Securing Internet Information Server (IIS) 6 for DMZ Placement

This step by step guide will enable an administrator to install, configure, and secure a Windows 2003 server with Internet Information Server (IIS) 6.0 which will be placed in a DMZ (Demilitarized Zone). The DMZ is the location on the network where servers are put so users from the Internet can access them. This guide is targeted to administrators familiar with Windows 2003 Server and IIS 6.

Windows 2003 Server has been changed from the ground up to be secure by design and secure by default.

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security - Bill Gates

IIS 6.0 is dramatically different from IIS 5.0 with increased performance, reliability, and security in the default configuration. The redesign of the IIS 6.0 architecture requires administrators with custom applications to perform in depth testing before migrating to IIS 6.0 to ensure application compatibility. A basic security tenet is that the more service features a server offers the greater the potential for exploitation. It is recommended that only the necessary features for any application be installed. For the purposes of this guide, we will focus on IIS 6.0.