Welcome to the third installment of Internet Information Services 6.0 on Windows Server 2003. This series of articles discusses IIS 6.0 on Windows Server 2003 and is designed as both a refresher for the IT professional familiar with designing and administrating IIS 4.0 and IIS 5.0, and for newcomers looking to get their feet wet.
This installment continues our introduction to Internet Information Services 6.0 on Windows Server 2003 by providing an initial overview of the differences between the default installation state of IIS 6.0 vs. that of IIS 4.0 and IIS 5.0.
Those who have administered IIS in the past, either Internet Information Server 4.0 on the NT 4 platform or Internet Information Services 5.0 on the Windows 2000 platform, are well aware of the difficulty in securing the service from would-be attackers, as both versions installed with most of the services running by default. IIS 6.0 on Windows Server 2003 is a departure from this, as all of the services are disabled by default.
As a brief overview: Internet Information Server 4.0 on the NT 4 platform was not part of the Windows NT 4 Server operating system. Rather, it was an add-on made available through the Windows NT 4 Option Pack, and it included Internet Information Server 4.0, Microsoft Transaction Server 2.0, Microsoft Message Queue Server 1.0, and Internet Connection Services for Microsoft Remote Access Service (RAS).
The Windows NT 4 Option Pack also included the Personal Web Server (PWS) for Windows 95 and Windows NT Workstation. PWS 4.0 on an NT Workstation is more limited in functionality than its NT 4 Server cousin in that it has less available functionality. Index Server, Certificate Server, Multiple Web Hosting, ODBC logging, Internet Protocol restrictions, and Process Isolation cannot be used on PWS 4.0.
Another reduction in services on Windows NT Workstation comes from the fact that Windows NT Workstation can have only 10 simultaneous inbound connections at any given time, which would thus limit the number of Web connections the Web services installed on a Windows NT workstation could have.
Over the time and with use, many exploits were discovered within the program itself. They have been fixed with service packs and hot fixes for the Windows NT 4 operating system.
The main issue with IIS 4.0 on NT 4 is the amount of time it takes to secure the underlying NT 4 server operating system by installing service pack 6a and all of the subsequent hot fixes. In addition, the default installation of IIS 4.0 enables many options that are inherently insecure if not properly configured and oftentimes are not needed for a standard Web server used for little to no dynamic content.
The default installation of IIS 4.0 included FTP, SMTP, and Web server capabilities. The Network News Transfer Protocol (NNTP) is not installed during a default installation and must be chosen intentionally.
Internet Information Services 5.0 is installed on Windows 2000 Server by default when the operating system is loaded onto server hardware. Effectively, any Windows 2000 Server build that uses the default settings, be it a Web server, file server, print server, or domain controller, is going to have the IIS 5.0 services installed, running, and listening for calls on the network.
We assume the thought process behind having IIS 5.0 install by default was for ease of use. In reality, however, it provided nothing but hassles for system administrators who needed to secure their environments. There was always the option to script out the IIS 5.0 installation during an unattended install or via initial builds for imaging, but in situations where this wasn't done, it was a larger problem.
There is also Web server functionality available for Windows 2000 Professional; however, unlike NT 4, where it is referred to as PWS 4.0 on the client, it is just called Internet Information Services 5.0 in both the Professional and Server editions.
Like on IIS 4.0, the default installation of IIS 5.0 on the Server and Professional platforms includes FTP, SMTP, and Web server functionality. NNTP is not installed during a default installation, however, and must be selected.
IIS 6.0 on Windows Server 2003 is not installed by default when the operating system is installed. When the application is installed, the default installation enables it to be a static content Web server only. ASP and ASP.NET must be explicitly installed by the administrator for dynamic content to be made available for use on the particular system. Additional functionality, such as FTP, SMTP, and NNTP, is available but must be explicitly installed.
In situations where Windows 2000 Server with IIS 5.0 installed is upgraded to Windows Server 2003, IIS 6.0 will be automatically installed as a simple static content Web server unless an administrator installed and ran the IIS Lockdown Tool or configured the RetainW3SVCStatus registry key to secure the Windows 2000 Server operating system and IIS 5.0 installation.
IIS Lockdown Tool version 2.1 turns off unnecessary features and services of IIS 4.0, 5.0, and 5.1 in an effort to reduce the available attack surface for would-be attackers. The tool can be run to secure IIS 4.0 on Windows NT 4.0 Server systems as well as IIS 5.0, which, as noted above, is installed by default on Windows 2000 Server installations. IIS 5.1, which is found under the Windows XP family of operating systems (but not installed by default), can also be locked down via the tool.
Version 2.1 of the tool can use templates supplied for Microsoft Exchange 5.5 and 2000, Commerce Server, BizTalk, Small Business Server 4.5 and 2000, SharePoint Portal Server, FrontPage Server Extensions, and SharePoint Team Server in an effort to lock down these IIS-dependent applications when they are installed and using IIS.
In effect, the base installation of IIS 6.0 does not require the additional step of running the IIS Lockdown Tool, as the default installation of IIS 6.0 is already in a locked-down state.
Many additional steps must be taken to properly lock down IIS services on older platforms, including ensuring all of the latest service packs are installed and the most recent hot fixes downloaded.
Running URLscan 2.5 is yet another part of this overall effort. UrlScan blocks specific HTTP requests in an effort to restrict the types of calls that can be made to the IIS server. It runs on all versions of IIS -- 4.0, 5.0, 5.1, and 6.0.
UrlScan provides some additional functionality to IIS 6.0 installations beyond the initial security provide by IIS 6.0. Future articles in this series will detail the differences between the features found in UrlScan 2.5 and those built into IIS 6.0.