Securing a very basic IIS6 website on Windows 2003

A client of mine wants to run a very simple website (static HTML pages, no dynamic content, no Javascript, no ASP etc) from his server.

The site isn't going to be dealing with thousands of hits or anything - maybe a couple of dozen hits a day at best. If that situation should start to change, he'll get a professional involved. :-)

He's got Win 2003, service-packed up to date, and it now has IIS 6 on there. I know almost nothing about IIS. I've got it up and running for him, but before I configure his router to direct incoming web traffic to the server, I just want to check that I've done all the obvious, reasonable things to secure the site as best as I can.

Is there anything 'out of the box' that I can turn off, given that the website really is just a half-dozen static HTML files? Should I still be using IIS6 (though I gather you can't run IIS7 on Windows 2003)?

Any advice gratefully received!


Run the Security Configuration Wizard that was introduced with 2003 SP1 - it will help configure and turn off unneeded services and protocols on the server itself. Remember that it has a roll-back feature if you lock it down too much by mistake, so don't worry about running it...

Here's a very good webcast with Jesper M. Johansson about how to use SCW and a little about how to approach Windows and security. It's a bit old, but most of it, including the SCW configuration, is still valid, though obviously aimed at Server 2003.

The old tools URLScan and IIS Lockdown are basically not needed anymore, as IIS6 uses the lockdown settings by default, and most if not all URLScan settings are built in.

Microsoft's Securing IIS6 guide - some settings here seem to be covered if you just go through the SCW first, but this guide should help you get the rest of the configuration down.

You are correct in not being able to run IIS7 on Windows 2003 - the IIS version is basically bound to the operating system version it ships with, so you'd have to upgrade to Windows Server 2008 or later for that.
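As an added example that is not part of the original answer: a small batch file for the same 2003 SP1 box that re-checks the server against the saved SCW policy from the command line and lists the IIS6 web service extensions, which should all be prohibited for a static-HTML-only site. The policy file name and report directory are assumptions; scwcmd.exe ships with the SP1 Security Configuration Wizard and iisext.vbs with IIS6, so verify the switches with `scwcmd /?` and `cscript iisext.vbs` on the actual server.

```batch
@echo off
REM Added example, not from the original answer. Assumes SCW was run from the
REM GUI and its policy saved as static-web.xml (hypothetical name) in the
REM default SCW policy folder; REPORTDIR is also an assumption.
setlocal
set POLICY=%SystemRoot%\security\msscw\Policies\static-web.xml
set REPORTDIR=C:\scw-reports

REM 1. Compare the live server with the saved policy. The report lists any
REM    service, port or setting that has drifted since the wizard was applied.
if not exist "%REPORTDIR%" mkdir "%REPORTDIR%"
scwcmd analyze /p:"%POLICY%" /o:"%REPORTDIR%"
if errorlevel 1 (echo scwcmd analyze failed & exit /b 1)
echo Analysis reports written to %REPORTDIR%:
dir /b "%REPORTDIR%\*.xml"
REM    Open a report in the browser with: scwcmd view /x:<report.xml>

REM 2. A static-HTML-only site needs no web service extensions (ASP, ASP.NET,
REM    server-side includes, WebDAV), so every entry listed here should show
REM    status 0 (prohibited). Anything at status 1 is surface area to remove.
cscript //nologo %SystemRoot%\system32\iisext.vbs /ListFile

REM 3. If something stops working after the policy was applied, undo it with:
REM    scwcmd rollback /m:%COMPUTERNAME%
endlocal
```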