iis security : general security settings


Dr. Mark Rhodes
2/29/2008 9:00:54 AM
I am very new to IIS and the security issues of having our own web server.
We have Windows 2003 Server with the latest updates and IIS 6.

I just found the Resource Kit Tools and assume it might be helpful.

Should I be concerned about changing some of the settings in IIS right from
the beginning? Or should I leave the default settings as is?

Thanks.

Mark

David Wang
3/1/2008 3:35:34 AM
For most users, IIS6 default settings are sufficiently secure.

Can you first define your requirements for security, how you want to
evaluate the software system (in this case IIS6) against your
requirements, and whether there are any failed requirements which
require IIS6 configuration change?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang

Dr. Mark Rhodes
3/5/2008 11:44:26 AM
Thanks for your response, David. I am a raw beginner on this and don't want
to assume everything is OK if there is something that is common practice
that I just don't know about yet.

David:
Define requirements...

Mark:
I want to have a web site up and running without having to worry about it
being vulnerable to "hackers."

David:
How to evaluate...

Mark:
No noticeable defacement of site, no remote code execution, etc.

David:
Any failed requirements...

Mark:
None yet. I have had the site up for a few days now.


Thanks,

Mark


----- Original Message -----
From: "David Wang" <w3.4you@gmail.com>
Newsgroups: microsoft.public.inetserver.iis.security
Sent: Saturday, March 01, 2008 3:35 AM
Subject: Re: general security settings


For most users, IIS6 default settings are sufficiently secure.

Can you first define your requirements for security, how you want to
evaluate the software system (in this case IIS6) against your
requirements, and whether there are any failed requirements which
require IIS6 configuration change?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang