Microsoft Posts IIS Lockdown Tool

Microsoft Corp. has a new tool designed to help administrators secure and harden Windows NT 4.0 and Windows 2000 systems running the software giant's IIS 4.0 and IIS 5.0 Web servers.

The new hardening tool, dubbed IIS Lockdown and released last week, is packaged as a 184 KB download and offers a choice between "Express Lockdown" and "Advanced Lockdown" installation options.

Microsoft says that Express Lockdown offers the tightest possible IIS security, but cautions IT managers that this option disables support for a variety of IIS-specific technologies, including Active Server Pages (ASP), the Index Server Web Interface, server-side includes, the Internet Data Connector, Internet printing and HTR scripting.

The notorious Code Red worm exploited a known vulnerability in IIS' .IDA ISAPI filter, which is associated with the Index Server Web Interface. An earlier potential exploit was also associated with a vulnerability in IIS' .printer ISAPI filter, which facilitates Internet printing services for end users. Potential exploits have been linked in the past to vulnerabilities in IIS' .HTR scripting facilities, as well.

Additionally, Express Lockdown removes the sample files that are installed by default along with IIS - a security practice that Microsoft has repeatedly stressed in its IIS hardening guidelines. Moreover, Express Lockdown removes the "scripts" and "msadc" virtual directories, along with all support for WebDAV.

Finally, Express Lockdown automatically configures Windows' file permissions to prevent anonymous IIS users from executing system utilities and writing data to content directories.

Advanced Lockdown, on the other hand, provides administrators with the ability to selectively allow or disable any of the features that Express Lockdown restricts by default. It is expected that most administrators will choose this lockdown method because Express Lockdown's draconian hardening measures could cause applications and services to fail in many existing Web environments.
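
Before choosing between the two modes, it helps to know which of the restricted features a server still exposes. The following Python script is an added example, not code from Microsoft or from the original article: it audits a list of IIS script mappings and virtual directories against the features Express Lockdown disables. It assumes the metabase `ScriptMaps` entry format `.ext,handler,flags,verbs`; only `.ida`, `.printer` and `.htr` are named in the article, the other extensions are assumed IIS 5.0 defaults, and the sample data is constructed.

```python
# Added example: audit script mappings and virtual directories against Express Lockdown.
# Feature -> extensions. Only .ida, .printer and .htr are named in the
# article; the rest are assumed IIS 5.0 default mappings.
LOCKDOWN_FEATURES = {
    "Active Server Pages": {".asp", ".asa", ".cer", ".cdx"},
    "Index Server Web Interface": {".ida", ".idq", ".htw"},
    "Server-side includes": {".shtml", ".shtm", ".stm"},
    "Internet Data Connector": {".idc"},
    "Internet printing": {".printer"},
    "HTR scripting": {".htr"},
}
LOCKDOWN_VDIRS = {"scripts", "msadc"}  # virtual directories named in the article

def parse_script_map(entry):
    """Split one ScriptMaps entry: '.ext,handler path,flags[,verbs...]'."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith("."):
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    return parts[0].lower(), parts[1]

def audit(script_maps, vdirs):
    """Return (feature -> [(ext, handler)], sorted vdirs still present)."""
    ext_to_feature = {e: f for f, exts in LOCKDOWN_FEATURES.items() for e in exts}
    findings = {}
    for entry in script_maps:
        ext, handler = parse_script_map(entry)
        feature = ext_to_feature.get(ext)
        if feature:
            findings.setdefault(feature, []).append((ext, handler))
    present = sorted(v.lower() for v in vdirs if v.lower() in LOCKDOWN_VDIRS)
    return findings, present

# Constructed sample input, not taken from a real server.
SAMPLE_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".IDA,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".pl,C:\Perl\bin\perl.exe %s %s,1,GET,HEAD,POST",
]
SAMPLE_VDIRS = ["Scripts", "MSADC", "IISHelp", "app"]

if __name__ == "__main__":
    features, vdirs = audit(SAMPLE_MAPS, SAMPLE_VDIRS)
    for feature, hits in sorted(features.items()):
        print(feature, "->", ", ".join(ext for ext, _ in hits))
    print("virtual directories still present:", ", ".join(vdirs))
```

Each feature reported is one that Express Lockdown would switch off, so the output doubles as a list of what to test before applying it or what to re-enable selectively under Advanced Lockdown.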

IIS Lockdown follows hot on the heels of HFNetChk.exe and the Microsoft Personal Security Assistant, two security tools that Microsoft released less than two weeks ago to help administrators better secure their systems.

IIS Lockdown is available for download here.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

