IIS Security

Microsoft documentation:
Main Microsoft Security Bulletin Page (A must)
IIS Security FAQ
HOW TO: Install and Use the IIS Security "What If" Tool
What's New in Internet Information Services 6.0
Internet Information Services FAQ
Internet Information Services (IIS) Security, (Microsoft resources)
Internet Information Server Resource Guide
Microsoft Security Tool Kit
Microsoft Windows NT 4.0 C2 Configuration Checklist
How to Maintain Windows Security
Authentication and Security White Paper for Internet Developers (DOC)

Patching information:
IIS 4.0 HotFix & Security Bulletin Service
IIS 5.0 HotFix & Security Bulletin Service
Search All HotFix & Security Bulletins

Service Packs:
Windows 2000 Service Pack 1
Windows 2000 Service Pack 2
Windows 2000 Service Pack 3
Windows 2000 Service Pack 4

Security Checklists:
Microsoft Internet Information Server 4.0 Security Checklist
Microsoft Internet Information Server 5.0 Security Checklist

IIS 5.0 Baseline Security Checklist
"This document lists some recommendations and best practices to improve the security of a server on the Web running Internet Information Services (IIS) 5" - Microsoft

Microsoft security alerts:
Official Microsoft alert page
If a vulnerability exists, this page will display it. This page is a must for anyone running IIS.

IIS Lockdown Tool 2.1
This tool will harden your IIS server and turn off unneeded features that could pose a security risk.

HFNetChk Security patch tool
This tool will check your system to make sure you are up to date on all the latest patches.

UrlScan Security Tool
This tool filters out malicious requests, which can help block attacks against brand-new vulnerabilities when no patch is available. This is a great tool.

IIS Security Planning Tool
"The IIS Security Planning Tool helps administrators deploy IIS with security that's appropriate for the server's role. It uses a simple HTML interface to determine what services the server will provide, and recommends the deployment and installation options that will allow it to provide them securely." - Microsoft

Microsoft Security Tool Kit
"The Security Tool Kit includes tools that provide a baseline level of security for servers that are connected to the Internet. It also includes security patches for vulnerabilities that the Microsoft Security Response Center has determined to be of potentially high severity for systems that are connected to the Internet." - Microsoft


IIS Security Tips, 2000
MRTG for Intrusion Detection with IIS 6
Securing Microsoft IIS, July 25th, 2001 (HTML)
IIS Security Checklist
IIS Security and Programming Countermeasures, 2003 (PDF)
Microsoft Internet Information Server 4.0 Security Checklist
Guide to IIS Hacking
Basic IIS Lockdown Using Scripts and Group Policy


Official Bugtraq mailing list for Windows users only. This is a *must* for all IIS administrators.


