Re: What I would like the MS IIS Lockdown tool todo

From: Thor@HammerofGod.com
Date: 08/28/01


From: Thor@HammerofGod.com
To: focus-ms@securityfocus.com
Message-ID: <037401c12fff$6296f1f0$af05a8c0@anchorsign.com>
Subject: Re: What I would like the MS IIS Lockdown tool todo
Date: Tue, 28 Aug 2001 13:23:44 -0700


> Amen to your wish-list on the MS Lockdown tool. It seems to me that MS is
> really out of touch with realities as far as their user-base and
> expectations are concerned. I think they only did this tool to satisfy
> their marketroids and image makers. It got them a lot of ink and media, but
> it does not even begin to meet the expectations of any systems admin I have
> spoken to so far.

I think this is a little over the top. The tool was most certainly not
written "only to satisfy their marketroids..." Contrary to popular belief,
the security team at MS really does care about the security of their
products and the people that use them. I know some of the guys personally,
and they are hard working, dedicated professionals.

I also think saying that it does "not even begin to meet the
expectations..." is a bit naive. There are vast amounts of people out there
deploying web sites that have no concept of security. This tool is a great
first step for them. While there are certainly issues with the tool, I know
that they are being addressed. For instance- some people have problems with
the tool because they already deleted idq.dll; this will be fixed, but I
would submit that if people already knew what idq.dll was, and knew to
delete it in the first place, then they are not the intended users of the
tool in the first place.

What would really be helpful is for people to submit these issues to MS
rather than just letting them die in a public forum. That way, options could
be written into the tool and other people who are not as smart as you can
benefit from your knowledge. That's what the forum is all about.

Personally, I would like to see the tool built into the default setup of
IIS- that way you could lock it down from the get go. Well, I guess it
would be even better to have the reverse true- everything is off by default
and you turn on what you want (IIS 6?). Until then, I think it would be
good to get the IISLockdown tool developed out to meet everyone's needs.

AD


