Securing IIS - It's More than a Web Server
Last time, we talked about several of the different steps you could take to lock down Microsoft's Internet Information Systems (IIS) on Windows Server 2003. But that discussion only covered the Web server parts of IIS and, being the bright IT guru that you are, you've probably realized that's only part of the problem.
Though most people are generally referring to the Web server side of the house when they talk about IIS, many other common Internet-related services are included in that package. File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Simple Mail Transfer Protocol (SMTP) services are all part of the Microsoft bundle and each should be locked down as tightly as possible.
The same basic rules we mentioned in the first part of this article apply to these ancillary IIS services. We should all know them by now, but in case you've already forgotten them ...
The most important thing to remember when dealing with IIS or any other service is "if you don't need it, don't install it." That's even more important when you're talking about services and applications specifically designed to give other people access to your servers. By necessity, these services open ports to the outside world, giving hostile outsiders a larger attack surface.
The good news is that you have to enable these services yourself, rather than deal with them each time you install Windows Server 2003 on a new machine, even if you've already installed the Web portion of IIS. As with IIS in general, Microsoft was smart enough to make sure that they aren't running in a default Windows Server 2003 installation.
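To confirm that rule holds on a given server, the following added example (not part of the original article) reports whether the FTP, SMTP and NNTP services are installed and whether anything is listening on their ports. It assumes Windows PowerShell has been installed on the server, that the services use the IIS 6.0 short names `MSFTPSVC`, `SMTPSVC` and `NntpSvc`, that they sit on their protocol-default ports, and that `netstat` output is in English.

```powershell
# Added example: audit the ancillary IIS services on one host.
# Assumptions: IIS 6.0 service short names, protocol-default ports,
# English-language netstat output.
$targets = @(
    @{ Name = 'MSFTPSVC'; Label = 'FTP';  Port = 21  },
    @{ Name = 'SMTPSVC';  Label = 'SMTP'; Port = 25  },
    @{ Name = 'NntpSvc';  Label = 'NNTP'; Port = 119 }
)

# Collect every local TCP port that netstat reports in the LISTENING state.
$listening = @{}
netstat -an | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') {
        $listening[[int]$Matches[1]] = $true
    }
}

foreach ($t in $targets) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='$($t.Name)'"
    $open = $listening.ContainsKey($t.Port)

    if ($svc) {
        $status = "installed, StartMode=$($svc.StartMode), State=$($svc.State)"
    } else {
        $status = 'not installed'
    }

    # Flag a service that is installed and not disabled, and flag any listener
    # on the port: a listener without the IIS service means other software
    # owns that port and needs its own review.
    $flag = 'ok'
    if (($svc -and $svc.StartMode -ne 'Disabled') -or $open) {
        $flag = 'REVIEW'
    }

    '{0,-6} {1,-4} port {2,-3} listening={3,-5} {4}' -f `
        $flag, $t.Label, $t.Port, $open, $status
}
```

A host that follows "if you don't need it, don't install it" prints `ok` with `not installed` on all three lines; every `REVIEW` line is a service or listener that needs a documented reason to exist.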