The moment you install IIS on your Windows 2000 or Windows 2003 Server, the first thing that comes to your mind is the word "security". Obviously, when you have your web server connected to the Internet, security becomes the prime concern. Windows 2000 Server comes with IIS 5.0, while Windows 2003 comes with IIS 6.0, which is a far better version compared to its older version. In the first place, IIS 6.0 is locked down by default when it is set up on Windows 2003 Server. By locked down we mean that only the basic components required to run a web server are enabled. Moreover, the concept of Application Pools also helps to secure the server further, but we will not be talking about all those extras in this article.

Here we are covering some basic steps which are common to both IIS 5.0 and IIS 6.0 and would help to secure the web server:

NTFS File System: Make sure all the disk partitions are formatted with NTFS, since the NTFS file system has improved support for disk performance, reliability, disk utilization and access control lists (ACLs).

Use Strong Passwords: Ensure that you follow a policy of using strong passwords which are built with alphanumeric combinations and are at least 8 characters long. No security hardware or software, and no configuration, will help if your administrator passwords are simple and easy to guess.

Disable Unnecessary Services: There are many services in Windows that can be disabled if they are not being used. For example, if you do not require SNMP, which is used for monitoring, it is advisable to put this service either in a Manual or Disabled state.

Rename Administrator Account: Windows by default creates an account called "administrator" which has Full Access throughout the server. It is best to rename this user to something else with a strong password. To fool automated tools which try to crack passwords, you can go a step further and create another account with the name "administrator" and provide it with No Access.

Firewall: If you are tight on budget, use the firewall that comes built-in with Windows, or else go ahead and buy a software firewall.
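As an added example (not part of the original article), the following read-only PowerShell script audits a server against the five steps above. It assumes Windows PowerShell 2.0 or later with WMI access, an English-language `net accounts` output, and local administrator rights; the firewall check uses `Get-NetFirewallProfile`, which only exists on newer Windows versions, so it is skipped where that cmdlet is absent.

```powershell
# Added audit script (not from the original article). Assumes Windows
# PowerShell 2.0+ with WMI, run locally as an administrator. It only reports
# findings; it changes nothing.

$findings = @()

# 1. NTFS: every fixed disk (DriveType 3) should report FileSystem = NTFS.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
    if ($_.FileSystem -ne 'NTFS') {
        $findings += "Volume $($_.DeviceID) is $($_.FileSystem), not NTFS (no ACL support)"
    }
}

# 2. Strong passwords: the article asks for at least 8 characters; read the
#    minimum length the local policy actually enforces (assumes English output).
$minLen = (net accounts | Select-String 'Minimum password length') -replace '[^0-9]', ''
if (-not $minLen -or [int]$minLen -lt 8) {
    $findings += "Minimum password length is '$minLen' (article recommends at least 8)"
}

# 3. Unnecessary services: SNMP is the article's example; flag it when it is
#    still set to start automatically.
$snmp = Get-WmiObject Win32_Service -Filter "Name = 'SNMP'"
if ($snmp -and $snmp.StartMode -eq 'Auto') {
    $findings += "SNMP service is set to Auto start (set to Manual or Disabled if unused)"
}

# 4. Renamed Administrator: the built-in account keeps a SID ending in -500
#    whatever it is called, so look it up by SID rather than by name.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True" |
    Where-Object { $_.SID -like '*-500' }
if ($builtin -and $builtin.Name -eq 'Administrator') {
    $findings += "Built-in administrator (SID *-500) still uses the default name"
}

# 5. Firewall: where the NetSecurity module exists, every profile should be on.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings += "Windows Firewall profile '$($_.Name)' is disabled"
    }
}

if ($findings.Count -eq 0) { "All five checks passed" } else { $findings }
```

The decoy "administrator" account the article suggests is not something this script can tell apart from the real one by name, which is exactly why the check keys on the well-known -500 SID.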