Before you can secure your Web server, you need to know which components are present on a Windows 2000 server after IIS and the .NET Framework are installed. This section explains which components are installed.
IIS installs a number of services, accounts, folders, and Web sites. Some components that IIS installs may not be used by your Web applications, and if present on the server, could make the server vulnerable to attack. Table 16.1 lists the services, accounts, and folders that are created by a full installation of IIS on Windows 2000 Server with all components selected.
Item | Details | Default |
---|---|---|
Services | IIS Admin Service (for administration of Web and FTP services) | Installed |
Services | World Wide Web Publishing Service | Installed |
Services | FTP Publishing Service | Installed |
Services | Simple Mail Transport Protocol (SMTP) | Installed |
Services | Network News Transport Protocol (NNTP) | Installed |
Accounts and Groups | IUSR_MACHINE (anonymous Internet users) | Added to Guest group |
Accounts and Groups | IWAM_MACHINE (out-of-process ASP Web applications; not used for ASP.NET applications except those running on a domain controller; your Web server should not be a domain controller) | Added to Guest group |
Folders | %windir%\system32\inetsrv (IIS program files) | |
Folders | %windir%\system32\inetsrv\iisadmin (files used for remote IIS admin) | |
Folders | %windir%\help\iishelp (IIS help files) | |
Folders | %systemdrive%\inetpub (Web, FTP, and SMTP root folders) | |
Web Sites | Default Web Site - port 80: %SystemDrive%\inetpub\wwwroot | Anonymous access allowed |
Web Sites | Administration Web Site - port 3693: %SystemDrive%\System32\inetsrv\iisadmin | Local machine and Administrators access only |
When you install the .NET Framework on a server that hosts IIS, the .NET Framework registers ASP.NET. As part of this process, a local, least-privileged account named ASPNET is created. This account runs the ASP.NET worker process (aspnet_wp.exe) and the session state service (aspnet_state.exe), which can be used to manage user session state.
Note: On server computers running Windows 2000 and IIS 5.0, all ASP.NET Web applications run in a single instance of the ASP.NET worker process and application domains provide isolation. On Windows Server 2003, IIS 6.0 provides process-level isolation through the use of application pools.
Table 16.2 shows the services, accounts, and folders that are created by a default installation of version 1.1 of the .NET Framework.
Item | Details | Default |
---|---|---|
Services | ASP.NET State Service: Provides support for out-of-process session state for ASP.NET. | Started manually |
Accounts and Groups | ASPNET: Account used for running the ASP.NET worker process (Aspnet_wp.exe) and session state service (Aspnet_state.exe). | Added to Users group |
Folders | %windir%\Microsoft.NET\Framework\{version} | |
Folders | %windir%\Microsoft.NET\Framework\{version}\1033 | |
Folders | %windir%\Microsoft.NET\Framework\{version}\ASP.NETClientFiles | |
Folders | %windir%\Microsoft.NET\Framework\{version}\CONFIG | |
Folders | %windir%\Microsoft.NET\Framework\{version}\MUI | |
Folders | %windir%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files | |
ISAPI Extensions | Aspnet_isapi.dll: Handles requests for ASP.NET file types. Forwards requests to ASP.NET worker process (Aspnet_wp.exe). | |
ISAPI Filters | Aspnet_filter.dll: Only used to support cookie-less session state. Runs inside Inetinfo.exe (IIS) process. | |
Application Mappings | ASAX, ASCX, ASHX, ASPX, AXD, VDISCO, REM, SOAP, CONFIG, CS, CSPROJ, VB, VBPROJ, WEBINFO, LICX, RESX, RESOURCES | \WINNT\Microsoft.NET\Framework\{version}\Aspnet_isapi.dll |
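To compare a server against the services in Tables 16.1 and 16.2, the following added example (not part of the original text) parses `sc query`-style output and marks each listed service that the server's role does not need. The service key names, the trimmed sample output, and the HTTP-only role are assumptions of the example.

```python
import re

# Service key names for the services in Tables 16.1 and 16.2. The page gives
# only display names; these short names are an assumption of this example.
TABLED = ("IISADMIN", "W3SVC", "MSFTPSVC", "SMTPSVC", "NNTPSVC", "ASPNET_STATE")

# Constructed, trimmed `sc query state= all` style output (not from a real host).
SAMPLE = """\
SERVICE_NAME: IISADMIN
        STATE              : 4  RUNNING
SERVICE_NAME: W3SVC
        STATE              : 4  RUNNING
SERVICE_NAME: MSFTPSVC
        STATE              : 4  RUNNING
SERVICE_NAME: SMTPSVC
        STATE              : 4  RUNNING
SERVICE_NAME: aspnet_state
        STATE              : 1  STOPPED
SERVICE_NAME: Dnscache
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Map each SERVICE_NAME (upper-cased) to its STATE keyword."""
    states, current = {}, None
    for line in text.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        state = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if name:
            current = name.group(1).upper()
        elif state and current:
            states[current] = state.group(1)
    return states


def audit(text, required):
    """Return (service, state, verdict) for each tabled service on the host."""
    states = parse_sc_query(text)
    needed = {r.upper() for r in required}
    return [
        (svc, states[svc], "required" if svc in needed else "review")
        for svc in TABLED
        if svc in states
    ]


if __name__ == "__main__":
    # Hypothetical role: an HTTP-only server that needs just these two services.
    for row in audit(SAMPLE, required={"IISADMIN", "W3SVC"}):
        print("%-13s %-8s %s" % row)
```

A service marked `review` is installed but not in the required set for the server's role, whether or not it is currently running.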