Checklist: How to Hardening IIS Servers

Checklist: How to Hardening IIS Servers

Web  site and application code is becoming progressively more intricate. Dynamic Web sites and applications might contain defective code that leaks memory or causes errors such as access violations. Therefore, a Web server Application must be able to handle active manager of the application and able to handle runtime error and detect send response automatically to application server.

Microsoft includes unique capabilities for server administrators intended to appeal to Internet service providers (ISPs). It includes a single window (or “console”) from which all services and users can be administered. It’s intended to be simple to add components as snap-ins that you didn’t at first install. The administrative windows can be customized for access by individual custom

Use the following checklists given below to ensure that you have correctly implemented all security settings and actions given

Configuring Active Directory IIS Server OU Structure

  • Create the IIS Servers OU.
  • Create the Incremental IIS Server Policy
  • Link the GPO to the IIS Servers OU
  • Import the security template for the corresponding client environment into the newly created GPO.

IIS Server Hardening Steps:

Install and configure Windows Server 2003.

Install and configure IIS services:

  • Install only necessary IIS components.
  • Enable Only Essential Web Service Extensions.
  • Place Content on a Dedicated Disk Volume.
  • Configure NTFS permissions.
  • Configure IIS Web Site permissions.
  • Configure IIS logging.

Apply any required service packs and/or updates.

Install and configure a virus protection solution.

Install and configure MOM agents or similar monitoring solution as required.

Move appropriate server to the corresponding IIS Servers OU.

  1. Secure well-known accounts           Rename the built-in Administrator account, assign a complex password. Ensure      Guest account is disabled. Change default account description.

Secure services accounts.

Consider implementing IPSec Filters.

Verify Incremental IIS Server Policy has replicated between domain controllers.


Restart the server.

Check the Event Logs for errors.

Source by Andrew Demmy

Leave a Reply