[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident
Jonathan G. Lampe
jonathan at stdnet.com
Tue Oct 16 17:55:57 GMT 2001
>You emailed the wrong people, they told you where to go. They are not
>allowed/able to give technical support for products, even if those
>products are security products.
I thought since Microsoft markets their "lockdown toolkit" as a "security"
product in response to the many holes which have appeared in IIS, their
"security" people might be interested in finding out why their "security"
product didn't work.
>Email PSS, and see what they say. Would you expect to be able to go to
>some company's IS tech support department and ask for product support on a
>product that your company makes?
If you've ever dealt with Microsoft you know that "emailing PSS" isn't that
easy. You have to lay out some MORE cash before you can ask a
question. All I had was a simple question about a simple little "security"
program which doesn't appear to do its job. My immediate solution was to
perform the actions the tools ought to have performed by hand. I'm not
willing to cough up a couple hundred bucks to help Microsoft do some
debugging, but I was willing to donate a little of my valuable time to help
them locate the problem.
Because many unsophisticated users out there are using Microsoft's lockdown
toolkit as a major part of their "security" efforts, I would think
Microsoft would be interested to hear that their product no longer works on
a VERY common stock Dell platform.
>If you are the tech support, if someone came to you, would you (be able
>to) help them, or would you refer them to your tech support department?
If I knew that person had a problem I would get as much information as I
could from them (which Microsoft did not), personally contact a member from
the appropriate department (which Microsoft did not) and have them contact
the person who contacted me (which Microsoft did not).
Given Microsoft's precarious position in the enterprise web server market,
"try this department instead" is a poor response to a security
concern. And I won't excuse Microsoft for being poor respondents just
because they are a large company. (Wasn't "Exchange" supposed to fix
communication problems? ;)
>And BTW, when I ran the tool it worked fine, do you have any other
>machines that you can try the tool on?
Quite a few. Just thought it might be interesting to get to the bottom of
the problem with this tool on this platform - it's quite reproducible on
Dell 2500 rackmounts with Windows 2000 SP2 preinstalled, and I'm sure
other people will run into the problem too.
> What other software was installed on the machines prior to running the tool?
Nothing. Brand new machines: stock Windows 2000s, default IIS.
I think it's best to finish this discussion offline. (Or if you're at SANS
this week, I'll be leading a BOF on Thursday at 8:00 on Content Protection
- look me up there.)
- Jonathan Lampe, GCIA - Standard Networks - jonathan at stdnet.com -