Re: New IIS Lockdown tool from Microsoft
From: Dave Salovesh (salovesh@RAMASSOCIATES.COM)
Date: 10/04/01
- Previous message: Hughes, Don: "FW: Microsoft Strategic Protection Program"
- Next in thread: Buchenauer, Christian: "Re: New IIS Lockdown tool from Microsoft"
- Reply: Buchenauer, Christian: "Re: New IIS Lockdown tool from Microsoft"
Message-ID: <887F9D149D25D211B34500A0C986EB3E2753AB@ramassociates.com>
Date: Thu, 4 Oct 2001 14:39:13 -0400
From: Dave Salovesh <salovesh@RAMASSOCIATES.COM>
Subject: Re: New IIS Lockdown tool from Microsoft
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ said:
> What it does:
>
> 1. Creates two new groups, Web Anonymous Users and Web Applications,
> puts the IUSR and IWAM accounts in them respectively, then sets an
> ACE on more than enough executables to specifically deny any access to
> those files. Good job.
Unmentioned in most places is the fact that this may break FrontPage server
extensions.
See:
http://www.iisanswers.com/articles/IISLockdownTool.htm
(NB - gray box just below halfway down that page)
I'm looking for an answer to that problem, as in my case FP still works, but
it generates a few MB of FrontPage errors per day in my application event
log. This is drowning out the other useful information in there, and it has
to stop. I haven't convinced myself that it's due to IISLockDown, but it
seems likely.
Other good stuff y'all might want to look at in the iisanswers.com article
as well, including one thing EVERYONE using the tool should be aware of:
<quote>
While [denying "Everyone" permission to HTTPEXT.DLL, the way IISLockDown
disables WebDAV] is an effective solution to WebDAV vulnerabilities, it is
very important to remember to UNDO this setting when you apply hotfixes and
service packs. If not, the System (part of Everyone) cannot update the
HTTPEXT.DLL. It is not likely that most administrators realize this and so I
predict future problems with this aspect of the LockDown tool.
</quote>
I haven't tested much beyond day-to-day use, but I don't recall that the
undo feature is selective. Since undo will restore the pre-lockdown
metabase, and the metabase necessarily changes as the sites and features on
a server change, undo may not be a good option at all. That's even more
likely now that MS's own recommendations seem to say that IIS lockdown
should be run before a new server is brought online. See:
http://www.microsoft.com/technet/security/tools/w2knew.asp
So now adding a hotfix that "may" involve updating a file I don't really
want to have at all requires either manually backing up my metabase, undoing
lockdown, running the hotfix, redoing lockdown, and restoring the metabase
OR remembering to relax permissions on HTTPEXT.DLL first, applying the
hotfix, then restricting permissions again after.
-- 
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635

The Ten Immutable Laws of Security Administration, By Scott Culp
Law #2: Security only works if the secure way also happens to be the easy way.
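The relax/restrict workaround Dave describes above, written out as an added example (not the post's own code and not part of IISLockdown): a cmd batch script that assumes Windows 2000's cacls.exe and the default %SystemRoot%\system32\inetsrv path. The hotfix itself is run by hand between the two modes, so a reboot forced by the installer cannot skip the restore step.

```batch
@echo off
REM Added example (not from the post): lift or reapply the IISLockdown
REM "deny Everyone" ACE on HTTPEXT.DLL around a hotfix, so the hotfix can
REM replace the file and WebDAV stays disabled afterwards.
REM Assumes Windows 2000 cacls.exe and the default inetsrv path.
setlocal
set DLL=%SystemRoot%\system32\inetsrv\httpext.dll
set LOG=%TEMP%\httpext-acl.txt

if /i "%~1"=="relax"    goto relax
if /i "%~1"=="restrict" goto restrict
echo usage: %~nx0 relax ^| restrict
echo   relax    - run before applying the hotfix
echo   restrict - run after the hotfix (and any reboot it forces)
exit /b 1

:relax
REM Keep a copy of the ACL as it was, for comparison after the hotfix.
echo --- ACL before relax (%DATE% %TIME%) >> "%LOG%"
cacls "%DLL%" >> "%LOG%"
REM /E edits the ACL in place; /R removes every Everyone ACE (the deny
REM IISLockdown added) so System, a member of Everyone, can update the file.
cacls "%DLL%" /E /R Everyone
if errorlevel 1 (echo ERROR: could not relax ACL on %DLL% & exit /b 1)
echo Everyone ACE removed from %DLL%; apply the hotfix, then run "%~nx0 restrict".
exit /b 0

:restrict
REM Put the deny ACE back so the WebDAV handler is unreachable again.
cacls "%DLL%" /E /D Everyone
if errorlevel 1 (echo ERROR: could not restrict ACL on %DLL% & exit /b 1)
echo --- ACL after restrict (%DATE% %TIME%) >> "%LOG%"
cacls "%DLL%" >> "%LOG%"
echo Deny ACE for Everyone reapplied to %DLL%; review "%LOG%" to confirm.
exit /b 0
```

Because /R strips every Everyone ACE, not only the deny, compare the two listings in the log if the file ever had an explicit Everyone allow entry before lockdown.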