[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident
johnh at aproposretail.com
Tue Oct 16 15:37:51 GMT 2001

On Tue, 16 Oct 2001, Sean Graham wrote:
> You emailed the wrong people, they told you where to go. They are not
> allowed/able to give technical support for products, even if those
> products are security products. Email PSS, and see what they say.
> Would you expect to be able to go to some (or your) company's IS tech
> support department and ask for product support on a product that your
> company makes?

Oh, nonsense. The IIS lockdown tool is a security tool, period. It does
not perform its intended task (that is, tightening security), which leaves
security holes in place. This is legitimately a security issue if the
lockdown tool is being advertised publicly as a security fix.

It's wise to *also* contact PSS, but notifying secure at microsoft.com that
their "security fix" tool does not close a security hole it claims to is

And I still think a bugtraq post is justified, especially after

John Hardin <johnh at aproposretail.com>
Internal Systems Administrator voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192