Removing the Default Web Site

Several references recommend removing the Default Web Site for security reasons. The only reason I can see is because of the default virtual directories and default permissions that exist on the Default Web Site. Is this step beneficial even if I already follow best practices such as removing unneeded content and directories and setting custom permissions?

Removing the Default Web Site is good advice but not necessary in all cases. I advise most IIS administrators to turn off the Default Web Site. If, however, the Web server is connected to the Internet, I recommend removing the Default Web Site and underlying content.

The case for keeping the Default Web site is that a time might arise when you need the online documentation. In addition, Microsoft tends to depend on the Default Web Site for installing software such as Microsoft Proxy Server 2.x and the IIS Migration Wizard. However, if you keep the site, I recommend that you not use it for content and disable it. If you want to use the Default Web Site for content, you need to remove all the built-in virtual directories and provided files. Consequently, you might as well start a new Web site and leave the Default Web Site turned off.

By default, the Default Web Site's home folder is %systemroot%www rootinetpub. When you create new Web sites, the logical home directory for those new Web sites is the inetpub folder. However, by placing these new sites in the inetpub folder, you make the new Web sites' content available from the Default Web Site. Figure 4 shows a typical setup in which a new Web site resides in the inetpub folder. As you can see, an intruder can access the new Web site as either http:// securityadministrator.com or http://iisadministrator.com/newsite. The best way to avoid this potential security hole is to place all your content in a new wwwroot folder outside inetpub (and off the system drive). The only other way to avoid the hole is to delete or disable the Default Web Site.