Configure Web Service Extensions

In order to take a more proactive stance against malicious users and attackers, Internet Information Services (IIS) is not installed on members of the Microsoft® Windows® Server 2003 family by default. Furthermore, when you initially install IIS, it is installed in a highly secure mode. By default, IIS serves only static content; features such as ASP, ASP.NET, server-side includes, WebDAV publishing, and FrontPage 2002 Server Extensions from Microsoft do not work unless they are specifically enabled. You can configure these features, also called Web service extensions, through the Web Service Extensions node in IIS Manager.

Requirements
Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type:

runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

Procedures
To use, or to deny the use of, an HTTP request handler that is not in the list of Web service extensions, you must first register it by adding the HTTP request handler to the list of Web service extensions.
You can also use IIS Manager to specify the applications that are allowed to call Web service extensions.
You can disable all Web service extensions that are registered on the local computer with one setting in the Web Service Extension node of IIS Manager.
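
As an added example (not part of the original documentation), the following Python script audits a list of Web service extension entries and reports anything allowed beyond the static-content default. It assumes the entries were exported in the layout of the IIS 6.0 metabase property WebSvcExtRestrictionList (AllowDenyFlag,ExtensionPhysicalPath,UIDeletableFlag,GroupID,Description); the sample entries, the handler path under C:\example, and the function names are constructed for illustration.

```python
# Added example: audit Web service extension entries for anything allowed
# beyond the static-content default.
# Assumption: each entry uses the IIS 6.0 WebSvcExtRestrictionList layout
#   AllowDenyFlag,ExtensionPhysicalPath,UIDeletableFlag,GroupID,Description
# SAMPLE_ENTRIES is constructed for illustration, not taken from a real server.

SAMPLE_ENTRIES = [
    r"0,*.dll",   # catch-all: unlisted ISAPI extensions (denied)
    r"0,*.exe",   # catch-all: unlisted CGI programs (denied)
    r"1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages",
    r"0,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV",
    r"1,C:\example\handler.dll,1,,",  # hypothetical handler with no group ID
]


def parse_entry(line):
    """Split one entry; catch-all entries carry only the flag and the path."""
    parts = line.split(",", 4)  # the description may itself contain commas
    if len(parts) < 2 or parts[0].strip() not in ("0", "1"):
        raise ValueError("malformed entry: %r" % line)
    parts += [""] * (5 - len(parts))
    flag, path, deletable, group, desc = (p.strip() for p in parts)
    return {"allowed": flag == "1", "path": path,
            "deletable": deletable == "1", "group": group, "description": desc}


def audit(lines, approved_groups=()):
    """Return (finding, subject) pairs for every allowed entry not approved."""
    approved = {g.upper() for g in approved_groups}
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if not entry["allowed"]:
            continue  # denied entries match the locked-down default
        if entry["path"].lower() in ("*.dll", "*.exe"):
            findings.append(("catch-all-allowed", entry["path"]))
        elif not entry["group"]:
            findings.append(("allowed-unnamed-handler", entry["path"]))
        elif entry["group"].upper() not in approved:
            findings.append(("allowed-not-approved", entry["group"]))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_ENTRIES, approved_groups=["ASP"]):
        print(finding, subject)
```

An empty result means that only approved extensions are enabled; a catch-all-allowed finding means every unlisted ISAPI extension or CGI program on the server is permitted to run.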