[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident

Jonathan G. Lampe jonathan at stdnet.com
Mon Oct 15 21:15:58 GMT 2001


As expected, here's Microsoft's reply to my note to secure at microsoft.com. 
(Let me paraphrase: Yeah, so?)  I would laugh, but Microsoft's responses 
really are not funny anymore.

- Jonathan Lampe, GCIA - Standard Networks - 608.227.6100 - 
jonathan at stdnet.com -

Hi -
Thanks very much for your note. However, it sounds as though the issue
you've reported is a technical support issue rather than a security
vulnerability in a Microsoft product. As much as we wish we could
provide technical support, Microsoft Product Support Services is the
better place to go for this kind of assistance. Information on how to
contact PSS is available at http://www.microsoft.com/support/. The IIS
Lockdown tool is supported.
Regards,
Secure at microsoft.com

 >
 >This week I was involved in the setup of two Windows 2000 service pack 2
 >boxes with IIS 5.0. To simplify the "hardening" procedure we decided to
 >use Microsoft's IIS lockdown tool to flip off extensions, etc. We ran the
 >tool and it appeared to execute properly. These are the options which
 >were selected from the wizard:
 > - Custom
 > - Disable all extensions EXCEPT (.asp/.asa)
 > - Enable all extra hardening measures EXCEPT (extra prot on files to
 > keep web users from altering content)
 > The program thought for a few seconds and informed the operator that
 > the program worked, but when I did a manual check of settings immediately
 > afterwards (and again after a reboot) I noticed that ALL extensions were
 > STILL enabled!!!
 >
 > We performed the same procedure on another box from the same
 > manufacturer with the same results.
 >
 >- Jonathan Lampe, GCIA - Standard Networks, Inc - 608.227.6100 -
 >jonathan at stdnet.com
 >
 >P.S. Both boxes were brand-new Dell 2500 rack-mounts with Windows 2000
 >Service Pack 2 preinstalled. At the time we ran the IIS Lockdown Tool,
 >the only web site on each box was the default IIS web site. It was this
 >site that I checked for file extensions, etc. after running the lockdown
 >tool.
 >

At 08:01 PM 10/13/2001, (johnh at aproposretail.com) wrote:
>At Fri, 12 Oct 2001 11:14:04 -0500 , "Jonathan G. Lampe" 
><jonathan at stdnet.com> wrote:
>
> >   The program thought for a few seconds and informed the operator that the
> >program worked, but when I did a manual check of settings immediately
> >afterwards (and again after a reboot) I noticed that ALL extensions were
> >STILL enabled!!!
>
>You might want to send this to secure at microsoft.com and to bugtraq.
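A defender's check for the manual verification step described in the quoted note, added here and not part of the original post or of Microsoft's tool: it reads the ScriptMaps property of the default web site through the IIS 5.0 ADSI provider (or falls back to a constructed sample when run off the box) and lists every extension still mapped to a live handler beyond the .asp/.asa allow-list chosen in the wizard. Assumed: pywin32 is installed on the IIS host, the default site is W3SVC/1, and a mapping pointed at 404.dll counts as disabled.

```python
"""Check which IIS 5.0 script mappings survived an IIS Lockdown run."""
from typing import Dict, Iterable, List

# Constructed sample in the metabase ScriptMaps format
# "<ext>,<handler dll>,<flags>[,<verbs>...]"; not captured from the boxes in the post.
SAMPLE_SCRIPTMAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
    ".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
    ".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST",
]

# Assumption: an extension pointed at 404.dll is treated as disabled,
# the same as one whose mapping was removed entirely.
DISABLED_HANDLER = "404.dll"


def parse_scriptmaps(entries: Iterable[str]) -> Dict[str, str]:
    """Return {extension: handler path} from raw ScriptMaps strings."""
    mapped: Dict[str, str] = {}
    for entry in entries:
        parts = entry.split(",")
        if len(parts) < 2:
            continue  # malformed entry: skip rather than guess a handler
        mapped[parts[0].strip().lower()] = parts[1].strip()
    return mapped


def still_enabled(entries: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Extensions mapped to a live handler that the wizard should have disabled."""
    allow = {ext.lower() for ext in allowed}
    leftovers = [
        ext for ext, handler in parse_scriptmaps(entries).items()
        if ext not in allow and not handler.lower().endswith(DISABLED_HANDLER)
    ]
    return sorted(leftovers)


def read_live_scriptmaps(site_path: str = "IIS://localhost/W3SVC/1/Root") -> List[str]:
    """Read ScriptMaps from the local metabase via ADSI (needs pywin32 on the host)."""
    import win32com.client  # imported lazily so the parser still runs offline
    return list(win32com.client.GetObject(site_path).ScriptMaps)


if __name__ == "__main__":
    try:
        entries = read_live_scriptmaps()
    except Exception:  # not on an IIS host: demonstrate with the constructed sample
        entries = SAMPLE_SCRIPTMAPS
    left = still_enabled(entries, [".asp", ".asa"])
    print("still mapped:", ", ".join(left) if left else "none")
```

Run it immediately after the wizard reports success and again after the reboot, as the note describes; an empty result is the only outcome that confirms the tool did what it claimed.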
