To improve the security of your Web server, many aspects of IIS 6.0, including
default behavior and settings, function differently from earlier versions of
IIS. The most notable changes were made to take a more proactive stance
against malicious users and attackers. A significant change is that IIS is not installed
by default on Microsoft® Windows® Server 2003, Standard Edition; Windows®
Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter
Edition, and many services and features of IIS are not installed
or enabled by default when you do install IIS. Other security changes in IIS 6.0
affect components of Active Server Pages (ASP), authentication, and access control
methods. As a result of these changes, some existing applications and sites might
require you to enable services, change settings, or make other adjustments before
they run as expected. If you do change default settings, change them
carefully and as narrowly as possible to keep the server as secure as possible.
The most significant security-related changes are as follows:
• IIS installs in a locked-down mode.
• Restrictive Multipurpose Internet Mail Extensions (MIME) types reduce the attack surface of IIS.
• Multiple worker processes affect Internet Server API (ISAPI) filter status display.
• ASP and ASP.NET functionality are disabled by default.
• Parent paths are disabled by default.
• Global.asa events run as the anonymous user.
• Anonymous password synchronization is disabled by default.
• Advanced Digest authentication requires Windows Server 2003.
• Microsoft® .NET Passport authentication requires LocalSystem user account rights.
• Kerberos authentication requires service principal names (SPNs) for multiple worker processes.
• Access is restricted for executables.
• Access is restricted for non-default identities for Common Gateway Interface (CGI) processes.
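The following script is an added example and is not part of the original page or of the IIS 6.0 product documentation. It shows how an administrator migrating an ASP application would audit the locked-down defaults listed above (Web service extension status, parent paths, anonymous password synchronization) from a command prompt using the IIS 6.0 administration scripts Iisext.vbs and Adsutil.vbs, and then re-enable only what the application needs. The site identifier 1 and the application path /ROOT/LegacyApp are assumptions for illustration; adjust them for your server.

```batch
@echo off
REM Added example, not from the original page: audit IIS 6.0 lock-down defaults
REM and re-enable only the features one application requires.
REM Assumptions (illustrative): site ID 1 and application path ROOT/LegacyApp.
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set IISEXT=cscript //nologo %SystemRoot%\system32\iisext.vbs

echo === Registered Web service extensions (locked-down list) ===
%IISEXT% /ListExt

echo === Server-wide ASP and authentication defaults ===
REM Both are FALSE on a fresh IIS 6.0 install; a TRUE here means someone
REM already widened the default.
%ADSUTIL% GET W3SVC/AspEnableParentPaths
%ADSUTIL% GET W3SVC/AnonymousPasswordSync

echo === Re-enable the minimum the legacy application needs ===
REM Allow the ASP extension only; do not allow "All Unknown ISAPI Extensions",
REM which would undo the locked-down mode for every site on the server.
%IISEXT% /EnExt ASP

REM Parent paths (..\ in #include and Server.MapPath) are needed only by this
REM application, so set them at the application node rather than under W3SVC,
REM where they would apply to every site.
%ADSUTIL% SET W3SVC/1/ROOT/LegacyApp/AspEnableParentPaths TRUE

echo === Verify the change stayed scoped to the application ===
%ADSUTIL% GET W3SVC/AspEnableParentPaths
%ADSUTIL% GET W3SVC/1/ROOT/LegacyApp/AspEnableParentPaths
endlocal
```

Run it from an elevated command prompt on the Web server itself. The final two GET calls are the check that matters: the server-wide value should still read FALSE while only the application node reads TRUE, which is the "change defaults carefully" principle from the introduction applied in practice.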