DOCUMENT:Q317478  08-APR-2002  [iis]
TITLE   :HOW TO: Prevent IIS from Accepting Anon Requests During Install
PRODUCT :Internet Information Server
PROD/VER::5.0
OPER/SYS:
KEYWORDS:kbAudITPro kbHOWTOmaster

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Services version 5.0, used with:
    - the operating system: Microsoft Windows 2000
-------------------------------------------------------------------------------

IN THIS TASK
------------

 - SUMMARY

    - Introduction
    - Disable Anonymous Access on the Default Web Site

SUMMARY
=======

This step-by-step article describes how to install Windows 2000 and Internet
Information Services (IIS) version 5.0 from a network share without leaving the
server vulnerable until you can install service packs and fixes.

NOTE: This procedure works only if you install IIS from a network share. It does
not work if you perform the installation directly from the Windows 2000 CD.

Introduction
------------

When you install Windows 2000 and IIS 5.0 across a network, you may need to
prevent IIS from serving anonymous requests until you have installed a service
pack or fix. To do this, you must disable anonymous access on the default Web
site during installation by modifying the Iis.inf file before you run the setup
file. When you do this, the server is less likely to be compromised before it
can be patched.

Disable Anonymous Access on the Default Web Site
------------------------------------------------

1. Open a command prompt and browse to the i386 folder of the shared Windows
   2000 installation.

2. Run the following command to expand the Iis.inf file:

      expand.exe iis.in_ iis.inf

3. After the file is expanded, delete the Iis.in_ file.

   NOTE: Do not delete the expanded Iis.inf file.

4. Open the Iis.inf file in Notepad or any other text editor.

5. In the [WWW_REG] section of the Iis.inf file, locate the following line:

      1 0 HKLM System\CurrentControlSet\Services\W3SVC\Parameters Authorization LM/W3SVC 6000 0x1 2 1 4 0x5

6. Change the last parameter (0x5) of the line to 0x4. This configures the
   server so that only Windows Integrated Authentication (NTLM) is enabled on
   the server. The line should now resemble the following:

      1 0 HKLM System\CurrentControlSet\Services\W3SVC\Parameters Authorization LM/W3SVC 6000 0x1 2 1 4 0x4

   Other options for this parameter are as follows:

    - 0x0 = No authentication (all access denied)
    - 0x2 = Basic authentication only
    - 0x6 = Basic and Windows Integrated (NTLM) authentication
    - 0x16 = Digest authentication only
    - 0x18 = Basic and Digest authentication
    - 0x20 = Windows Integrated (NTLM) and Digest authentication

7. After you have made the changes, save and close the file. Now, when you
   install Windows 2000 from this share, these changes are applied when IIS is
   configured during the installation process.

8. Install IIS and all necessary service packs and fixes.

9. Enable Anonymous authentication by using one of the following methods:

    - From a command prompt on the server, run the following command:

         cscript.exe C:\inetpub\adminscripts\adsutil.vbs set w3svc/AuthAnonymous True

    - Use the IIS Management Console. To do this, follow these steps:

      a. In the IIS Management Console, right-click the Computer node and then
         click Properties.

      b. Select WWW Service and then click Edit.

      c. On the Directory Services tab, click Edit under Anonymous access and
         authentication control.

Additional query words: iis 5 secure install

======================================================================
Keywords          : kbAudITPro kbHOWTOmaster
Technology        : kbiisSearch
Version           : :5.0
Issue type        : kbhowto
=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS
OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.
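
The Iis.inf edit in steps 5 and 6 of the procedure can be scripted and checked before the share is used for installs. The Python sketch below is an added example, not part of the original article or of Microsoft's tooling; it assumes the Authorization line looks as printed in step 5 and that anonymous access is bit 0x1 of the last parameter (which is what the 0x5 to 0x4 change clears). The function name, the sample text and the [OTHER_REG] section are constructed for illustration.

```python
import re

ANON_BIT = 0x1  # assumption: anonymous access; the article's 0x5 -> 0x4 edit clears it
_LAST_HEX = re.compile(r"(0x[0-9A-Fa-f]+)(?=\s*$)")  # final hex field of a line


def disable_anonymous(inf_text):
    """Clear the anonymous bit on the [WWW_REG] Authorization line.

    Returns (patched_text, old_flags, new_flags). Raises ValueError when the
    line is not found, so an unpatched share is never reported as safe.
    """
    out, section, found = [], None, None
    for line in inf_text.splitlines(keepends=True):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].upper()          # track the current INF section
        elif (section == "WWW_REG" and found is None and not s.startswith(";")
              and "W3SVC\\Parameters" in s and "Authorization" in s
              and "LM/W3SVC" in s):
            m = _LAST_HEX.search(line)
            if m:
                old = int(m.group(1), 16)
                new = old & ~ANON_BIT
                # Rewrite only the last field; line endings stay as they were.
                line = line[:m.start(1)] + hex(new) + line[m.end(1):]
                found = (old, new)
        out.append(line)
    if found is None:
        raise ValueError("Authorization line not found in [WWW_REG]")
    return "".join(out), found[0], found[1]


# Constructed sample: only the Authorization line text comes from the article.
AUTH = ("1 0 HKLM System\\CurrentControlSet\\Services\\W3SVC\\Parameters "
        "Authorization LM/W3SVC 6000 0x1 2 1 4 0x5")
SAMPLE_INF = ("[OTHER_REG]\r\n" + AUTH + "\r\n"        # decoy section, left alone
              + "[WWW_REG]\r\n; comment\r\n" + AUTH + "\r\n")

if __name__ == "__main__":
    patched, old, new = disable_anonymous(SAMPLE_INF)
    print(f"Authorization flags {old:#x} -> {new:#x}")
    print(patched)
```

Running the function a second time on its own output returns the same text with old and new both 0x4, which makes it usable as a pre-install check on the share as well as a patch step.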