Re: Microsoft Strategic Technology Protection Program
From: David LeBlanc (dleblanc@MINDSPRING.COM)
Date: 10/03/01
- Previous message: Russ: "Microsoft Strategic Technology Protection Program"
- In reply to: Russ: "Microsoft Strategic Technology Protection Program"
- Next in thread: Ryan Russell: "Re: Microsoft Strategic Technology Protection Program"
Message-ID: <025101c14c3a$dbadf730$0100a8c0@davenet.local>
Date: Wed, 3 Oct 2001 11:33:44 -0700
From: David LeBlanc <dleblanc@MINDSPRING.COM>
Subject: Re: Microsoft Strategic Technology Protection Program
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> a) Probe your internal network to identify IIS installations (this
> can be done with HFNetchk, but working with its output is no fun)
Merely identifying IIS installations can be done with a port scanner capable
of grabbing web server banners. This can also be done using the sc.exe
utility from the resource kit (BTW, it ships in XP/.NET). Most network
security scanners produced in the last 4 years have a check that will
enumerate running NT services on a system as well.
> b) Completely remove the IIS installation on command (remotely!), or
> render it stopped
    sc \\server stop w3svc
If you'd like to set it to disabled, the following will work:
    sc \\server config w3svc start= disabled
Be sure to couple this with a stop, else it will continue to run until next
reboot.
> c) Query the IIS installation and alter it, removing RDS keys,
> updating MDAC, patching it, disabling /scripts, tightening
> permissions, etc...
I'd suggest getting to know the IMSAdmin object. It is thoroughly documented
in both the SDK and the IIS documentation. It is very scriptable. NTFS-level
permissions can be set using policies set on OUs. Additionally, you can
disable services on a per-OU basis.
> d) Report results in a comprehensive fashion
Perl is wonderful.
> I don't know about the rest of you, but many people have thousands of
> IIS boxes to deal with.
It might be a good thing to learn how to use the available tools to their
maximum advantage. I'm all for having better tools available to manage large
enterprises, but much of what you're asking for above can be done (even to
large numbers of systems) using tools that have been available for some
time. As your wish list points out, education is a big component of what
needs to be done - there are a lot of available tools that are already out
there which will help you secure systems.
I'd also strongly advocate getting to know what can be done using Win2k
security policies. This can be an extremely powerful tool, and my co-worker
Eric Schultze has developed a number of templates that automate most of the
work involved in securing IIS. It's quite nice to just join a system to a
domain and have a large checklist automatically applied.
Hope this helps -
David LeBlanc
dleblanc@mindspring.com
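
Added example, not part of the original message: a small report over the text that `sc \\HOST query w3svc` followed by `sc \\HOST qc w3svc` prints, flagging hosts where W3SVC was set to disabled without the accompanying stop. The host names, the sample output and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample text (not captured from real hosts), modelled on what
# `sc \\HOST query w3svc` followed by `sc \\HOST qc w3svc` prints.
def _out(state, start):
    return (f"SERVICE_NAME: w3svc\n        STATE              : {state}\n"
            f"SERVICE_NAME: w3svc\n        START_TYPE         : {start}\n")

SAMPLES = {
    "web01": _out("4  RUNNING", "4   DISABLED"),
    "web02": _out("1  STOPPED", "4   DISABLED"),
    "web03": _out("1  STOPPED", "2   AUTO_START"),
    "web04": "[SC] OpenService FAILED 1060:\n",
    "web05": "[SC] OpenSCManager FAILED 1722:\n",
}

FIELD = re.compile(r"^\s*(STATE|START_TYPE)\s*:\s*\d+\s+(\w+)", re.M)
FAILED = re.compile(r"\[SC\] \S+ FAILED (\d+)")

def classify(output):
    """Return a verdict label (hypothetical names) for one host's sc output."""
    fail = FAILED.search(output)
    if fail:
        # 1060 = ERROR_SERVICE_DOES_NOT_EXIST: W3SVC is not installed.
        # Any other code (e.g. 1722, RPC server unavailable) needs a retry.
        return "no-iis" if fail.group(1) == "1060" else "query-failed"
    fields = dict(FIELD.findall(output))
    state, start = fields.get("STATE"), fields.get("START_TYPE")
    if state is None or start is None:
        return "unparsed"
    if start == "DISABLED":
        # Disabled alone does not stop the service before the next reboot.
        return "locked-down" if state == "STOPPED" else "disabled-not-stopped"
    # Start type still allows the service to come back.
    return "stopped-not-disabled" if state == "STOPPED" else "active"

def report(samples):
    """Map each host to its verdict, sorted by host name."""
    return {host: classify(out) for host, out in sorted(samples.items())}

if __name__ == "__main__":
    for host, verdict in report(SAMPLES).items():
        print(f"{host:8} {verdict}")
```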