Microsoft Posts IIS Lockdown Tool

Microsoft Corp. has a new tool designed to help administrators secure and harden Windows NT 4.0 and Windows 2000 systems running the software giant's IIS 4.0 and IIS 5.0 Web servers.

The new hardening tool, dubbed IIS Lockdown and released last week, is packaged as a 184 KB download and offers a choice between "Express Lockdown" and "Advanced Lockdown" installation options.

Microsoft says that Express Lockdown offers the tightest possible IIS security, but cautions that IT managers should bear in mind that an option of this kind disables support for a variety of IIS-specific technologies, including Active Server Pages (ASP), Index Server Web Interface, server side includes, Internet data connector, Internet printing and HTR scripting.

The notorious Code Red worm exploited a known vulnerability in IIS' .IDA ISAPI filter, which is associated with the Index Server Web Interface. An earlier potential exploit was also associated with a vulnerability in IIS' .printer ISAPI filter, which facilitates Internet printing services for end users. Potential exploits have been linked in the past to vulnerabilities in IIS' .HTR scripting facilities, as well.

Additionally, Express Lockdown removes the sample files that are installed by default along with IIS - a security practice that Microsoft has repeatedly stressed in its IIS hardening guidelines. Moreover, Express Lockdown removes the "scripts" and "msadc" virtual directories, along with all support for WebDAV.

Finally, Express Lockdown automatically configures Windows' file permissions to prevent anonymous IIS users from executing system utilities and writing data to content directories.

Advanced Lockdown, on the other hand, provides administrators with the ability to selectively allow or disable any of the features that Express Lockdown restricts by default. It is expected that most administrators will choose this lockdown method because Express Lockdown's draconian hardening measures could cause applications and services to fail in many existing Web environments.

IIS Lockdown follows hot on the heels of HTNetChk.exe and the Microsoft Personal Security Assistant, two security tools that Microsoft released less than two weeks ago to help administrators better secure their systems.

IIS Lockdown is available for download here.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

comments powered by Disqus
Most   Popular