SUS, IIS Lockdown and Terminal Server

From: Rob Smyth - MCSE CCNP CISSP (rsmyth_at_oakwoodsys.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 10:38:22 -0700


Greetings All,
Recently I ran into an issue with SUS and a Web Server.
Terminal Server was set up in administrative mode.

As part of the SUS install it runs IIS Lockdown, you are
not given a chance to modify this - Be warned - DO NOT
INSTALL SUS on a PRODUCTION WEB SERVER - it will disable
FTP, Session states and many other things along with
creating new web user accounts - What fun.

After a reboot we found that the domain admins could not
log on to the box via Terminal Server. You would not get
an error, nothing in the event log, it would appear that
you were logging in then immediately logging off - Neato.

Logging on as the local admin - we were able to look at
security settings and all the permissions were correct for
allowing the users to log on from the network and remotely.
Nothing showed up in the registry (looked for the
logoff.exe utility that comes with W2K - used on accounts
that need to run as service but not actually log on -
stick it in the logon script). We also looked at the
local policies using poledit and saw nothing that seemed
wacked.

I was unable to find any Q articles or references in any
group.

We removed SUS and still had the same problem with
Terminal Server.

The solution was to locate the Iislockd.exe on the box and
run it. Since it already locked the box down it prompts
to restore back to pre-lockdown state.

Once the program completed the process - the Domain Admins
were able to get back on via Terminal Server.

SUS should go on a clean dedicated server.

Any comments welcome - or insight into what was the
answer without uninstalling IISLockdown.


