JSI Tip 4036. The IIS Lockdown Tool.

Microsoft TechNet contains the IIS Lockdown Tool:

"Microsoft has released a new security tool that makes it simple to secure an IIS 4.0 or 5.0 web server. The tool, known as the IIS Lockdown Tool, allows web servers to quickly and easily be put into the right configuration – in which the server provides all of the services the administrator wants to provide, and no others. Customers can use this tool to instantly protect their systems against security threats that target web servers.

The tool offers two operating modes. The default is Express Lockdown which, with a single mouse click, configures the server in a highly secure way that is appropriate for most basic web servers. For administrators who want to pick and choose the technologies that will be enabled on the server, the tool offers an Advanced Lockdown mode. A comprehensive help system provides information and recommendations for selecting the best configuration, and an undo facility allows the most recent lockdown to be reversed.

Wondering whether it’s worth the time to use the tool? Consider this: a web server configured using the Express Lockdown would be completely protected against Code Red and virtually all known security vulnerabilities affecting IIS 4.0 and 5.0 – even without the patches for these vulnerabilities. We do, of course, recommend that all customers, even those running locked-down servers, continue to stay current on all security patches, but this vividly illustrates the value of the tool.

The tool is available for downloading at"
