Re: IIS Lockdown Tool

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/09/05

    Date: Sat, 09 Jul 2005 16:17:24 GMT
    
    

    On Thu, 7 Jul 2005 06:27:02 -0700, "redrobit"
    <redrobit@discussions.microsoft.com> wrote:

    >I recently upgraded a 200 server to 2003, thus upgrading IIS to version 6. I
    >am running OWA using a re-direct to HTTPS, and want to know if I should be
    >using the IIS Lockdown tool. I think I read an article that it should be
    >used if IIS is an upgrade, and not a clean install of server 2003. Any
    >advice?

    I wouldn't use the Lockdown Tool as such, but URLScan still has some
    value. Check:

    http://www.microsoft.com/technet/security/tools/urlscan.mspx

    Especially the section:

    "Determining Whether to Use UrlScan 2.5 with IIS 6.0"

    Naturally, the Resource Kit is your other security friend. And see:

    http://www.microsoft.com/technet/security/prodtech/IIs.mspx

    Jeff

