Re: URLScan and IIS6

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/13/03

• Next message: Ken Schaefer: "Re: Environment for SSL"
• Previous message: Tran Thi Tien Giang: "Environment for SSL"
• In reply to: Douglas Martin: "URLScan and IIS6"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 12 May 2003 19:25:44 -0700

IIS6 is locked down by default, so you do not need to run IIS Lockdown
Wizard nor URLScan. However, URLScan can run on IIS6 if you wish.

IIS6 only allows upgrade from W2K if IIS Lockdown has been run on it.

URLScan, if installed, will be preserved on upgrade. However, we are aware
of several issues with running URLScan on IIS6 due to IIS6 security
restrictions.

Microsoft will be soon publishing the definitive answer on lockdown,
URLScan, and the upgrade/clean install to IIS6.

I recommend that you clean install Windows Server 2003 and don't bother with
IIS Lockdown because an upgrade from IIS5 with Lockdown is still not as
secure overall as the clean install. URLScan is optional with IIS6 -- you
don't really need it on IIS6 (many of its features are built into IIS6 with
finer control), but you can run it if it makes you feel better.

-- 
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Douglas Martin" <lab@martinlab.com> wrote in message
news:05e101c318a4$2ea6eaa0$a601280a@phx.gbl...
I've upgraded one of my servers to W2K03 and installed
IIS6 on a fresh install, not an upgrade from W2K and
IIS5.  I had been running URLSCAN 2.5 (I think) on that
box prior to the rebuild.
Is URLSCAN functionality built into IIS6 or should I
install the latest URLSCAN (is there a Win 2003 specific
verion out or due out)?  What I have read just indicated
you better install URLSCAN on W2K/IIS5 prior
to "upgrading" your serve to W2K03/IIS6.
regards,
doug

---

• Next message: Ken Schaefer: "Re: Environment for SSL"
• Previous message: Tran Thi Tien Giang: "Environment for SSL"
• In reply to: Douglas Martin: "URLScan and IIS6"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Where is the IIS6 IISLockdown setup files located? ... You can install URLScan if you wish, it does have a few features that were ... You can't install IISLockdown currently on IIS6, ... (microsoft.public.inetserver.iis.security) Re: Trend C/S/M SMB on SBS2003 ... IIS6 is locked down by default, so you do not need to run IIS Lockdown ... URLScan can run on IIS6 if you wish. ... (microsoft.public.inetserver.iis) Re: Trend C/S/M SMB on SBS2003 ... IIS6 is locked down by default, so you do not need to run IIS Lockdown ... URLScan can run on IIS6 if you wish. ... (microsoft.public.windows.server.sbs) Re: Securing IIS 6 ... IIS6 comes in a secured and locked down configuration, ... Do I have to use URLScan or IIS lockdown on my W2k3 IIS 6? ... secure my IIS. ... (microsoft.public.inetserver.iis.security) Re: Where is the IIS6 IISLockdown setup files located? ... IIS6 nor give instructions on how to install it. ... URLScan on IIS6 due to security changes. ... (microsoft.public.inetserver.iis.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2003-05