How To: Use IISLockdown.exe

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Last Revised: January 2006

Applies to:

  • Internet Information Services (IIS) 5.0
  • Microsoft Windows® 2000 operating system

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: You can largely automate the process of securing your Web server by running the IISLockdown tool. It allows you to pick a specific type of server role and then improve security for that server with customized templates that either disable or secure various features. In addition, the URLScan ISAPI filter is installed when you run IISLockdown. The URLScan ISAPI filter rejects potentially malicious requests and accepts or rejects client requests based on a configurable set of rules.

Note   By default, IIS 6.0 has security-related configuration settings similar to those made by the IIS Lockdown Tool. Therefore you do not need to run the IIS Lockdown Tool on Web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS (5.0 or lower) to IIS 6.0, it is recommended that you run the IIS Lockdown Tool to enhance the security of your Web server.

Contents

  • What Does IISLockdown Do?
  • Installing IISLockdown
  • Running IISLockdown
  • Undoing IISLockdown Changes
  • Pitfalls

What Does IISLockdown Do?

For a Windows 2000 computer that serves ASP.NET pages, select the Dynamic Web server (ASP enabled) template when you run IISLockdown. When you use this template, IIS Lockdown performs the following actions:

  • It disables the following Internet Services:

    • File Transfer Protocol (FTP)
    • E-mail service (SMTP)
    • News service (NNTP)
  • It maps the following script maps to 404.dll:

    • Index Server Web Interface (.idq, .htw, .ida)
    • Server-side includes (.shtml, .shtm, .stm)
    • Internet Data Connector (.idc)
    • .HTR scripting (.htr)
    • Internet printing (.printer)
  • It removes the following virtual directories:

    • IIS Samples
    • MSADC
    • IISHelp
    • Scripts
    • IISAdmin
  • It restricts anonymous access to system utilities as well as the ability to write to Web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories.

    Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications.

    Note   If you create custom anonymous Internet user accounts, add them to the Web Anonymous Users group; otherwise the deny ACEs do not apply to them.

  • It disables Web Distributed Authoring and Versioning (WebDAV).

  • It installs the URLScan ISAPI filter.

Installing IISLockdown

To install IISlockdown, download it from the Microsoft Web site at https://technet.microsoft.com/en-us/library/dd450372(WS.10).aspx.

You can save it locally or run it directly by clicking Open when you are prompted. If you save IISLockd.exe, you can unpack helpful files by running the following command:

iislockd.exe /q /c

This command unpacks the following files:

  • IISLockd.chm. This is the compiled help file for the IISLockdown tool.
  • RunLockdUnattended.doc. This file includes instructions for unattended IISLockdown execution.
  • URLScan.exe and associated files. These files install URLScan without running IISLockdown.exe.

Running IISLockdown

IISLockdown detects the Microsoft .NET Framework and takes steps to secure .NET Framework files. Install the .NET Framework on your Web server before you run IISLockdown.

IISLockd.exe is not an installation program. When you launch IISLockd.exe, it runs the IIS Lockdown Wizard.

To run IISLockdown

  1. Run IISlockd.exe on your IIS Web server, click Next, and then read and accept the license agreement.

  2. For Web servers that host ASP.NET Web applications, select Dynamic Web server (ASP enabled) from the Server templates list.

  3. Select View template settings and then click Next.

    This allows you to specify the changes that the IIS Lockdown tool should perform.

  4. Select Web service (HTTP) and make sure that no other services are selected.

  5. Select Remove unselected services, click Yes in response to the warning message box, and then click Next.

  6. On the Script Maps page, disable support for the following script maps, and then click Next.

    • Index Server Web Interface (.idq, .htw, .ida)
    • Server side includes (.shtml, .shtm, .stm)
    • Internet Data Connector (.idc)
    • .HTR scripting (.htr)
    • Internet printing (.printer)
  7. On the Additional Security page, select all of the available options.

    This causes IISLockdown to remove all of the listed virtual directories, configure NTFS permissions for the anonymous Internet account, and disable WebDAV.

  8. Click Next.

  9. On the URLScan page, select Install URLScan filter on the server.

  10. Click Next twice.

    IISLockdown updates your server configuration using the selected options.

  11. Click Next and then Finish to exit the tool.
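After the wizard finishes, the changes listed under "What Does IISLockdown Do?" can be confirmed from the IIS metabase instead of taken on trust. The following VBScript is an added example and is not part of this guide or of the IIS Lockdown tool; it uses the IIS ADSI provider that ships with IIS 5.0 and assumes that lockdown identifies a disabled script map by pointing it at a file named 404.dll, that URLScan's filter DLL is named urlscan.dll, and that WebDAV is disabled through the registry value HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV. Run it on the Web server from an administrative command prompt with cscript.

```vbscript
' check-lockdown.vbs  (added example; not part of the guide or the IIS Lockdown tool)
' Confirms, via the IIS ADSI provider on IIS 5.0 / Windows 2000, the changes the
' "Dynamic Web server (ASP enabled)" template is documented to make.
' Run on the Web server as an administrator:
'     cscript //nologo check-lockdown.vbs
Option Explicit

Dim g_failures : g_failures = 0

' Script maps that lockdown points at 404.dll.
Dim lockedExts
lockedExts = Array(".idq", ".htw", ".ida", ".shtml", ".shtm", ".stm", _
                   ".idc", ".htr", ".printer")

' Virtual directories the template removes.
Dim removedVDirs
removedVDirs = Array("IISSamples", "MSADC", "IISHelp", "Scripts", "IISAdmin")

Sub Report(ok, msg)
    If ok Then
        WScript.Echo "[OK]   " & msg
    Else
        WScript.Echo "[FAIL] " & msg
        g_failures = g_failures + 1
    End If
End Sub

' 1. Script maps. Read at the site root so entries inherited from W3SVC count.
Sub CheckScriptMaps(root, siteName)
    Dim ext, entry, found, dll
    For Each ext In lockedExts
        found = False
        For Each entry In root.ScriptMaps
            ' Each entry is "<ext>,<dll path>,<flags>[,<verbs>]".
            If LCase(Left(entry, Len(ext) + 1)) = LCase(ext) & "," Then
                found = True
                dll = Split(entry, ",")(1)
                Report LCase(Right(dll, 7)) = "404.dll", _
                       "site " & siteName & ": " & ext & " -> " & dll
            End If
        Next
        ' No map at all means the extension is not routed to 404.dll; it was
        ' either never registered or removed some other way. Flag it for review.
        If Not found Then Report False, "site " & siteName & ": " & ext & " has no script map"
    Next
End Sub

' 2. Virtual directories that should be gone.
Sub CheckVDirs(root, siteName)
    Dim name, child, present
    For Each name In removedVDirs
        present = False
        For Each child In root
            If child.Class = "IIsWebVirtualDir" And LCase(child.Name) = LCase(name) Then present = True
        Next
        Report Not present, "site " & siteName & ": /" & name & " virtual directory removed"
    Next
End Sub

' 3. URLScan registered as a server-level ISAPI filter.
'    (Assumption: the filter DLL is named urlscan.dll, as shipped with URLScan.)
Sub CheckUrlScan()
    Dim f, present
    present = False
    For Each f In GetObject("IIS://localhost/W3SVC/Filters")
        If f.Class = "IIsFilter" Then
            If InStr(1, f.FilterPath, "urlscan.dll", vbTextCompare) > 0 Then present = True
        End If
    Next
    Report present, "URLScan ISAPI filter loaded at the server level"
End Sub

' 4. WebDAV disabled. (Assumption: lockdown sets the registry value
'    HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV = 1.)
Sub CheckWebDav()
    Dim sh, v
    Set sh = CreateObject("WScript.Shell")
    On Error Resume Next
    v = sh.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV")
    If Err.Number <> 0 Then v = 0 : Err.Clear   ' value absent => WebDAV still enabled
    On Error GoTo 0
    Report v = 1, "WebDAV disabled (DisableWebDAV=" & v & ")"
End Sub

Dim site, root
For Each site In GetObject("IIS://localhost/W3SVC")
    If site.Class = "IIsWebServer" Then
        Set root = GetObject(site.ADsPath & "/Root")
        CheckScriptMaps root, site.Name & " (" & site.ServerComment & ")"
        CheckVDirs root, site.Name
    End If
Next
CheckUrlScan
CheckWebDav
WScript.Echo g_failures & " check(s) failed"
WScript.Quit g_failures
```

The script exits with the number of failed checks, so it can be run from a deployment script and treated as a gate. Script maps are read at each site's root rather than only at the W3SVC node so that a site-level override that re-enables, say, .htr is caught.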

Log Files

A log file detailing the changes made by IISLockdown is written to \WINNT\System32\inetsrv\oblt-log.log. When you run IISLockdown a second time, it undoes any changes it made based on this log. You can view the log file by using any text editor to see the exact changes made by IISLockdown.

Undoing IISLockdown Changes

To undo the changes made by IISLockdown, run IISlockd.exe a second time and choose to undo the changes. The undo operation restores the system settings that were in effect immediately before you previously ran IISLockdown. These details are contained in the log file \WINNT\System32\inetsrv\oblt-log.log, so any configuration change made after the lockdown run and before the undo is not accounted for. Therefore, it is important that you test the system promptly after you run IISLockdown. If an undo is required, perform it immediately.

Note   The URLScan ISAPI filter that is installed as part of IIS Lockdown is not removed as part of the undo process. You can remove URLScan manually by using the ISAPI filters tab at the server level in Internet Services Manager.

Unattended Execution

The following steps are from RunLockdUnattended.doc, which is available if you unpack files by running IISLockd.exe with the /q and /c arguments.

To configure IISLockdown for unattended execution

  1. Open IISlockd.ini in a text editor.

  2. Under the [Info] section, configure the UnattendedServerType setting by entering the name that matches the server template you want to use. For example, if you want to apply the dynamicweb template, the setting would look like this:

    UnattendedServerType=dynamicweb
    
  3. Change the Unattended setting to TRUE, as follows:

    Unattended=TRUE
    

    Note   If you want to run IISlockd.exe unattended to undo a previous set of changes, ensure that both the Unattended and Undo settings are set to TRUE.

  4. Configure the server template that you chose in step 2. The template configuration is denoted with square brackets around the server template name, for example, [dynamicweb]. The template configuration contains the various feature settings for that specific server template. These feature settings can be toggled on or off by setting them to TRUE or FALSE.

    Note   The AdvancedSetup setting is ignored during an unattended installation, and the UninstallServices setting applies only to Windows 2000.

  5. Save IISlockd.ini.

  6. Run IISlockd.exe using the command line or scripting.

Pitfalls

Be aware of the following potential pitfalls when working with IISLockdown:

  • IISLockdown configures NTFS permissions using the new local group Web Anonymous Users. By default, this contains the IUSR_MACHINE account. If you create new anonymous accounts, you must manually add these accounts to the Web Anonymous Users group; otherwise the deny ACEs that IISLockdown placed on system utilities and Web content directories do not apply to them.
  • If you debug ASP.NET pages using Microsoft Visual Studio® .NET, debugging stops working. This is because IISLockdown installs URLScan and URLScan blocks the DEBUG verb. For more information about using IISLockdown on developer workstations, see "How To: Secure Your Developer Workstation" in this guide.
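The first pitfall above is easy to miss on a server with several sites, because the anonymous account can be overridden per site, per virtual directory or per directory. The following VBScript is an added example and is not part of this guide or of the IIS Lockdown tool; it walks the W3SVC metabase tree through the IIS ADSI provider, collects every AnonymousUserName in use, and checks each one against the local Web Anonymous Users group through the WinNT ADSI provider. It assumes the group name the tool creates is exactly "Web Anonymous Users" and that the metabase stores the account either as a bare name or as MACHINE\name or DOMAIN\name.

```vbscript
' anon-group-check.vbs  (added example; not part of the guide or the IIS Lockdown tool)
' Collects every anonymous account the metabase actually uses (AnonymousUserName
' on each site, virtual directory and directory) and checks that it belongs to
' the local "Web Anonymous Users" group that IISLockdown created. With /fix,
' accounts that are missing from the group are added to it.
'     cscript //nologo anon-group-check.vbs [/fix]
Option Explicit

Const GROUP_NAME = "Web Anonymous Users"   ' assumption: name as created by IISLockdown
Dim fix : fix = WScript.Arguments.Named.Exists("fix")

Dim net : Set net = CreateObject("WScript.Network")
Dim localName : localName = net.ComputerName

' Local group created by IISLockdown (fails loudly if the tool has not been run).
Dim grp
Set grp = GetObject("WinNT://" & localName & "/" & GROUP_NAME & ",group")

' account (lower-cased) -> metabase path where it was first seen
Dim seen : Set seen = CreateObject("Scripting.Dictionary")

' Walk the W3SVC tree. AnonymousUserName is inheritable, so reading it at every
' node also catches per-directory overrides that the server-level value hides.
Sub Walk(node)
    Dim child, acct
    On Error Resume Next
    acct = node.AnonymousUserName      ' not every metabase class carries this property
    If Err.Number <> 0 Then acct = "" : Err.Clear
    On Error GoTo 0
    If acct <> "" And Not seen.Exists(LCase(acct)) Then seen.Add LCase(acct), node.ADsPath
    Select Case node.Class
        Case "IIsWebService", "IIsWebServer", "IIsWebVirtualDir", "IIsWebDirectory"
            For Each child In node
                Walk child
            Next
    End Select
End Sub

' The metabase may store "name", "MACHINE\name" or "DOMAIN\name".
Function UserPart(acct)
    Dim parts : parts = Split(acct, "\")
    UserPart = parts(UBound(parts))
End Function

Function DomainPart(acct)
    If InStr(acct, "\") > 0 Then DomainPart = Split(acct, "\")(0) Else DomainPart = localName
End Function

Function IsMember(g, user)
    Dim m
    IsMember = False
    For Each m In g.Members
        If LCase(m.Name) = LCase(user) Then IsMember = True
    Next
End Function

Walk GetObject("IIS://localhost/W3SVC")

Dim key, user, failures
failures = 0
For Each key In seen.Keys
    user = UserPart(key)
    If IsMember(grp, user) Then
        WScript.Echo "[OK]    " & key & " is in """ & GROUP_NAME & """"
    ElseIf fix Then
        grp.Add "WinNT://" & DomainPart(key) & "/" & user & ",user"
        WScript.Echo "[FIXED] added " & key & " to """ & GROUP_NAME & """"
    Else
        failures = failures + 1
        WScript.Echo "[FAIL]  " & key & " is NOT in """ & GROUP_NAME & _
                     """ (set at " & seen(key) & "); rerun with /fix to add it"
    End If
Next
WScript.Quit failures
```

Run it without /fix first and review the metabase paths it reports; an unexpected anonymous account on a single virtual directory is worth understanding before it is granted the group's deny ACEs, since the same group membership also blocks that account from writing to Web content directories.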


© Microsoft Corporation. All rights reserved.