Re: IIS 6.0 Resource Kit

From: Phillip LeMaster (PhillipLeMaster_at_discussions.microsoft.com)
Date: 03/17/05


Date: Thu, 17 Mar 2005 06:15:02 -0800

Thank you Jason. I agree to some extent. Our servers are in a remote
location and when working with Microsoft support in the past they have asked
that the resource kit be installed for them to troubleshoot. I also agree
partially that tools should not be installed unless used. Our tools are used
at least every month, but to take the time to install and uninstall is too
cumbersome. And my last point. If a security professional writes up
something then they should be able to relate that issue to a known bug or
case where this is an issue and not just their personal preferences. So for
the sake of being professional we need to know what Microsoft's view is if
possible. I thought most tools and especially the system32 directories are
locked down pretty much. If someone has already gotten to your system32
directory then those tools are not going to prevent them from doing
irreparable damage.

"Jason Brown [MSFT]" wrote:

> To agree with Bernard, I don't see any specific threat posed by the RK
> tools, however it's usually a good policy to keep production servers in as
> clean a state as possible, and only install the tools if you have a specific
> need. This goes for pretty much all tools not directly related to the day-to-day
> running of a production box.
>
> Most, if not all of the tools in the kit can be used from a connected
> workstation, so there isn't necessarily a need for them to be there anyway,
> but at the end of the day the choice is yours. As far as I'm aware,
> Microsoft provides no specific guidance on the IIS 6.0 resource kit in this
> direction, though I'll be happy to check this out further if you like.
>
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Phillip LeMaster" <PhillipLeMaster@discussions.microsoft.com> wrote in
> message news:8BD7C351-37C1-4504-A409-82A90A839154@microsoft.com...
> > We just had our annual security audit. We were advised that we should not
> > have IIS 6.0 tools installed on a web server connected to the internet. I
> > cannot find any information that states this. Does anyone know Microsoft's
> > policy on resource kit installations?
>
>
>


