Microsoft Internet Information Server 4.0 Security Checklist

Last Updated: 27-Sep-1999                   

This table outlines some of the steps you should take to secure a Windows NT 4.0 Server running Microsoft Internet Information Server 4.0 on the Internet. Note, this document does not take into consideration firewalls or proxy servers. It also assumes the company has a security policy in place.

Step 1: General Information

Server Name


Asset #


Setup Date






Set up by


Step 2: Background Work



Read your corporate security policy

Configure hardware to meet security policy

Read the IIS4 Resource Kit Security Chapter

Subscribe to Microsoft Security Notification Service

Step 3: Windows NT 4.0 Settings



Latest Service Pack and Hot-fixes applied

Hard disk(s) formatted to NTFS


Turn off NTFS 8.3 Name Generation

System boot time set to zero seconds

Set Domain controller type

OS/2 Subsystem removed

POSIX Subsystem removed

Remove All Net Shares

Audit for Success/Failed Logon/Logoff

Set Overwrite interval for Audit Log

Hide last logon user name

Display a legal notice before log on

Remove Shutdown button from logon dialog

Set Password length

Disable Guest account

Rename Administrator account

Allow network-only lockout for Administrator account

Check user accounts, group membership and privileges

Only admins can assign printers/drive letters

Set a very strong password for Admin account

Restrict Anonymous Network Access

Prevent unauthenticated access to the registry

Change "Access this computer from the network" from Everyone to Authenticated Users

Run SYSKEY Utility

Unbind NetBIOS from TCP/IP

Configure TCP/IP Filtering

Disable IP Routing

Move and ACL critical files


Step 4: Internet Information Server 4.0 Settings



Install minimal Internet services required

Set appropriate authentication methods

Set appropriate virtual directory permissions and partition Web application space

Executable content validated for trustworthiness

Set IP Address/DNS Address restrictions

Set up Secure Sockets Layer

Migrate new Root Certificates to IIS

Remove Non-trusted Root Certificates

Set Appropriate IIS Log file ACLs

Logging enabled

Index Server only indexing documentation

Lock down Microsoft Certificate Server ASP Enrollment pages

Remove the iisadmpwd vdir

Remove Used Script Mappings

Disable RDS support

Disable or remove all sample applications

Disable or remove unneeded COM Components

Check <FORM> input

Disable calling the command shell with #exec

Disable 'Parent Paths'

Disable IP Address in Content-Location

Step 5: Install Scanner/Intrusion Software

Regularly run a security scanner on your Web server, such as software from one of the companies listed.

Step 6: Update the Emergency Repair Disk

You should regularly update the ERD by running the RDISK tool.