The most comprehensive information on securing Web applications is available in:
Designing Secure Web-Based Applications for Microsoft Windows 2000
ISBN: 0-735-60995-0
Authors: Michael Howard, Richard Waymire, Marc Levy
Publisher: Microsoft Press, July 2000
The following references are available online from the Microsoft TechNet Web site:
As a best practice, Microsoft recommends installing the latest service pack and security updates for IIS, as well as any other components running on the web server. Although many customers utilize the online Security Bulletin Search as a reference for what hotfixes to apply for a given Product and Service Pack choice, the information provided by that tool does not take into account cumulative rollups (it shows all updates released after the specified Service Pack). For that reason, we recommend that customers who deploy IIS use the Microsoft Baseline Security Analyzer (MBSA) to identify security risks.
For more information about the MBSA, click the following article number to view the article in the Microsoft Knowledge Base: 320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available
Once the latest Service Pack and all of the latest product updates (hotfixes) have been applied, system level security should be applied to the web server. To make securing IIS more convenient, Microsoft has produced the IIS Lockdown Wizard, available at the following location:
325864 How to install and use the IIS Lockdown Wizard
The IIS Lockdown Wizard provides a "wizard" interface to configure many security recommendations. Both the IIS Lockdown Wizard and UrlScan, an ISAPI filter that can be used to block malicious web requests, are part of the Microsoft Security Toolkit that can be obtained from the following location:
For more information about UrlScan, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft is committed to providing applications that can be used to keep our customers' information secure, and maintains an Internet site dedicated to security-related topics for Microsoft products. The Microsoft Security web site is available at:
In addition to visiting the Microsoft Security web site on a regular basis, Microsoft recommends that customers stay up to date with the latest Security Bulletins, by subscribing to the Microsoft Security Notification Service at the Web site listed below:
Microsoft provides free online services for determining when updates are required, such the Critical Update Notification which is available from the Windows Update Web site. To visit the Windows Update Web site, visit the following Microsoft Web site:
You can also use the Microsoft Baseline Security Advisor to determine vulnerabilities on the system that is running the utility. To obtain the Microsoft Baseline Security Advisor, visit the following Microsoft Web site: