Securing a Windows 2000 IIS Web Server - Lessons Learned

With Microsoft quickly becoming the dominant and more popular web server, it is also becoming the number one target for viruses, worms and hackers. Due to this, it is essential to be able to confidently secure the IIS web server. While there is an overabundance of information pertaining to IIS security, it often fails in identifying the many issues that can result. Some of the steps you take towards securing your web server may result in a loss of functionality. While it goes without saying that no guide is going to be able to cover every conceivable configuration, it is essential for those in charge of security to be familiar with their own environment. It is very important not to look at patches as a generic cure-all. What I've found to be effective is to adopt a trial and error approach when attempting to balance security with functionality, as you may experience many issues pertaining to your specific environment. Some of these issues are outlined in this paper and, hopefully, will aid you in avoiding some of the pitfalls that I experienced and ultimately save you some time.