Microsoft Posts IIS Lockdown Tool

Microsoft Corp. has a new tool designed to help administrators secure and harden Windows NT 4.0 and Windows 2000 systems running the software giant's IIS 4.0 and IIS 5.0 Web servers.

The new hardening tool, dubbed IIS Lockdown and released last week, is packaged as a 184 KB download and offers a choice between "Express Lockdown" and "Advanced Lockdown" installation options.

Microsoft says that Express Lockdown offers the tightest possible IIS security, but cautions that IT managers should bear in mind that an option of this kind disables support for a variety of IIS-specific technologies, including Active Server Pages (ASP), Index Server Web Interface, server side includes, Internet data connector, Internet printing and HTR scripting.

The notorious Code Red worm exploited a known vulnerability in IIS' .IDA ISAPI filter, which is associated with the Index Server Web Interface. An earlier potential exploit was also associated with a vulnerability in IIS' .printer ISAPI filter, which facilitates Internet printing services for end users. Potential exploits have been linked in the past to vulnerabilities in IIS' .HTR scripting facilities, as well.

Additionally, Express Lockdown removes the sample files that are installed by default along with IIS - a security practice that Microsoft has repeatedly stressed in its IIS hardening guidelines. Moreover, Express Lockdown removes the "scripts" and "msadc" virtual directories, along with all support for WebDAV.

Finally, Express Lockdown automatically configures Windows' file permissions to prevent anonymous IIS users from executing system utilities and writing data to content directories.

Advanced Lockdown, on the other hand, provides administrators with the ability to selectively allow or disable any of the features that Express Lockdown restricts by default. It is expected that most administrators will choose this lockdown method because Express Lockdown's draconian hardening measures could cause applications and services to fail in many existing Web environments.

IIS Lockdown follows hot on the heels of HFNetChk.exe and the Microsoft Personal Security Assistant, two security tools that Microsoft released less than two weeks ago to help administrators better secure their systems.

IIS Lockdown is available for download here.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

