Microsoft Posts IIS Lockdown Tool
- By Stephen Swoyer
- August 27, 2001
Microsoft Corp. has a new tool designed to help administrators secure and harden Windows NT 4.0 and Windows 2000 systems running the software giant's IIS 4.0 and IIS 5.0 Web servers.
The new hardening tool, dubbed IIS Lockdown and released last week, is packaged as a 184 KB download and offers a choice between "Express Lockdown" and "Advanced Lockdown" installation options.
Microsoft says that Express Lockdown offers the tightest possible IIS security, but cautions IT managers that this option disables support for a variety of IIS-specific technologies, including Active Server Pages (ASP), Index Server Web Interface, server side includes, Internet data connector, Internet printing and HTR scripting.
The notorious Code Red worm exploited a known vulnerability in IIS' .IDA ISAPI filter, which is associated with the Index Server Web Interface. An earlier potential exploit was also associated with a vulnerability in IIS' .printer ISAPI filter, which facilitates Internet printing services for end users. Potential exploits have been linked in the past to vulnerabilities in IIS' .HTR scripting facilities, as well.
Additionally, Express Lockdown removes the sample files that are installed by default along with IIS - a security practice that Microsoft has repeatedly stressed in its IIS hardening guidelines. Moreover, Express Lockdown removes the "scripts" and "msadc" virtual directories, along with all support for WebDAV.
Finally, Express Lockdown automatically configures Windows' file permissions to prevent anonymous IIS users from executing system utilities and writing data to content directories.
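As an added illustration (not part of the original article and not Microsoft's tool), the following sketch audits a server's script mappings and virtual directories against the features Express Lockdown is described as disabling. The extension-to-feature table reflects default IIS 4.0/5.0 mappings rather than anything listed in the article, the entry format follows the metabase ScriptMaps convention `ext,handler,flags,verbs`, and the sample data is constructed.

```python
# Added example: flag script mappings and virtual directories that
# Express Lockdown, as described in the article, would have removed.

# Default IIS 4.0/5.0 extensions per feature (assumption: not from the article).
EXPRESS_DISABLED = {
    "Active Server Pages": {".asp", ".asa", ".cer", ".cdx"},
    "Index Server Web Interface": {".ida", ".idq", ".htw"},
    "Server side includes": {".shtml", ".shtm", ".stm"},
    "Internet data connector": {".idc"},
    "Internet printing": {".printer"},
    "HTR scripting": {".htr"},
}
REMOVED_VDIRS = {"scripts", "msadc"}  # virtual directories named in the article


def parse_script_map(entry):
    """Split one ScriptMaps entry 'ext,handler,flags[,verbs...]' into parts."""
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) < 3 or not fields[0].startswith("."):
        raise ValueError(f"malformed script map entry: {entry!r}")
    return fields[0].lower(), fields[1], fields[3:]


def audit(script_maps, vdirs):
    """Return (feature -> [(ext, handler)], leftover virtual directories)."""
    findings = {}
    for entry in script_maps:
        ext, handler, _verbs = parse_script_map(entry)
        for feature, exts in EXPRESS_DISABLED.items():
            if ext in exts:
                findings.setdefault(feature, []).append((ext, handler))
    names = (v.lower().strip("/") for v in vdirs)
    return findings, sorted(n for n in names if n in REMOVED_VDIRS)


# Constructed sample data, shaped like a metabase ScriptMaps listing.
SAMPLE_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".php,C:\PHP\php.exe,1",  # not an Express Lockdown target
]
SAMPLE_VDIRS = ["/Scripts", "/images", "/MSADC"]

if __name__ == "__main__":
    features, leftover = audit(SAMPLE_MAPS, SAMPLE_VDIRS)
    for feature, maps in sorted(features.items()):
        print(f"still mapped: {feature}: {maps}")
    print("virtual directories still present:", leftover)
```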
Advanced Lockdown, on the other hand, provides administrators with the ability to selectively allow or disable any of the features that Express Lockdown restricts by default. It is expected that most administrators will choose this lockdown method because Express Lockdown's draconian hardening measures could cause applications and services to fail in many existing Web environments.
IIS Lockdown follows hot on the heels of HFNetChk.exe and the Microsoft Personal Security Assistant, two security tools that Microsoft released less than two weeks ago to help administrators better secure their systems.
IIS Lockdown is available for download here.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.