Re: IIS Lockdown Tool

From: Leon Mayne [MVP] (l.rmv.mayne_at_uea.ac.uk)
Date: 07/08/05


Date: Fri, 8 Jul 2005 10:30:10 +0100

redrobit wrote:
> I recently upgraded a 200 server to 2003, thus upgrading IIS to
> version 6. I am running OWA using a re-direct to HTTPS, and want to
> know if I should be using the IIS Lockdown tool. I think I read an
> article that it should be used in IIS is an upgrade, and not a clean
> install of server 2003. Any advice?

You shouldn't need IIS Lockdown in IIS6 at all, as it has all of the
security features built in.

You need to install it BEFORE you upgrade to iis6. From the IIS Lockdown
download page:

"All of the default security-related configuration settings in IIS 6.0 meet
or exceed the security configuration settings made by the IIS Lockdown tool.
Therefore, you do not need to run this tool on Web servers running IIS 6.0.
However, if you are upgrading from a previous version of IIS, you should run
the IIS Lockdown Tool before the upgrade to enhance the security of your Web
server."

http://www.microsoft.com/technet/security/tools/locktool.mspx