[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident

Jonathan G. Lampe jonathan at stdnet.com
Fri Oct 12 16:14:04 GMT 2001

This week I was involved in the setup of two Windows 2000 service pack 2 
boxes with IIS 5.0.  To simplify the "hardening" procedure we decided to 
use Microsoft's IIS lockdown tool to flip off extensions,etc.  We ran the 
tool and it appeared to execute properly.  These are the options which were 
selected from the wizard:
   - Custom
   - Disable all extensions EXCEPT (.asp/.asa)
   - Enable all extra hardening measures EXCEPT (extra prot on files to 
keep web users from altering content)
   The program thought for a few seconds and informed the operator that the 
program worked, but when I did a manual check of settings immediately 
afterwards (and again after a reboot) I noticed that ALL extensions were 
STILL enabled!!!

   We performed the same procedure on another box from the same 
manufacturer with the same results.  Has anyone else out there also 
encountered a situtation where the IIS lockdown tool didn't perform as 

- Jonathan Lampe, GCIA - Standard Networks, Inc - 608.227.6100 - 
jonathan at stdnet.com

P.S. Both boxes were brand-new Dell 2500 rack-mounts with Windows 2000 
Service Pack 2 preinstalled.  At the time we ran the IIS Lockdown Tool, the 
only web site on each box was the default IIS web site.  It was this site 
that I checked for file extensions, etc. after running the lockdown tool.


More information about the list mailing list