I can't get the silly thing to work. Keeps erroring with an "SID" error.
Was going to test it on a dev system. But looks like it isn't going to
run anyway.
Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
"We ARE the net."
http://www.aaawebhosting.com
> -----Original Message-----
> From: Jon Hall [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 2:11 PM
> To: CF-Talk
> Subject: Re: New IIS security tool
>
>
> From NTBugtraq...reprinted without permission, so sue me.
>
> I'm not exactly sure why I'm supposed to be elated, maybe it's
> the fact it has an "Undo" feature. Call it sour grapes, but
> this thing falls short of what I offered as a prototype
> several weeks ago (in some ways) while being far superior in
> other ways.
>
> The tool is targeted at Novice users, offering an Express
> mode and Advanced Mode.
>
> What it does:
>
> 1. Creates two new groups, Web Anonymous Users and Web
> Applications, puts the IUSR and IWAM accounts in them
> respectively, then sets an ACE more than enough executables
> to specifically deny any access to those files. Good job.
>
> 2. Disables WebDAV. Good job.
>
> 3. Provides a new .dll, called 404.dll, that is implemented
> with all (or some) ISAPI filter script mappings. This
> provides a 404 response to any request for such a file.
> Probably the best we could expect since it's impossible to
> tell IIS to not allow the re-implementation of a given script
> type (i.e. you can't prevent it from re-implementing .ida,
> but if it's already mapped to a .dll you're not likely to
> overwrite the existing mapping). So so job. I haven't checked
> yet whether 404.dll is added to the WFC dllcache, I sure hope
> so.
>
> 4. Removes sample files. About time.
>
> 5. Removes the \scripts and \msadc *virtual* directories (the
> actual directories themselves, and their contents, are left
> intact). The directories should have been removed as well.
>
> 6. Explicitly denies the IUSR account write access to the
> contents of the INETPUB directory. Unfortunately it does this
> using a DACE, which NT 4.0 cannot handle, so on NT 4.0
> systems you won't be able to view any security information
> about these modified files after the tool is run. W2K systems
> don't have this problem. Guess this is just another example
> of how MS seems to have forgotten how many NT 4.0 systems are
> out there, or figure that no Novices run NT 4.0?
>
> In general, I'm disappointed at Microsoft Security for
> labeling the tool as an IIS Lockdown tool. It isn't; it's a
> Web Services lockdown tool. It does nothing about the default
> installations of FTP and SMTP servers out there (and there
> are way too many of them!). Most people who are likely to run
> the tool probably aren't aware they have FTP and SMTP enabled
> in addition to web services. They're likely going to get a
> false sense of security out of running an IIS Lockdown tool
> when it doesn't touch these other services. At the very least
> it should have an option to remove those services if found.
>
> MS01-037 describes a ripe scenario for the boxes which are
> prime candidates to have this tool run, stand-alone servers
> with a default install, yielding them up as SPAM relay
> servers. Microsoft seems to think that we consumers feel the
> SMTP service of IIS 5.0 isn't part of IIS 5.0 at all, even
> though it's managed through IIS Manager and installed by
> default as part of IIS. Heck, even MS01-037 doesn't mention
> it's part of IIS, and MS01-037 doesn't show up in a Security
> Bulletin Search of IIS 5.0.
>
> They also don't clean the machine up the way I would like to
> see it done. It should remove files, directories, and
> registry keys that are associated with the functionality they
> disable. The RDS keys, for example, aren't removed and Jet
> operation isn't set to safe mode. The \msadc directory and
> its contents are left intact.
>
> They're making the assumption that people who don't know much
> about what they should or shouldn't have on their systems, or
> what they should do to protect it, are going to use the tool
> to make themselves far more secure. They go so far as to state:
>
> "Consider this: a web server configured using the Express
> Lockdown would be completely protected against Code Red and
> virtually all known security vulnerabilities affecting IIS
> 4.0 and 5.0 - even without the patches for these
> vulnerabilities. We do, of course, recommend that all
> customers, even those running locked-down servers, continue
> to stay current on all security patches, but this vividly
> illustrates the value of the tool."
>
> All-in-all IISLockD is a few steps short of the mark I tried
> to establish with my tool. My tool was never ready for
> prime-time, and theirs is, but they really should've gone the
> whole nine yards and done it right the first time.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
>
>
> Chad Gray wrote:
>
> >Has anyone tried this new IIS tool?
> >
> >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
> >
> >I will try it on a development server first, but wanted to see if
> >anyone has had good or bad experiences.
>
>
>
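As an added example (not code from this thread or from Microsoft's tool), the script below checks item 3 of the quoted review against an exported ScriptMaps list: each extension of interest is reported as neutralised by 404.dll, still exposed through some other ISAPI DLL, or unmapped, the last being the state the review argues is weaker than an occupied mapping. The sample entries, the legacy.dll handler and the .legacy/.htr extensions are constructed for this example; entries are assumed to follow the metabase layout extension,executable,flags[,verbs].

```python
"""Audit an IIS 4/5 ScriptMaps list against the 404.dll policy from the review.

A metabase ScriptMaps entry looks like  extension,executable,flags[,verbs].
Each extension of interest ends up as one of:
  neutralised (mapped to 404.dll, slot occupied), allowed (handler the site
  keeps), exposed (some other ISAPI DLL still reachable), or unmapped (no
  mapping at all, so nothing stops it being re-mapped later).
"""
import ntpath

# Constructed sample of a partially locked-down IIS 5 site (not a real export).
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\inetsrv\404.dll,1",
    r".idq,C:\WINNT\System32\inetsrv\404.dll,1",
    r".legacy,C:\WINNT\System32\inetsrv\legacy.dll,1,GET,POST",  # constructed handler
]

# Extensions the lockdown should neutralise: .ida comes from the review, the
# rest are assumed for this example.
EXPECTED_NEUTRALISED = [".ida", ".idq", ".legacy", ".htr"]
ALLOWED_HANDLERS = {"asp.dll"}
SENTINEL = "404.dll"


def parse_scriptmaps(entries):
    """Return {extension: handler DLL basename} from ScriptMaps entries."""
    mapping = {}
    for entry in entries:
        fields = entry.split(",")
        if len(fields) < 2 or not fields[0].startswith("."):
            continue  # malformed entry: skip rather than guess
        mapping[fields[0].strip().lower()] = ntpath.basename(fields[1].strip()).lower()
    return mapping


def classify(mapping, ext):
    handler = mapping.get(ext.lower())
    if handler is None:
        return "unmapped"
    if handler == SENTINEL:
        return "neutralised"
    return "allowed" if handler in ALLOWED_HANDLERS else "exposed"


def audit(entries, expected=EXPECTED_NEUTRALISED):
    """Map each expected extension to its status; anything but 'neutralised' needs a look."""
    mapping = parse_scriptmaps(entries)
    return {ext: classify(mapping, ext) for ext in expected}
```

Calling audit(SAMPLE_SCRIPTMAPS) on the sample reports .ida and .idq as neutralised, .legacy as exposed and .htr as unmapped.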
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists