Microsoft Updates IIS Lockdown Tool
- By Scott Bekker
Microsoft Corp. updated its tool for locking down its beleaguered IIS Web server this month by adding templates, support for unattended installations and the ability to remove services.
Microsoft posted the 2.1 version of its IIS Lockdown Wizard to its Web site on Nov. 14. The tool, a 292-kb download, can be found at http://www.microsoft.com/downloads/release.asp?ReleaseID=33961.
The tool improves upon the first version, which Microsoft released in August. That was about the same time Microsoft made two other security tools available -- the Microsoft Personal Security Assistant and the HFNetChk.exe utility for automated hotfix checking. It was also around the time the Code Red worm and its descendants were making life difficult for IT administrators everywhere.
The new lockdown wizard is available for IIS 4.0 and IIS 5.0. Microsoft stresses that even IIS boxes secured via the wizard still require that IT administrators install all available hotfixes and any future hotfixes.
The idea behind the templates is to help administrators quickly configure secure versions of IIS for other Microsoft servers that depend upon IIS. Templates in the new wizard cover Exchange Server 5.5, Exchange 2000 Server, Commerce Server 2000, BizTalk Server 2000, Small Business Server 4.5, Small Business Server 2000, SharePoint Portal Server, FrontPage Server Extensions and SharePoint Team Server.
The previous version of the lockdown tool came in Express and Advanced versions. The Express version automatically hardened IIS in a way that would break some applications. The Advanced version afforded administrators more flexibility but required more time to configure.
Using the updated wizard, administrators can also remove or disable key IIS services, including HTTP, FTP, SMTP and NNTP.
A key feature of the new wizard is support for unattended installations, making the tool more useful to larger IIS shops.
Microsoft has taken considerable criticism for the security vulnerabilities in IIS, especially the decision to have the Web server install by default in an insecure way. Microsoft is reversing course with the Windows .NET Server family by having IIS 6.0 install by default in a locked-down fashion. The change went into effect with the Beta 3 version of the Windows .NET Servers.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.