We recommend using Visual Studio 2017

Checklist: Securing Your Web Server


Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Internet Information Services (IIS) version 5.0
  • Microsoft Windows® 2000 operating system

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.


How to Use This Checklist Patches and Updates IISLockdown Services Protocols Accounts Files and Directories Shares Ports Registry Auditing and Logging Sites and Virtual Directories Script Mappings ISAPI Filters IIS Metabase Server Certificates Machine.config Code Access Security Other Check Points Dos and Don'ts

How to Use This Checklist

This checklist is a companion to Chapter 16, "Securing Your Web Server." Use it to help implement a secure Web server, or as a quick evaluation snapshot of the corresponding chapter.

This checklist should evolve with steps that you discover to secure your Web server.

Patches and Updates

Ff648198.z02bthcm01(en-us,PandP.10).gifMBSA is run on a regular interval to check for latest operating system and components updates.
Ff648198.z02bthcm01(en-us,PandP.10).gifThe latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.)
Ff648198.z02bthcm01(en-us,PandP.10).gifSubscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp.


Ff648198.z02bthcm01(en-us,PandP.10).gifIISLockdown has been run on the server.
Ff648198.z02bthcm01(en-us,PandP.10).gifURLScan is installed and configured.


Ff648198.z02bthcm01(en-us,PandP.10).gifUnnecessary Windows services are disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gifServices are running with least-privileged accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gifFTP, SMTP, and NNTP services are disabled if they are not required.
Ff648198.z02bthcm01(en-us,PandP.10).gifTelnet service is disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gifASP .NET state service is disabled and is not used by your applications.


Ff648198.z02bthcm01(en-us,PandP.10).gifWebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."
Ff648198.z02bthcm01(en-us,PandP.10).gifTCP/IP stack is hardened.
Ff648198.z02bthcm01(en-us,PandP.10).gifNetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).


Ff648198.z02bthcm01(en-us,PandP.10).gifUnused accounts are removed from the server.
Ff648198.z02bthcm01(en-us,PandP.10).gifWindows Guest account is disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gifAdministrator account is renamed and has a strong password..
Ff648198.z02bthcm01(en-us,PandP.10).gifIUSR_MACHINE account is disabled if it is not used by the application.
Ff648198.z02bthcm01(en-us,PandP.10).gifIf your applications require anonymous access, a custom least-privileged anonymous account is created.
Ff648198.z02bthcm01(en-us,PandP.10).gifThe anonymous account does not have write access to Web content directories and cannot execute command-line tools.
Ff648198.z02bthcm01(en-us,PandP.10).gifASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.)
Ff648198.z02bthcm01(en-us,PandP.10).gifStrong account and password policies are enforced for the server.
Ff648198.z02bthcm01(en-us,PandP.10).gifRemote logons are restricted. (The "Access this computer from the network" user-right is removed from the Everyone group.)
Ff648198.z02bthcm01(en-us,PandP.10).gifAccounts are not shared among administrators.
Ff648198.z02bthcm01(en-us,PandP.10).gifNull sessions (anonymous logons) are disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gifApproval is required for account delegation.
Ff648198.z02bthcm01(en-us,PandP.10).gifUsers and administrators do not share accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gifNo more than two accounts exist in the Administrators group.
Ff648198.z02bthcm01(en-us,PandP.10).gifAdministrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

Ff648198.z02bthcm01(en-us,PandP.10).gifFiles and directories are contained on NTFS volumes.
Ff648198.z02bthcm01(en-us,PandP.10).gifWeb site content is located on a non-system NTFS volume.
Ff648198.z02bthcm01(en-us,PandP.10).gifLog files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
Ff648198.z02bthcm01(en-us,PandP.10).gifThe Everyone group is restricted (no access to \WINNT\system32 or Web directories).
Ff648198.z02bthcm01(en-us,PandP.10).gifWeb site root directory has deny write ACE for anonymous Internet accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gifContent directories have deny write ACE for anonymous Internet accounts.
Ff648198.z02bthcm01(en-us,PandP.10).gifRemote IIS administration application is removed (\WINNT\System32\Inetsrv\IISAdmin).
Ff648198.z02bthcm01(en-us,PandP.10).gifResource kit tools, utilities, and SDKs are removed.
Ff648198.z02bthcm01(en-us,PandP.10).gifSample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples).


Ff648198.z02bthcm01(en-us,PandP.10).gifAll unnecessary shares are removed (including default administration shares).
Ff648198.z02bthcm01(en-us,PandP.10).gifAccess to required shares is restricted (the Everyone group does not have access).
Ff648198.z02bthcm01(en-us,PandP.10).gifAdministrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).


Ff648198.z02bthcm01(en-us,PandP.10).gifInternet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
Ff648198.z02bthcm01(en-us,PandP.10).gifIntranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.


Ff648198.z02bthcm01(en-us,PandP.10).gifRemote registry access is restricted.
Ff648198.z02bthcm01(en-us,PandP.10).gifSAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

This applies only to standalone servers.

Auditing and Logging

Ff648198.z02bthcm01(en-us,PandP.10).gifFailed logon attempts are audited.
Ff648198.z02bthcm01(en-us,PandP.10).gifIIS log files are relocated and secured.
Ff648198.z02bthcm01(en-us,PandP.10).gifLog files are configured with an appropriate size depending on the application security requirement.
Ff648198.z02bthcm01(en-us,PandP.10).gifLog files are regularly archived and analyzed.
Ff648198.z02bthcm01(en-us,PandP.10).gifAccess to the Metabase.bin file is audited.
Ff648198.z02bthcm01(en-us,PandP.10).gifIIS is configured for W3C Extended log file format auditing.

Sites and Virtual Directories

Ff648198.z02bthcm01(en-us,PandP.10).gifWeb sites are located on a non-system partition.
Ff648198.z02bthcm01(en-us,PandP.10).gif"Parent paths" setting is disabled.
Ff648198.z02bthcm01(en-us,PandP.10).gifPotentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed.
Ff648198.z02bthcm01(en-us,PandP.10).gifMSADC virtual directory (RDS) is removed or secured.
Ff648198.z02bthcm01(en-us,PandP.10).gifInclude directories do not have Read Web permission.
Ff648198.z02bthcm01(en-us,PandP.10).gifVirtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account.
Ff648198.z02bthcm01(en-us,PandP.10).gifThere is script source access only on folders that support content authoring.
Ff648198.z02bthcm01(en-us,PandP.10).gifThere is write access only on folders that support content authoring and these folder are configured for authentication (and SSL encryption, if required).
Ff648198.z02bthcm01(en-us,PandP.10).gifFrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted.

Script Mappings

Ff648198.z02bthcm01(en-us,PandP.10).gifExtensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, idc, .htr, .printer).
Ff648198.z02bthcm01(en-us,PandP.10).gifUnnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config.

ISAPI Filters

Ff648198.z02bthcm01(en-us,PandP.10).gifUnnecessary or unused ISAPI filters are removed from the server.

IIS Metabase

Ff648198.z02bthcm01(en-us,PandP.10).gifAccess to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
Ff648198.z02bthcm01(en-us,PandP.10).gifIIS banner information is restricted (IP address in content location disabled).

Server Certificates

Ff648198.z02bthcm01(en-us,PandP.10).gifCertificate date ranges are valid.
Ff648198.z02bthcm01(en-us,PandP.10).gifCertificates are used for their intended purpose (for example, the server certificate is not used for e-mail).
Ff648198.z02bthcm01(en-us,PandP.10).gifThe certificate's public key is valid, all the way to a trusted root authority.
Ff648198.z02bthcm01(en-us,PandP.10).gifThe certificate has not been revoked.


Ff648198.z02bthcm01(en-us,PandP.10).gifProtected resources are mapped to HttpForbiddenHandler.
Ff648198.z02bthcm01(en-us,PandP.10).gifUnused HttpModules are removed.
Ff648198.z02bthcm01(en-us,PandP.10).gifTracing is disabled <trace enable="false"/>
Ff648198.z02bthcm01(en-us,PandP.10).gifDebug compiles are turned off.
<compilation debug="false" explicit="true" defaultLanguage="vb">

Code Access Security

Ff648198.z02bthcm01(en-us,PandP.10).gifCode access security is enabled on the server.
Ff648198.z02bthcm01(en-us,PandP.10).gifAll permissions have been removed from the local intranet zone.
Ff648198.z02bthcm01(en-us,PandP.10).gifAll permissions have been removed from the Internet zone.

Other Check Points

Ff648198.z02bthcm01(en-us,PandP.10).gifIISLockdown tool has been run on the server.
Ff648198.z02bthcm01(en-us,PandP.10).gifHTTP requests are filtered. URLScan is installed and configured.
Ff648198.z02bthcm01(en-us,PandP.10).gifRemote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts.

Dos and Don'ts

  • Do use a dedicated machine as a Web server.
  • Do physically protect the Web server machine in a secure machine room.
  • Do configure a separate anonymous user account for each application, if you host multiple Web applications,
  • Do not install the IIS server on a domain controller.
  • Do not connect an IIS Server to the Internet until it is fully hardened.
  • Do not allow anyone to locally log on to the machine except for the administrator.

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.