[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident

Sean Graham seangra at yahoo.com
Tue Oct 16 00:49:47 GMT 2001


"as expected"?

You emailed the wrong people; they told you where to go.  They are not 
allowed/able to give technical support for products, even if those products 
are security products.  Email PSS, and see what they say.  Would you expect 
to be able to go to some (or your) company's IS tech support department and 
ask for product support on a product that your company makes?  Didn't think 
so.  If you are the tech support, and someone came to you, would you (be 
able to) help them, or would you refer them to your tech support department?

And BTW, when I ran the tool it worked fine.  Do you have any other machines 
that you can try the tool on?  Can you manually remove the 
extensions?  What other software was installed on the machines prior to 
running the tool?

-- Sean

At 04:15 PM 10/15/2001 -0500, you wrote:
>As expected, here's Microsoft's reply to my note to secure at microsoft.com. 
>(Let me paraphrase: Yeah, so?)  I would laugh, but Microsoft's responses 
>really are not funny anymore.
>
>- Jonathan Lampe, GCIA - Standard Networks - 608.227.6100 - 
>jonathan at stdnet.com -
>
>Hi -
>Thanks very much for your note. However, it sounds as though the issue
>you've reported is a technical support issue rather than a security
>vulnerability in a Microsoft product. As much as we wish we could
>provide technical support, Microsoft Product Support Services is the
>better place to go for this kind of assistance. Information on how to
>contact PSS is available at http://www.microsoft.com/support/. The IIS
>Lockdown tool is supported.
>Regards,
>Secure at microsoft.com
>
> >
> >This week I was involved in the setup of two Windows 2000 Service Pack 2
> >boxes with IIS 5.0. To simplify the "hardening" procedure we decided to
> >use Microsoft's IIS Lockdown tool to flip off extensions, etc. We ran the
> >tool and it appeared to execute properly. These are the options which
> >were selected from the wizard:
> > - Custom
> > - Disable all extensions EXCEPT (.asp/.asa)
> > - Enable all extra hardening measures EXCEPT (extra prot on files to
> > keep web users from altering content)
> > The program thought for a few seconds and informed the operator that
> > the program worked, but when I did a manual check of settings immediately
> > afterwards (and again after a reboot) I noticed that ALL extensions were
> > STILL enabled!!!
> >
> > We performed the same procedure on another box from the same
> > manufacturer with the same results.
> >
> >- Jonathan Lampe, GCIA - Standard Networks, Inc - 608.227.6100 -
> >jonathan at stdnet.com
> >
> >P.S. Both boxes were brand-new Dell 2500 rack-mounts with Windows 2000
> >Service Pack 2 preinstalled. At the time we ran the IIS Lockdown Tool,
> >the only web site on each box was the default IIS web site. It was this
> >site that I checked for file extensions, etc. after running the lockdown
> >tool.
> >
>
>At 08:01 PM 10/13/2001, (johnh at aproposretail.com) wrote:
>>At Fri, 12 Oct 2001 11:14:04 -0500 , "Jonathan G. Lampe" 
>><jonathan at stdnet.com> wrote:
>>
>> >   The program thought for a few seconds and informed the operator that the
>> >program worked, but when I did a manual check of settings immediately
>> >afterwards (and again after a reboot) I noticed that ALL extensions were
>> >STILL enabled!!!
>>
>>You might want to send this to secure at microsoft.com and to bugtraq.
>
>


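The "manual check" the thread argues about can be scripted rather than eyeballed in the MMC. The following is an added example, not code from the thread, from Microsoft or from the IIS Lockdown tool. It audits the ScriptMaps entries of a web site root (on IIS 5 these are the strings printed by `cscript adsutil.vbs GET W3SVC/1/Root/ScriptMaps` from Inetpub\AdminScripts) against the allow-list Jonathan chose (.asp and .asa). The sample entries below are constructed to resemble a default IIS 5.0 install and are not taken from his boxes; the handler paths are illustrative. The example treats a mapping whose handler is 404.dll as "neutralized", because that is how the Lockdown tool's documentation describes disabling an extension (remap rather than delete); that detail comes from the tool's documentation, not from this thread, so a check that only counts mappings, as opposed to inspecting their handler, can report "still enabled" either way.

```python
"""Audit IIS 5.x ScriptMaps after running the IIS Lockdown tool.

Each metabase ScriptMaps entry has the form
    .ext,<path to ISAPI DLL>,<flags>[,VERB,VERB,...]
An extension is "live" when it is mapped to a real handler and "neutralized"
when it is mapped to 404.dll (assumption: this is how Lockdown disables it).
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: what a default IIS 5.0 site root looks like before
# hardening (paths are illustrative, not captured from a real machine).
SAMPLE_BEFORE_LOCKDOWN = [
    r'".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"',
    r'".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"',
    r'".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST"',
    r'".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST"',
    r'".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST"',
    r'".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST"',
]

# Constructed sample: the same site after a successful "disable all except
# .asp/.asa" run, with the disabled extensions remapped to 404.dll.
SAMPLE_AFTER_LOCKDOWN = [
    r'".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"',
    r'".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"',
    r'".htr,C:\WINNT\System32\inetsrv\404.dll,1,GET,POST"',
    r'".idq,C:\WINNT\System32\inetsrv\404.dll,1,GET,HEAD,POST"',
    r'".printer,C:\WINNT\System32\inetsrv\404.dll,1,GET,POST"',
    r'".shtml,C:\WINNT\System32\inetsrv\404.dll,1,GET,POST"',
]

ALLOWED = (".asp", ".asa")


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str
    flags: int
    verbs: Tuple[str, ...]


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one ScriptMaps string (adsutil prints them wrapped in quotes)."""
    parts = [p.strip() for p in entry.strip().strip('"').split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    extension = parts[0].lower()
    handler = parts[1]
    flags = int(parts[2])  # 1 = script engine, 4 = check file exists
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(extension, handler, flags, verbs)


def is_neutralized(sm: ScriptMap) -> bool:
    """Assumption: a mapping to 404.dll means the extension was disabled."""
    return sm.handler.lower().replace("/", "\\").endswith("\\404.dll")


def audit_scriptmaps(entries: Iterable[str],
                     allowed: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (live extensions outside the allow-list, neutralized extensions)."""
    allowed_set = {a.lower() for a in allowed}
    live_disallowed: List[str] = []
    neutralized: List[str] = []
    for entry in entries:
        sm = parse_scriptmap(entry)
        if is_neutralized(sm):
            neutralized.append(sm.extension)
        elif sm.extension not in allowed_set:
            live_disallowed.append(sm.extension)
    return sorted(live_disallowed), sorted(neutralized)


def lockdown_succeeded(entries: Iterable[str], allowed: Iterable[str]) -> bool:
    """True when no extension outside the allow-list still reaches a real handler."""
    live_disallowed, _ = audit_scriptmaps(entries, allowed)
    return not live_disallowed


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE_LOCKDOWN),
                          ("after", SAMPLE_AFTER_LOCKDOWN)):
        live, dead = audit_scriptmaps(sample, ALLOWED)
        print(f"{label}: live disallowed={live} neutralized={dead} "
              f"ok={lockdown_succeeded(sample, ALLOWED)}")
```

Run it against the real output of adsutil.vbs by feeding the quoted lines into `audit_scriptmaps`; a non-empty first list is the "still enabled" condition from the report, independent of whether the extension shows up in the MMC mappings dialog.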