Microsoft Updates IIS Lockdown Tool -- Redmondmag.com

Microsoft Updates IIS Lockdown Tool

By Scott Bekker
11/19/2001

Microsoft Corp. updated its tool for locking down its beleaguered IIS Web server this month by adding templates, support for unattended installations and the ability to remove services.

Microsoft posted the 2.1 version of its IIS Lockdown Wizard to its Web site on Nov. 14. The tool, a 292-kb download, can be found at http://www.microsoft.com/downloads/release.asp?ReleaseID=33961.

The tool improves upon the first version, which Microsoft released in August. That was about the same time Microsoft made two other security tools available -- the Microsoft Personal Security Assistant and the HFNetChk.exe utility for automated hotfix checking. It was also around the time the Code Red worm and its descendants were making life difficult for IT administrators everywhere.

The new lockdown wizard is available for IIS 4.0 and IIS 5.0. Microsoft stresses that even IIS boxes secured via the wizard still require that IT administrators install all available hotfixes and any future hotfixes.

The idea behind the templates is to help administrators quickly configure secure versions of IIS for other Microsoft servers that depend upon IIS. Templates in the new wizard cover Exchange Server 5.5, Exchange 2000 Server, Commerce Server 2000, BizTalk Server 2000, Small Business Server 4.5, Small Business Server 2000, SharePoint Portal Server, FrontPage Server Extensions and SharePoint Team Server.

The previous version of the lockdown tool came in an Express and Advanced version. The Express version automatically hardened IIS in a way that would break some applications. The Advanced version afforded administrators more flexibility but required more time to configure.

Using the updated wizard, administrators can also remove or disable key IIS services, including HTTP, FTP, SMTP and NNTP.

A key feature of the new wizard is support for unattended installations, making the tool more useful to larger IIS shops.

Microsoft has taken considerable criticism for the security vulnerabilities in IIS, especially the decision to have the Web server install by default in an insecure way. Microsoft is reversing course with the Windows .NET Server family by having IIS 6.0 install by default in a locked-down fashion. The change went into effect with the Beta 3 version of the Windows .NET Servers.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.