In-Depth

Securing IIS

How to move the default directories created by IIS from the system drive. Plus, methods to make FTP more secure.

• By Danielle Ruest and Nelson Ruest
• 04/01/2004

For This Solution: Windows Server 2003, Internet Information Services 6.0

Q
I was reading about Internet Information Services (IIS) best practices for secure installations. One thing caught my eye. Do you activate the location of the default folders for each service? Is there an easy way to move these off my system drive?

— Tennyson, Whistler, British Columbia

A
Danielle: IIS 5.0 was notorious for its automatic installation with Windows 2000 Server. The only way to remove it from the base installation is to use a scripted installation that includes specific instructions not to install IIS. This was bad enough in terms of security, mostly because if you weren't careful, all your servers hosted IIS even if you didn't need it. At least Microsoft changed this with Windows Server 2003. IIS 6.0 is no longer installed by default, which is a good thing. Now you have to consciously decide to install IIS on your servers. Even when you do, IIS 6.0 installs in "secure" mode and automatically keeps everything disabled. For more information on IIS 6.0, look at our March feature on the subject. It still includes some legacy from IIS 5.0 though, especially in terms of security practices. That's because it still automatically installs everything in the system root drive, just like IIS 5.0. This means that your default Web site, your default FTP site, as well as the root folders for the Simple Mail Transfer Protocol (SMTP) and the Network News Transfer Protocol (NNTP) will be placed on the same drive as the operating system, usually the C drive, because that's where IIS places the Inetpub folder. It's odd that Microsoft didn't carry over the capacity to choose the installation location as you could in IIS 4.0. I'll let Nelson give you the actual instructions.

Nelson: Perhaps Microsoft will think to give you a choice when Longhorn comes out. Who knows? By then, everything should be componentized so it might not even matter anymore. Anyway, it is good practice to move the location of Inetpub to a data drive—often drive D. There are two ways to do this. The first is simple, especially if you haven't started using the Web server yet. All you have to do is take the entire contents of the Inetpub folder and copy it to another drive, for example, D:\Inetpub. Then, go to the properties of the default Web site (and FTP if it is installed) and change the folder location on the Home Directory tab (see Figure 1). Once this is done, you can delete the original Inetpub folder on the system drive.

The second method is programmatic and is based on a scripted installation of IIS. If you're working with IIS 5.0, you have two choices. If the server isn't installed yet, then include the installation instructions in your unattended installation answer file. Make sure your Unattend.txt file includes these lines:

[InternetServer]
PathFTPRoot=d:\Inetpub\ftproot
PathWWWRoot=d:\Inetpub\wwwroot

That is presuming that you want to put the Inetpub folder on drive D. If not, simply change the letter to the appropriate drive.

If you already have Windows 2000 Server installed, then you'll have to begin by removing IIS from your server and then reinstalling it, this time with a scripted component installation of IIS. To remove IIS, use Control Panel | Add/Remove Programs | Add/Remove Windows Components, and uncheck IIS from the installed components. Once this is done, you can reinstall it to a new location with a scripted file. This will work for both IIS 5.0 and 6.0.

Use a text editor—Notepad is great—to create the script file. It should contain the following:

[Components]
IIS_common = on
IIS_inetmgr = on
IIS_www = on
IIS_ftp = on
[InternetServer]
PathFTPRoot=d:\Inetpub\ftproot
PathWWWRoot=d:\Inetpub\wwwroot

Save the text file as, say, IIS.txt. Then run this command:

sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\iis.txt

The command calls on the System Optional Component Manager (Sysocmgr.exe) to add the new component. It also assumes your unattended component installation file is in the root of the C drive. Note that you will require access to your Windows Server 2003 installation files for this command to work.

The components section is important, but note that as is it installs IIS, as well as turning on the World Wide Web and FTP services. If these are not the options you desire, either omit the lines or assign them the off value. For more information on the different unattended options for IIS, see Installing IIS under IIS help. Finally, if you're using IIS 6.0 (as you should because it is so much more secure), this will provide you with a locked down installation and no Web services will be enabled. You'll have to modify this configuration in IIS Manager if you want to run applications.

Q
We will be using a public Web site for the exchange of information between our company and some partner organizations. They all have different systems and we can't control the clients they use. Someone proposed FTP, but we know it has some significant security flaws. Can you recommend something more secure?

— Alice, Sioux Falls, Neb.

A
Danielle: FTP provides little security because it only supports either anonymous or basic authentication. This means that you either ask for no authentication or all passwords are transferred in clear text over the Internet. Neither is a secure practice. There are ways to secure FTP, though. For example, you can create a "blind" FTP copy site, which means that people have the right to write to the server, but not list or read its content. That way, intruders can't see what's on your server. You can also run a script that automatically removes items from the inbound folder to another, more protected, folder. A simple Xcopy command would suffice.

Another way to secure FTP is to create virtual private network (VPN) connections to the FTP site. This creates a tunnel for FTP communications that protects passwords. But this might not be practical because you state that you have no control over the client configurations of your partners. Windows Server 2003 and IIS 6.0 support FTP user isolation. This means that you can create FTP sites that will automatically isolate all users from each other. You do this by creating a home directory for each user within the FTP folder structure. When they log on, users are automatically directed to their own folder and see it as the root of the FTP site. FTP user isolation works with or without Active Directory (AD). Because you don't control the clients, you could use it in stand-alone mode.

Finally, you can also restrict access to your FTP site through TCP/IP address restrictions. If you know the IP address of all your partner networks, then you can deny all access to your FTP site (FTP site Properties | Directory Security tab), then grant access to the IP addresses or address ranges belonging to your partners' networks. This way, they will be the only ones with access.

One other way to provide secure data exchange is to replace FTP with Web-based Distributed Authoring and Versioning (WebDAV). WebDAV is an extension to HTTP 1.1, the version that enables Web sites to accept file transfers through HTTP. This gives you access to the same security levels and other functionalities normal Web sites have. This means that you can use secure connections using the Secure Sockets Layer (SSL) as well as either digest or Windows integrated authentication, both much stronger than basic authentication. Despite its strong security features, it's surprising how few people actually use WebDAV today. But in your case, Alice, this might be your best solution.

Nelson: Before I explain how to proceed, let me discuss FTP user isolation. As Danielle mentioned, this is a new feature of IIS 6.0. It works in either stand-alone or AD-integrated mode. In the latter mode, it works with a directory that is hosted by either Windows 2000 or Windows Server 2003. If you use Windows 2000, you'll need to update the AD schema to incorporate new properties to the user object. In short, it's easier to use with a Windows Server 2003 directory.

To use FTP user isolation, you need to create a new FTP site. Use the IIS Manager to right-click on FTP Sites. Select New | FTP Site. This will launch the FTP site creation wizard. Follow its instructions to create your site. When you get to the FTP User Isolation page, select the appropriate mode. In your case, Alice, select Isolate users and continue on with the wizard (see Figure 2). Once the site is created, you can create home folders for each user in the FTP folder structure. If you're using anonymous authentication, create a parent folder called LocalUser and inside this folder, create a new folder called Public. If you're working with basic authentication, you'll need to create a root folder for each domain, then a user folder for each user of that domain. Each user will think his or her folder is the root of the FTP site when he or she accesses it.

But as Danielle mentioned, you could also be using WebDAV. In IIS 5.0, WebDAV is enabled by default, and of course, it isn't in IIS 6.0. But it's not because it is enabled that it is automatically functional. WebDAV doesn't work unless and until you give write and browse access to your Web folder. First, turn WebDAV on in IIS 6.0. Begin by enabling WebDAV. Move to Web Service Extensions in IIS Manager, select WebDAV in the right pane, and click on the Allow button. Now, create your Web site. Use the same procedure as you would for any Web site, that is, right-click on Web Sites to select New | Web Site. Provide all answers to the new Web site creation wizard. When you get to the permissions page, select write and browse as well as read. These permissions will be assigned to the Home Directory properties of the Web site (see Figure 3). You must also make sure proper NTFS permissions are applied at the folder level. That's all there is to it. Now you can use any authentication method supported by HTTP such as SSL, digest, or Windows integrated authentication to let users publish to this folder. It is much more secure by default than FTP will ever be.