Microsoft Internet Information Server (IIS) has multiple security options for keeping a server and its data safe from possible intruders and hackers.

IIS relies on the foundation of Microsoft Windows NT, a C2 certifiable system, for providing excellent protection.
Securing an IIS server is a combination of configuring Windows NT security and the individual IIS service's security options.
If the server connected to the Internet, a router or firewall could be configured to provide additional security.

Steps to Secure IIS

The first step in securing IIS is to secure its foundation, Windows NT. Web, FTP, and other network services are only as secure as the platform on which they run.

Windows NT Server provides user account security and the NTFS file system to secure the server and its resources.
Before securing IIS services, you should configure your user accounts and groups, resource permissions, and security policies.

Securing User Accounts and Groups

Windows NT Security helps you protect your server and its resources by requiring assigned user accounts.
Every operation on a server running Windows NT identifies who is performing the operation. For example, the username and password you use to log on to Windows NT identifies you and defines what you can do on that server. You can control access to all computer resources by limiting the authority of these accounts.

Require Users to Choose Difficult Passwords

The easiest way for someone to gain unauthorized access to your system is with a stolen or easily guessed password.
To avoid unauthorized access to your system, require that all users—especially those with administrative rights— choose difficult-to-guess passwords (long, mixed case, alphanumeric passwords are best), and set the appropriate account policies. The User Manager utility allows you to set passwords.

Limit Administrator Accounts

Since accounts with Administrator-level authority have full access to your server, you should limit accounts with this authority by limiting members of the Administrators group. You can also rename the default Administrator account so hackers will not try to guess passwords for that account.

Applying Strict Account Policies

Configuring sound security policy is another must for a secure system. There are a variety of policy options to configure, such as password restrictions, rights on ‘ the system, and audited events.

For example, the User Manager utility provides a way for the system administrator to specify when account passwords expire.
It forces users to change passwords regularly. The administrator can also specify other policies, such as how many bad login attempts are tolerated before locking a user out.

Use these policies to manage your accounts, particularly those with administrative access, to thwart exhaustive or random password attacks.

Securing Resource Access

To secure resources, such as sensitive files and directories, NTFS must apply to the drives on which they exist. Using Windows NT Explorer with resources on an NTFS partition, you can specify what permission users and groups have to that resource. Remember, if there are conflicts between your NTFS settings and IIS settings, the most restrictive settings take effect.

Warning The file allocation table (FAT) file system does not provide file or directory security and should be avoided on secure systems.