Internet Information Services and Resulting Internet Communication in Windows Server 2008

Applies To: Windows Server 2008

In This Section

Benefits and Purposes of IIS

Examples of Security-Related Features in IIS 7.0

Finding Information About Features in IIS 7.0

Procedures for Installing or Uninstalling Features in IIS 7.0

Additional References

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running Web servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Note

For servers from which you do not want to offer content on an intranet or the Internet, you do not need to remove Internet Information Services (IIS), since by default it is not installed with most editions of Windows Server 2008. The exception is Windows Web Server 2008, on which IIS is installed by default. If you use a server as a Web server and then deploy it for some other purpose, remove IIS from that server.

Benefits and Purposes of IIS

IIS 7.0 is one of the optional role services in Windows Server 2008, although it is installed by default in Windows Web Server 2008. IIS is a role service that provides an easy way to publish information on the Internet or an intranet. In a managed environment, IIS is usually installed on selected servers only. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP and ASP.NET), you can more easily create and deploy scalable, flexible Web applications.

IIS is not installed by default on editions of Windows Server 2008 other than Windows Web Server 2008. IIS and related features can be added by using either the Initial Configuration Tasks interface or Server Manager. When IIS 7.0 is installed with the default set of IIS features (also called role services), it can accept requests for static files only. To serve dynamic content, you must choose to install additional IIS features, not just the default features.

For more information about IIS features, including features related to security, see the following:

Examples of Security-Related Features in IIS 7.0

IIS 7.0 includes a variety of settings and features related to security, some of which are described in the following list. For additional information about security-related features in IIS 7.0, see the links in the previous section.

  • Ability to limit the Web server feature set: IIS 7.0 includes a completely modular Web server that has been componentized into more than four to five times as many installable components as previous versions of IIS. You can limit your installation to the necessary components, which decreases the attack surface of the Web server.

    The default installation for the Web server (IIS) role includes the installation of role services for serving static content, making minor customizations (such as default documents and HTTP errors), monitoring and logging server activity, and configuring static content compression.

  • Key simplifications of security management: The simplifications of security management include:

    • Rich delegated administration support, enabling scoped configuration and management tasks to be delegated to non-Administrators in a simple and security-enhancing manner.

    • Unified authentication and authorization management, allowing for all types of authentication and authorization, including Forms authentication and URL Authorization, to be managed in a single place, for all types of content.

    • Built-in user and group accounts dedicated to the Web server, enabling a common security identifier (SID) to be used across servers. This simplifies management of NTFS permissions, and also simplifies Application Pool sandboxing and identity management.

  • New security features: One example of a new security feature in IIS 7.0 is built-in Request Filtering. Request Filtering can filter requests on the fly based on verb, file name extension, size, namespace, and sequences. Much of this functionality, previously delivered in URLScan (an ISAPI filter available as a web download), is now available as a built-in module in IIS 7.0.
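
The following Request Filtering configuration exercises each of the filter types named above (verb, file name extension, size, namespace, and sequences). It is an added example, not part of the original white paper; the limits, the `.bak` extension, and the `internal` segment name are illustrative assumptions, and it requires the Request Filtering role service to be installed.

```xml
<!-- Added example: place in a site's web.config or in applicationHost.config.
     All values below are illustrative and should be tuned per application. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject double-escaped URLs and high-bit characters, two common
           ways to slip a request past the other filters. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Verb: allow only the listed HTTP methods; any other verb is rejected. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>

        <!-- File name extension: deny specific extensions (assumed example:
             leftover backup files) while allowing unlisted ones. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>

        <!-- Size: cap request body (bytes), URL length, and query string length. -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048"
                       maxQueryString="1024" />

        <!-- Namespace: path segments that are never served, even if the
             content exists on disk ("internal" is a hypothetical folder name). -->
        <hiddenSegments>
          <add segment="internal" />
        </hiddenSegments>

        <!-- Sequences: reject any URL containing these character sequences. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests rejected by these rules are logged with HTTP 404 substatus codes (for example, 404.6 for a denied verb and 404.7 for a denied file name extension), so the IIS logs can be used to confirm that a rule is taking effect.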

Finding Information About Features in IIS 7.0

One way to minimize the attack surface of a server running IIS is to install only the role services (IIS features) needed for that server. The following topics can help you plan the role services you want to install and identify the correct name for the service, either as specified in the graphical interface (the Add Roles Wizard or the Add Role Services Wizard, which can be started from Server Manager) or in a command or script used for automated installation.

Note

For more details about features in IIS, follow all steps in "To View Help After Installing IIS," later in this section.

Procedures for Installing or Uninstalling Features in IIS 7.0

The following procedures explain how to:

  • Add the Web Server (IIS) role and select the role services to install on a computer running Windows Server 2008

  • View the role services that are installed for a Web Server

  • Install additional IIS role services on a server that already has the Web Server (IIS) role installed

  • Uninstall IIS role services on a server that already has the Web Server (IIS) role installed

  • View Help for IIS 7.0

For information about using the Server Core installation option for a server that will run IIS, see Additional References, later in this section.

To Add the Web Server (IIS) Role and Select the Role Services to Install

  1. If you recently installed Windows Server 2008, and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add roles. Then skip to step 3.

  2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

    Then, in Server Manager, under Roles Summary, click Add Roles.

  3. In the Add Roles Wizard, if the Before You Begin page appears, click Next.

  4. On the Select Server Roles page, under Roles, select Web Server (IIS) and then click Next.

Note

If IIS is already installed on the server, the Web Server (IIS) check box will be selected and dimmed. For information about viewing or installing IIS role services in this situation, see the next two procedures.

  5. On the Web Server (IIS) page, click and view links for Help topics that you want to read. Close the topics when you have finished reading, and then click Next.

  6. On the Select Role Services page, select the role services to install for Web Server (IIS), and then click Next.

  7. Follow the instructions in the wizard to complete the installation process.

To View the Role Services That are Installed for a Web Server

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, under Roles, click Web Server (IIS).

  3. In the right pane, ensure that Role Services is expanded, and view the list of role services that are installed.

To Install Additional IIS Role Services on a Server That Already Has the Web Server (IIS) Role Installed

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, click Web Server (IIS).

  3. In the right pane, in the Role Services section, click Add Role Services.

  4. Follow the instructions in the wizard to select role services and complete the installation process.

To Uninstall IIS Role Services on a Server That Already Has the Web Server (IIS) Role Installed

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, click Web Server (IIS).

  3. In the right pane, in the Role Services section, click Remove Role Services.

  4. Follow the instructions in the wizard to identify and remove role services.

To View Help After Installing IIS

  1. After installing IIS (including the IIS Management console, which is included in default installations of IIS), click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. Click the Help menu and then click IIS Help.

Note

For more details about role services (features) in IIS, click the Search tab and search for "available role services." Open the topic called "Available Role Services in IIS 7.0."

Additional References