Audit and Security of Internet Information Services

Microsoft's Internet Information Server (IIS) provides the services for a huge number of Internet web sites and internal office intranets. It provides web pages, file transfer, mail and news services. Because it is in such wide use on the Internet and in corporate intranets, IIS has become a popular target for intruders. Microsoft has responded by constantly upgrading IIS security features. The current versions of IIS, versions 7 and 7.5, have been extensively re-designed by Microsoft and provide still more security and administrative tools that the auditor needs to be aware of.

This one-day workshop is intended to give auditors an introduction to the features of IIS, and provide a fast-paced view of the principal risk and control areas. By the end of the day, you'll have an excellent knowledge of the security and management issues involved in deploying an IIS system either inside your company or as an Internet-connected server. For auditors who want practical experience of securing an IIS server, we have a ‘hands-on’ version available.

Suggested duration: 1 day, but can be customised to your requirements


How IIS integrates with Windows Server
The IIS services and how they work
The IIS directory structure
Web sites and virtual directories
File and directory permissions and how IIS uses them
How IIS handles users and groups
The Microsoft Management Console (MMC)
Remote administration
Controlling access to the web site
Anonymous access
Secure Web sites
Digital certificates
Monitoring access to IIS web sites
What are the main risks in using IIS?
Sources of Information
Testing your IIS server's security
The metabase – IIS’s information store
Querying the IIS metabase to document your IIS settings