Introduction to IIS 6.0 on Windows Server 2003 - Part 2

Installing IIS 6.0 with the Configure Your Server Wizard

When you first boot a clean Windows Server 2003 installation, the operating system comes with a minimal set of components. IIS 6.0 is one of those optional pieces, and it isn’t added automatically like IIS 5.0 was on Windows 2000 Server. The result is a server that boots faster and has fewer attack vectors, but it also means that administrators must explicitly enable the web platform if they need it. One of the most straightforward ways to add IIS 6.0 is through the built‑in Configure Your Server Wizard, which is accessible from the Start menu under All Programs – Administrative Tools – Manage Your Server.

Before you begin, log on to the server with an account that has local administrator privileges. The wizard will query the system’s network configuration, verify that required files are available, and then offer a list of roles you can add. If you only need a static web server, you can select the Application Server role and let the wizard handle the rest. The wizard will install the core Web Service, the Windows Authentication and Authorization components, and the basic configuration files needed for a functional web site.

During the role selection step, the wizard presents several options: File Server, Print Server, Application Server, Mail Server, Terminal Server, Remote Access/VPN Server, Domain Controller, DNS Server, DHCP Server, Streaming Media Server, and WINS Server. Choose Application Server, and click Next. The wizard will then verify that the server’s network interfaces are up and that the Windows Installer can locate the required setup files. If you’re installing from a network share, the wizard will prompt for the path; if you’re using a DVD or CD, it will detect the media automatically.

Once the prerequisites are satisfied, the wizard presents the Application Server Options page. Here you can toggle additional services such as FrontPage Server Extensions, ASP, and ASP.NET. By default, the wizard installs only the core Web Service; ASP and ASP.NET are optional and must be checked if you plan to host dynamic content. FTP, NNTP, or SMTP are not part of this role and will not be added unless you select the corresponding role in a later wizard run.

After you finish the options screen, the wizard displays a Summary of Selections. It confirms that IIS 6.0 will be installed, along with any selected extensions. Click Next to start the installation. A series of progress bars appear as the Windows Component Wizard copies files, registers DLLs, and applies registry changes. At this point the system may reboot once or twice to apply new services.

When the installation completes, the Configure Your Server Wizard shows a final page that reads “This Server is Now an Application Server.” A link labeled “Next Steps” opens the help file that describes post‑installation tasks, such as configuring web sites, setting up security permissions, or installing additional features. The wizard also creates a log file in the Windows\Logs\ConfigureYourServer directory, which records timestamps and success or failure messages for each step. You can review this log to troubleshoot if something doesn’t work as expected.

Once the wizard finishes, the IIS Manager MMC console appears under Administrative Tools. Open it to verify that the World Wide Web Service is listed and that the service status shows Running. The console also lists the default web site, which points to C:\inetpub\wwwroot. By default this site serves static files only; if you selected ASP or ASP.NET, the same directory will now support dynamic pages. From here you can create additional sites, configure SSL bindings, set up authentication methods, and fine‑tune the application pool settings.

Because the Configure Your Server Wizard installs IIS 6.0 with a minimal configuration, administrators often follow up with the “Add or Remove Programs” path if they need to enable additional protocols like FTP or SMTP. That approach gives you a more granular view of each component, but it requires more steps. For most users who only need a web server, the wizard’s default install is adequate.

Remember that after installation, you should still apply the latest security updates for Windows Server 2003 and for IIS itself. Keeping the server patched reduces the risk of known vulnerabilities, and the Windows Update mechanism will handle most of the heavy lifting. In the next section we’ll dive into how to tighten IIS’s attack surface using Microsoft’s Lockdown tools and the RunAs feature.

Securing the New Web Server – Lockdown Tools and RunAs

Once IIS 6.0 is running, the next priority for a sysadmin is hardening the service. Microsoft released the IIS Lockdown Tool (version 2.1) to disable unnecessary features and services in IIS 4.0, 5.0, and 5.1. The same tool can also be applied to IIS 6.0 to reduce its attack surface. The tool turns off features such as CGI, Basic authentication, and the Server Banner, which can reveal the server version to attackers. The lockdown process is automated; you download the tool, run it, and the script makes the required registry changes.

Lockdown Tool 2.1 includes templates for popular Microsoft applications that rely on IIS, such as Exchange 2000, SharePoint Portal, and BizTalk. These templates enable a tighter configuration that keeps the web service running while disabling unneeded modules. The tool also bundles URLScan 2.5, which provides request filtering. URLScan blocks suspicious HTTP requests based on a set of rules that can be customized to your environment’s needs. You can configure it to deny POST requests that exceed a particular size or to block certain file extensions. Once URLScan is installed, it sits in front of IIS and inspects each request before the Web Service processes it.
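The rule types described above (a request body size limit and blocked file extensions) can be modelled offline to see which requests a given rule set would reject. This is an added example, not code from the article or from Microsoft; the urlscan.ini fragment and sample requests are constructed, the verb allow-list goes beyond what the paragraph mentions, and the evaluator is a simplified model rather than URLScan's actual logic.

```python
import configparser
import posixpath
from urllib.parse import urlsplit

# Constructed urlscan.ini fragment; the values are samples, not a baseline.
URLSCAN_INI = """
[options]
UseAllowVerbs=1        ; 1 = only verbs in [AllowVerbs] are accepted
UseAllowExtensions=0   ; 0 = reject extensions listed in [DenyExtensions]

[AllowVerbs]
GET
POST

[DenyExtensions]
.exe
.bat

[RequestLimits]
MaxAllowedContentLength=1048576
"""

def load_rules(text):
    """Parse the fragment into the three rule sets this model evaluates."""
    cp = configparser.ConfigParser(allow_no_value=True, inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep verbs and extensions exactly as written
    cp.read_string(text)
    return {
        "use_allow_verbs": cp["options"]["UseAllowVerbs"] == "1",
        "allow_verbs": set(cp["AllowVerbs"]),
        "deny_ext": {ext.lower() for ext in cp["DenyExtensions"]},
        "max_body": cp["RequestLimits"].getint("MaxAllowedContentLength"),
    }

def evaluate(rules, method, url, content_length=0):
    """Return (allowed, reason) for one request; the first matching rule wins."""
    if rules["use_allow_verbs"] and method not in rules["allow_verbs"]:
        return False, "verb not in [AllowVerbs]"
    # The extension is taken from the path only, so a query string cannot hide it.
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in rules["deny_ext"]:
        return False, "extension in [DenyExtensions]"
    if content_length > rules["max_body"]:
        return False, "body exceeds MaxAllowedContentLength"
    return True, "allowed"

RULES = load_rules(URLSCAN_INI)
if __name__ == "__main__":
    for req in [("GET", "/default.htm", 0), ("POST", "/upload.asp", 5_000_000)]:
        print(req, evaluate(RULES, *req))
```
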

Another useful mechanism for limiting administrative exposure is the Secondary Logon service, commonly known as RunAs. Instead of logging in with a full administrator account, you can launch a program with elevated privileges on a per‑task basis. This approach keeps the majority of the system’s daily operations under a standard user account, reducing the risk of accidental or malicious changes. The RunAs command is built into Windows Server 2003; for example, to start a command prompt as an administrator, open a normal console and type:

runas /user:MachineName\Administrator cmd

Replace “MachineName” with the name of your server. After pressing Enter, you’ll be prompted for the administrator’s password. Once you enter it, a new console window opens, displaying the command prompt in an elevated context. Any tools launched from that console inherit the administrative rights. You can also right‑click an executable, hold the Shift key, and select “Run as other user” to launch the program with elevated privileges. On Server 2003 the Shift key is no longer required for built‑in tools; a simple right‑click brings up the Run As… option automatically.

RunAs is especially handy when installing optional IIS components that require administrator rights, such as the IIS Administration Tool or the World Wide Web Services Manager. You can install them once, then run the configuration console as a standard user for everyday management. If you need to apply a configuration change that demands elevation, launch the console with RunAs and revert to the standard account afterward. This practice aligns with the principle of least privilege and mitigates the risk of a compromised admin session affecting the entire server.

To verify that RunAs works as intended, open Process Explorer (from Microsoft Sysinternals) and confirm that the user token for the elevated process shows “Administrator.” Similarly, you can inspect the IIS process itself to see if it inherits the correct token. If you notice that an IIS service is running under a non‑administrator account, you may need to adjust the application pool identity or re‑install the service with the proper privileges.

In combination, the IIS Lockdown Tool and RunAs provide a layered approach to hardening the web server. The lockdown script reduces the service’s attack surface, while RunAs limits the scope of elevated operations. Together, they help keep your IIS 6.0 instance secure against both external attacks and internal misconfigurations.

After hardening, you should test the server from an external client. Use a web browser to access the default site, verify that static files are served, and confirm that the site doesn’t expose the server version. If you enabled ASP.NET, deploy a simple “Hello World” page and ensure it renders correctly. Run a vulnerability scanner, such as Nessus or OpenVAS, against the server to confirm that the lock‑down rules are effective. If any issues surface, revisit the Lockdown Tool configuration or adjust URLScan rules accordingly.
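The banner check in the test step above can be scripted against a saved response head, so the result before and after lockdown can be compared. This is an added example, not part of the original article; the two response heads are constructed, and checking X-Powered-By and X-AspNet-Version alongside Server is an assumption about what an IIS/ASP.NET host may also send.

```python
import re
from email.parser import Parser

# Server is the banner the article discusses; the other two headers are an
# assumption added here about what an IIS/ASP.NET host may also send.
DISCLOSING = ("Server", "X-Powered-By", "X-AspNet-Version")
PRODUCT_VERSION = re.compile(r"[\w.-]+/\d")  # a "Product/6.0" style token

# Constructed response heads for illustration, not captured traffic.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
          "X-Powered-By: ASP.NET\r\nContent-Type: text/html\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1433\r\n\r\n"

def banner_findings(raw_head):
    """Return {header: value} for response headers that name the platform."""
    _status, _, header_text = raw_head.partition("\r\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    findings = {}
    for name in DISCLOSING:
        value = headers.get(name)  # lookup is case-insensitive
        if value is None:
            continue
        # A replacement Server name with no product/version token is not flagged.
        if name == "Server" and not PRODUCT_VERSION.search(value):
            continue
        findings[name] = value
    return findings

if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        print(label, banner_findings(head) or "no platform headers")
```
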

Managing Server Roles and Removing IIS 6.0 When It’s No Longer Needed

Server roles are a central part of Windows Server 2003’s modular design. Each role encapsulates a set of services, registry entries, and configuration files that enable a particular function on the machine. The Manage Your Server wizard presents a list of roles you can add or remove. If you’ve installed IIS 6.0 as an Application Server role and later decide you no longer need the web service, the same wizard can uninstall it cleanly.

To begin the removal process, open Manage Your Server from the Administrative Tools menu. In the wizard’s introduction page, click the green arrow that says “Add or Remove a Role.” The preliminary steps screen will confirm that the server’s network connections are available and that the installation files for Windows Server 2003 are accessible, either from a network share or from the original media. Click Next to proceed.

The Role screen lists all roles currently installed on the server. If IIS 6.0 was added as an Application Server, you’ll see that role listed. Select it, then click Next. The wizard presents a Role Removal Confirmation screen that summarizes the components that will be affected. For IIS, this includes the Web Service, the IIS Manager MMC console, and any application pools created during installation.

Before proceeding, you may want to back up the web site content, configuration files, and any custom settings. Typically, the site files live in C:\inetpub\wwwroot, but you should double‑check that your content hasn’t been moved to a different location. Copy the entire folder to a secure backup drive or network share.

Once you’re ready, check the box that confirms you understand the implications of removing the role, then click Next. The wizard may prompt you for the location of the installation files if they’re not available in the default location. Provide the path or insert the original DVD. The removal process then begins, and you’ll see a progress bar similar to the installation screens.

After the wizard completes, it displays a confirmation that the Application Server role has been removed successfully. The IIS Manager MMC console is no longer listed under Administrative Tools, and the World Wide Web service does not appear in the Services snap‑in. If you had installed any additional protocols, such as FTP or SMTP, they will still remain because the wizard removed only the Application Server role; those protocols are part of separate roles and would need to be removed individually.

To ensure the removal was thorough, launch Services.msc and verify that no IIS-related services remain. Also, open the Windows registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp to confirm that the keys have been deleted. If any remnants persist, you can manually delete the remaining keys or use a registry cleaning tool to sanitize the registry.

After a role removal, it’s a good practice to run a cleanup utility like Disk Cleanup or use the built‑in Windows Server tools to remove orphaned files and registry entries. This step frees up disk space and keeps the server lean, which is particularly valuable for servers that are dedicated to a single purpose.

In summary, adding and removing roles through the Manage Your Server wizard is straightforward and preserves the integrity of the server’s configuration. Whether you’re installing IIS 6.0 to host a new web application or removing it to tighten security, the wizard provides a guided, error‑proof process that requires minimal manual intervention. By pairing the wizard with hardening tools like IIS Lockdown and RunAs, administrators can maintain a robust and secure web infrastructure on Windows Server 2003.
