Power Brakes for IIS
Prevent Internet Information Server from being installed automatically.
I have a client who's in the middle of upgrading a bunch of their servers
to Win2003. One of the things they like is that Windows 2003 doesn't install
IIS by default; they only use IIS on a couple of machines, and minimizing
the number of machines that have IIS installed helps cut down on maintenance
overhead (IIS does, after all, get patched a lot to cover security vulnerabilities).
They ran into a funny situation, though: An administrator who didn't know
any better installed IIS on a bunch of the servers because he thought
is was a pre-req for something else he was installing. Whoops! So while
it's nice that IIS isn't installed by default, there really should be
a way to keep it from being installed at all.
And the Answer is…
There is a way! You could, for example, configure a GPO that prevents
the IIS Admin service from starting (by setting its startup status to
Disabled). That's not a terrible solution, but it still leaves the door
open to an administrator — perhaps a malicious one, even — who
changes the startup type and starts the service anyway. Windows 2003 does,
however, provide a better solution in the form of a GPO setting that prohibits
IIS from even being installed. The following figure shows the GPO editor
showing the policy setting.
 |
| The GPO setting that prevents
IIS from being installed. |
Simply configure this policy setting and link to that GPO to wherever
you want it. Every Windows 2003 and later computer affected by the GPO
will no longer allow IIS to be installed, period. There's no way to override
it without modifying the GPO or moving the server's domain computer account
so that it's no longer affected by the GPO.
| Micro
Tip Sheet |
|
IIS 6.0 is installed by default on only one version
of Win2003: Web Edition. But you can't buy Web Edition
through retail channels; you have to buy it bundled
with a Web server or buy it through certain Microsoft
volume licensing programs.
Protect your IIS servers from a broader range of
attacks by putting them behind a firewall and reverse
proxying incoming Web traffic, rather than simply passing
it through the firewall. Products like Microsoft's Internet
Security and Acceleration (ISA) Server 2000 support
reverse proxying.
|
|
|
More Resources
Read about other changes to IIS' security philosophy: http://www.eweek.com/article2/0,4149,1499143,00.asp
What's new and changed in IIS 6.0: www.deltaguideseries.com
Top 5 Q&A on IIS: https://www.microsoft.com/technet/community/columns/
insider/iisi0603.mspx.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.