CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Now that you have a hardened Windows 2003 Server running IIS 6.0, you can focus on a few basic security configurations. The information in this chapter will help you secure your newly deployed IIS 6.0 server, provide you with a basic understanding of new security changes in IIS 6.0, and prepare you for the more advanced configurations discussed in Chapter 5.
Enabling and Disabling Web Service Extensions
Configuring Multipurpose Internet Mail Extensions
Configuring IP Address Restrictions
Setting Website Permissions
Securing Web Resources
Enabling and Securing Web Access Log Files
By the end of this chapter, you will understand how to secure your Web server by enabling only the required dynamic application extensions and configuring Multipurpose Internet Mail Extensions (MIME) types. You will also understand how to prevent unwanted resource access by configuring website properties and NT File System (NTFS) permissions.
In order to take a more proactive stance against malicious attacks, IIS 6.0 is not installed by default on most operating systems in the Windows Server 2003 family (the exception is Windows Server 2003 Web Edition). Furthermore, once you do install IIS, its default behavior is to serve only static content (such as Hypertext Markup Language (HTML) and image files), and to block all requests to dynamic applications. If you want IIS to run dynamic applications, you can configure it by creating web service extension access lists, which control the type of dynamic content that the IIS server will provide to its clients.
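As an added illustration of that access list (example code, not from the book), the following Python script audits web service extension entries in the format IIS 6.0 stores them in the metabase's WebSvcExtRestrictionList property and flags anything enabled beyond what the server's applications need. The sample entries are constructed, and the property name and entry layout are assumed from the IIS 6.0 metabase rather than taken from this chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in the metabase's WebSvcExtRestrictionList entry format:
#   "status,path[,ui_deletable,group_id,description]"  with status 1 = Allowed, 0 = Prohibited.
# The "*.dll" and "*.exe" entries are the "All Unknown ISAPI/CGI Extensions" switches.
SAMPLE_LIST = [
    "0,*.dll",
    "0,*.exe",
    "1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages",
    "0,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,0,SSINC,Server Side Includes",
    "1,C:\\WINDOWS\\system32\\msw3prt.dll,0,W3PRT,Internet Printing",
]


@dataclass
class Extension:
    allowed: bool
    path: str
    group_id: str      # empty for the two wildcard entries
    description: str


def parse_entry(entry: str) -> Extension:
    """Parse one list entry; maxsplit keeps any commas inside the description intact."""
    fields = entry.split(",", 4)
    if len(fields) < 2 or fields[0] not in ("0", "1"):
        raise ValueError(f"malformed entry: {entry!r}")
    group_id = fields[3] if len(fields) > 3 else ""
    description = fields[4] if len(fields) > 4 else fields[1]
    return Extension(fields[0] == "1", fields[1], group_id, description)


def audit(entries: List[str], required_groups: Set[str]) -> Dict[str, List[str]]:
    """List what is enabled and report anything the deployed applications do not need."""
    report: Dict[str, List[str]] = {"allowed": [], "findings": []}
    for ext in (parse_entry(e) for e in entries):
        if not ext.allowed:
            continue
        report["allowed"].append(ext.description)
        if ext.path == "*.dll":
            report["findings"].append("all unknown ISAPI extensions are allowed")
        elif ext.path == "*.exe":
            report["findings"].append("all unknown CGI extensions are allowed")
        elif ext.group_id not in required_groups:
            report["findings"].append(f"{ext.description} ({ext.group_id}) is enabled but not required")
    return report


if __name__ == "__main__":
    # Only ASP is required by the (hypothetical) applications on this server.
    for key, values in audit(SAMPLE_LIST, {"ASP"}).items():
        print(key, values)
```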