Wednesday, November 12, 2008

Locking Down IIS

If you are running IIS instead of MooPS on Windows, you should lock down your IIS configuration (because security is always key, even in closed networks). If you have not done so already, you should install and run the IIS Lockdown Tool, available for free from Microsoft at

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC.

If that URL doesn’t work, simply go to Microsoft’s Web site (http://microsoft.com) and search for IIS Lockdown Tool. Download the IIS Lockdown Tool and run it using the Dynamic Web Server (ASP Enabled) profile (just follow the prompts; it’s pretty self-explanatory). Make sure the box for Install URLScan Filter on the Server is checked (this prevents certain types of hack attempts).
Once the IIS Lockdown Tool has completed its run, put the program away in a location you’ll remember so you can undo its changes later if you need to. To undo the IIS Lockdown Tool’s changes, simply run the application again; it automatically detects that it is installed and gives you options to remove its changes.
