Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: IIS Lockdown  (Read 4936 times)


nirmal (Jr. Member, Posts: 56)
IIS Lockdown
« on: November 17, 2013, 02:55:22 pm »
Hi guys,

Secure Windows server with IIS Lockdown

Download and install the IIS Lockdown Wizard

Step 1) Double-click the executable file that you downloaded in the Prepare to run the IIS Lockdown Wizard section to start the wizard.

Step 2) On the Welcome page, read the explanatory text, and then click Next.

Step 3) On the License Agreement page, read the license agreement, click I Agree, and then click Next.

Step 4) On the Select Server Template page, select the template that most closely matches the role of this server, and then click to select View Template Settings. The pages that follow this have options already selected based on the role of the server that you selected on the previous page, so you can use all of the default selections.

Step 5) If the server has multiple roles (for example, a dynamic Web server that is also a proxy server), click to select Other (Server that does not match any of the listed roles), and make sure that you carefully consider all the options that are presented on the following pages, because the default selections may not be appropriate for your server. When you have selected the appropriate settings, click Next.

Step 6) On the Internet Services page, select the services that you want your server to provide. Most servers require the Web service. If you do not want your server to provide File Transfer Protocol (FTP) or Simple Mail Transfer Protocol (SMTP) services (that is, file transfer or e-mail services), you can click to clear these options. Note that you must leave SMTP selected if you are running Exchange or Small Business Server.

Step 7) The services that you do not select on this page are set to Disabled and cannot start. If you are running the Lockdown Wizard on IIS 5.0, you can also click to select Remove unselected services, which completely removes the services that you did not select from your system. When you have selected the appropriate settings, click Next.

Step 8) On the Script Maps page, click to clear the check box next to any file type or file types that you want your server to provide. If you are not sure what to disable, you can search your content directories to find out if those file name extensions exist. Note that most servers require Active Server Pages (.asp), so you must click to clear that check box unless you are sure that your server does not serve ASP pages. Click Next.

Step 9) On the Additional Security page, select the virtual directories that you want to remove from this server. These virtual directories are installed by default with IIS, so they are well-known targets for attackers and you might want to remove these virtual directories or rename them on production computers. Removing these virtual directories from IIS does not remove the corresponding physical directories on the disk, so you do not lose any data by selecting this option.

Step 10) On the Additional Security page, click to select Running system utilities if you want to deny rights on executable files in the Windows directory to the Internet guest account (by default, IUSR_<computername>). This option should be selected on most systems.

Step 11) On the Additional Security page, click to select Writing to content directories if you want to deny Write rights to the Internet guest account on the directories that contain your Web content. Make sure that you leave this option unselected if you are using FrontPage Server Extensions on this server or if this server functions as a proxy server.

Step 12) On the Additional Security page, click to select Disable Web Distributed Authoring and Versioning (WebDAV) if you are not using WebDAV to create and deploy Web content on this server. If this server runs Outlook Web Access (OWA) for Exchange 2000, make sure that you leave this option unselected.

NOTE: If you select this option, the Lockdown Wizard sets the rights on the DLL that implements WebDAV functionality (Httpext.dll) to deny execute permission. This may still permit certain WebDAV requests to execute. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 307934 Locking down WebDAV through ACL still allows PUT and DELETE requests

Click Next.

Step 13) On the URLScan page, select the option to install URLScan if you want to use URLScan to filter out incoming requests based on a set of rules. If a client tries to make a request that is not valid based on the URLScan rules, IIS replies with a 404 File Not Found error and logs the request in the URLScan log file. By default, this file is located in %WINDIR%\System32\Inetsrv\Urlscan\Urlscan.log.

Note: If you leave WebDAV enabled on the Additional Security page but you decide to install URLScan, note that URLScan blocks WebDAV requests by default. You must modify the Urlscan.ini file if you want to use WebDAV with URLScan.

Step 14) On the Ready to Apply Settings page, review the changes that will be made, and then click Next.

The Lockdown Wizard backs up your metabase and makes the selected changes. When this process has completed, click View Report to see a report that describes the changes that the wizard has made. Click Next to continue.

Note: You can see the installation report by opening %WINDIR%\System32\Inetsrv\Oblt-rep.log in Notepad.

Step 15) Click Finish to close the IIS Lockdown Wizard.

Fully test all functionality of your server. This step is very important. If you discover that you have accidentally disabled required functionality of your server, immediately roll back the changes that the Lockdown Wizard made, and then rerun the wizard to select the correct options. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 317052 How to undo changes made by the IIS Lockdown Wizard
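As an added illustration of the Urlscan.ini note in Step 13 (this is not part of nirmal's post and not the file the Lockdown Wizard actually writes), here is a constructed fragment showing the sections and keys that determine why URLScan blocks WebDAV out of the box. The values follow the commonly documented defaults but are assumptions; compare them with the Urlscan.ini installed on your own server before relying on them.

```ini
; Constructed Urlscan.ini fragment (added example, not the shipped file).
; Lines starting with ";" are comments. Only the sections relevant to
; the WebDAV behaviour described in the post are shown.

[Options]
; 1 = only verbs listed in [AllowVerbs] are accepted (allow-list model)
UseAllowVerbs=1
; 0 = any extension is served except those in [DenyExtensions]
UseAllowExtensions=0
; canonicalise the URL before the rules are applied, and reject it if a
; second normalisation pass would change it again
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
; rejected requests go to Urlscan.log in the Urlscan directory
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
; With UseAllowVerbs=1 this list is authoritative. WebDAV verbs such as
; PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK are absent,
; so they are rejected with a 404 and logged. Allowing WebDAV means
; adding the verbs it needs here (assumption: your WebDAV client uses
; the standard RFC 2518 verbs).
GET
HEAD
POST

[DenyVerbs]
; Consulted only when UseAllowVerbs=0. Keeping the WebDAV verbs listed
; here means they stay blocked even if the model is later switched to
; a deny list.
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]
; Request headers typical of WebDAV clients. A request carrying any of
; these is rejected regardless of the verb, so a WebDAV deployment has
; to remove the relevant entries here as well as extend [AllowVerbs].
Translate:
If:
Lock-Token:
Transfer-Encoding:
```

After editing Urlscan.ini the IIS service has to be restarted for the change to take effect, and the Urlscan.log path given in Step 13 is where to confirm that legitimate WebDAV requests are no longer being rejected.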