By default, when you install and run Internet Information Services (IIS) on a Windows NT 4.0 or Windows 2000 computer, all of the available features and services of the web server are started. Only the features and services that the particular Web server actually needs should be enabled, so that the least possible amount of code is running (and exposed) on the server. In addition, all available IIS hotfixes should be installed on the server to patch any known vulnerabilities.
It is recommended to download the IIS Lockdown tool and run it on all IIS computers. The tool works by turning off unnecessary features and services, thereby reducing the attack surface available to attackers. To provide defense in depth, URLScan has been integrated into the IIS Lockdown tool.
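As an added illustration (this is not code from the IIS Lockdown tool or from URLScan), the following Python script models the kind of request filtering URLScan layers in front of IIS: an allowlist of HTTP verbs, a deny list of file extensions belonging to handlers that are usually switched off, and a deny list of URL sequences checked after one round of URL decoding. The verb, extension and sequence values, and the sample request lines, are constructed for the example.

```python
"""
Minimal URLScan-style request filter (added example, not Microsoft code).
It shows why a request filter adds a second layer on top of disabling
features: even if a handler is left enabled, a request for it can be
refused before IIS ever dispatches it.
"""
from urllib.parse import unquote

# Constructed rule set, modelled on the shape of a urlscan.ini:
ALLOW_VERBS = {"GET", "HEAD", "POST"}
DENY_EXTENSIONS = {".ida", ".idq", ".htr", ".printer", ".exe", ".bat", ".cmd"}
# Checked after one decoding pass; a remaining "%" means the client tried
# to encode twice, ".." is traversal, ":" targets alternate data streams.
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
MAX_URL_LENGTH = 260


def check_request(request_line):
    """Return (allowed, reason) for one raw HTTP request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return (False, "malformed request line")
    verb, raw_url, _version = parts

    if verb.upper() not in ALLOW_VERBS:
        return (False, "verb not allowed: " + verb)
    if len(raw_url) > MAX_URL_LENGTH:
        return (False, "URL too long")

    # Normalize exactly once, then verify that a second decode is a no-op;
    # if it is not, the URL was double-encoded to slip past string checks.
    normalized = unquote(raw_url)
    if unquote(normalized) != normalized:
        return (False, "double-encoded URL")

    # Extension check applies to the path only, not the query string.
    path = normalized.split("?", 1)[0]
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = "." + last_segment.rsplit(".", 1)[1].lower()
        if ext in DENY_EXTENSIONS:
            return (False, "extension denied: " + ext)

    # Sequence check applies to the whole normalized URL.
    for seq in DENY_URL_SEQUENCES:
        if seq in normalized:
            return (False, "URL sequence denied: " + seq)

    return (True, "ok")


def filter_log(request_lines):
    """Apply check_request to many lines; returns [(line, allowed, reason)]."""
    return [(line, *check_request(line)) for line in request_lines]


if __name__ == "__main__":
    # Constructed sample request lines (not real traffic).
    SAMPLE = [
        "GET /default.htm HTTP/1.0",
        "PROPFIND / HTTP/1.1",
        "GET /iisadmin/default.ida HTTP/1.0",
        "GET /a/../b.htm HTTP/1.0",
        "GET /x.htm%253F HTTP/1.0",
    ]
    for line, allowed, reason in filter_log(SAMPLE):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:28} {line}")
```

The strictness is deliberate: with these rules a query string such as `?a=1&b=2` is refused because of the `&` sequence, and a site that needs it has to relax that entry. That mirrors the page's point that only what a particular server requires should be enabled; the real URLScan reads its lists from urlscan.ini and those defaults have to be tuned per site rather than applied blindly.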
Additional Resources
The Microsoft Security Tool Kit
IIS 4 Baseline Security Checklist
IIS 5 Baseline Security Checklist
© 2002 Microsoft Corporation. All rights reserved.