Locking down website/ IIS

I'm setting up a website using MS Server 2003 IIS.

I want to make sure it's secure. Anyone have any tips, good reads, links etc on the procedures needed to secure this?



Okay, well, I know that 2003 first installs in a "secure" mode, meaning that it's closed. You'll have to end up opening a thing here and there to maybe get it working normally. (Locked mode is what it's called.)

Help you ID different areas on the server to help harden it.



A few articles to read over, to help educate you more.


There's a free book floating around out there from Jason Coombs on IIS Security.

Thanks for the input, Fin and Rob. I'll check those out.

And don't forget to check your box against Nessus or some other security auditing tool, because it's what kiddies are going to use to find the holes too. And a good IPS is always a good precaution to use since you're not going to be able to keep up with M$ and their daily patch

These days, kiddies just fire the exploit blind.

Check out the National Security Agency's guides, they're pretty good too, though they lock down too much sometimes, so depending on the functionality you need, pick and choose certain things they recommend.


They have a guide for IIS? I thought about suggesting that, but I thought they didn't have an IIS guide.

Kiddies might shoot them blind, but you should know what exploit will actually work against your box. ;-)

IIS Lockdown & Baseline Security Analyzer - 2 must-have security tools.



Sorry, too lazy to make the A tags. :-)