Running IISLockdown


IISLockdown detects the Microsoft .NET Framework and takes steps to secure .NET Framework files. Install the .NET Framework on your Web server before you run IISLockdown.

IISLockd.exe is not an installation program. When you launch IISLockd.exe, it runs the IIS Lockdown Wizard.

To run IISLockdown

  1. Run IISLockd.exe on your IIS Web server, click Next, and then read and accept the license agreement.

  2. For Web servers that host ASP.NET Web applications, select Dynamic Web server (ASP enabled) from the Server templates list.

  3. Select View template settings and then click Next.

    This allows you to specify the changes that the IIS Lockdown tool should perform.

  4. Select Web service (HTTP) and make sure that no other services are selected.

  5. Select Remove unselected services, click Yes in response to the warning message box, and then click Next.

  6. On the Script Maps page, disable support for the following script maps, and then click Next.

    • Index Server Web Interface (.idq, .htw, .ida)

    • Server side includes (.shtml, .shtm, .stm)

    • Internet Data Connector (.idc)

    • .HTR scripting (.htr)

    • Internet printing (.printer)

  7. On the Additional Security page, select all of the available options.

    This causes IISLockdown to remove all of the listed virtual directories, configure NTFS permissions for the anonymous Internet account, and disable WebDAV.

  8. Click Next.

  9. On the URLScan page, select Install URLScan filter on the server.

  10. Click Next twice.

    IISLockdown updates your server configuration using the selected options.

  11. Click Next and then Finish to exit the tool.
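
A post-run check for step 6, added here as an example and not part of the original text or of IISLockdown: it reads the server's script map entries, assumed to be exported as text in `extension,handler path,flags,verbs` form, and reports any extension from the step 6 list that still has a live handler. Treating a mapping to 404.dll as disabled is an assumption about how the mappings are neutralized, and the sample entries are constructed.

```python
import ntpath

# Extensions the procedure disables on the Script Maps page (step 6).
DISABLED = {
    "Index Server Web Interface": (".idq", ".htw", ".ida"),
    "Server side includes": (".shtml", ".shtm", ".stm"),
    "Internet Data Connector": (".idc",),
    ".HTR scripting": (".htr",),
    "Internet printing": (".printer",),
}
# Assumption: a disabled mapping is either removed or redirected to 404.dll.
BLOCK_HANDLER = "404.dll"


def parse_script_maps(text):
    """Return {extension: handler path} from 'ext,path,flags[,verbs]' lines."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        fields = line.split(",")
        if len(fields) >= 2 and fields[0].startswith("."):
            maps[fields[0].lower()] = fields[1].strip()
    return maps


def still_enabled(maps):
    """Return sorted (feature, extension, handler) for live step 6 mappings."""
    findings = []
    for feature, extensions in DISABLED.items():
        for ext in extensions:
            handler = maps.get(ext)
            if handler and ntpath.basename(handler).lower() != BLOCK_HANDLER:
                findings.append((feature, ext, handler))
    return sorted(findings)


# Constructed sample export, not taken from a real server.
SAMPLE = r'''
".asp,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
".idq,C:\WINNT\system32\inetsrv\404.dll,5"
".htr,C:\WINNT\system32\inetsrv\ism.dll,5,GET,POST"
".PRINTER,C:\WINNT\system32\msw3prt.dll,1,GET,POST"
".stm,C:\WINNT\system32\inetsrv\404.dll,5"
'''

if __name__ == "__main__":
    for feature, ext, handler in still_enabled(parse_script_maps(SAMPLE)):
        print(f"{ext} ({feature}) still handled by {handler}")
```

An empty result means every extension listed in step 6 is either unmapped or pointed at the blocking handler.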




Improving Web Application Security. Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
