is IIS 5.0 safe?

David Neff

Apr 1, 2004, 12:18:33 AM
At work I use IIS to develop .Net applications and wanted to install it on
my home Windows XP Pro machine to do some work from home. I'm concerned
that I'm potentially opening up my home PC to who knows what kinds of
attacks. I have a software firewall, but I don't trust that it is enough.
Is there a way to configure IIS to make it only work on the machine it's
installed on, in a localhost-type mode or something? I basically want to cut
it off from the outside world.

Thanks!


David Wang [Msft]

Apr 1, 2004, 2:55:57 AM
Several options.

IIS 5.1 comes with XP Pro and only supports one website and 10 connections.
1. It is possible to set up IP Restriction on the website such that it will
only process localhost/127.0.0.1 requests (I don't remember if this feature
is enabled in the UI or not).
2. You can also set up the Microsoft Loopback Adapter and configure the
website to only listen on that network interface, so it then becomes
impossible for IIS to even respond to non-local requests while your own PC
is perfectly able to access IIS.
3. Run the software firewall and make sure that port 80 is not open.

Finally, realize that when you run server software, you become responsible
for configuring/securing it. Security is best achieved through knowledge
and configuration.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
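
To check that option 2 or 3 above actually took effect, this added example (not part of the original posts) parses `netstat -an` output and reports whether port 80 is listening on anything other than loopback or the loopback adapter. The sample output and the adapter address 10.255.255.1 are constructed for illustration.

```python
import ipaddress

# Constructed samples of Windows `netstat -an` output (not from the thread).
DEFAULT_BINDING = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
"""
LOOPBACK_ADAPTER_BINDING = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.255.255.1:80        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.255.255.1:80        10.255.255.1:1042      ESTABLISHED
"""

def listeners(netstat_text, port=80):
    """Local addresses that have a TCP socket in LISTENING state on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            found.append(host.strip("[]"))  # IPv6 is printed as [::]:80
    return found

def is_local_only(addr, adapter_addrs):
    """True for 127.0.0.0/8, ::1, or an address assigned to the loopback adapter."""
    if addr in adapter_addrs:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat it as exposed

def check_binding(netstat_text, port=80, adapter_addrs=()):
    """Return (verdict, offending_addresses) for the given port."""
    addrs = listeners(netstat_text, port)
    if not addrs:
        return "not listening", []
    exposed = [a for a in addrs if not is_local_only(a, adapter_addrs)]
    return ("exposed", exposed) if exposed else ("local only", [])

if __name__ == "__main__":
    print(check_binding(DEFAULT_BINDING))
    print(check_binding(LOOPBACK_ADAPTER_BINDING, adapter_addrs=("10.255.255.1",)))
```

On the real machine, pass in the text produced by `netstat -an`; a listener on 0.0.0.0 means the site is bound to every interface.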

Paul Lynch

Apr 1, 2004, 3:43:44 AM
On Wed, 31 Mar 2004 23:55:57 -0800, "David Wang [Msft]"
<som...@online.microsoft.com> wrote:

>Several options.
>
>IIS 5.1 comes with XP Pro and only supports one website and 10 connections.
>1. It is possible to set up IP Restriction on the website such that it will
>only process localhost/127.0.0.1 requests (I don't remember if this feature
>is enabled in the UI or not).
>2. You can also set up the Microsoft Loopback Adapter and configure the
>website to only listen on that network interface, so it then becomes
>impossible for IIS to even respond to non-local requests while your own PC
>is perfectly able to access IIS.
>3. Run the software firewall and make sure that port 80 is not open.
>
>Finally, realize that when you run server software, you become responsible
>for configuring/securing it. Security is best achieved through knowledge
>and configuration.

David,

You can't set IP restrictions on the 'desktop' versions of IIS.

Items in the ISM Are Missing or Appear Dimmed on Windows
http://support.microsoft.com/?id=263857


Regards,

Paul Lynch
MCSE

Jeff Cochran

Apr 1, 2004, 12:09:46 PM
On Wed, 31 Mar 2004 23:55:57 -0800, "David Wang [Msft]"
<som...@online.microsoft.com> wrote:

>Several options.
>
>IIS 5.1 comes with XP Pro and only supports one website and 10 connections.
>1. It is possible to set up IP Restriction on the website such that it will
>only process localhost/127.0.0.1 requests (I don't remember if this feature
>is enabled in the UI or not).
>2. You can also set up the Microsoft Loopback Adapter and configure the
>website to only listen on that network interface, so it then becomes
>impossible for IIS to even respond to non-local requests while your own PC
>is perfectly able to access IIS.
>3. Run the software firewall and make sure that port 80 is not open.

And 4) Unplug your connection from the internet and start IIS
manually. :)

Jeff

David Neff

Apr 2, 2004, 12:13:35 AM
If I stop the website using the IIS snap in when I'm not testing whatever
I've developed, does that eliminate any risk?

PS- Thanks for all of your other advice. I really appreciate it.


David Wang [Msft]

Apr 2, 2004, 2:43:21 AM
This is what I would do to toggle off/on IIS

To stop IIS and prevent it from being "accidentally" started,
1. Configure IISADMIN service to be disabled
2. Stop the IISADMIN service.

Via the commandline:
SC CONFIG IISADMIN start= disabled
NET STOP /y IISADMIN


To restart IIS,
1. Configure IISADMIN service to be started manually
2. Start the WWW Publishing Service

Via the commandline:
SC CONFIG IISADMIN start= demand
NET START W3SVC


If you remove admin privileges from yourself on the machine and do the above
only via a secured admin shell (via RUNAS, for example), it will not be
possible for you to even accidentally enable or run IIS. This is how I run
my machines from a security standpoint.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Jeff Cochran

Apr 2, 2004, 6:48:20 AM
On Fri, 2 Apr 2004 00:13:35 -0500, "David Neff" <neff...@hotmail.com>
wrote:

>If I stop the website using the IIS snap in when I'm not testing whatever
>I've developed, does that eliminate any risk?

Not the snap in. The *service*. The snap in is just a method of
configuring IIS.

Jeff
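
The thread's two points about switching IIS off (disable and stop the IISADMIN service, and stop the service rather than the site in the snap-in) can be verified from `sc` output. This added example is not part of the original posts; the `sc qc` and `sc query` text is constructed, and the function names are hypothetical.

```python
import re

# Constructed `sc qc` / `sc query` output (not from the thread). The
# SERVICE_NAME line is not parsed, so the same text stands in for W3SVC.
QC_DISABLED = """\
SERVICE_NAME: IISADMIN
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
"""
QC_AUTO = QC_DISABLED.replace("4   DISABLED", "2   AUTO_START")
QUERY_STOPPED = """\
SERVICE_NAME: IISADMIN
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""
QUERY_RUNNING = QUERY_STOPPED.replace("1  STOPPED", "4  RUNNING")

def sc_field(sc_output, name):
    """Return the text label of an `sc` field, e.g. STATE -> 'STOPPED'."""
    m = re.search(rf"^\s*{name}\s*:\s*\d+\s+(\w+)", sc_output, re.MULTILINE)
    return m.group(1) if m else None

def iis_off_problems(qc_iisadmin, query_iisadmin, query_w3svc):
    """List what still deviates from the 'disabled and stopped' state."""
    problems = []
    start_type = sc_field(qc_iisadmin, "START_TYPE")
    if start_type != "DISABLED":
        problems.append(f"IISADMIN start type is {start_type}")
    for svc, out in (("IISADMIN", query_iisadmin), ("W3SVC", query_w3svc)):
        state = sc_field(out, "STATE")
        if state != "STOPPED":
            problems.append(f"{svc} state is {state}")
    return problems

if __name__ == "__main__":
    # After SC CONFIG IISADMIN start= disabled and NET STOP /y IISADMIN:
    print(iis_off_problems(QC_DISABLED, QUERY_STOPPED, QUERY_STOPPED))
    # Site stopped in the snap-in only; the services are still running:
    print(iis_off_problems(QC_AUTO, QUERY_RUNNING, QUERY_RUNNING))
```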
