What Does IISLockdown Do?


For a Windows 2000 computer that serves ASP.NET pages, select the Dynamic Web server (ASP enabled) template when you run IISLockdown. When you use this template, IISLockdown performs the following actions:

  • It disables the following Internet Services:

    • File Transfer Protocol (FTP)

    • E-mail service (SMTP)

    • News service (NNTP)

  • It maps the following script maps to 404.dll:

    • Index Server Web Interface (.idq, .htw, .ida)

    • Server-side includes (.shtml, .shtm, .stm)

    • Internet Data Connector (.idc)

    • .HTR scripting (.htr)

    • Internet printing (.printer)

  • It removes the following virtual directories:

    • IIS Samples

    • MSADC

    • IISHelp

    • Scripts

    • IISAdmin

  • It restricts anonymous access to system utilities as well as the ability to write to Web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories.

    Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications.

    Note  

    If you create custom, anonymous Internet user accounts, add them to the Web Anonymous Users group.

  • It disables Web Distributed Authoring and Versioning (WebDAV).

  • It installs the URLScan ISAPI filter.
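
One way to confirm the script map and virtual directory changes after the tool has run, as an added example that is not part of the original text or of IISLockdown itself. It assumes the script maps have been exported as metabase ScriptMaps strings (extension,handler path,flags,verbs); the sample entries, paths and the MyApp directory name are constructed.

```python
# Added example: audit exported IIS script maps and virtual directory names
# against the Dynamic Web server (ASP enabled) template described above.
import ntpath

# Extensions the template maps to 404.dll (from the list above).
BLOCKED_EXTENSIONS = {".idq", ".htw", ".ida", ".shtml", ".shtm", ".stm",
                      ".idc", ".htr", ".printer"}
# Virtual directories the template removes (names normalised: no spaces, lowercase).
REMOVED_VDIRS = {"iissamples", "msadc", "iishelp", "scripts", "iisadmin"}

def parse_script_maps(entries):
    """Return {extension: handler path} from 'ext,path,flags[,verbs]' strings."""
    maps = {}
    for entry in entries:
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) < 2 or not parts[0].startswith("."):
            continue  # skip malformed lines rather than guess at their meaning
        maps[parts[0].lower()] = parts[1]
    return maps

def audit(script_map_entries, vdir_names):
    """Return a sorted list of findings; an empty list means the checks passed."""
    findings = []
    maps = parse_script_maps(script_map_entries)
    for ext in sorted(BLOCKED_EXTENSIONS):
        handler = maps.get(ext)
        # An unmapped extension is not routed to an ISAPI handler, so only a
        # mapping to something other than 404.dll is reported.
        if handler and ntpath.basename(handler).lower() != "404.dll":
            findings.append(f"script map {ext} -> {handler}")
    for name in vdir_names:
        if name.replace(" ", "").lower() in REMOVED_VDIRS:
            findings.append(f"virtual directory present: {name}")
    return sorted(findings)

# Constructed sample input: .htr and .printer still point at their handlers,
# .idq has been remapped, and the Scripts virtual directory still exists.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idq,C:\WINNT\System32\inetsrv\404.dll,1",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]
SAMPLE_VDIRS = ["Scripts", "MyApp"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT_MAPS, SAMPLE_VDIRS):
        print(finding)
```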




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
