共用方式為


Internet Information Services and Internet Communication

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Internet Information Services (IIS) in Microsoft Windows Server 2003

  • For servers from which you want to offer content on an intranet or the Internet, descriptions of some of the security-related features offered in IIS 6.0, and suggestions for other sources of information about security and IIS 6.0

    Note

    For servers from which you do not want to offer content on an intranet or the Internet, you do not need to remove IIS, since by default it is not installed with most products in the Windows Server 2003 family. The exception is Windows Server 2003, Web Edition, on which IIS is installed by default. If you use a server as a Web server and then deploy it for some other purpose, remove IIS from that server.

  • Controlling Internet printing

  • Subcomponents that are part of IIS, with instructions for finding out which subcomponents are installed on a given server

  • Viewing Help for IIS

  • Other sources of information about IIS

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Benefits and Purposes of IIS

IIS 6.0 is one of the optional components in products in the Windows Server 2003 family. IIS is a component that provides an easy way to publish information on the Internet or an intranet. In a managed environment, IIS is usually installed on selected servers only. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP and ASP.NET), you can more easily create and deploy scalable, flexible Web applications.

IIS is not installed by default with products in the Windows Server 2003 family other than Windows Server 2003, Web Edition. IIS and related components can be added by using either Add or Remove Programs in Control Panel or Manage Your Server. After IIS 6.0 is installed, it is configured by default in a "locked down" state. The locked down state means that IIS 6.0 accepts requests for static files only, until it is configured to serve dynamic content. It also means that all time-outs and settings are set to restrictive defaults. You can enable or disable IIS 6.0 functionality based on the needs of your organization by using IIS Manager. You can also enable IIS 6.0 functionality through programmatic and command-line interfaces.

For more information about IIS features, including features related to security, see the following Web sites:

If you have a Web site on which you want to use Microsoft .NET Passport for authentication and you also want to use Passport Manager Administration, a component available for Windows Server 2003, see Appendix I: Passport Manager Administration.

IIS 6.0 includes a variety of settings and features related to security, some of which are listed in the following table. For additional information about security-related improvements in the version of IIS 6.0 in Windows Server 2003 with SP1, see the links in the previous section.

Setting or feature Description

Disabling through Group Policy

With Windows Server 2003, domain administrators can prevent users from installing IIS 6.0 on their computers.

Running as an account with limited privileges

IIS 6.0 worker processes run in a user context with limited privileges by default. This drastically reduces the attack surface of the Web server.

Secure ASP

All functions built into ASP pages always run as an account with limited privileges (anonymous user).

Recognized file extensions

IIS 6.0 serves requests only to files that have recognized file extensions and rejects requests to file extensions it doesn’t recognize.

Command-line tools not accessible to Web users

Attackers often take advantage of command-line tools that are executable through the Web server. In IIS 6.0, the command-line tools cannot be executed by the default Web server identity.

Write protection for content

Once attackers get access to a server, they try to deface Web sites. By preventing anonymous Web users from overwriting Web content, these attacks can be mitigated.

Time-outs and limits

Product settings are set to aggressive and secure defaults.

Upload data limitations

Administrators can limit the size of data that can be uploaded to a server.

Buffer overflow protection

The Windows Administration Service in IIS will detect if a worker process had a buffer overflow and will exit that process.

File verification

The core server verifies that the requested content exists before it gives the request to a request handler (Internet Server Application Programming Interface [ISAPI] extension).

For more information about creating Web sites with IIS 6.0 and maintaining appropriate levels of awareness and control over the communication to and from those sites, see the IIS Help. For information about viewing the Help, see "To View Help After Installing IIS," later in this section.

Controlling Internet Printing

Internet printing makes it possible for clients to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP). Additionally, a computer running Windows Server 2003 can use IIS to create a Web page that provides information about printers and provides the transport for printing over the Internet.

For Internet printing, it is important to consider both the server and the client:

  • Server: Internet printing is an optional component (not installed by default) of IIS 6.0. A server running Windows Server 2003 can be configured to act as a print server allowing Internet printing. In a managed environment, you might want to ensure that the Internet printing subcomponent of IIS is not installed. For information about how to do this, see "Procedures for Checking or Controlling the Installation of IIS Subcomponents," later in this section.

  • Client: Clients (typically, running Windows XP, not Windows Server 2003) can install an Internet printer using a Web browser, the Add Printer Wizard, or the Run dialog box. To control whether clients can support Internet printing, see the section about Internet printing in the white paper titled "Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet." You can view this white paper on the TechNet Web site at:

    https://go.microsoft.com/fwlink/?LinkId=29133

Answer File Entries and Registry Keys for IIS Subcomponents

For reference purposes, the following table shows the syntax for answer file entries associated with IIS in the Windows Server 2003 family as well as the corresponding registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular component is installed on a particular server. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed.

Note

For more details about answer file entries related to IIS components, follow the steps in "To View Help After Installing IIS," later in this section, and then search for the topic called "Installing IIS." In that topic, look for a table showing the answer file entries.

Answer file entries and registry keys associated with IIS subcomponents for the Windows Server 2003 family

IIS subcomponent Syntax for answer file entry (in the [Components] section) Registry key (for use in a script that checks whether a component is installed): 0x00000000 means it is not installed; 0x00000001 means it is installed

IIS common files

iis_common = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_common

Active Server Pages (ASP) for IIS

iis_asp = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_asp

File Transfer Protocol (FTP) service

iis_ftp = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_ftp

IIS Manager (Microsoft Management Console [MMC] snap-in)

iis_inetmgr = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_inetmgr

Internet Data Connector

iis_internetdataconnector = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_internetdataconnector

Network News Transfer Protocol (NNTP) service

iis_nntp = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_nntp

Server-Side Includes

iis_serversideincludes = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_serversideincludes

Simple Mail Transfer Protocol (SMTP) service

iis_smtp = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_smtp

Web Distributed Authoring and Versioning (WebDAV) publishing

iis_webdav = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_webdav

World Wide Web (WWW) service

iis_www = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

iis_www

Remote administration (HTML)

sakit_web = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\Setup\

OC Manager\Subcomponents\sakit_web

Internet Server Application Programming Interface (ISAPI) for Background Intelligent Transfer Service (BITS) server extensions

BitsServerExtensionsISAPI = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

bitsserverextensionsisapi

Background Intelligent Transfer Service (BITS) server extensions snap-in

BitsServerExtensionsManager = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

bitsserverextensionsmanager

FrontPage server extensions

fp_extensions = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

fp_extensions

Internet printing

inetprint = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\Setup\

OC Manager\Subcomponents\inetprint

ActiveX control and sample pages for hosting Terminal Services client connections over the Web

TSWebClient = On | Off

HKEY_LOCAL_MACHINE\Software\

Microsoft\Windows\CurrentVersion\

Setup\OC Manager\Subcomponents\

TSWebClient

Note

For several of the subcomponents in the previous table, the software for the subcomponent is installed regardless of the answer-file entry, but the subcomponent cannot be used unless the answer-file entry is set to On (or the procedure is followed for installing the subcomponent through Add or Remove Programs in Control Panel). These subcomponents are Internet Data Connector, Server-Side Includes, and WebDAV publishing.

Procedures for Checking or Controlling the Installation of IIS Subcomponents and the IIS Lockdown Tool

The following procedures explain how to:

  • View the registry keys listed in the table in the previous subsection

  • View or change the IIS components currently installed on a computer running a product in the Windows Server 2003 family

  • Specify answer file entries that control whether IIS subcomponents are included during unattended installation

  1. Open Registry Editor by clicking Start, clicking Run, and then typing regedit.

    Warning

    Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

  2. Navigate to:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\.

  3. View the registry keys listed in the table in the previous subsection, and find the value associated with each key. A value of 0x00000000 means the component is not installed. A value of 0x00000001 means the component is installed.

  4. Close Registry Editor.

To View or Change the IIS Components Currently Installed on a Computer Running Windows Server 2003

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Select Application Server and then click Details.

  5. Find Internet Information Services (IIS) in the list, and perform one of the following steps:

    • If IIS is installed and you want to remove it, clear the check box for IIS and complete the wizard.

    • If IIS is not installed and you want to add the default set of IIS subcomponents, select the check box for IIS and complete the wizard.

    • If you want to view or select from the list of IIS subcomponents, after selecting IIS, click Details.

      Note

      The Internet Printing component is in the list of subcomponents that appears when you click Details.

  6. Follow the instructions to complete the Windows Components Wizard.

To Specify Answer File Entries That Control Whether IIS Subcomponents are Included During Unattended Installation

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file.

  2. In the [Components] section of the answer file, add the appropriate entries listed in the table in "Answer File Entries and Registry Keys for IIS Subcomponents," earlier in this section. Ensure that the entries specify Off for components you do not want to install and On for components you want to install.

    If no IIS subcomponents are listed in an answer file for unattended installation of a product in the Windows Server 2003 family other than Windows Server 2003, Web Edition, the IIS subcomponents are not installed by default.

    Note

    For more details about answer file entries related to IIS components, follow the steps in the next procedure, "To View Help After Installing IIS," and then search for the Help topic called "Installing IIS." In that topic, look for a table showing the answer file entries.

To View Help After Installing IIS

  1. After installing IIS (including the IIS Manager subcomponent, which is included in default installations of IIS), click Start.

  2. Either click Control Panel, or point to Settings and then click Control Panel.

  3. Double-click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  4. Click the Help menu and then click Help Topics.

To Obtain the IIS Lockdown Tool

For more information about IIS, see the following Web sites: