3.2. Securing IIS

The following sections cover the two major ways in which you can secure an IIS server. The first step is to reduce the number of entry points to the server. The second step is to set up your Web root on a non-system drive.

3.2.1. Reducing the server's footprint

The first major step in securing your IIS server is to reduce the server's footprint, or the number of entry points to your server, on the Web. The server should have as few points of entry to the outside world as possible; every open port is an opportunity for a cracker. A good rule is that if you don't absolutely need a port to be open, you should explicitly close it.

If you're running a dedicated server that you administer locally, you should start by disabling SMB and NetBIOS. Disabling these network protocols blocks the server from acting as a file/print server. It also prevents the server from being administered over the network. If you need to administer the server remotely, you can't disable these services completely, so disable any sub-components that you don't need, such as NNTP, SMTP, FTP, BITS, Internet printing, and so on. By default, most of these services come disabled.

Follow these steps to disable unneeded services:

  1. Choose Start → Administrative Tools → Services MMC.

    In the Services window that ...
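The same footprint reduction can be scripted and audited instead of clicked through in the Services MMC. The following PowerShell script is an added example, not code from the book: it lists the TCP ports the server is listening on, reports each network adapter's NetBIOS setting, and stops and disables the unneeded services named above. The Windows service names in `$UnneededServices` are assumptions about the default names for those components; run it in an elevated PowerShell session, and leave `$DryRun` set to `$true` until the report looks right.

```powershell
# Added example (not from the book): audit open ports, then disable
# the unneeded services the text lists. Requires an elevated session.
$DryRun = $true   # set to $false to actually stop and disable services

# Assumed default service names for the components named in the text.
$UnneededServices = @(
    'NntpSvc',   # NNTP
    'SMTPSVC',   # SMTP
    'MSFtpsvc',  # FTP Publishing
    'BITS',      # Background Intelligent Transfer Service
    'Spooler'    # Print Spooler, which Internet Printing depends on
)

function Get-ListeningPorts {
    # One row per listening TCP socket, with the process that owns it,
    # so every open port can be traced back to a service that needs it.
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
}

function Get-NetbiosSetting {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
}

function Disable-UnneededService {
    param([string[]]$Names, [bool]$WhatIf)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host "${name}: not installed, nothing to do"; continue }
        if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
            Write-Host "${name}: already disabled"; continue
        }
        if ($WhatIf) { Write-Host "${name}: would stop and disable"; continue }
        Stop-Service -Name $name -Force -ErrorAction Stop   # -Force also stops dependents
        Set-Service -Name $name -StartupType Disabled       # keep it off after reboot
        Write-Host "${name}: stopped and set to Disabled"
    }
}

Write-Host 'Listening TCP ports:';  Get-ListeningPorts  | Format-Table -AutoSize
Write-Host 'NetBIOS per adapter:';  Get-NetbiosSetting  | Format-Table -AutoSize
Disable-UnneededService -Names $UnneededServices -WhatIf $DryRun
```

Re-run `Get-ListeningPorts` after the changes to confirm that the only remaining listeners are the ones the Web server itself needs.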
