Re: IIS 6.0 Resource Kit
From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 03/18/05
- In reply to: Phillip LeMaster: "Re: IIS 6.0 Resource Kit"
Date: Fri, 18 Mar 2005 03:37:20 GMT
On Thu, 17 Mar 2005 06:15:02 -0800, "Phillip LeMaster"
<PhillipLeMaster@discussions.microsoft.com> wrote:
>Thank you Jason. I agree to some extent. Our servers are in a remote
>location and when working with Microsoft support in the past they have asked
>that the resource kit be installed for them to troubleshoot. I also agree
>partially that tools should not be installed unless used. Our tools are used
>at least every month, but to take the time to install and uninstall is too
>cumbersome. And my last point. If a security professional writes up
>something then they should be able to relate that issue to a known bug or
>case where this is an issue and not just their personal preferences. So for
>the sake of being professional we need to know what Microsoft's view is if
>possible. I thought most tools and especially the system32 directories are
>locked down pretty much. If someone has already gotten to your system32
>directory then those tools are not going to prevent them from doing
>irreparable damage.
First, you didn't ask Microsoft to review your security, why do you
need them to provide a view on what fits your needs in your
environment?
But the real reason a security audit will list those is that if you
don't use them, you should remove them. Every audit has
recommendations, some of which you follow and others you justify not
following. An audit may recommend removing the FTP service to provide
more security on the box. Removing it *does* increase security. But
if you use it, it's not an option to remove it. Justify that you use
the tools, and make whatever changes make sense in your organization.
Jeff
>"Jason Brown [MSFT]" wrote:
>
>> To agree with Bernard, I don't see any specific threat posed by the RK
>> tools, however it's usually a good policy to keep production servers in as
>> clean a state as possible, and only install the tools if you have a specific
>> need. This goes for pretty much tools not directly related to the day-to-day
>> running of a production box.
>>
>> Most, if not all of the tools in the kit can be used from a connected
>> workstation, so there isn't necessarily a need for them to be there anyway,
>> but at the end of the day the choice is yours. As far as I'm aware,
>> Microsoft provides no specific guidance on the IIS 6.0 resource kit in this
>> direction, though I'll be happy to check this out further if you like.
>>
>>
>> --
>> Jason Brown
>> Microsoft GTSC, IIS
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Phillip LeMaster" <PhillipLeMaster@discussions.microsoft.com> wrote in
>> message news:8BD7C351-37C1-4504-A409-82A90A839154@microsoft.com...
>> > We just had our annual security audit. We were advised that we should not
>> > have IIS 6.0 tools installed on web server connected to the internet. I
>> > can
>> > not find any information that states this. Does anyone know Microsoft's
>> > policy on resource kit installations?
>>
>>
>>