Dr. Tom Shinder's ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks

Chapter 13: Keeping Your IIS Web Servers Safe

Introduction

IIS security is a topic that nearly every Windows administrator will eventually face. For many companies, their IIS server is the one that takes all the beating from hackers. With anonymous visitors from around the world accessing the server, the challenge is to make sure that only designated files and programs can be accessed. The process of securing an IIS server is not difficult, but failing to follow procedure consistently can leave the server vulnerable.

IIS can be extraordinarily secure, but that largely depends on the commitment of the system administrator. While IIS in its default installation state is completely insecure, most successful attacks are not the fault of IIS. Rather, most attacks occur due to the failure of an administrator to keep a server patched or to implement proper security measures.

One of the primary challenges faced by an IIS/ISA Server administrator is balancing security with access. You can make your published Web sites so secure that no hacker or other miscreant will be able to compromise them. The problem is that legitimate users won't be able to access the sites either! Securing IIS often hobbles functionality. If you have problems with your ISA Server Web Publishing Rules, you should first check that a "security fix" didn't cause you to DoS your own machine.

We always recommend that you test all your ISA Server configurations in the lab before bringing them to the production network. This is especially true for security configurations. You might be aware of the tragic effects...
