://www.microsoft.com/technet/community/columns/insider/iisi0603.mspx

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
