Re: MS IIS Lockdown tool

From: EPiC (epic@hack3r.com)
Date: 08/24/01


Message-ID: <004a01c12cdc$d1626b80$d2e714d8@hack3r.org>
From: "EPiC" <epic@hack3r.com>
To: "Marc Fossi" <mfossi@securityfocus.com>, "Patrick O'Donnell" <patrick@softwareonly.com>
Subject: Re: MS IIS Lockdown tool
Date: Fri, 24 Aug 2001 14:39:05 -0600

I do not have a server that I dare install this on. The IIS servers I run
are pretty modded out.

If anyone wants to set this up, or has, I will happily audit the security.

EPiC
hack3r.com
----- Original Message -----
From: "Marc Fossi" <mfossi@securityfocus.com>
To: "Patrick O'Donnell" <patrick@softwareonly.com>
Cc: "Focus-MS" <focus-ms@securityfocus.com>
Sent: Friday, August 24, 2001 12:40 PM
Subject: Re: MS IIS Lockdown tool

> The real question is does the tool really lock the server down, or is it
> lulling novice admins into a false sense of security? Has anyone tried
> locking an IIS server down with this then running a Nessus (or similar)
> scan against it?
>
> Marc Fossi, MCSE
> SecurityFocus
> www.securityfocus.com
>
> On Fri, 24 Aug 2001, Patrick O'Donnell wrote:
>
> > I think the door swings both ways on this one... I have heard the obvious
> > horror stories of this tool, and the other side of it, which is that it was
> > a simplistic install that went without a hitch. At this point, I guess you
> > ask yourself the question of "Do I want the potential headache associated
> > with this fix?"
> >
> > --Patrick
> >
> > ----- Original Message -----
> > From: Marc Fossi <mfossi@securityfocus.com>
> > To: Patrick O'Donnell <patrick@softwareonly.com>
> > Cc: Focus-MS <focus-ms@securityfocus.com>
> > Sent: Thursday, August 23, 2001 5:09 PM
> > Subject: Re: MS IIS Lockdown tool
> >
> >
> > > I don't know. I don't currently have an IIS server to test it on, and the
> > > MS documentation is still slim on this tool. From what I can tell, it is
> > > probably best to use on a fresh installation.
> > >
> > > Marc Fossi, MCSE
> > > SecurityFocus
> > > www.securityfocus.com
> > >
> > > On Thu, 23 Aug 2001, Patrick O'Donnell wrote:
> > >
> > > > Is this a tool that can be used with existing IIS configurations, or for a
> > > > new install??
> > > >
> > > > Thanks
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Marc Fossi <mfossi@securityfocus.com>
> > > > To: Focus-MS <focus-ms@securityfocus.com>
> > > > Sent: Thursday, August 23, 2001 3:59 PM
> > > > Subject: MS IIS Lockdown tool
> > > >
> > > >
> > > > > Has anyone else seen or used this yet? I'm sure this list would be
> > > > > interested in any feedback/comments about it.
> > > > >
> > > > >
> > > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
> > > > >
> > > > > I find it quite interesting that MS has been releasing so many security
> > > > > tools lately...
> > > > >
> > > > > Marc Fossi, MCSE
> > > > > SecurityFocus
> > > > > www.securityfocus.com
> > > > >
> > > >
> > >
> >
>
>


