[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident

John Hardin johnh at aproposretail.com
Tue Oct 16 15:37:51 GMT 2001


On Tue, 16 Oct 2001, Sean Graham wrote:

> You emailed the wrong people, they told you where to go. They are not
> allowed/able to give technical support for products, even if those
> products are security products. Email PSS, and see what they say.
> Would you expect to be able to go to some (or your) company's IS tech
> support department and ask for product support on a product that your
> company makes?

Oh, nonsense. The IIS lockdown tool is a security tool, period. It does
not perform its intended task (that is, tightening security), which leaves
security holes in place. This is legitimately a security issue if the
lockdown tool is being advertised publicly as a security fix.

It's wise to *also* contact PSS, but notifying secure at microsoft.com that
their "security fix" tool does not close a security hole it claims to is
perfectly valid.

And I still think a bugtraq post is justified, especially after
Microsoft's reply.

--
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
