Re: Secured IIS Project - IIS 4.0 Secure Script

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 07/24/01

Date:         Tue, 24 Jul 2001 12:08:12 -0400


I've completed v1.0 of SecuredIIS.vbs, a Visual Basic script which,
using Windows Scripting Host, implements many of the recommendations
from the Microsoft Internet Information Server 4.0 Security Checklist,
plus additional things I felt were prudent.

The intent of this script is that it be given to owners of, and run
on, IIS 4.0 servers which have been installed accepting the defaults.
It should operate identically on NT 4.0 machines which have installed
IIS 4.0 from the NT 4.0 Option Kit using the "Typical" installation
of NTOK.

Machines which were upgraded from IIS 2.0 (original NT installation),
or IIS 3.0 may have remnants left behind which we'd like to remove
(anyone noticing anything on such machines, please drop me a note).

The basic system used for testing here is;

NT 4.0 (no IIS)
NT 4.0 SP6a 128-bit
IE 4.0 SP2 (typical)
NT 4.0 Option Kit (typical)
MDAC_TYP (MDAC 2.1 upgrade)
NT 4.0 SP6a 128-bit

This setup creates an SMTP server, FTP server, Index Server, Windows
Scripting Host (required for the script to work, but part of a
default installation of NTOK), and FrontPage extensions.

The script isn't intended to ask questions or provide options. If
someone has sufficient knowledge to know what they want, or don't
want, from their installation then they should be reading the
Security Checklist above or altering their installation via the NTOK
Setup program. Those that don't know, or don't want to know, can just
double-click on the script and know that the most common security
configurations are being done for them.

The script also doesn't incorporate any Hotfix checking. This will
come as part of a (near) future version.

Version 1.0 does the following;

Remove FTP Services and any virtual directories
Remove the IISADMPWD virtual web directory
Remove all IIS Samples
Disable FrontPage on the Default Web Site
Remove SMTP Services and any virtual directories
Disable Parent Paths
Remove Script Mappings for;
Remove SMTP Service
Remove FTP Service
Remove RDS Registry keys
Set Jet ODBC to safe Sandbox mode
Disable automatic NetBIOS shares
Disable 8.3 DOS file generation
Remove the Optional, OS/2 and Posix subsystems
Hide the last logon name
Establish a logon notice
Remove the Shutdown button from the Logon dialog
Restrict Anonymous access
Delete physical directories associated with;
 SMTP Service
 FTP Service
 IIS Samples
 IIS Password Change directory

This version is being offered up for testing purposes only. Please be
aware that there is no option to stop the process once it has been

Suggestions, additions, comments should be sent to

Some remnants of the SMTP and FTP service remain after running the
script, primarily in the Content Index Service. I'm still checking
into how best to handle this (or whether it's a problem at all).

I'm currently working on v2.0 which will incorporate support for Windows

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
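As an added illustration of the kind of settings the list above describes (this is example code written for this page, not Russ's SecuredIIS.vbs), a WSH/VBScript fragment that applies a few of them through the IIS 4.0 ADSI provider and WScript.Shell. It assumes the Default Web Site is metabase instance 1 with the NTOK default virtual directory names, and the script-map extensions it drops are this example's own choice, not the list the message elides.

```vbscript
' Added example, not SecuredIIS.vbs. Assumes the Default Web Site is
' metabase instance 1 (the NTOK default) and registry keys named in the
' IIS 4.0 Security Checklist. Run as an administrator on the IIS 4.0 host.
Option Explicit
On Error Resume Next   ' keys and directories may already be absent

Dim oShell, oW3SVC, oRoot, vMaps, sMap, aKeep(), nKeep, sExt
Set oShell = CreateObject("WScript.Shell")

' --- Default Web Site root: parent paths off, IISADMPWD removed ---
Set oRoot = GetObject("IIS://localhost/W3SVC/1/Root")
oRoot.AspEnableParentPaths = False
oRoot.SetInfo
oRoot.Delete "IIsWebVirtualDir", "IISADMPWD"   ' password-change vdir
oRoot.Delete "IIsWebVirtualDir", "IISSAMPLES"  ' sample applications vdir

' --- Script mappings: keep everything except the extensions below ---
' (extension list is this example's own assumption)
Set oW3SVC = GetObject("IIS://localhost/W3SVC")
vMaps = oW3SVC.ScriptMaps
ReDim aKeep(UBound(vMaps))
nKeep = 0
For Each sMap In vMaps
    sExt = LCase(Left(sMap, InStr(sMap, ",") - 1))
    Select Case sExt
        Case ".htr", ".idc", ".stm", ".shtm", ".shtml"
            ' dropped: handler not needed on a default content-only site
        Case Else
            aKeep(nKeep) = sMap
            nKeep = nKeep + 1
    End Select
Next
ReDim Preserve aKeep(nKeep - 1)
oW3SVC.ScriptMaps = aKeep
oW3SVC.SetInfo

' --- Registry settings from the checklist (REG_SZ where Winlogon expects text) ---
Const HKLM = "HKLM\"
oShell.RegWrite HKLM & "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer", 0, "REG_DWORD"
oShell.RegWrite HKLM & "SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation", 1, "REG_DWORD"
oShell.RegWrite HKLM & "SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous", 1, "REG_DWORD"
oShell.RegWrite HKLM & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName", "1", "REG_SZ"
oShell.RegWrite HKLM & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon", "0", "REG_SZ"
oShell.RegWrite HKLM & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption", "Notice", "REG_SZ"
oShell.RegWrite HKLM & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText", "Authorised use only.", "REG_SZ"
oShell.RegWrite HKLM & "SOFTWARE\Microsoft\Jet\3.5\engines\SandboxMode", 3, "REG_DWORD"  ' Jet 3.5
oShell.RegWrite HKLM & "SOFTWARE\Microsoft\Jet\4.0\engines\SandboxMode", 3, "REG_DWORD"  ' Jet 4.0 (MDAC 2.1)
' RDS: deleting the ADCLaunch subkeys stops the DataFactory handlers being launched
oShell.RegDelete HKLM & "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory\"
oShell.RegDelete HKLM & "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory\"
WScript.Echo "Settings applied; verify with Internet Service Manager and regedit."
```

Because `On Error Resume Next` swallows failures, check the metabase and registry afterwards rather than trusting the final message; this matches the message's warning that the real script offers no interactive stop once started.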


